Bitlocker Task Sequence Procedure without TPM?

  • Question

  • Greetings,

    In a recent test I was unable to get Win7 installs to install without a TPM chip being present.

    The task sequence I was using is very basic and comprises the following:

    - Format and Partition Disk
        Partition1: Primary, 150MB, Make this the Boot Partition, NTFS, Variable: BDE
        Partition2: Primary, 100% Remaining free space, NTFS, Variable: OSDisk

    - Apply operating system Image.
        Destination: Logical drive letter stored in a Variable = OSDisk

    - Apply Windows Settings

    - Apply Network Settings

    - Apply Device Drivers

    - Setup Windows and ConfigMgr

    - Restart Computer

    - Enable Bitlocker
        Drive to encrypt: Current OS Drive
        Key management: Startup Key on USB only = First available

    When run on a physical machine with a TPM chip the task sequence runs without error and starts encrypting the disk as requested. The recovery key is stored both in AD and on the local USB key.

    However, if I then run this same task sequence on a virtual machine or a physical PC without a TPM chip, the task sequence halts on the Enable Bitlocker task with an error that a TPM chip cannot be found. This makes perfect sense; however, the task is set to use a USB key and not the TPM chip.

    Is this just a basic misunderstanding on my part of the way Bitlocker works?
    Do all Bitlocker encrypted machines need a TPM chip to store the encryption key?
    Is the task sequence settings referencing the standard encryption key or the recovery key? Is only the recovery key stored on the USB device and the encryption key stored in TPM?

    Brett Moffett
    Monday, May 24, 2010 5:00 AM

All replies

  • Did you check Smsts.log?
    Tuesday, May 25, 2010 8:33 AM
    The SMSTS.log file reports that it cannot continue with Bitlocker because there is no TPM chip available.

    Being a virtual machine I would expect there to be no TPM but I expected the Bitlocker process to use the USB key rather than TPM.

    Brett Moffett
    Tuesday, May 25, 2010 11:31 PM
  • With no TPM 1.2 chip on board the computer, then a USB drive is an option to store the required information (keys for booting).  Only problem, if this USB drive is unprotected, and you keep it close to your computer... or in your laptop bag, then the bad guys will have no problem.  I use a drive produced by Biogy Inc - Biometric with hardware encryption... I have to be there for the Bitlocker system to boot....  I don't worry any more....
    Thursday, August 12, 2010 11:31 AM
  • Bitlocker can use a USB key to store this information when you start Bitlocker manually, but through the OSD task sequence it is not possible.
    I am sure this is just the way the OSD calls the Bitlocker installer.

    However, it still remains that if you want to use OSD to image a machine without a TPM chip, you cannot use the "Enable Bitlocker" task to do so.

    If someone knows what the command line would be to turn on Bitlocker for a drive, store the boot info in AD and on a USB drive without using TPM, please post it here.

    Brett Moffett
    Friday, August 13, 2010 12:00 AM
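  • The following is an added example, not a script from this thread or from Microsoft. It does with manage-bde.exe what the post above asks for: turn on BitLocker for the OS drive on a machine with no TPM, keep the startup key on a USB drive and back the recovery password up to AD DS, from a "Run Command Line" task sequence step. Two points it relies on: without a TPM, BitLocker only accepts a startup-key protector when the "Require additional authentication at startup" policy allows BitLocker without a compatible TPM (the two FVE registry values the script writes are what that policy sets); and the startup key (an external key protector, the .BEK file on the USB drive) is a different protector from the 48-digit recovery password (numerical password protector), which is the one AD DS backup stores. Assumptions: the OS drive is C:, the first removable drive found is the intended key drive, the computer is already domain-joined when the step runs, and no domain GPO overrides the local policy values.

```powershell
<#
  Added example (not from this thread): enable BitLocker without a TPM using a
  USB startup key and an AD DS-backed recovery password, via manage-bde.exe.
  Assumed: OS drive C:, first removable drive = key drive, domain-joined host.
#>
param(
    [string]$OsDrive  = "C:",   # assumption: the OS volume after Setup
    [string]$KeyDrive = ""      # assumption: empty means "first removable drive"
)
$ErrorActionPreference = "Stop"

# A 32-bit task sequence process on x64 Windows is redirected to SysWOW64, where
# manage-bde.exe is absent; Sysnative bypasses the redirection when it exists.
$ManageBde = Join-Path $env:windir "Sysnative\manage-bde.exe"
if (-not (Test-Path $ManageBde)) { $ManageBde = Join-Path $env:windir "System32\manage-bde.exe" }

function Invoke-ManageBde([string[]]$ManageBdeArgs) {
    # Run manage-bde, return its text output, fail the step on a non-zero exit.
    $out = & $ManageBde $ManageBdeArgs | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ManageBdeArgs -join ' ') failed with exit code $LASTEXITCODE`n$out"
    }
    return $out
}

function Enable-NoTpmPolicy {
    # Registry values written by the policy "Require additional authentication at
    # startup" with "Allow BitLocker without a compatible TPM" ticked. Without
    # them, manage-bde -on with a startup key fails on a machine with no TPM.
    $fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

function Find-RemovableDrive {
    # First removable logical disk (DriveType 2): where the .BEK startup key goes.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 2" | Select-Object -First 1
    if ($null -eq $disk) { throw "No removable drive present to hold the startup key." }
    return ($disk.DeviceID + "\")
}

function Get-NumericalPasswordId([string]$Volume) {
    # Parse "manage-bde -protectors -get" for the ID of the Numerical Password
    # (recovery password) protector, which is what AD DS backup needs.
    $lines = (Invoke-ManageBde @("-protectors", "-get", $Volume)) -split "`r?`n"
    for ($i = 0; $i -lt $lines.Length; $i++) {
        if ($lines[$i] -match "Numerical Password:") {
            for ($j = $i + 1; $j -lt $lines.Length; $j++) {
                if ($lines[$j] -match "ID:\s*(\{[0-9A-Fa-f-]+\})") { return $matches[1] }
            }
        }
    }
    throw "No Numerical Password protector found on $Volume."
}

Enable-NoTpmPolicy
if (-not $KeyDrive) { $KeyDrive = Find-RemovableDrive }

# Two protectors: the external key (startup key, .BEK written to the USB drive
# and needed at every boot) and the numerical password (recovery password).
# -SkipHardwareTest avoids the hardware-test reboot manage-bde otherwise
# requires; the cost is that reading the key from USB at boot is not verified
# before encryption starts.
Invoke-ManageBde @("-on", $OsDrive, "-StartupKey", $KeyDrive, "-RecoveryPassword", "-SkipHardwareTest") | Out-Null

# Escrow the recovery password in AD DS, then report status for the smsts.log.
$protectorId = Get-NumericalPasswordId $OsDrive
Invoke-ManageBde @("-protectors", "-adbackup", $OsDrive, "-id", $protectorId) | Out-Null
Invoke-ManageBde @("-status", $OsDrive)
```

    Put the script in a package and call it from a "Run Command Line" step placed where the "Enable Bitlocker" step was, after "Setup Windows and ConfigMgr" and the restart, for example `powershell.exe -NoProfile -ExecutionPolicy Bypass -File Enable-BitLockerUsbKey.ps1`. Check `manage-bde -protectors -get C:` afterwards: you should see one External Key protector and one Numerical Password protector, and the msFVE-RecoveryInformation object under the computer account in AD. Note the threat model this leaves you with: without a TPM there is nothing binding the volume to the machine, so the .BEK on that USB drive unlocks the disk on its own. If the key stays in the laptop bag, the encryption protects nothing; treat the USB drive as a credential and keep it apart from the computer.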
  • Yes, I know this is an old post, I'm trying to clean them up.

    Did you figure this out yet?

    Garth Jones

    Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

    Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed

    Thursday, August 24, 2017 3:30 PM