
Access Denied Error 0x80070005 message when initializing TPM for Bitlocker

Hello, my name is Manoj Sehgal. I am a Senior Support Engineer in the Windows group, and today's blog will cover how to initialize the TPM successfully when you enable BitLocker in Windows 7.

A common problem we have seen since the release of Windows 7 is failing to initialize the TPM, which must succeed before you can turn on BitLocker. This is most likely caused by incorrect permissions for the SELF account on the msTPM-OwnerInformation attribute in AD.

When you try to turn on BitLocker on a Windows 7 operating system drive, you may get an Access Denied error message while initializing the TPM.

Additionally, when you open the TPM Management Console and try to initialize the TPM, you get error 0x80070005.

NOTE: If you are using SCCM to build Windows 7 machines with a BitLocker task sequence step, you may see the following error messages logged in smsts.log for OSDBitLocker.

pTpm->TakeOwnership( sOwnerAuth ), HRESULT=80070005 e:\nts_sms_fre\sms\client\osdeployment\bitlocker\bitlocker.cpp,480)OSDBitLocker 3032 (0x0BD8)
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured.
Access is denied. (Error: 80070005; Source: Windows) OSDBitLocker 3032 (0x0BD8)

Resolution:

To set the correct permissions, follow the instructions below:

1. Open Active Directory Users and Computers.

2. Select the OU that contains all the computers that will have BitLocker turned on.

3. Right-click the OU and click Delegate Control.

4. Click Next and then click Add.

5. Type SELF as the object name.

6. Select Create a custom task to delegate.

7. From the list of objects in the folder, select Computer Objects.

8. Under Show these permissions, select all 3 checkboxes.

9. Scroll down in the permissions list and select the attribute Write msTPM-OwnerInformation.

10. Click Finish.

After you have completed the steps above, you should be able to initialize the TPM successfully. Only the SELF principal gets the write right, and only on this one attribute of computer objects, so the delegation stays as narrow as the TPM owner-information backup requires.
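A PowerShell equivalent of the delegation steps above, added here as an example and not part of the original post: it grants SELF the write right on msTPM-OwnerInformation for computer objects under the OU and then checks that the ACE is present. The OU distinguished name is a placeholder, and the attribute name can be swapped for msTPM-TPMInformationForComputer on domains with the newer TPM schema extension.

```powershell
# Added example, not part of the original post: grant SELF (S-1-5-10) the
# right to write msTPM-OwnerInformation on computer objects under one OU,
# then check that the ACE is present. Assumes the ActiveDirectory module
# (AD: drive) and an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found (schema not extended?)" }
    return [guid]$obj.schemaIDGUID
}

function Grant-SelfTpmWriteAce {
    param(
        [Parameter(Mandatory)][string]$OU,
        # msTPM-TPMInformationForComputer on domains with the newer TPM schema extension
        [string]$Attribute = 'msTPM-OwnerInformation'
    )
    $self     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $attrGuid = Get-SchemaGuid $Attribute
    $compGuid = Get-SchemaGuid 'computer'   # limit the ACE to computer objects only
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($self, $rights, $allow, $attrGuid, $inherit, $compGuid)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-SelfTpmWriteAce {
    param([Parameter(Mandatory)][string]$OU, [string]$Attribute = 'msTPM-OwnerInformation')
    $attrGuid = Get-SchemaGuid $Attribute
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $hits = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $attrGuid -and
        (($_.ActiveDirectoryRights -band $write) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-10'
    }
    return [bool]$hits
}

$ou = 'OU=Workstations,DC=contoso,DC=com'   # placeholder DN; use your own OU
Grant-SelfTpmWriteAce -OU $ou
Test-SelfTpmWriteAce -OU $ou
```

Run Test-SelfTpmWriteAce on its own first to see whether the ACE already exists before changing the OU's ACL.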

More Information:

Backing Up BitLocker and TPM Recovery Information to AD DS

https://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx

Author:

Manoj Sehgal
Senior Support Engineer
Microsoft Corporation

Comments

  • Anonymous
    January 01, 2003
    Worked a treat. Thanks, Mark.
  • Anonymous
    June 11, 2012
    Hi Manoj, I get the same error when I try to start the service "Function Discovery Resource Publication". The error message is "Windows could not start the Function Discovery Resource Publication service on local computer. Error 0x80070005: Access is denied." I am trying to do this because I am trying to network my Win7 desktop to my Vista64 laptop. On the Win7 machine I couldn't turn Network Discovery on, so this is why I am trying to start this service. Any help would be appreciated. Mark Sutton
  • Anonymous
    April 05, 2013
    Manoj, can I apply this to my OU on AD when I am using MBAM?
  • Anonymous
    June 27, 2014
    LIFE SAVER!!!!
    Thanks for posting this information! Worked like a charm :)
  • Anonymous
    August 27, 2015
    Thanks for this! Worked like a charm
  • Anonymous
    January 07, 2016
    In my environment (Windows 10 client, 2008R2 DC with the schema extension from https://technet.microsoft.com/en-us/library/jj635854.aspx and rights set with Add-TPMSelfWriteACE.vbs from TechNet) this doesn't work :-( But the post helped me find the solution (many thanks!). You have to select to delegate the rights for "Write msTPM-TPMInformationForComputer".
  • Anonymous
    January 27, 2016
    I did these steps, but still access denied!!
    Any other solution plz?
  • Anonymous
    September 20, 2016
    Hi Manoj, I have an issue on one of our client machines. The Trusted Platform Module (TPM) is currently initialized when the image is deployed in our enterprise environment. All clients are running Windows 7 Enterprise and are domain joined. On a couple of clients we find that the TPM is not getting initialized. Using administrator rights, I opened TPM.msc and tried to initialize the TPM. Error "Cannot connect to Active Directory", Error 0x8007054b. We have confirmed with the AD team and find no issues with the machine communicating with the domain controller. Any help on this issue will be much appreciated. Thanks in advance! Deepak S