Question
Wednesday, April 24, 2019 7:37 PM | 1 vote
Hello
We are using a PS script to encrypt machines & back up keys to AD. The script runs fine as Admin. Machines are TPM 2.0 & UEFI, W10 1809
When running as a group policy startup script (SYSTEM) we get a TPM failure: 2147943714
Bitlocker-API in Event Viewer shows Event ID 812: Bitlocker cannot use Secure Boot for integrity because the UEFI variable "SecureBoot" could not be read.
In AD I've checked SYSTEM and SELF for TPM attribute writing - looks good there.
Is this User Rights Access related? Getting this on a VM & physical machines. Thanks
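A diagnostic pre-flight that can be placed at the top of such a startup script, added here as an example and not code from the thread: it logs the running identity, whether the UEFI "SecureBoot" variable named in Event ID 812 can actually be read in this context, TPM state, the policy value and any recent 812 events, so a SYSTEM-context run can be compared with an interactive admin run. The log path and the policy value name OSAllowSecureBootForIntegrity are assumptions.

```powershell
# Added diagnostic pre-flight for a BitLocker startup script (not from the thread).
# Writes identity, Secure Boot readability, TPM and policy state to a log so a
# failure under SYSTEM can be compared with a working interactive admin run.
$LogPath   = 'C:\Windows\Temp\bitlocker-preflight.log'   # assumed path
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'      # BitLocker policy key

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogPath -Append -Encoding utf8
}

Write-Log "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Event ID 812 complains about the UEFI "SecureBoot" variable; this cmdlet reads
# the same variable and throws when it cannot, so the failure shows up here first.
try {
    $sb = Confirm-SecureBootUEFI
    Write-Log "Confirm-SecureBootUEFI: $sb"
} catch {
    Write-Log "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
}

# TPM state as seen by this security context.
$tpm = Get-Tpm
Write-Log "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) enabled=$($tpm.TpmEnabled)"

# Policy "Allow Secure Boot for integrity validation" (value name assumed).
$policy = Get-ItemProperty -Path $PolicyKey -Name OSAllowSecureBootForIntegrity -ErrorAction SilentlyContinue
$policyState = if ($policy) { $policy.OSAllowSecureBootForIntegrity } else { 'not set' }
Write-Log "OSAllowSecureBootForIntegrity: $policyState"

# Most recent Event ID 812 entries from the BitLocker management log, if any.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 812
} -MaxEvents 3 -ErrorAction SilentlyContinue
foreach ($e in $events) { Write-Log "Event 812 at $($e.TimeCreated): $($e.Message)" }

# Current protection state of the OS volume before any Enable-BitLocker call.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Log "OS volume: ProtectionStatus=$($os.ProtectionStatus) VolumeStatus=$($os.VolumeStatus)"
```

Running it once from the GP startup script and once via `psexec -s -i powershell` gives two log entries to diff; the Confirm-SecureBootUEFI line is the one that should differ if the context really cannot read the variable.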
All replies (12)
Thursday, April 25, 2019 9:49 AM
Hi.
Please test like this: download psexec from Microsoft. In an elevated command prompt (you will need to right click cmd.exe and select "run as administrator"), run psexec like this:
psexec -s -i powershell
->a new powershell window will appear, running as system account. Now execute your script from there and see if it shows errors or not.
Thursday, April 25, 2019 3:43 PM | 1 vote
Thanks for your reply.
That worked, verified nt authority\system with "whoami"
Was hoping for an error - any further insight?
We can deploy this script from SCCM & it will work (presumably, with service account), but trying to go the GP startup script route.
Friday, April 26, 2019 5:32 AM
Hi,
You may check group policy item Allow Secure Boot for integrity validation, which can be found in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
For more information, please check the following link as reference:
Enable Bitlocker to use Secure Boot for platform and BCD integrity validation
Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.
Hope these are helpful. If you have any question, please feel free to let me know.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, April 26, 2019 5:59 AM
hotonion, once I had a case, where a startup script did not work although psexec let me execute the same script as system account. I worked around that by deploying a scheduled task that ran as system account. You could do that.
Friday, April 26, 2019 3:31 PM
Thanks. Yes we are using this GPO. Running the script with admin account works. The error when run from gp startup script: Bitlocker-API Event ID 812: Bitlocker cannot use Secure Boot for integrity because the UEFI variable "SecureBoot" could not be read.
Would this indicate SYSTEM not having permissions for the BCD partition? Where's that variable located?
Running the same script with psexec works - uses SYSTEM to run.
Friday, April 26, 2019 3:33 PM | 1 vote
Ronald,
Unfortunately we are getting the same errors with task scheduler running as SYSTEM
Friday, April 26, 2019 3:40 PM
We would need to look at your script, now.
Tuesday, April 30, 2019 6:06 AM
Hi hotonion,
You may check the registry entry permissions of Computer\HKEY_LOCAL_MACHINE\BCD000000. It shows that SYSTEM has full control of BCD.
So I considered whether there's something wrong with your script. If so, I'd recommend you submit a new thread on the Script forum as they will be more professional on your issue.
https://social.technet.microsoft.com/Forums/en-US/home?category=scripting
Thanks for your understanding!
If you have any other question, please feel free to let me know.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, May 6, 2019 2:02 AM | 1 vote
Hi,
Was your issue solved?
If yes, would you like to share your solution in order that other community members could find the helpful reply quickly.
If no, please reply and tell us the current situation in order to provide further help.
Best
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, June 11, 2019 5:55 PM
I have the same issue, did you ever solve this?
Thursday, February 13, 2020 9:12 PM
Hi was this resolved?
Monday, March 2, 2020 3:22 PM
Has anyone figured this out? I can get my startup scripts to run on Windows 10 1803, but on Windows 10 1903 we get Bitlocker-API Event ID 812 in Event Viewer: Bitlocker cannot use Secure Boot for integrity because the UEFI variable "SecureBoot" could not be read.