Question
Thursday, March 23, 2017 5:59 PM
All,
I am having an issue that I can't seem to resolve.
I have an office full of Dell laptops that run Windows 10 Enterprise 1607. They are all setup with Bitlocker and virtual smart cards. There is a mix of TPM versions 1.2 and 2.0, depending on the latest firmware offered. Out of all of the laptops that have been imaged, only two Dell Latitude E5540 machines are having issues.
The issue is that when I try to setup the virtual smart card on these two machines using the MMC console, they fail when creating a request for a certificate. The error that I get is not very helpful and I cannot find any trace of the failure anywhere.
The entire error is:
An error occurred while enrolling for a certificate. A certificate request could not be created.
Url: {our local CA}
Error: An unexpected card error has occurred. 0x8010001f (-2146435041 SCARD_E_UNEXPECTED)
Any help that can be offered will be greatly appreciated!
All replies (10)
Friday, March 24, 2017 2:54 AM
Hi Stahj76,
The issue only occurred with the specific machine model and the other machines could work well, right?
First of all, please update the BIOS from the Dell website. The latest BIOS version should be A17 released on 17 Jan 2017.
As far as I know, the "Virtual Smart Cards" is based on the TPM.
Ensure you are using the UEFI mode and "TPM" has been enabled on the BIOS.
Try to initialize the TPM manually. Then request the certificate again.
Use Virtual Smart Cards
https://technet.microsoft.com/en-us/library/dn579265(v=ws.11).aspx
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, March 24, 2017 7:57 PM
Thanks for the reply.
The machine is currently updated to A17 BIOS, but this is not limited to all laptops of this model. We have 4 E5540 machines and 2 of them have this problem and the other two are fine.
We are currently using UEFI mode and use Bitlocker, so the TPM is enabled. It is working as expected for that application.
I have turned off Bitlocker and cleared and initialized the TPM and found the same results.
Jason
Monday, March 27, 2017 8:00 AM
Hi Stahj76,
"I have turned off Bitlocker and cleared and initialized the TPM and found the same results."
Have you re-created the virtual smart card after initializing the TPM?
Since the issue only occurred with the specific machines, try to recreate the smart card in a clean boot environment and re-enroll the certificates again. Try to remove the machine from the domain and re-join them to the domain.
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows
Best regards
Monday, March 27, 2017 6:11 PM
I created the virtual smart card reader in Windows after initializing the TPM using "tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /pin DEFAULT /generate".
I booted clean and tried again with the same result. I removed and joined it to the domain and got the same result. Previously, I had tested a clean install from a Dell disc to see if it was a problem in the image, and that yielded the same result.
Is there a location where these failures are logged on the client? It doesn't show in the logs on the CA, so it appears that it never reaches it.
Thanks!
Tuesday, March 28, 2017 8:09 AM
Hi Stahj76,
Please try to enable the TPM log to collect more information to troubleshoot this issue.
To enable TPM logging:
- From an elevated command prompt, run the following commands:
reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm /v Start /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm /v LogFileMode /t REG_DWORD /d 0x10000004 /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm /v FileMax /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm /v FileCounter /f
- Reboot the machine.
- Run the test.
- From an elevated command prompt, change to the directory '%SystemRoot%\System32\LogFiles\WMI'.
- Temporarily stop the TPM driver logging and flush the buffer: 'logman stop tpm -ets'
- The log files start with 'tpm*' in '%SystemRoot%\System32\LogFiles\WMI'.
To disable TPM logging, from an elevated command prompt, type:
reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm /v Start /t REG_DWORD /d 0 /f
Once the log is collected, upload the log to OneDrive and paste the link here. We will try to analyze the log deeply for you.
Best regards
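The collection steps in the reply above, wrapped into PowerShell functions as an added example (this is not code from the thread or from Microsoft). It assumes the Autologger key path and value names exactly as quoted in the reply, and the output folder under the user's Desktop is a placeholder chosen for the example.

```powershell
# Added example: enable the TPM autologger, reproduce the failure, then collect
# the tpm* trace files for analysis. Run from an elevated PowerShell window.
# Assumptions: registry path/values as quoted in the reply; $OutDir is a placeholder.
#Requires -RunAsAdministrator

$TpmLoggerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm'
$TpmLogDir    = Join-Path $env:SystemRoot 'System32\LogFiles\WMI'

function Enable-TpmTrace {
    # Same effect as the two 'reg add' and two 'reg delete' commands: start the
    # autologger at boot with log file mode 0x10000004 and remove any size/count caps.
    if (-not (Test-Path $TpmLoggerKey)) { New-Item -Path $TpmLoggerKey -Force | Out-Null }
    Set-ItemProperty -Path $TpmLoggerKey -Name Start       -Value 1          -Type DWord
    Set-ItemProperty -Path $TpmLoggerKey -Name LogFileMode -Value 0x10000004 -Type DWord
    foreach ($name in 'FileMax', 'FileCounter') {
        Remove-ItemProperty -Path $TpmLoggerKey -Name $name -ErrorAction SilentlyContinue
    }
    Write-Host 'TPM autologger enabled. Reboot, reproduce the enrolment failure, then run Save-TpmTrace.'
}

function Disable-TpmTrace {
    # Equivalent of setting Start back to 0; takes effect at the next boot.
    Set-ItemProperty -Path $TpmLoggerKey -Name Start -Value 0 -Type DWord
}

function Save-TpmTrace {
    param([string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop\tpm-trace'))  # placeholder path

    # 'logman stop tpm -ets' flushes the kernel-mode trace session so the
    # tpm*.etl files on disk are complete before they are copied.
    & logman.exe stop tpm -ets | Out-Null

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $files = Get-ChildItem -Path $TpmLogDir -Filter 'tpm*' -File
    if (-not $files) {
        throw "No tpm* trace files in $TpmLogDir. Was the autologger enabled and the machine rebooted?"
    }
    $files | Copy-Item -Destination $OutDir

    # Put the basic TPM state next to the trace; it is the first thing a reviewer asks for.
    Get-Tpm | Out-File -FilePath (Join-Path $OutDir 'get-tpm.txt')

    $zip = "$OutDir.zip"
    Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath $zip -Force
    return $zip   # path of the archive to upload
}

# Typical sequence on the failing laptop:
#   Enable-TpmTrace                       # then reboot
#   tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /pin DEFAULT /generate
#   (attempt the certificate enrolment in the MMC console)
#   Save-TpmTrace                         # returns the zip path
#   Disable-TpmTrace
```

The trace is stopped with logman only after the repro so that the failing PCP KSP call is captured; re-enabling the autologger for a second run only requires another reboot, since the Start value is still 1 until Disable-TpmTrace is called.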
Tuesday, March 28, 2017 2:00 PM
https://1drv.ms/u/s!AqXhKdFziH4OrCIiH42woxriDsc6
Thank you!
Wednesday, March 29, 2017 9:32 AM
Hi Stahj76,
According to the TPM log, it seems that there is something wrong with the TPM. It could be a hardware or driver issue.
882 [0] 0328.032C::03/28/17-21:26:55.2540053 [pcpksp] interface_cpp530 PCPKspOpenKey() - INFORMATION interface.cpp(530) PCPKspOpenKey Exited {status = 0x80090016(NTE_BAD_KEYSET)}
2456 [0] 0004.00F8::03/28/17-21:26:59.6430037 [drv] tpmrsrc_cpp327 TpmResourceManager::PreProcess() - INFORMATION tpmrsrc.cpp(327) TpmResourceManager::PreProcess:Virtual TPM_RT_AUTH handle 0x5 translated to physical TPM_RT_INVALID handle 0x0
Please compare the tpm driver version with a normal machine, try to reinstall the TPM driver then check the symptom.
If the issue persists, I am afraid the TPM hardware is corrupted. If it is possible, we could perform a clean installation to troubleshoot whether it is a system or hardware issue.
Best regards
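The reply asks for the TPM driver version on a failing machine to be compared with a working one. As an added example (not from the thread), the script below gathers the TPM and driver facts that are worth diffing between the two E5540s: TPM spec and firmware version, readiness and lockout state, supported features, the installed TPM driver, and the key containers visible through the Microsoft Platform Crypto Provider, which is the KSP that reported NTE_BAD_KEYSET in the trace. It assumes the TrustedPlatformModule module and the Win32_Tpm WMI class are present (both ship with Windows 10); the certutil key listing is an assumed way of enumerating PCP KSP containers and the output file name is a placeholder.

```powershell
# Added example: collect TPM facts from one machine into a text report so two
# reports can be compared with Compare-Object. Run elevated on each laptop.
#Requires -RunAsAdministrator

function Get-TpmComparisonReport {
    param([string]$OutFile = (Join-Path $env:USERPROFILE "Desktop\tpm-$env:COMPUTERNAME.txt"))  # placeholder

    $tpm = Get-Tpm   # TpmPresent, TpmReady, LockedOut, SelfTest, ManufacturerVersion, ...

    # Win32_Tpm exposes the spec version (1.2 vs 2.0) and the firmware version;
    # the thread has a mix of TPM versions, so line these up first.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

    # The TPM driver the reply asks you to compare.
    $drv = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Trusted Platform Module*' } |
        Select-Object DeviceName, DriverVersion, DriverDate, DriverProviderName

    # BitLocker and a virtual smart card exercise the TPM differently, so the
    # feature list Windows reports is worth diffing even when BitLocker works.
    $features = Get-TpmSupportedFeature

    # Assumed: 'certutil -csp "Microsoft Platform Crypto Provider" -key' lists the
    # key containers held by the TPM-backed KSP that failed with NTE_BAD_KEYSET.
    $pcpKeys = & certutil.exe -csp 'Microsoft Platform Crypto Provider' -key 2>&1 | Out-String

    $report = [ordered]@{
        Computer            = $env:COMPUTERNAME
        SpecVersion         = $wmi.SpecVersion
        ManufacturerId      = $wmi.ManufacturerId
        ManufacturerVersion = $wmi.ManufacturerVersion
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        LockedOut           = $tpm.LockedOut
        SelfTest            = ($tpm.SelfTest -join ' ')
        SupportedFeatures   = ($features -join ', ')
        Driver              = ($drv | Format-List | Out-String).Trim()
        PcpKeyContainers    = $pcpKeys.Trim()
    }

    # Emit 'Name=Value' lines so Compare-Object works line by line.
    $lines = $report.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }
    $lines | Out-File -FilePath $OutFile -Encoding UTF8
    return [pscustomobject]$report
}

# On each machine:   Get-TpmComparisonReport
# Then, on either:   Compare-Object (Get-Content .\tpm-GOOD.txt) (Get-Content .\tpm-BAD.txt)
```

Identical SpecVersion, ManufacturerVersion and driver lines on a working and a failing machine point away from the driver and toward the part itself, which is what the reply is trying to decide before sending the laptop back to the vendor.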
Thursday, March 30, 2017 2:36 PM
I reinstalled the TPM driver and tried again with the same result. The machine was clean imaged 3 days ago, so this is pretty clean, but it has been tested using an OEM installation disc and the result is the same.
I have been using Bitlocker on these two machines, which uses the TPM as well. It appears for that use, it is working correctly. I am not sure what the setup difference on the TPM is between Bitlocker and the virtual smart card though. If there is a problem with the TPM itself, is there a way to resolve it, or do I just accept that I cannot use virtual smart cards on these two machines?
Friday, March 31, 2017 8:41 AM
Hi Stahj76,
Since you have performed a clean installation and the issue persists, I am afraid the TPM itself may have been corrupted. You'd better contact the device manufacturer support for help.
Best regards
Friday, March 31, 2017 4:04 PM
One thing that I had forgotten to mention is that when these problems began, we had Dell replace the motherboard in this machine, effectively replacing the TPM. Also, this TPM is running fine with Bitlocker. I will reengage Dell and send them the TPM log and hopefully they find something, but up to this point, they have been no help.
Thank you for all of your time on this.