13 Replies Latest reply on May 15, 2017 6:50 AM by Intel Corporation

    nuc5i5myhe UEFI only tpm problems windows 7

    cpuadmin

      I am having this problem after enabling mbam or bitlocker on a windows 7 deployment via sccm or manual install.  There seems to be a problem with windows 7 and tpm when the machine is in UEFI only mode.

We are trying to configure this NUC for UEFI-only BIOS with MBAM on Windows 7 Enterprise. All other manufacturers' machines work correctly in this mode; only the NUC has the problem below.


      nuc5i5myhe

      samsung 840 evo 250gb ssd

      The bios is configured as follows prior to any imaging and is reset each time to test imaging.

      F9 bios defaults reset

      Legacy boot unchecked

UEFI boot checked

      secure boot unchecked

      (also tested with physical jumper reset - clear tpm )

      UEFI partitions setup in task sequence per Microsoft recommendation

      Windows RE Tools 600mb

      EFI - 512mb

      MSR - 128mb

      Windows - remaining 100 %

      Windows 7 enterprise is up to date with patches + the tpm 2.0 patch for windows 7 - https://support.microsoft.com/en-us/kb/2920188


      Problem example A - sccm imaging enabling mbam in task sequence

Our production image that works with Dell, Lenovo, and other Intel NUCs (manufacturers' SCCM driver packs applied based on manufacturer). Machines all imaged fine and boot into Windows with UEFI only configured in the BIOS.

Testing - tried to save TPM owner auth per Microsoft: https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25

      Install mbam in task sequence

      enable mbam via microsoft powershell script

Once MBAM is enabled, the machine starts encrypting in the task sequence as required. Once the machine is rebooted it cannot get into Windows and gives a

      This is only corrected when the legacy boot option is enabled in the bios.

      Once enabled the system boots normally.

Not sure why this option has to be enabled after BitLocker or MBAM is set up.

(The same task sequence works as intended, without the need to re-enter the BIOS after boot, on several generations of Lenovo X1 laptops and Dell desktops.)


Problem example B - (SCCM image test machine / also manually installed Win 7) + manual BitLocker setup or MBAM setup from in Windows

Machine has the above BIOS settings, boots normally, restarts normally with BIOS in UEFI only - legacy unchecked

tpm.msc - in Windows 7 the TPM is not owned or initiated (also tested when owned and initiated, same issue)

Install MBAM client manually

Run PowerShell script to enable MBAM (https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25)

Drive starts encrypting

Reboot - Windows will no longer boot - error

until the BIOS legacy option is also enabled. If it is left in UEFI mode it will not boot.

Go into BIOS, enable legacy, reboot machine - Windows starts normally.

I checked bcdedit before and after and confirmed it had the correct setting to boot to EFI.


When I go into the BIOS, Windows Boot Manager is listed under UEFI.

If I enable legacy, exit and then go back into the BIOS, the SSD is under legacy.

I have tested this with BIOS version 0026 - MYBDWi5v.86A.0026.2015.0820.1501

      I have also tested with BIOS version MYBDWi5v.86A.0029.2016.0422.1803 Development BIOS


If anyone knows a programmatic way I can change a BIOS setting from a task sequence, I could fix this via a script; however, I cannot find any WMI commands for the NUC BIOS like other vendors have.


The question I have is: is the TPM designed to not work when legacy is not selected in the BIOS?

I have tested several options, so please no generic "try another machine" answers. Thanks
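A diagnostic script that snapshots the state this post is comparing before and after MBAM is enabled: the BCD boot loader path (winload.efi vs. winload.exe), the boot-time TPM state that tpm.msc shows, whether a GPT EFI System Partition exists, and the OS volume's encryption status. This is an added example, not code from the original post, Intel or Microsoft; it assumes Windows 7 with the standard Win32_Tpm and Win32_EncryptableVolume WMI classes and an elevated PowerShell 2.0+ prompt.

```powershell
# Added diagnostic script (not from the original post): snapshot BCD boot loader
# path, TPM state, EFI System Partition and OS volume encryption. Run elevated.

function Get-CurrentBootLoaderPath {
    # bcdedit prints "path \Windows\system32\winload.efi" for a UEFI boot and
    # "...\winload.exe" for a legacy BIOS boot of the same installation.
    $line = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*path\s+' }
    if ($line) { return ($line -replace '^\s*path\s+', '').Trim() }
    return $null
}

function Get-TpmState {
    # Win32_Tpm sits in its own namespace; *_InitialValue are the boot-time values.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion
        Enabled     = $tpm.IsEnabled_InitialValue
        Activated   = $tpm.IsActivated_InitialValue
        Owned       = $tpm.IsOwned_InitialValue
    }
}

function Get-EfiSystemPartitions {
    # A GPT disk reports its ESP as Type "GPT: System"; an MBR layout never does.
    Get-WmiObject Win32_DiskPartition | Where-Object { $_.Type -eq 'GPT: System' } |
        Select-Object DeviceID, @{n='SizeMB'; e={ [int]($_.Size / 1MB) }}
}

function Get-OsVolumeProtection {
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown; ConversionStatus 1 = fully encrypted.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    if (-not $vol) { return $null }
    $conv = $vol.GetConversionStatus()
    New-Object PSObject -Property @{
        ProtectionStatus = $vol.ProtectionStatus
        ConversionStatus = $conv.ConversionStatus
        PercentEncrypted = $conv.EncryptionPercentage
    }
}

# A boot loader path that changes from winload.efi to winload.exe after the first
# reboot means the machine came up through the legacy path, not UEFI Boot Manager.
"BIOS: " + (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion
$bl = Get-CurrentBootLoaderPath
"Boot loader: $bl  (UEFI boot: $($bl -like '*winload.efi'))"
Get-TpmState | Format-List
Get-EfiSystemPartitions | Format-Table -AutoSize
Get-OsVolumeProtection | Format-List
```

Keeping both snapshots (pre-MBAM and post-reboot with legacy enabled) side by side makes it clear whether the BCD entry, the TPM state, or only the firmware's chosen boot path differs between the working and non-booting configurations.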