MDT/Bitlocker Win7 two partitions, 1 TPM, 1 KEY - not working

  • Question

  • Hi,

    Now it's my turn to ask you all for any advice regarding a problem I experience at a customer where I've configured a new MDT environment which deploys Windows 7 Enterprise in combination with Bitlocker.

    BitLocker is supposed to store the recovery keys in Active Directory, and although that works perfectly, it encrypts only one of the two designated partitions. Perhaps I'm overlooking something obvious here.

    I have set up my MDT environment as follows:

    [Settings]
    Priority=ByLaptop, ByDesktop, Model, Default
    Properties=MDTStatus
    
    [ByLaptop]
    subsection=Laptop-%IsLaptop%
    
    [Bydesktop]
    subsection=Desktop-%IsDesktop%
    
    [VMware Virtual Platform]
    TaskSequenceID=OSD001
    OSDComputerName=WIN7VDI
    
    [Desktop-True]
    OSDComputerName=DT-%SerialNumber%
    
    [Laptop-True]
    DoNotCreateExtraPartition=YES
    TaskSequenceID=OSD002
    OSDComputerName=LAP-%SerialNumber%
    Administrators001=Local_Admins
    
    ; Domain Join Information
    JoinDomain=xxxx
    DomainAdmin=ZZDomainJoin
    DomainAdminDomain=xxxx
    DomainAdminPassword=xxxx
    MachineObjectOU=OU=Laptop,OU=Workstations,OU=xxxx,DC=xxxx,DC=elan
    
    ; Bitlocker Information
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEDriveLetter=S:
    BDEDriveSize=500
    BDEKeyLocation=\\xxxx003\BitLockerKey$
    ; BDERecoveryKey=AD
    ; BDEWaitForEncryption=False

    And configured my task sequence like this:

    • Configure Bitlocker - TPM (Operating System Drive)
    • Set TS Variable - BDEInstall=KEY
    • Set TS Variable - OSDBitLockerTargetDrive=D:
    • Configure Bitlocker - Key (D: Drive)

    In between are the two TS variables for drive D:, followed by another Configure Bitlocker step, which configures BitLocker for a specific drive (D:) and also stores this recovery key in Active Directory.

    This results in the following: not even a single encrypted partition?

    When I look in my bdd.log I see the following:

    As we can see above, ZTIBDE.wsf checks whether the TPM is enabled and activated, and says it is; however, one line later it states whether the TPM is enabled and says FALSE (in Dutch).

    But I know for sure that the TPM is enabled and activated; Dell CCTK echoes this back to me. After that I do a reboot to make sure the changes are in effect before BitLocker is even configured.

    Here is the link to my bdd.log and smsts.log: https://onedrive.live.com/redir?resid=5BB81623DAF90351!50214&authkey=!AGcIlXVhFexoQ3M&ithint=folder%2clog

    And the strange part of it all is that the customer has a pre-existing MDT environment configured identically to what I have described above, with the same BitLocker properties and rules in their customsettings.ini.

    The only difference is they use a database to store these values in, and I use customsettings.ini. And with their deployment finished, I have two nicely encrypted drives.

    And lastly, since I'm currently testing, I'm deploying from a USB boot stick. When the stick is still attached to the laptop, I see the following message: "Configuring BitLocker Drive Encryption on computers with more than 1 pre-existing partition is not supported in this version."

    Any help, good suggestion or guidance in the right direction would be much appreciated.

    Many thanks :)

    Cheers! Rens


    If this post is helpful please click "Mark for answer", thanks! Kind regards


    Tuesday, February 17, 2015 2:52 PM

Answers

  • Some things.

    1. What no uEFI? I'm hurt.

    2. Multi-partition configurations are difficult (I dislike them). See https://keithga.wordpress.com/2014/07/20/creating-a-second-large-partition-on-a-single-drive-machine/
    Your disk configuration in the MDT task sequence is tricking MDT into *NOT* creating the correct BDE partition, hence the reboot between BDE steps. I would revert the Format and Partition Disk step back to a single partition, change the size of the first partition to 80GB, and then later run a simple diskpart script: "sel disk 0, create part pri, format fs=NTFS label=Data quick, assign letter=D"

    3. Sorry, I don't think the TPM is actually enabled on the machine. Check with the following powershell script:

    # Win32_Tpm lives in its own WMI namespace; no instance at all means the TPM is off in firmware
    $tpm = gwmi Win32_Tpm -Namespace "root\cimv2\Security\MicrosoftTpm"
    $tpm.IsEnabled()      # returns an object carrying an IsEnabled boolean
    $tpm.IsActivated()    # returns an object carrying an IsActivated boolean
    $tpm | fl *           # dump every property for comparison with bdd.log


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Tuesday, February 24, 2015 8:21 AM
    Moderator
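To see which volumes actually received a protector and whether the TPM reports enabled, activated and owned, here is an added PowerShell diagnostic (written for this page, not Keith's or MDT's code) that reads the same Win32_Tpm and Win32_EncryptableVolume WMI classes ZTIBDE.wsf uses; it assumes an elevated prompt on the deployed Windows 7 client and nothing else.

```powershell
# Added diagnostic (not from the thread). Reads the WMI classes that ZTIBDE.wsf
# relies on, so the output can be compared with the bdd.log entries line by line.
# Run from an elevated PowerShell prompt on the deployed Windows 7 client.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) {
        # No instance at all usually means the TPM is switched off or hidden in firmware.
        return New-Object PSObject -Property @{ Present = $false }
    }
    # Each Win32_Tpm method returns an object whose boolean carries the method's name.
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerVolumeState {
    $protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
    $conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                     3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
    $protector  = @{ 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'; 4 = 'TPMAndPIN';
                     5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'; 7 = 'PublicKey'; 8 = 'Passphrase' }
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume
    foreach ($v in $volumes) {
        $conv = $v.GetConversionStatus()
        # GetKeyProtectors(0) lists protectors of every type; the ID array is $null when none exist.
        $types = @()
        foreach ($id in @($v.GetKeyProtectors(0).VolumeKeyProtectorID)) {
            if ($id) { $types += $protector[[int]$v.GetKeyProtectorType($id).KeyProtectorType] }
        }
        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Protection = $protection[[int]$v.GetProtectionStatus().ProtectionStatus]
            Conversion = $conversion[[int]$conv.ConversionStatus]
            Percent    = $conv.EncryptionPercentage
            Protectors = ($types -join ',')
        }
    }
}

$tpmState = Get-TpmState
$tpmState | Format-List
if (-not ($tpmState.Present -and $tpmState.Enabled -and $tpmState.Activated)) {
    Write-Warning 'TPM not present, enabled and activated: the BDEInstall=TPM step is skipped.'
}
# A volume listing no protectors was never touched by ZTIBDE; the OS drive should show TPM + NumericalPassword.
Get-BitLockerVolumeState | Format-Table Drive, Protection, Conversion, Percent, Protectors -AutoSize
```

A D: volume that shows FullyDecrypted with an empty Protectors column confirms the second Configure Bitlocker step never ran against it, which narrows the problem to the task sequence rather than to the key escrow.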

All replies

  • Hi Keith,

    Thanks, I'll go and see if TPM is enabled and try to approach the partitioning differently.

    Cheers! Rens


    If this post is helpful please click "Mark for answer", thanks! Kind regards

    Tuesday, February 24, 2015 8:31 AM