BitLocker on Windows 10 1803

    Question

  • I tried to enable BitLocker on a newly installed Windows 10 1803 notebook.
    GPO is set to use the TPM module and store the recovery key in Active Directory. This works fine with Windows 10 1703 and Windows 10 1709 but fails on the newly released Windows 10 1803.

    It now complains about the AD Schema and cancels the encryption.

    Thursday, May 3, 2018 10:52 AM

All replies

  • Same issue on my side, working with 1703 and 1709 but not with 1803.

    We should wait for new .admx files related to version 1803 to make it fully compatible.

    Thursday, May 3, 2018 12:34 PM
  • I've just encountered this too.

    Just currently rolled back with the new DISM command

    DISM /Online /Initiate-OSUninstall 

    Took a couple of minutes, but I can now encrypt again and then apply the update. 

    Thursday, May 3, 2018 2:33 PM
  • SOLVED: Install the new administrative template files TPM.admx and TPM.adml from the new Windows 1803 image into your AD.

    - Mount the image using the DISM tool. (The image file can be found at sources\install.wim on the 1803 ISO.)

    - The .admx and .adml files can be found in mountdir\windows\policydefinitions.

    - Install them as you would any administrative template, into contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions.


    Friday, May 4, 2018 12:34 PM
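    Added example (not from the thread) of the steps above as a script: it mounts the 1803 install.wim read-only, copies TPM.admx and every language-specific TPM.adml into the SYSVOL central store, and verifies the copies by hash before dismounting. The ISO drive letter, mount directory, image index and central store path are assumptions; run it elevated on a machine with the DISM PowerShell module.

```powershell
# Added example, not the poster's own commands. Paths and image index are assumptions.
$IsoRoot      = 'D:\'                                    # mounted 1803 ISO (assumption)
$Wim          = Join-Path $IsoRoot 'sources\install.wim'
$MountDir     = 'C:\Mount1803'
$CentralStore = '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
$Templates    = @('TPM')                                 # template base names to refresh

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
# Index 1 is an assumption; list editions with: Get-WindowsImage -ImagePath $Wim
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $MountDir -ReadOnly | Out-Null
try {
    $src    = Join-Path $MountDir 'Windows\PolicyDefinitions'
    $copied = @()   # (source, destination) pairs to verify before dismount
    foreach ($name in $Templates) {
        $admx = Join-Path $src "$name.admx"
        if (-not (Test-Path $admx)) { throw "$admx not found in the mounted image" }
        Copy-Item $admx -Destination $CentralStore -Force
        $copied += ,@($admx, (Join-Path $CentralStore "$name.admx"))
        # .adml files live in per-language subfolders (e.g. en-US); copy each one present
        foreach ($langDir in Get-ChildItem $src -Directory) {
            $adml = Join-Path $langDir.FullName "$name.adml"
            if (Test-Path $adml) {
                $dest = Join-Path $CentralStore $langDir.Name
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
                Copy-Item $adml -Destination $dest -Force
                $copied += ,@($adml, (Join-Path $dest "$name.adml"))
            }
        }
    }
    # Verify: the central store copy must be byte-identical to the image file
    foreach ($pair in $copied) {
        $a = (Get-FileHash $pair[0]).Hash
        $b = (Get-FileHash $pair[1]).Hash
        if ($a -ne $b) { throw "Hash mismatch for $($pair[1])" }
        Write-Host "OK  $($pair[1])"
    }
} finally {
    # -Discard because the image was mounted read-only and nothing should be saved
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```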
  • Updating the admx files does not seem to help here. I still get the same error.
    Monday, May 7, 2018 8:16 AM
  • Hi,

    We haven’t heard from you for a couple of days, have you solved the problem?  

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 11, 2018 6:30 AM
    Moderator
  • There is a post on Reddit where others have confirmed that if a domain account that is a member of the local Administrators group is used, the information is stored correctly. The user does not need to be a domain administrator.

    https://www.reddit.com/r/sysadmin/comments/8i6v32/bitlocker_with_adstored_keys_broken_on_new_1803/ 

    Friday, May 11, 2018 9:07 AM
  • I have been experiencing this same problem with Windows 10 1803, latest ADK. I can enable BitLocker when using a domain user account as suggested by Linkazoid; however, I would like to know if anyone has any other solutions to continue to use a local account?

    How have people integrated using a domain account for bitlocker into their TS? 


    Thursday, May 17, 2018 3:36 PM
  • Is there still no fix for this yet?
    Tuesday, June 5, 2018 6:26 AM
  • Works here without needing to change anything. Win10 1803, Server 2016 AD.
    Tuesday, June 5, 2018 7:00 AM
  • Works here without needing to change anything. Win10 1803, Server 2016 AD.
    Well, that's great for you... meanwhile the rest of us with the problem are still looking for an answer.
    Tuesday, June 5, 2018 12:59 PM
  • Bump.

    We are having the same issue here with Windows 1803. BitLocker will not activate through the MDT task sequence. Instead we have to log in with a domain account (with local admin access) and manually enable it. We have already updated the .adml and .admx files on the domain.


    MCITP Windows 7 Enterprise Administrator

    Tuesday, July 10, 2018 2:16 PM
  • Updating the admx files does not seem to help here. I still get the same error.

    Hi

    Go to the BIOS and disable the TPM. Then, in Windows, open a command prompt and enter the following commands:
    set devmgr_show_nonpresent_devices=1
    start devmgmt.msc
    In the Hidden Device View of the Device Manager, find the TPM device and delete it. Restart and go to the BIOS and re-enable the TPM. Restart Windows. Give Windows a chance to reinstall the TPM device. You should now be able to activate the bitlocker again.

    Momominta

    Wednesday, July 11, 2018 12:29 AM
  • Updating the admx files does not seem to help here. I still get the same error.


    Hi

    Go to the BIOS and disable the TPM. Then, in Windows, open a command prompt and enter the following commands:
    set devmgr_show_nonpresent_devices=1
    start devmgmt.msc
    In the Hidden Device View of the Device Manager, find the TPM device and delete it. Restart and go to the BIOS and re-enable the TPM. Restart Windows. Give Windows a chance to reinstall the TPM device. You should now be able to activate the bitlocker again.

    Momominta

    Thank you, but this isn't really a suitable solution in a production environment. This worked fine before 1803.


    MCITP Windows 7 Enterprise Administrator

    Wednesday, July 11, 2018 8:34 AM
  • I have the same issue... been working on it steady for 3 days now.

    I have narrowed it down to this:
    The error only occurs on Intel 8th Gen CPUs. We deploy BitLocker using GPO only, and save the recovery information in AD. It works great on both Win10 1803 and 1709, as long as the PC has a 7th/6th etc. Gen CPU.

    I can enable BitLocker manually on my 8th Gen machines, and then it works fine; it saves the recovery information in AD and everything. But no matter what I do, I cannot get the GPO to enable it and save the AD info automatically on an 8th Gen.

    Wednesday, July 11, 2018 11:50 AM
  • Hi there,

    We're using a script to activate BitLocker during automated setup. As with you, everything worked prior to v1803.
    Our script now temporarily adds a domain user to the group of local admins, activates BitLocker, and then reverts the changes.

    a hopefully helpful code snippet:

    [...]
    # activate BitLocker, store key in AD
    # a real pain since win 10 v1803 ...
    $ScriptPath = "C:\bitlocker.ps1"
    $secretPIN = "foo"
    $password = "bar"
    net localgroup "Administrators" /add "DOMAIN\someUSER"
    sleep 2
    # create script file
    $ScriptValue = 'manage-bde -off c:;
    manage-bde -on c: -EncryptionMethod aes256 -SkipHardwareTest -UsedSpaceOnly -TPMandPIN ' + "$secretPIN" + ' -RecoveryPassword;'
    Set-Content -Path $ScriptPath -Value $ScriptValue
    $cred = New-Object System.Management.Automation.PsCredential("DOMAIN\someUSER", (ConvertTo-SecureString $password -AsPlainText -Force))
    # command line arguments
    $ArgList = 'Start-Process -FilePath powershell.exe -ArgumentList \"-ExecutionPolicy Bypass -File "{0}"\" -Verb Runas' -f $ScriptPath
    # deactivate UAC prompt for admins
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    # launch elevated process using different credentials
    Start-Process -FilePath powershell.exe -Credential $cred -ArgumentList $ArgList -Wait -NoNewWindow -WorkingDirectory C:\
    # re-activate UAC prompt for admins
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
    # clean up
    net localgroup "Administrators" /delete "DOMAIN\someUSER"
    Remove-Item -path $ScriptPath -force
    [...]

    cheers!


    Wednesday, July 11, 2018 12:43 PM
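    Added example, not the script posted above: a task-sequence step that enables BitLocker with TPM+PIN, adds a recovery password protector, explicitly escrows it to AD DS with Backup-BitLockerKeyProtector, and exits non-zero if the escrow fails, so a machine is never left encrypted with no key in AD. It does not hard-code a domain password or change the UAC policy, and it does not work around the 1803 behaviour discussed in this thread; it only makes the failure visible. The PIN source and the optional RSAT check are assumptions.

```powershell
# Added example (not the poster's script). Run elevated; BitLocker module required.
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'
# Placeholder: in a real TS the PIN comes from a task-sequence variable, never a literal
$securePin  = ConvertTo-SecureString 'PIN-FROM-TS-VARIABLE' -AsPlainText -Force

$vol = Get-BitLockerVolume -MountPoint $MountPoint
# 1. Recovery password protector first, so it exists before encryption starts
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
# 2. TPM+PIN protector and encryption (used-space-only, as in the thread's manage-bde call)
if ($vol.ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -SkipHardwareTest -TpmAndPinProtector -Pin $securePin | Out-Null
}
# 3. Explicit escrow of every recovery password protector to AD DS
try {
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
} catch {
    # This is where the AD schema / permission error from this thread would surface.
    Write-Error "Recovery password was NOT escrowed to AD DS: $($_.Exception.Message)"
    exit 1
}
# 4. Optional independent check (assumes the RSAT ActiveDirectory module is present):
#    an msFVE-RecoveryInformation object named "<timestamp>{<protector GUID>}" must exist
#    under this computer's account.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dn  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $ids = $rp | ForEach-Object { $_.KeyProtectorId }
    $found = Get-ADObject -SearchBase $dn -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
             Where-Object { $n = $_.Name; $ids | Where-Object { $n -like "*$_*" } }
    if (-not $found) {
        Write-Error "No msFVE-RecoveryInformation object for this volume found under $dn"
        exit 1
    }
}
Write-Host "BitLocker enabled on $MountPoint and recovery password escrowed to AD DS."
```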
  • Hi, is the $password the password for the domain user?
    Friday, August 10, 2018 11:05 PM
  • Hi, is the $password the password for the domain user?

    yes, it is.

    Wednesday, August 15, 2018 11:24 AM