Bitlocker Not Enabling

    Question

  • I am having trouble getting BitLocker to start on deployment for Win7 Ent and Win8 Pro.

    If I enable BitLocker manually from within Windows, it works fine.

    TPM is enabled.

    Partitions:

    BDEDisk - Boot - Primary - 350 MB - No Drive Letter

    OSDisk - Primary - 100%

    Ignore that "Create Bitlocker Partition" is disabled, as I am using the partition step for that.

    Is there a log I am overlooking? I can't seem to find anything in SMSTS.log, but I am no expert in that log and can't seem to find any problems with anything when I do look.

    Tuesday, December 17, 2013 7:30 PM

Answers

  • You have to enable, activate and make the TPM chip ready for the ownership change.

    This all can be done with a script (Google: EnableBitlocker.vbs), although you need to modify it a little bit to do only the TPM chip parts...

    Here's an old blog post about Lenovo TPM chip activation:

    http://blog.coretech.dk/mip/enable-lenovo-tpm-security-chip-and-other-stuff-from-a-ts/

    Hope this helps!

    • Proposed as answer by Narcoticoo Wednesday, December 18, 2013 4:02 AM
    • Marked as answer by CamecoKev Wednesday, December 18, 2013 9:30 PM
    Wednesday, December 18, 2013 4:02 AM
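One way to make the TPM state visible inside the task sequence before the "Enable BitLocker" step runs: an added example, not code from this thread, from EnableBitlocker.vbs or from the linked blog post. It queries the Win32_Tpm WMI class (present on Windows 7 and 8, unlike the Get-Tpm cmdlet) and returns a non-zero exit code when the TPM is not enabled, activated and owned; the log path and step name are assumptions.

```powershell
# TpmCheck.ps1 - run from a "Run Command Line" step (assumed) such as:
#   powershell.exe -ExecutionPolicy Bypass -File TpmCheck.ps1
# placed before "Enable BitLocker". A non-zero exit fails the step, so the
# reason shows up in smsts.log instead of BitLocker silently not starting.
$LogPath = 'C:\Windows\Temp\TpmCheck.log'   # assumed location

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogPath -Append
    Write-Output $Message
}

# Win32_Tpm lives in its own namespace and has no instance at all when the
# chip is hidden or switched off in firmware.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Log 'No Win32_Tpm instance: TPM is hidden or disabled in firmware.'
    exit 1
}

# Each query method returns an object carrying a boolean of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Log "TPM enabled=$enabled activated=$activated owned=$owned"

if (-not $enabled -or -not $activated) {
    # This is the "TPM is off" state from TPM Admin: a firmware change and
    # reboot are needed before any ownership step can succeed.
    Write-Log 'TPM not enabled/activated: fix in BIOS and reboot before Enable BitLocker.'
    exit 1
}
if (-not $owned) {
    # Enabled and active but "ownership has not been taken": the ownership
    # step (and possibly a reboot with physical-presence confirmation) is still due.
    Write-Log 'TPM has no owner: take ownership, then reboot, before Enable BitLocker.'
    exit 1
}
Write-Log 'TPM is enabled, activated and owned: ready for Enable BitLocker.'
exit 0
```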

All replies

  • Hi,

    Look in the SMSTS.log file for more information. Could it be that you have a CD/DVD in the drive? The Enable BitLocker step in the TS doesn't start the encryption if a CD/DVD is in the drive.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Tuesday, December 17, 2013 8:27 PM
  • No discs in the drives.

    This is my problem: I look in SMSTS and can't find anything about BitLocker :(

    When I manually enable BL post-deployment, it tells me that it has to:

    - Prepare your drive for BL (Windows RE will be moved to your system or recovery drive)

    - Turn on the TPM security hardware (I have verified in BIOS that TPM is enabled)

      - Reboot required to take ownership of TPM by hitting F10 on boot?

    I am doing this on Lenovo hardware.

    Tuesday, December 17, 2013 9:02 PM
  • We enable BitLocker in our task sequences and it always works. I do see some things that you don't have.

    1)  We do make sure TPM is already enabled (you said you have done this already).

    2)  Our Partition Disk step has one partition named "System Reserved (Primary)" of 350 MB. Then we have another partition named "Windows (Primary)" using 100% of the remaining disk space, NTFS. (Looks like you may have this step.)

    3)  In our task sequence, before "Apply Operating System", we have "Pre-provision BitLocker". Destination is "Next available formatted partition". Check "Skip if TPM is not enabled". (Looks like you disabled this step.)

    4)  After "Setup Windows and Configuration Manager", we have a step called "Enable BitLocker". We have the BitLocker key set to go to Active Directory. Be sure your Active Directory is set up for this. (I see that you have this step enabled.)

    I'm going to assume maybe you're missing the pre-provision. Re-enable that. This will fix your "prepare your drive for BL" issue.



    • Edited by CSMatMan Wednesday, December 18, 2013 12:41 AM
    Wednesday, December 18, 2013 12:09 AM
  • There are some known issues regarding BitLocker when you are using MDT 2013; I haven't looked closer into it yet...

    http://anoopcnair.com/2013/10/19/features-removed-microsoft-deployment-toolkit-mdt-2013/
    Wednesday, December 18, 2013 9:06 AM
  • Below is the task sequence I am using currently. I am not worrying about pre-provision yet, as I still am unable to get BL to enable on OS startup.

    I used cscript.exe "enablebitlocker.vbs" /on:tpm /l:c:\temp\enablebl.log /ro in a Run Command Line step.

    I have gotten to the point where TPM Admin is stating "The TPM is off and ownership has not been taken".

    BIOS is currently set to TPM Active.

    My last step of the TS is still not enabling BitLocker.

    It appears that the TPM has not been initialized.


    • Edited by CamecoKev Wednesday, December 18, 2013 5:13 PM
    Wednesday, December 18, 2013 5:11 PM
  • Ah ok, sorry. I have not used this method to enable TPM. We have used an HP utility before to do it, but we ended up just having our desktop guys or vendor turn it on before imaging. Once on, never have to worry about it again.
    Wednesday, December 18, 2013 5:22 PM
  • This was it. I added 2 reboots after all of these were run, and everything is good now.

    Thanks

    Wednesday, December 18, 2013 9:31 PM