09-21-2017 04:52 AM
We are running SCCM Current Branch version 1706 and ADK 1703. We just started having issues with the T470 TPM not initializing correctly during the OSD deployment. The TPM goes through the Pre-Provision steps without any problem, but when we attempt to Enable BitLocker and send the key into AD we get "The TPM is defending against dictionary attacks and is in a time-out period." Error code: 0x80280803
This is not a problem on any other model at this time. We are also deploying M710s and X270 devices with the same task sequence using the same steps without issue. Is there a step we need to take on the T470?
This task sequence is deploying Windows 7
Machine is in UEFI mode with CSM support. Secure Boot is disabled and TPM is set to Active version 2.0
Let me know what else you need to help get this resolved.
09-21-2017 05:44 AM
Has Win10 ever been installed on the machine? Because Win10 will automatically take ownership of the TPM. I have heard of strange things like this after Win10 takes ownership, and then you re-image the box with Win7 and try to use the TPM without clearing it first. Anyway, once the TPM is in lockout (or in this strange state that causes lockout), the only solution is to clear it.
09-21-2017 06:47 AM
This occurs on machines "out of the box". I don't know what OEM OS is on them, I assume Windows 10. This wasn't a problem until we updated our ADK and CB versions to current so we could start developing Windows 10 deployments. We still need to deploy Windows 7 until we are fully tested and certified for 10 in our environment.
I have cleared the TPM from the BIOS and no change in behavior.
I tried to post this under the Enterprise forum but it wouldn't post. Hoping to get more feedback.
09-21-2017 06:54 AM
Please try running the attached VBS (and reboot) before the pre-provision steps and see if the problem still happens?
09-21-2017 08:03 AM
No change. The error log says "Initial TPM State: 55" but I can't find any documentation on what the "states" of TPM are and what they mean. Even when it's clear, it can't take ownership when it gets to the Enable BitLocker steps.
09-21-2017 08:45 AM
What error log are you referring to?
As an experiment, can you try taking the preprovisioning and BitLocker steps out of your OSD and manually setting up BitLocker after deployment? I think we need to prove that the TPM can work successfully and then figure out how to get it working within your image after that.
09-21-2017 08:47 AM
What I mean is:
1. deploy the system without BitLocker
2. run tpm.msc, initialize the TPM
3. from BitLocker control panel, turn on BitLocker
Can you get that working?
09-21-2017 10:57 AM
We were able to reproduce this, and then realized that the required Microsoft hotfix for TPM 2.0 support wasn't in our Win7 reference image. After the image was deployed, we saw the failure in smsts.log. Then, I wasn't able to manually initialize the TPM (in TPM.msc) either. Same error about the TPM defending against dictionary attacks. So I applied the hotfix, rebooted, cleared the TPM one last time, and finally I was able to initialize it in TPM.msc without error. Just applying the hotfix wasn't enough - the TPM was in a bad state so it had to be cleared also.
So we have added the hotfix and are currently rebuilding the image. I'll let you know how that goes.
Is this hotfix in your image? https://support.microsoft.com/en-us/help/2920188/update-to-add-support-for-tpm-2-0-in-windows-7-and-...
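The troubleshooting steps above (check that the TPM can be initialized at all, and that the TPM 2.0 hotfix is in the Windows 7 image) can be automated as a pre-flight check before the pre-provision step. This is an added example, not the VBS attached in the thread or anything from Microsoft or Lenovo; it uses the Win32_Tpm WMI class and Get-HotFix, and the task-sequence variable name TpmPreflightOk is an assumed name.

```powershell
# Added example (not from this thread): pre-flight check for a Windows 7 task sequence,
# run in the full OS as admin before the "Pre-provision BitLocker" step. It reads the TPM's
# enabled/activated/owned state and spec version from Win32_Tpm and checks that KB2920188
# (TPM 2.0 support for Windows 7) is installed. "TpmPreflightOk" is an assumed TS variable.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                     -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM is exposed to the OS (disabled in firmware, or no TPM driver).'
    exit 1
}

# Each Win32_Tpm query method returns an object carrying a boolean of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
$spec      = $tpm.SpecVersion                      # e.g. "2.0, 0, 1.16" or "1.2, 2, 3"
Write-Output "TPM spec $spec : enabled=$enabled activated=$activated owned=$owned"

$problems = @()
if (-not $enabled)   { $problems += 'TPM is not enabled in firmware' }
if (-not $activated) { $problems += 'TPM is not activated in firmware' }

# Windows 7 (NT 6.1) needs KB2920188 to use a TPM 2.0; without it the TPM cannot be
# initialized and the OSD step fails with the dictionary-attack time-out error.
$isWin7 = [Environment]::OSVersion.Version -lt [Version]'6.2'
if ($isWin7 -and $spec -like '2.0*') {
    $hasKb = [bool](Get-HotFix -Id 'KB2920188' -ErrorAction SilentlyContinue)
    if (-not $hasKb) { $problems += 'TPM 2.0 on Windows 7 but KB2920188 is not installed' }
}

# A TPM still owned by a previous OS install (e.g. the OEM Windows 10 image) should be
# cleared in firmware before the task sequence tries to take ownership again.
# (Windows 7 deployments only; Windows 10 auto-provisions ownership itself.)
if ($isWin7 -and $owned) { $problems += 'TPM already owned; clear it in firmware first' }

foreach ($p in $problems) { Write-Warning $p }
$ok = ($problems.Count -eq 0)

# Hand the verdict to the task sequence so a condition on the pre-provision/enable steps
# can skip them or fail early instead of hitting 0x80280803 mid-deployment.
$verdict = 'false'
if ($ok) { $verdict = 'true' }
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('TpmPreflightOk') = $verdict
} catch {
    Write-Output 'Not running inside a task sequence; verdict not recorded.'
}
if (-not $ok) { exit 1 }
```

Run it from a "Run PowerShell Script" step and put a condition of TpmPreflightOk equals true on the pre-provision and Enable BitLocker steps; the warnings end up in smsts.log next to the "Initial TPM State" line.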
09-21-2017 11:01 AM
Yes, that patch is in the image we are using. We are able to image the M710s and the X270 using UEFI with CSM and TPM 2.0 and it works, and we were able to use the T470 in this manner.
In doing some testing I switched the TPM to 1.2 and used Legacy boot with CSM support, and it imaged and BitLocker applied but immediately went into recovery mode. I am retesting with an OS image without the TPM 2.0 patch in it to see where we get.
09-21-2017 11:19 AM
Your issue with TPM 1.2 and legacy mode is probably caused by not setting the boot order to make HDD first. Also, prior to a legacy mode deployment, you need to load default settings in BIOS mode to make "Windows Boot Manager" boot entry go away (which is only for UEFI mode).
We are still deploying the T470 with Win7/UEFI + hotfix + TPM 2.0; will have results to share later this afternoon.