I am having this problem after enabling MBAM or BitLocker on a Windows 7 deployment via SCCM or manual install. There seems to be a problem with Windows 7 and TPM when the machine is in UEFI-only mode.
We are trying to configure this NUC for UEFI-only BIOS with MBAM on Windows 7 Enterprise. All other manufacturers' machines work correctly in this mode; only the NUC has the problem below.
Samsung 840 EVO 250GB SSD
The bios is configured as follows prior to any imaging and is reset each time to test imaging.
F9 BIOS defaults reset
Legacy boot unchecked
UEFI boot checked
Secure boot unchecked
(also tested with physical jumper reset - clear TPM)
UEFI partitions set up in task sequence per Microsoft recommendation:
Windows RE Tools - 600MB
EFI - 512MB
MSR - 128MB
Windows - remaining 100%
Windows 7 Enterprise is up to date with patches + the TPM 2.0 patch for Windows 7 - https://support.microsoft.com/en-us/kb/2920188
Problem example A - SCCM imaging enabling MBAM in task sequence
Our production image works with Dell, Lenovo and other Intel NUCs (manufacturers' SCCM driver packs applied based on manufacturer). Machines all imaged fine and boot into Windows with UEFI only configured in BIOS.
Testing - tried to save TPM owner auth per Microsoft https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25
Install MBAM in task sequence
Enable MBAM via Microsoft PowerShell script
Once MBAM is enabled, the machine starts encrypting in the task sequence as required. Once the machine is rebooted it cannot get into Windows and gives a
This is only corrected when the legacy boot option is enabled in the BIOS.
Once enabled, the system boots normally.
Not sure why this option has to be enabled after BitLocker or MBAM is set up.
(The same task sequence works as intended without the need to re-enter the BIOS post boot on several generations of Lenovo X1 laptops and Dell desktops.)
Problem example B - (SCCM image test machine / also manually installed Win 7) + manual BitLocker setup or MBAM setup from in Windows
Machine has above BIOS settings, boots normally, restarts normally with BIOS in UEFI only - legacy unchecked.
tpm.msc - in Windows 7 TPM is not owned or initialized (also tested when owned and initialized, same issue).
Install MBAM client manually
Run PowerShell script to enable MBAM (https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25)
Drive starts encrypting
Reboot - Windows will no longer boot - error
until the BIOS legacy option is also enabled. If it is left in UEFI mode it will not boot.
Go into BIOS, enable legacy - reboot machine - Windows starts normally.
I checked bcdedit before and after and confirmed it had the correct setting to boot to EFI.
When I go into the BIOS, Windows Boot Manager is listed under UEFI.
If I enable legacy, exit and then go back into the BIOS, the SSD is under legacy.
I have tested this with BIOS version 0026 - MYBDWi5v.86A.0026.2015.0820.1501
I have also tested with BIOS version MYBDWi5v.86A.0029.2016.0422.1803 (development BIOS).
If anyone knows a programmatic way I can change a BIOS setting from a task sequence, I could fix this via a script; however, I cannot find any WMI commands for the NUC BIOS like other vendors provide.
The question I have is: is the TPM designed to not work when legacy is not selected in the BIOS?
I have tried several options to test this, so please no generic "try another machine" answers. Thanks
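As an added diagnostic (not from the original post, nor Intel's or Microsoft's own tooling), the following PowerShell snapshot captures the data the post checks by hand with bcdedit and tpm.msc: which boot loader Windows actually started from, the TPM state, and the BitLocker conversion and key-protector state of the OS volume. Logging it from the task sequence before and after the reboot gives a like-for-like comparison of the UEFI and legacy cases. It assumes an elevated PowerShell on Windows 7 (PowerShell 2.0 syntax, Get-WmiObject only); Win32_Tpm and Win32_EncryptableVolume are Microsoft's WMI classes, the variable names are my own.

```powershell
# Added diagnostic, not from the original post. Run elevated on Windows 7.
# PowerShell 2.0 compatible: Get-WmiObject only, no Get-CimInstance.

# 1. Which loader booted this session? The {current} BCD entry points at
#    winload.efi on a UEFI boot and winload.exe on a legacy/CSM boot.
$bcd = bcdedit /enum "{current}" | Out-String
$bootType = if ($bcd -match 'winload\.efi') { 'UEFI' }
            elseif ($bcd -match 'winload\.exe') { 'Legacy' }
            else { 'Unknown' }
"Current boot loader: $bootType"

# 2. Firmware boot entries as Windows sees them (UEFI NVRAM entries, e.g.
#    "Windows Boot Manager" with its bootmgfw.efi path).
bcdedit /enum firmware | Select-String -Pattern 'description|device|path'

# 3. TPM state via Win32_Tpm, the same data tpm.msc displays.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    'No TPM visible to Windows (hidden/disabled in firmware, or no driver)'
} else {
    "TPM spec version : $($tpm.SpecVersion)"
    "TPM enabled      : $($tpm.IsEnabled().IsEnabled)"
    "TPM activated    : $($tpm.IsActivated().IsActivated)"
    "TPM owned        : $($tpm.IsOwned().IsOwned)"
}

# 4. BitLocker state of the OS volume via Win32_EncryptableVolume.
$sysDrive = $env:SystemDrive
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
         -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq $sysDrive }
if ($vol -eq $null) {
    "BitLocker WMI provider returned no volume for $sysDrive"
} else {
    $conv = $vol.GetConversionStatus()
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting,
    # 4 encryption paused, 5 decryption paused
    "Conversion status: $($conv.ConversionStatus) ($($conv.EncryptionPercentage)% done)"
    # ProtectionStatus: 0 off, 1 on, 2 unknown
    "Protection status: $($vol.GetProtectionStatus().ProtectionStatus)"
    # KeyProtectorType: 1 TPM, 2 external key, 3 numerical (recovery) password,
    # 4 TPM+PIN, 5 TPM+startup key, 6 TPM+PIN+startup key, 7 public key, 8 passphrase
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if ($ids) {
        foreach ($id in $ids) {
            "Key protector $id : type $($vol.GetKeyProtectorType($id).KeyProtectorType)"
        }
    } else { 'No key protectors on the OS volume' }
}
```

Run it once before the first reboot and again after enabling legacy boot; if the "Current boot loader" line changes between the two runs, the firmware is no longer starting Windows through the UEFI path the BCD was set up for.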