BitLocker not activating when imaging with MDT

Hi,

    I have created a TS that installs Windows 10 Pro (1909), a few apps and enables BitLocker; however, the BitLocker step fails. The drive shows up as encrypted, but with an exclamation triangle. The BitLocker Control Panel applet states "Bitlocker waiting for activation". manage-bde -status shows the drive as encrypted:

    The TS step is the default "Enable Bitlocker" one as follows:

    And my customsettings.ini contains the following BitLocker related parameters:

    SkipBitLocker=NO
    SkipSummary=YES
    SkipFinalSummary=NO
    
    ' Bitlocker Configuration
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=3000
    BDEInstall=TPM
    BDERecoveryKey=AD
    OSDBitLockerWaitForEncryption=TRUE


    AD has been configured to store BitLocker recovery keys (not tested, as deployment with BitLocker won't work!!)

    Deployment shows an error in the final step stating "verify %OSSKU% is defined.", but I don't think this is related to BitLocker (not sure what this is about as no logs, but happy to ignore as it's not causing any issues)

    A GPO has been configured with the following settings:

    • Choose how BitLocker-protected operating system drives can be recovered:
    • Allow data recovery agent
    • Do not enable Bitlocker until recovery information is stored in AD DS for OS drives
    • Configure TPM platform validation profile for BIOS-Based firmware configuration
    • Configure TPM platform validation profile for (Windows Vista, Windows Server 2008, Windows 7 Windows Server 2008 R2)
    • Configure TPM platform validation profile for native UEFI Firmware configurations

    I also ran the Add-TPMSelfWriteACE.vbs script located at: http://go.microsoft.com/fwlink/?LinkId=167133

    I added a Command Line step with the following: powershell.exe -command "& {(Get-WMIObject -Namespace root/cimv2/Security/MicrosoftTPM -class Win32_TPM).SetPhysicalPresenceRequest(10)}" after reading https://social.technet.microsoft.com/Forums/azure/en-US/af57538f-a0b9-4418-a626-be29af0991b3/bitlocker-not-activating-when-imaging-with-mdt?forum=mdt, but this does not work.

    Now I'm completely stuck!


    Tuesday, March 10, 2020 10:40 AM

All replies

  • Fixed! The "verify %OSSKU% is defined" failure is due to BitLocker pre-checks failing. In my case, using the Pro (Education) version of Windows 10 (an SKU newer than the ZTIBde.wsf file in the Scripts directory in the deployment share) was the cause. To work around this, I commented out the following check section from the ZTIBde.wsf file:

    '//----------------------------------------------------------------------------
    '//  Check to see if BDE is supported in this OS
    '//----------------------------------------------------------------------------

    '// Check to see if we are running Vista or later and exit if we are not
    '//If iOSCVMajor < 6 Then
    '//    oLogging.CreateEntry "Bitlocker is not supported on this version of Windows", LogTypeInfo
    '//    Main = iRetVal
    '//    Exit Function
    '// Check to see if the SKU supports Bitlocker
    '//ElseIf not oUtility.IsHighEndSKU then
    '//    oLogging.CreateEntry "Bitlocker is only supported on Windows Enterprise or Windows Ultimate or Windows Server", LogTypeInfo
    '//    Main = iRetVal
    '//    Exit Function
    '//Else
    '//    oLogging.CreateEntry "We are running a OS that supports BitLocker", LogTypeInfo
    '//End if

    BitLocker activates fine and stores its recovery key in AD.

    There's probably a more elegant way of doing this (i.e. adding your unsupported SKU!), but this works for now!
    • Proposed as answer by JiteshKumar Wednesday, March 11, 2020 2:41 PM
    Tuesday, March 10, 2020 11:27 AM
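Added example (not part of the thread, and not MDT's own code): once the SKU check in ZTIBde.wsf is bypassed, the "Enable BitLocker" step is no longer refused on editions the script did not recognise, so it is worth verifying the end state on the deployed machine rather than trusting the green tick. The "waiting for activation" state the question describes is a volume that is encrypted but whose protection is off, so it unlocks without any TPM or recovery protector and is effectively unprotected. The script below (BitLocker and TrustedPlatformModule modules, elevated session, Windows 10) reports that condition and, with -Remediate, adds a TPM protector and a recovery password, escrows the password to AD DS (which still depends on the "store recovery information in AD DS" GPO from the thread) and resumes protection. The OS drive being $env:SystemDrive is an assumption.

```powershell
<#
  Added example, not from the original thread or from MDT.
  Detects an OS volume left "waiting for activation" (encrypted, protection Off,
  no TPM or recovery-password protector) and optionally remediates it.
  Assumes: BitLocker + TrustedPlatformModule modules, elevated session,
  OS volume at $env:SystemDrive, AD DS recovery-key escrow enabled by GPO.
#>
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,   # assumption: OS drive is the system drive
    [switch]$Remediate
)

function Get-OsVolumeProtectionState {
    param([string]$MountPoint)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus  = $vol.ProtectionStatus    # On / Off
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectorTypes    = $types
        # "Waiting for activation": data is encrypted on disk, but protection is Off and
        # there is neither a TPM nor a recovery-password protector, so the volume
        # unlocks with no authentication at all.
        WaitingForActivation = ($vol.ProtectionStatus -eq 'Off' -and
                                $types -notcontains 'Tpm' -and
                                $types -notcontains 'RecoveryPassword')
    }
}

function Repair-OsVolumeProtection {
    param([string]$MountPoint)

    # A TPM protector only makes sense when the TPM is present and provisioned.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not present or not ready; resolve TPM state before adding a TPM protector."
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Escrow every recovery password to AD DS before turning protection on, so a
    # recovery never depends on a key that only exists on the machine.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Resuming protection removes the clear key; from now on the TPM (or the
    # recovery password) is required to unlock the volume.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

$state = Get-OsVolumeProtectionState -MountPoint $MountPoint
$state | Format-List

if ($state.WaitingForActivation) {
    Write-Warning "$MountPoint is encrypted but waiting for activation: no TPM/recovery protector, protection Off."
    if ($Remediate) {
        Repair-OsVolumeProtection -MountPoint $MountPoint
        Get-OsVolumeProtectionState -MountPoint $MountPoint | Format-List
    }
} elseif ($state.ProtectionStatus -ne 'On') {
    Write-Warning "$MountPoint has protectors but protection is Off (suspended?); check with 'manage-bde -status'."
} else {
    Write-Host "$MountPoint is encrypted and protection is On."
}
```

Run it once without -Remediate as a post-deployment check (for example from a final TS step or a login script) and compare the output with manage-bde -status; the escrow step is what lets you confirm in AD that the recovery password actually arrived, which the thread could not test while the step was failing.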