Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group and today’s blog will cover How to initialize TPM successfully when you enable Bitlocker in Windows 7.
A common problem we have seen since the release of Windows 7 has been to initialize TPM successfully so that you can successfully turn ON Bitlocker. This is most likely due to incorrect permissions for the SELF account in AD for ms-TPMOwnerInformation attribute.
When you try to turn on Bitlocker on Windows 7 Operating System Drive, you may get the Access Denied Error message while initializing TPM.
Additionally, when you open the TPM Management Console and you try to initialize TPM you get error message 0x80070005.
NOTE: If you are using SCCM to build Windows 7 machines and using Bitlocker Task Sequencer you may see the following error message(s) logged in smsts.log for OSDbitlocker.
pTpm->TakeOwnership( sOwnerAuth ), HRESULT=80070005 e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,480)OSDBitLocker 3032 (0x0BD8) Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured. Access is denied. (Error: 80070005; Source: Windows) OSDBitLocker 3032 (0x0BD8)
To set correct permissions, follow the instruction below:
1. Open Active Directory Users and Computers.
2. Select the OU where you have all computers which will have Bitlocker turned ON.
3. Right Click on the OU and click Delegate Control.
4. Click Next and then click Add.
5. Type SELF as the Object Name.
6. Select create a custom task to delegate.
7. From the object in the folder, select Computer Objects.
8. Under show these permissions, select all 3 checkbox.
9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.
10. Click Finish.
After you have done the above steps, you should be able to initialize TPM successfully.
Backing Up BitLocker and TPM Recovery Information to AD DS
Manoj Sehgal Senior Support Engineer Microsoft Corporation
Works great, thanks!