Errors when Enabling BitLocker and Saving to AD

  • Question

  • Hello All,

    Having a real problem here when trying to automate BitLocker and saving Recovery Keys to AD in a Windows 7 Task Sequence.  Currently using MDT 2013 Update 2 (6.3.8330.1000) and WADK 10.1.10586.0

    Active Directory has been configured per https://technet.microsoft.com/en-us/library/dn744301.aspx?f=255&MSPPError=-2147217396 and https://technet.microsoft.com/en-us/library/dd875529%28WS.10%29.aspx

    But sequences always fail when reaching the Enable BitLocker task.  Enable BitLocker (Offline) is disabled.

    BDD.LOG

    FAILURE ( 6751 ): -2147016656  0x80072030: Change owner authorization ZTIBde 5/13/2016 1:02:38 PM 0 (0x0000)
    Command completed, return code = -2147467259 LiteTouch 5/13/2016 1:02:39 PM 0 (0x0000)
    Litetouch deployment failed, Return Code = -2147467259  0x80004005 LiteTouch 5/13/2016 1:02:39 PM 0 (0x0000)

    SMSTL.LOG

    <![LOG[Error Task Sequence Manager failed to execute task sequence. Code 0x80004005]LOG]!><time="13:02:38.944+240" date="05-13-2016" component="TSManager" context="" type="3" thread="1288" file="tsmanager.cpp:1007">
    <![LOG[Sending error status message]LOG]!><time="13:02:38.944+240" date="05-13-2016" component="TSManager" context="" type="1" thread="1288" file="tsmanager.cpp:1008">

    ZTIBDE.LOG

    FAILURE ( 6751 ): -2147016656  0x80072030: Change owner authorization ZTIBde 5/13/2016 1:02:38 PM 0 (0x0000)

    After failures, when trying to manually enable TPM I receive Cannot Connect to AD DS on the network, error code:  0x8007054b (even though the machine is successfully added to the Domain).  And trying to turn on BitLocker results in the message:  "There is no such object on the server".

    Any thoughts would be appreciated.  I can upload additional logs and screenshots if needed.

    Thank you in advance for any help.

    Chris


    Friday, May 13, 2016 5:30 PM

All replies

  • Do you have the schema that adds BitLocker to AD?

    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it.


    Friday, May 13, 2016 6:14 PM
  • Hello Ty,

    Yes.  See below:


    Chris

    Friday, May 13, 2016 6:27 PM
  • When you open Active Directory Users and Computers, do you have a BitLocker tab (check some PC AD object)?

    Friday, May 13, 2016 6:39 PM
  • There are two parts needed. The policies and the schema extension. If that doesn't work for you I might move this post to a forum that more directly handles this. From your testing we already know this is an issue saving keys even without MDT involved.

    https://technet.microsoft.com/en-us/library/jj592683.aspx


    Friday, May 13, 2016 6:47 PM
  • Grr I forgot to mention the access control entries:

    https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx


    Friday, May 13, 2016 6:52 PM
  • Lol ... "grr" :)

    Seems that the ACE is in place.  From a Domain Controller:

    C:\Scripts\BitLockerAD>cscript List-ACEs.vbs
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    Accessing object: DC=xxx,DC=com

    >            AceFlags: 10
    >             AceType: 5
    >               Flags: 3
    >          AccessMask: 32
    >          ObjectType: {AA4E1A6D-550D-4E05-8C35-4AFCB917A9FE}
    > InheritedObjectType: {BF967A86-0DE6-11D0-A285-00AA003049E2}
    >             Trustee: NT AUTHORITY\SELF

    1 ACE(s) found in DC=xxx,DC=com related to BitLocker and TPM

    And the Schema extensions are present:


    Chris

    Friday, May 13, 2016 7:38 PM
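The List-ACEs.vbs output in the post above decodes to exactly the ACE the TechNet guide's Add-TPMSelfWriteACE.vbs creates: AceType 5 is ACCESS_ALLOWED_OBJECT_ACE, AceFlags 0x0A is CONTAINER_INHERIT_ACE plus INHERIT_ONLY_ACE, Flags 3 means both an object type and an inherited object type are present, AccessMask 0x20 is WRITE_PROP, {AA4E1A6D-...} is the schemaIDGUID of the ms-TPM-OwnerInformation attribute and {BF967A86-...} is the computer class, and the trustee is SELF (the computer account writing to its own object). The PowerShell below is an added example, not from the thread and not one of Microsoft's scripts; it re-checks the same three prerequisites (schema, ACE, and what one computer object actually contains) with the ActiveDirectory module from a DC or an RSAT workstation. The computer name LAPTOP01 is a placeholder.

```powershell
# Added example (not from the thread, not Microsoft's Add-TPMSelfWriteACE.vbs/List-ACEs.vbs):
# verify the AD prerequisites for BitLocker recovery and TPM owner-auth backup.
# Needs the ActiveDirectory module (RSAT) and rights to read the domain root ACL.
Import-Module ActiveDirectory
$SampleComputer = 'LAPTOP01'      # placeholder: a machine that already ran the task sequence

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaDN = $rootDse.schemaNamingContext

# 1. Schema extension: the classes/attributes the recovery and TPM owner-auth backups write to.
$required = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid',
            'msFVE-KeyPackage', 'msTPM-OwnerInformation'
foreach ($name in $required) {
    $def = Get-ADObject -SearchBase $schemaDN -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($def) { 'schema OK      : {0} {1}' -f $name, [guid]$def.schemaIDGUID }
    else      { 'schema MISSING : {0}' -f $name }
}

# 2. The inheritable SELF ACE on the domain root: Allow / WriteProperty on the
#    ms-TPM-OwnerInformation attribute, inherited by descendant objects of class computer.
#    These two GUIDs are the well-known schemaIDGUIDs, the same ones the VBS listing shows.
$tpmOwnerInfoGuid  = [guid]'aa4e1a6d-550d-4e05-8c35-4afcb917a9fe'   # ms-TPM-OwnerInformation
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer class
$acl = Get-Acl -Path "AD:\$domainDN"
$selfAce = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
    $_.ObjectType -eq $tpmOwnerInfoGuid -and
    $_.InheritedObjectType -eq $computerClassGuid
}
if ($selfAce) { 'ACE OK         : SELF may write msTPM-OwnerInformation on computer objects' }
else          { 'ACE MISSING    : apply the self-write ACE from the TechNet guide (dd875529)' }

# 3. What one computer object actually holds after deployment: the TPM owner-auth value on the
#    object itself, and msFVE-RecoveryInformation children (one per recovery password).
$comp = Get-ADComputer -Identity $SampleComputer -Properties 'msTPM-OwnerInformation'
if ($comp.'msTPM-OwnerInformation') { 'TPM owner auth : stored on {0}' -f $comp.DistinguishedName }
else                                { 'TPM owner auth : absent on {0}' -f $comp.DistinguishedName }
$keys = @(Get-ADObject -SearchBase $comp.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated, 'msFVE-RecoveryGuid')
'Recovery keys  : {0} msFVE-RecoveryInformation object(s)' -f $keys.Count
foreach ($k in $keys) { '  {0}  {1}' -f $k.whenCreated, [guid]$k.'msFVE-RecoveryGuid' }
```

Step 2 only proves the ACE exists on the domain root with inherit-only semantics; if the computer objects live in an OU whose inheritance is blocked, the ACE never reaches them, so it is worth repeating the Get-Acl on the deployment OU itself.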
  • This really is now seeming like an AD/GPO issue.  I have created a test OU and applied a bare-bones BitLocker GPO:

    When trying to initialize the TPM, I receive the following error:


    Chris

    Friday, May 13, 2016 7:55 PM
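The codes in the logs above are decodable: 0x80072030 wraps Win32 error 8240, ERROR_DS_NO_SUCH_OBJECT, whose message text is "There is no such object on the server" (the same message the BitLocker UI showed); 0x8007054b wraps 1355, ERROR_NO_SUCH_DOMAIN, "The specified domain either does not exist or could not be contacted"; 0x80004005 is the generic E_FAIL that LiteTouch reports once a step has failed. Both directory errors come back from the LDAP operation the TPM owner-authorization backup performs against the computer's own object, so the useful client-side test is whether the machine, acting as itself, can find the domain and that object. The script below is an added example (not from the thread, not MDT's ZTIBde.wsf) for the Windows 7 client; run it as SYSTEM, for instance via psexec -s powershell.exe, so the LDAP bind uses the computer account, the identity the SELF ACE applies to and the one the task sequence runs under.

```powershell
# Added example (not from the thread, not ZTIBde.wsf): client-side checks on the Windows 7 box.
# Run as SYSTEM so that AD access happens as the computer account, like the task sequence.

# 1. Decode the HRESULTs from BDD.log / ZTIBde.log. 0x8007xxxx wraps a Win32 error in the low
#    16 bits; anything else is treated as a plain COM HRESULT.
function ConvertFrom-HResult {
    param([long]$HResult)
    $hr = $HResult -band 0xFFFFFFFF                 # accept -2147016656 and 0x80072030 alike
    if (($hr -band 0xFFFF0000) -eq 0x80070000) {
        $win32 = [int]($hr -band 0xFFFF)
        $text  = (New-Object System.ComponentModel.Win32Exception -ArgumentList $win32).Message
        return '0x{0:X8} = Win32 error {1}: {2}' -f $hr, $win32, $text
    }
    $signed = if ($hr -gt 0x7FFFFFFF) { [int]($hr - 0x100000000) } else { [int]$hr }
    $text = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($signed).Message
    return '0x{0:X8} = {1}' -f $hr, $text
}
-2147016656, -2147467259, 0x8007054b | ForEach-Object { ConvertFrom-HResult $_ }

# 2. Can this machine, as itself, reach the domain and find its own computer object?
#    Failing on the RootDSE bind matches the "Cannot connect to AD DS" symptom; a missing
#    object is what a server-side "no such object" points at.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDN = [string]$rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'msTPM-OwnerInformation'))
$me = $searcher.FindOne()
if (-not $me) { throw "No computer object named $env:COMPUTERNAME`$ under $domainDN" }
$myDN = [string]$me.Properties['distinguishedname'][0]
"Computer object : $myDN"
"TPM owner auth  : " + $(if ($me.Properties.Contains('mstpm-ownerinformation')) { 'stored' } else { 'absent' })

# 3. Recovery objects already under this computer object (the computer account can usually
#    see the child objects; the password attribute itself is normally not readable to it).
$child = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$myDN")
$child.SearchScope = 'OneLevel'
$child.Filter = '(objectClass=msFVE-RecoveryInformation)'
"Recovery objects: " + $child.FindAll().Count

# 4. TPM state as Windows sees it; the owner-authorization step needs an enabled, activated TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm) {
    'TPM enabled/activated/owned: {0}/{1}/{2}' -f $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
} else {
    'TPM             : not visible to Windows (check BIOS/firmware settings)'
}
```

If step 2 succeeds as SYSTEM but the deployment still reports 0x80072030, compare the DN the machine resolves for itself with the one the domain controller returns for the same account: a stale or duplicate computer object in another OU, or DNS pointing the client at a DC that has not yet replicated the freshly joined account, produces "no such object" on the client while the object looks fine in ADUC.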
  • I am going to assume you already made sure the user account you are using has the rights. I am at a loss. I was going to move this over to the Windows 7 forum but, they already bounced you here...

    Friday, May 13, 2016 9:38 PM
  • Interestingly enough, I have come across the following link:

    http://mickitblog.blogspot.com/2016/03/bitlocker-access-is-denied.html

    Based on this, I have taken the following steps:

    1)  Deleted the registry keys indicated

    2)  manually executed the Lenovo-specific VBS script to Enable the Lenovo TPM:

    SetConfig.vbs SecurityChip Active

    3)  Rebooted

    4)  Running an LTI task sequence with 1 action that has the following settings:

    The bitlocker process is currently running without errors, though there is currently no recovery information found in the computer object.  Hoping it will be there when the process finishes or when the laptop reboots again.  I'll reply back again with results just to keep you informed.

    Thanks much for the help so far, Ty.


    Chris

    Friday, May 13, 2016 10:29 PM
  • You might try a deployment OU that doesn't have your bitlocker policies. You should still be able to save the keys to AD.

    Friday, May 13, 2016 10:52 PM
  • Hello Ty,

    Thanks for all of your suggestions.  Don't ask why, but switching to pre-provisioning of BitLocker has resolved the issue.  I made no changes to any GPOs in use or any other modifications.  But now, not only is it working as expected, it's also finishing much more quickly.

    Only had to work around the problem of Windows 7 not understanding the default encryption of WADK 10.1.10586.0 (see https://social.technet.microsoft.com/Forums/en-US/07c809fc-486b-49aa-8df8-70e374d90402/sccm-2012-r2-sp1-preprovision-bitlocker-windows-7-cannot-read-drive-after-reboot?forum=configmanagerosd)

    Again, thanks for your efforts.

    Regards,

    Chris


    Monday, May 16, 2016 2:04 PM
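The resolution above has two parts: encrypt the volume in WinPE before the image is applied (which is why the deployment got faster, since only used space is encrypted and no full-volume pass runs in the OS), then add the real protectors and push the recovery password to AD once the machine is domain-joined. The script below is an added example, not the thread's task sequence and not MDT's own ZTIBde.wsf, showing those two phases as explicit manage-bde calls. Its assumption about the Windows 7 workaround comes from the linked post, which is not reproduced here: WinPE built from ADK 10.1.10586 (1511) defaults manage-bde to XTS-AES, which Windows 7 cannot unlock, so a CBC method is forced explicitly. Drive letter C: and a WinPE image with the PowerShell component are also assumed; without the latter, the two phase-1 lines go in a Run Command Line step.

```powershell
# Added example (not the thread's task sequence, not ZTIBde.wsf): pre-provision in WinPE,
# then add protectors and back the recovery password up to AD in the full OS.
# Assumptions: drive C:, WinPE from ADK 1511 (XTS default that Windows 7 cannot read),
# phase 2 runs domain-joined as SYSTEM so the AD write happens as the computer account.

function Invoke-Bde {
    # Run manage-bde with the given arguments, return its output lines, stop on failure.
    param([string[]]$BdeArgs)
    $out = & manage-bde.exe @BdeArgs 2>&1 | ForEach-Object { [string]$_ }
    if ($LASTEXITCODE -ne 0) {
        throw ("manage-bde {0} failed, exit {1}:`n{2}" -f ($BdeArgs -join ' '), $LASTEXITCODE, ($out -join "`n"))
    }
    return $out
}

# ---- Phase 1, in WinPE: after partitioning, before the OS image is applied ----
# No protector is given, so BitLocker uses a clear key; only used space is encrypted.
# -EncryptionMethod aes256 avoids the XTS default that Windows 7 cannot unlock.
Invoke-Bde @('-on', 'C:', '-UsedSpaceOnly', '-EncryptionMethod', 'aes256')
Invoke-Bde @('-status', 'C:')

# ---- Phase 2, in the full OS: domain-joined, running as SYSTEM ----
# Real protectors: TPM for normal boot, numerical recovery password for the AD backup.
Invoke-Bde @('-protectors', '-add', 'C:', '-TPM', '-RecoveryPassword')

# Find the recovery-password protector ID(s) and back each one up to the computer object;
# this is the same AD write MDT's Enable BitLocker step performs.
$listing = Invoke-Bde @('-protectors', '-get', 'C:', '-Type', 'RecoveryPassword')
$ids = [regex]::Matches(($listing -join "`n"), '(?i)ID:\s*(\{[0-9a-f-]{36}\})') |
       ForEach-Object { $_.Groups[1].Value }
if (-not $ids) { throw 'No recovery password protector found on C:' }
foreach ($id in $ids) { Invoke-Bde @('-protectors', '-adbackup', 'C:', '-id', $id) }

# The phase-1 clear key must be gone for protection to be on; enable protection if the
# status still says otherwise, then list what remains (expect TPM and Numerical Password).
$status = Invoke-Bde @('-status', 'C:')
if (-not ($status -match 'Protection On')) { Invoke-Bde @('-protectors', '-enable', 'C:') }
Invoke-Bde @('-protectors', '-get', 'C:')
```

The -adbackup call depends on the same schema extension and SELF write ACE discussed earlier in the thread, but it writes only to an msFVE-RecoveryInformation child object and does not touch the TPM owner authorization, which is one reason a pre-provisioned flow can succeed where the "Change owner authorization" step did not. A short Get-ADObject query against the computer object from a DC after phase 2 confirms the backup landed.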