BitLocker on Windows 10 1803

    Question

  • I tried to enable BitLocker on a newly installed Windows 10 1803 notebook.
    GPO is set to use the TPM module and store the recovery key in Active Directory. This works fine with Windows 10 1703 and Windows 10 1709 but fails on the newly released Windows 10 1803.

    It now complains about the AD Schema and cancels the encryption.

    Thursday, May 03, 2018 10:52 AM

All replies

  • Same issue on my side, working with 1703 and 1709 but not with 1803.

    We should wait for new .admx files related to version 1803 to make it fully compatible.

    Thursday, May 03, 2018 12:34 PM
  • I've just encountered this too..

    Just currently rolled back with the new DISM command

    DISM /Online /Initiate-OSUninstall 

    Took a couple of minutes, but I can now encrypt again and then apply the update. 

    Thursday, May 03, 2018 2:33 PM
  • SOLVED : Install new administrative template files TPM.admx and TPM.adml from the new windows 1803 image to your AD.

    - Mount the image using the DISM tool (the image file can be found at sources\install.wim on the 1803 ISO).

    - The .admx and .adml files can be found in mountdir\windows\policydefinitions

    - Install them as you would any administrative template, into contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions


    Friday, May 04, 2018 12:34 PM
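    The steps in the post above, written out as one script. This is an added example, not code from the thread: it mounts the 1803 install.wim read-only, reports which templates actually differ from the central store (so you can tell whether TPM.admx really changed, which matters given later replies saying the update did not help), copies the .admx and .adml files in, and unmounts. Assumptions: the 1803 ISO is mounted as drive D:, C:\Mount\1803 is a free scratch directory, en-US is the language in use, and the central store is the contoso.com path named in the post.

```powershell
# Added example (not from the post): refresh the GPO central store with the PolicyDefinitions
# shipped in the 1803 install.wim. Assumptions: the 1803 ISO is mounted as drive D:, C:\Mount\1803
# is a free scratch directory, en-US is the language in use, and the central store path is the
# contoso.com one named in the post. Run elevated with rights to write to SYSVOL.
#Requires -RunAsAdministrator
$Wim          = 'D:\sources\install.wim'
$MountDir     = 'C:\Mount\1803'
$CentralStore = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
$Lang         = 'en-US'

# install.wim usually carries several editions; pick Enterprise, fall back to index 1
$image = Get-WindowsImage -ImagePath $Wim | Where-Object ImageName -like '*Enterprise*' | Select-Object -First 1
$index = if ($image) { $image.ImageIndex } else { 1 }

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $index -Path $MountDir -ReadOnly | Out-Null
try {
    $src = Join-Path $MountDir 'Windows\PolicyDefinitions'

    # keep a copy of the current store so a bad template set can be rolled back
    $backup = "$env:TEMP\PolicyDefinitions-backup-$(Get-Date -Format yyyyMMdd-HHmmss).zip"
    Compress-Archive -Path "$CentralStore\*" -DestinationPath $backup
    Write-Host "Central store backed up to $backup"

    # report which templates actually change; TPM.admx is the one the post is about
    $changed = foreach ($f in Get-ChildItem -Path $src -Filter *.admx) {
        $dst = Join-Path $CentralStore $f.Name
        if (-not (Test-Path $dst) -or
            (Get-FileHash $dst).Hash -ne (Get-FileHash $f.FullName).Hash) { $f.Name }
    }
    Write-Host ("Templates that differ from the store: {0}" -f ($changed -join ', '))

    Copy-Item -Path "$src\*.admx" -Destination $CentralStore -Force
    New-Item -ItemType Directory -Path "$CentralStore\$Lang" -Force | Out-Null
    Copy-Item -Path "$src\$Lang\*.adml" -Destination "$CentralStore\$Lang" -Force
}
finally {
    # -Discard: nothing was written to the image, so there is nothing to save
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}

# sanity check: both halves of the TPM template must now be present in the store
foreach ($p in "$CentralStore\TPM.admx", "$CentralStore\$Lang\TPM.adml") {
    if (-not (Test-Path $p)) { throw "Missing $p" }
}
```

    If the "Templates that differ" line does not list TPM.admx, the store already had the 1803 version and replacing templates is not going to change anything on the clients.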
  • Updating the admx files does not seem to help here. I still get the same error.
    Monday, May 07, 2018 8:16 AM
  • Hi,

    We haven’t heard from you for a couple of days, have you solved the problem?  

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 11, 2018 6:30 AM
    Moderator
  • There is a post on reddit where others have confirmed that if using a domain account which is a member of the local administrators group then the information is stored correctly. The user does not need to be a domain administrator.

    https://www.reddit.com/r/sysadmin/comments/8i6v32/bitlocker_with_adstored_keys_broken_on_new_1803/ 

    Friday, May 11, 2018 9:07 AM
  • I have been experiencing this same problem with Windows 10 1803, latest ADK. I can enable bitlocker when using a domain user account as suggested by Linkazoid however would like to know if anyone has any other solutions to continue to use a local account?

    How have people integrated using a domain account for bitlocker into their TS? 


    • Edited by KyleITW Thursday, May 17, 2018 3:36 PM
    Thursday, May 17, 2018 3:36 PM
  • Is there still no fix for this yet?
    Tuesday, June 05, 2018 6:26 AM
  • Works here without needing to change anything. Win10 1803, Server 2016 AD.
    Tuesday, June 05, 2018 7:00 AM
  • Works here without needing to change anything. Win10 1803, Server 2016 AD.
    Well thats great for you... meanwhile the rest of us with the problem are still looking for an answer.
    Tuesday, June 05, 2018 12:59 PM
  • Bump.

    We are having the same issue here with Windows 1803. BitLocker will not activate through the MDT task sequence. Instead we have to log in with a domain account (with local admin access) and manually enable it. We have already updated the adml and admx files on the domain.


    MCITP Windows 7 Enterprise Administrator

    Tuesday, July 10, 2018 2:16 PM
  • Updating the admx files does not seem to help here. I still get the same error.

    Hi

    Go to the BIOS and disable the TPM. Then, in Windows, open a command prompt and enter the following commands:
    set devmgr_show_nonpresent_devices=1
    Start devmgmt.msc
    In the Hidden Device View of the Device Manager, find the TPM device and delete it. Restart and go to the BIOS and re-enable the TPM. Restart Windows. Give Windows a chance to reinstall the TPM device. You should now be able to activate the bitlocker again.

    Momominta

    Wednesday, July 11, 2018 12:29 AM
  • Updating the admx files does not seem to help here. I still get the same error.


    Hi

    Go to the BIOS and disable the TPM. Then, in Windows, open a command prompt and enter the following commands:
    set devmgr_show_nonpresent_devices=1
    Start devmgmt.msc
    In the Hidden Device View of the Device Manager, find the TPM device and delete it. Restart and go to the BIOS and re-enable the TPM. Restart Windows. Give Windows a chance to reinstall the TPM device. You should now be able to activate the bitlocker again.

    Momominta

    Thank you, but this isn't really a suitable solution in a production environment. This worked fine before 1803.


    MCITP Windows 7 Enterprise Administrator

    • Proposed as answer by ITeasy Wednesday, July 11, 2018 12:37 PM
    • Unproposed as answer by ITeasy Wednesday, July 11, 2018 12:37 PM
    Wednesday, July 11, 2018 8:34 AM
  • I have the same issue... been working on it steady for 3 days now.

    I have narrowed it down to this:
    The error only occurs on Intel 8th Gen CPUs. We deploy BitLocker using GPO only, and save recovery information in AD. It works great on both Win10 1803 and 1709, as long as the PC has a 7th/6th etc. Gen CPU.

    I can enable BitLocker manually on my 8th Gen machines, and then it works fine, it saves the recovery information in AD and everything, but no matter what I do, I cannot get the GPO to enable and save AD info automatically on a 8th Gen

    Wednesday, July 11, 2018 11:50 AM
  • hi there,

    we're using a script to activate BitLocker during automated setup. as with you, everything worked prior to v1803.
    our script now temporarily adds a domain user to the group of local admins, activates BitLocker, and then reverts the changes.

    a hopefully helpful code snippet:

    [...]
    # activate BitLocker, store key in AD
    # a real pain since win 10 v1803 ...
    $ScriptPath = "C:\bitlocker.ps1"
    $secretPIN = "foo"      # TPM+PIN value written into the temporary script file
    $password = "bar"       # plaintext password of DOMAIN\someUSER, kept in this deployment script
    # temporarily make the domain user a local administrator
    net localgroup "Administrators" /add "DOMAIN\someUSER"
    Start-Sleep -Seconds 2
    # create script file: turn BitLocker off (in case it is already on), then enable it with TPM+PIN and a recovery password
    $ScriptValue = 'manage-bde -off c:;
    manage-bde -on c: -EncryptionMethod aes256 -SkipHardwareTest -UsedSpaceOnly -TPMandPIN ' + "$secretPIN" + ' -RecoveryPassword;'
    Set-Content -Path $ScriptPath -Value $ScriptValue
    $cred = New-Object System.Management.Automation.PsCredential("DOMAIN\someUSER", (ConvertTo-SecureString $password -AsPlainText -Force))
    # command line arguments: the PowerShell started as the domain user launches a second, elevated PowerShell that runs the script file
    $ArgList = 'Start-Process -FilePath powershell.exe -ArgumentList \"-ExecutionPolicy Bypass -File "{0}"\" -Verb Runas' -f $ScriptPath
    # deactivate UAC prompt for admins (0 = elevate without prompting), so -Verb Runas does not block on a consent dialog
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    # launch process using different credentials; -Credential alone does not elevate, hence the nested Start-Process with -Verb Runas
    Start-Process -FilePath powershell.exe -Credential $cred -ArgumentList $ArgList -Wait -NoNewWindow -WorkingDirectory C:\
    # re-activate UAC prompt for admins (5 = prompt for consent for non-Windows binaries, the default)
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
    # clean up: drop the temporary admin membership and delete the script file, which contains the PIN
    net localgroup "Administrators" /delete "DOMAIN\someUSER"
    Remove-Item -path $ScriptPath -force
    [...]

    cheers!


    • Proposed as answer by ITeasy Wednesday, July 11, 2018 12:44 PM
    • Edited by ITeasy Wednesday, July 11, 2018 12:45 PM
    Wednesday, July 11, 2018 12:43 PM
    Hi, is $password the password for the domain user?
    Friday, August 10, 2018 11:05 PM
    Hi, is $password the password for the domain user?

    yes, it is.

    Wednesday, August 15, 2018 11:24 AM
  • Hello,

    There is a known issue with this; I will post when a fix is available.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, August 24, 2018 9:08 PM
  • Hello,

    There is a known issue with this; I will post when a fix is available.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.


    is it a documented case? anything we can follow apart from this thread?
    Monday, August 27, 2018 11:39 AM
  • Any ETA on a fix or work around?
    Tuesday, September 04, 2018 5:56 PM
  • I would also like to see an official fix on this.
    Sunday, September 09, 2018 7:51 PM
  • Hello,

    I don't have an update on the timeline for a fix yet, I will post when it's available.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, September 10, 2018 11:01 PM
  • Lenovo T480s on 1803 and having trouble encrypting with Group Policy (new .admx templates have been loaded), Secure boot/UEFI set in BIOS. 

    +1 for the fix
    Thursday, September 13, 2018 5:53 PM
  • Same issue here. 
    Using Lenovo X1 carbon 6th gen
    Monday, September 17, 2018 1:42 PM
  • https://borncity.com/win/2018/07/02/windows-10-v1803-no-bitlocker-recovery-backup-in-ad/

    That link holds info about it. It should only happen if you use a local account (instead of the system account or a domain account) for BL activation AND at the same time use GPOs that require AD key backup.

    Please verify and confirm.

    Tuesday, September 18, 2018 7:22 AM
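    The condition described above (BitLocker enabled from a local account while GPO requires AD key backup) is easy to hit from a task sequence and hard to notice, because the drive still encrypts; only the AD copy of the recovery password is missing. The following is an added example, not code from the thread or from any of the posters: it enables BitLocker with a TPM protector and a recovery password, calls Backup-BitLockerKeyProtector for the recovery password explicitly rather than relying on the GPO-triggered backup, and then checks from the AD side that an msFVE-RecoveryInformation object with the matching protector GUID exists under the computer object. Assumptions: run elevated on a domain-joined machine, the AD schema already carries the msFVE-RecoveryInformation class, the ActiveDirectory (RSAT) module is installed, and the account running the check is permitted to read the computer's recovery objects. Function names are illustrative.

```powershell
# Added example, not code from the thread: enable BitLocker on the OS drive with TPM + recovery
# password, push the recovery password to AD explicitly, then confirm from the AD side.
# Assumptions: run elevated on a domain-joined machine; the AD schema already has the
# msFVE-RecoveryInformation class; the ActiveDirectory (RSAT) module is present and the caller
# may read the computer's recovery objects. Function names are illustrative.
#Requires -RunAsAdministrator

function Enable-BitLockerWithAdBackup {
    param([string]$MountPoint = 'C:')

    # A TPM protector cannot be added while the TPM is not ready (disabled in firmware, owned by
    # another OS, etc.); fail early with a clear message instead of a generic manage-bde error
    if (-not (Get-Tpm).TpmReady) { throw "TPM is not ready; check the BIOS/UEFI settings" }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -SkipHardwareTest -TpmProtector -ErrorAction Stop | Out-Null
    }

    # The recovery password protector is what gets stored in AD; add one if it is missing
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Explicit backup of every recovery password protector to the computer object in AD
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId `
            -ErrorAction Stop | Out-Null
    }
    return $rp.KeyProtectorId
}

function Test-BitLockerAdBackup {
    param([Parameter(Mandatory)][string[]]$KeyProtectorId)

    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    # Recovery objects are children of the computer object; their CN is "<timestamp>{<protector GUID>}"
    $stored = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated

    foreach ($id in $KeyProtectorId) {
        $match = $stored | Where-Object { $_.Name -like "*$id" }
        [pscustomobject]@{
            KeyProtectorId = $id
            StoredInAD     = [bool]$match
            StoredAt       = if ($match) { $match.whenCreated } else { $null }
        }
    }
}

$ids    = Enable-BitLockerWithAdBackup -MountPoint 'C:'
$result = Test-BitLockerAdBackup -KeyProtectorId $ids
$result | Format-Table -AutoSize
# Treat a missing AD copy as a build failure rather than a warning
if ($result.StoredInAD -contains $false) {
    throw "At least one recovery password is not stored in AD; do not release this machine"
}
```

    Used as the last step of a task sequence, the throw makes the missing-backup case fail the build visibly instead of producing an encrypted machine whose recovery password exists only on the local disk.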
  • https://borncity.com/win/2018/07/02/windows-10-v1803-no-bitlocker-recovery-backup-in-ad/

    That link holds info about it. It should only happen if you use a local account (instead of the system account or a domain account) for BL activation AND at the same time use GPOs that require AD key backup.

    Please verify and confirm.


    That is indeed our build process as we use MDT for deployment & AD recovery key storage.



    MCITP Windows 7 Enterprise Administrator

    Tuesday, September 25, 2018 9:17 AM
  • Hello

    The fix should be in this release

    https://support.microsoft.com/en-us/help/4464217/september172018kb4464217osbuild16299666 


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, September 25, 2018 7:38 PM
  • That KB is for 1709 but hey ho.

    I have an up to date 1803 and cannot bitlocker with built-in local admin

    and yes I have the Sept cumulative installed...

    Tuesday, October 02, 2018 6:31 PM
  • Hello,

    Here is the link to the 1803 article, this is post Sept cumulative.

    https://support.microsoft.com/en-us/help/4458469/windows-10-update-kb4458469


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, October 02, 2018 7:31 PM
  • September 26, 2018—KB4458469 (OS Build 17134.320)
    Note:  This update has been re-released because of a missing solution. If you installed build 17134.319, please install this newer version of OS build 17134.320.
    Improvements and fixes includes: Addresses an issue that occurs when enabling BitLocker from a local administrator account.


    Carey Frisch

    Tuesday, October 02, 2018 8:01 PM
    Moderator
  • Hi Christopher

    Take a look at this article


    Momominta

    Tuesday, October 02, 2018 10:35 PM