BitLocker not activating when imaging with MDT

  • Question

  • So we're switching from KACE to MDT and I am now modifying our environment to run WDS/MDT (this will be important later).

    I would like to see if someone can review my work (based off of Johan's "Deployment Fundamentals - Vol 6" book). I have followed his instructions (listed below) but I cannot seem to get the device to send the BitLocker TPM recovery key to AD.

    DC Settings:

    Features added:

    1. BitLocker Drive Encryption Administration Utility
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer

    Created a GPO with the following settings:

    1. Choose how BitLocker-protected operating system drives can be recovered:
       a) Allow data recovery agent
       b) Do not enable BitLocker until recovery information is stored in AD DS for OS drives
    2. Configure TPM platform validation profile for BIOS-based firmware configurations
    3. Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
    4. Configure TPM platform validation profile for native UEFI firmware configurations

    Also on the DC:

    1. Enabled Turn on TPM backup to AD DS
    2. Ran the Add-TPMSelfWriteACE.vbs script located at: http://go.microsoft.com/fwlink/?LinkId=167133

    MDT Settings:

    1. Added rules to CustomSettings.ini under [Default]:
       a) BDEInstall=TPM
       b) BDERecoveryKey=AD
    2. In the TS I want to run, I added the following:
    3. In the State Restore group, before the Enable BitLocker action, add a new group with the following settings:
       a) Name: BitLocker
       b) Option: Add a TS condition with the following settings:
          (1) Variable: BDEInstallSuppress
          (2) Condition: not equals
          (3) Value: YES
    4. In the BitLocker group, add a Run Command Line action with the following settings:
       a) Name: Check TPM Status
       b) Command line: cscript.exe "%ScriptRoot%ZTICheckforTPM_v2.wsf"  <-- That script does not exist in the location it's asking for. Could this be a problem?
    5. In the State Restore group, select the Enable BitLocker action and move it after the Check TPM Status action. Then configure the options for the Enable BitLocker action with the following settings:
       a) Add an if statement set to All Conditions
       b) Select "if all conditions are true" and add a Task Sequence Variable condition with the following settings:
          (1) Variable: TPMReady
          (2) Condition: equals
          (3) Value: TRUE
       c) Select Task Sequence Variable TPMReady equals TRUE and add a Task Sequence Variable condition with the following settings:
          (1) Variable: TPMActivated
          (2) Condition: equals
          (3) Value: TRUE
    6. In the State Restore group, after the Apply Local GPO Package action, add a Run Command Line action with the following settings:
       a) Name: Remove BDE Recovery File
       b) Command line: PowerShell.exe -ExecutionPolicy Bypass -File "%SCRIPTROOT%\Remove-BDERecoveryFile.ps1"
       c) Options / Continue on error: Selected

    There are no errors reported when the image finishes. The device does join the domain and goes to the correct testing OU I have created.

    Currently with KACE, I run this PowerShell script as a Post-Installation task (the equivalent of what a TS is for running an installation or command line in MDT) with the following code:

    # Provision the TPM so Windows can take ownership and use it as a key protector
    Initialize-Tpm
    # Create the separate system partition BitLocker needs, then restart.
    # Note: %SystemDrive% is cmd.exe syntax and is not expanded by PowerShell; $env:SystemDrive is.
    BdeHdCfg.exe -target $env:SystemDrive shrink -quiet -restart
    # Add a numerical recovery password protector (backed up to AD DS via the GPO above)
    manage-bde.exe -protectors -add C: -recoverypassword=AD
    # Turn on encryption for C: (used space only) with a recovery password protector
    manage-bde.exe -on C: -rp -used

    to kick off the BitLocker encryption. It will add the recovery key to AD, then ask for the device to reboot to start the encryption (which I run another Post-Installation task to do), and it works fine. However, if I run this PowerShell script in MDT, it adds the key to AD, but when the device reboots it requires me to enter the recovery key. The key that was provided to AD does not work.

    I'm stuck and at a loss.

    Specs: DC = Server 2012r2

    MDT/WDS Server 2016 with: MDT 2013u2 build: 8450

    OS: Win 10 Pro x64 1703

    "Start BitLocker" was the PS file I was running as a test but is currently disabled along with pausing the encryption TS.

    Please note that in the rules, I have tried with JUST the highlighted and also with the extra rules.

    End Result.


    • Edited by TheUsD Wednesday, January 23, 2019 4:21 PM Modified layout and adjusted Server Specs
    Wednesday, January 23, 2019 4:13 PM
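As an added example (not from the original post, Johan's book or MDT itself): a PowerShell check that can run as a Run Command Line step right before the restart that starts encryption. It verifies the TPM is ready, makes sure the OS volume has a numerical recovery password protector, backs it up to AD DS with Backup-BitLockerKeyProtector, and then confirms through ADSI that an msFVE-RecoveryInformation object with the same protector ID exists under the computer account, i.e. that the key sitting in AD is the one actually on the volume. It assumes a domain-joined Windows 10 client with the built-in BitLocker and TrustedPlatformModule modules; no RSAT is required. The script and its variable names are this example's, not MDT's.

```powershell
# Added example: verify TPM state and that the OS volume's recovery password is escrowed in AD DS.
# Assumes a domain-joined Windows 10 client; run elevated, before the restart that starts encryption.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive

# 1. TPM must be present and ready, otherwise the TPM protector cannot be created
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Owned=$($tpm.TpmOwned))"
}

# 2. Ensure the volume has at least one RecoveryPassword protector
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Back every recovery password protector up to AD DS (idempotent; fails if the DC rejects it)
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Find this computer's AD object and list the msFVE-RecoveryInformation children under it
$computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
if (-not $computer) { throw "Computer account for $env:COMPUTERNAME not found in AD" }
$dn = $computer.Properties['distinguishedname'][0]

$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([adsi]"LDAP://$dn")
$searcher.Filter      = '(objectClass=msFVE-RecoveryInformation)'
$searcher.SearchScope = 'OneLevel'
$searcher.PropertiesToLoad.Add('msFVE-RecoveryGuid') | Out-Null

# msFVE-RecoveryGuid is stored as a binary GUID; normalise to the "{GUID}" form BitLocker uses
$escrowed = @($searcher.FindAll() | ForEach-Object {
    $bytes = $_.Properties['msfve-recoveryguid'][0]
    (New-Object System.Guid -ArgumentList @(,$bytes)).ToString('B')
})

# 5. Every protector on the volume must have a matching object in AD (string compare is case-insensitive)
$missing = @($rp | Where-Object { $escrowed -notcontains $_.KeyProtectorId })
if ($missing.Count -gt 0) {
    throw "Recovery protector(s) not found in AD DS under $dn : $($missing.KeyProtectorId -join ', ')"
}
Write-Output "OK: $($rp.Count) recovery password protector(s) escrowed under $dn"
```

Run it after every step that can add a recovery password: `manage-bde -on C: -rp` adds a second RecoveryPassword protector on top of the one added by `-protectors -add`, so both IDs need to be present in AD for the object to be useful at the recovery prompt.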

Answers

  • Issue resolved.

    I needed to clear out the TPM chip. This was most likely the cause because of the PS script I used to initiate the TPM and send to AD. I also created a PS command to clear out the TPM on every re-image and turned on PPI Provisioning and Deprovisioning in the Dell BIOS settings.

    Created a command line task and entered:
    powershell.exe -command "& {(Get-WMIObject -Namespace root/cimv2/Security/MicrosoftTPM -class Win32_TPM).SetPhysicalPresenceRequest(10)}"

    Then a reboot command followed by the Enable Bitlocker TS. 

    • Marked as answer by TheUsD Thursday, January 24, 2019 6:55 PM
    Thursday, January 24, 2019 6:55 PM
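Added example, not the poster's command: a gated version of the "clear the TPM on every re-image" step. It reads the TPM state with Get-Tpm, decides whether a reset is actually needed (the TPM is locked out, or is owned by a previous installation without this one holding the owner authorization), records the decision in a task sequence variable so the following Restart step can be conditioned on it the same way TPMReady is used above, and only then calls Clear-Tpm. It assumes Windows 10 with the built-in TrustedPlatformModule module and the Microsoft.SMS.TSEnvironment COM object of an MDT task sequence; the variable name TPMResetRequired is made up for this example.

```powershell
# Added example: reset the TPM only when its state requires it, and tell the task sequence what was decided.
# Assumes Windows 10 (TrustedPlatformModule module) inside an MDT task sequence; TPMResetRequired is a made-up TS variable.
$ErrorActionPreference = 'Stop'

function Get-TpmResetDecision {
    param([Parameter(Mandatory)] $Tpm)   # the object returned by Get-Tpm

    if (-not $Tpm.TpmPresent) {
        return [pscustomobject]@{ Reset = $false; Reason = 'No TPM present; Enable BitLocker has to be skipped' }
    }
    if ($Tpm.OwnerClearDisabled) {
        return [pscustomobject]@{ Reset = $false; Reason = 'Owner clear is disabled in firmware; fix the BIOS/PPI setting, a script cannot clear it' }
    }
    if ($Tpm.LockedOut) {
        return [pscustomobject]@{ Reset = $true;  Reason = 'TPM is in dictionary-attack lockout; a clear resets the counters' }
    }
    if ($Tpm.TpmOwned -and -not $Tpm.TpmReady) {
        return [pscustomobject]@{ Reset = $true;  Reason = 'TPM is owned (previous OS install) but this Windows has no owner authorization for it' }
    }
    return [pscustomobject]@{ Reset = $false; Reason = 'TPM ready for this installation; no reset needed' }
}

$decision = Get-TpmResetDecision -Tpm (Get-Tpm)
Write-Output "$($decision.Reason) (Reset=$($decision.Reset))"

# Expose the decision to the task sequence so a Restart step can carry the condition TPMResetRequired equals TRUE
$flag = if ($decision.Reset) { 'TRUE' } else { 'FALSE' }
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMResetRequired') = $flag
} catch {
    Write-Warning 'Not running inside a task sequence; TPMResetRequired not set'
}

if ($decision.Reset) {
    # Without a stored owner authorization the clear may need physical-presence confirmation at the
    # next boot, which is why a Restart step has to follow before Enable BitLocker, as in the answer.
    Clear-Tpm | Out-Null
}
```

Putting the decision in a variable rather than clearing unconditionally keeps a freshly provisioned TPM (and its auto-provisioned owner auth) intact, and the reason string ends up in the command's output in the task sequence log, which is what you want when a machine later prompts for a recovery key and you need to know what happened to its TPM during imaging.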

All replies

  • We set SkipBitlocker=NO in customsettings.ini then choose bitlocker enable in the deployment wizard after selecting the task sequence and naming the computer, etc. We do not modify the task sequence whatsoever except for the DriverGroup001 variable and custom tasks to create local accounts and install some apps. We do verify that the key is written to the ADUC computer object as part of an imaging checklist. If the key is not there (occasionally happens) we decrypt then re-encrypt manually.
    Wednesday, January 23, 2019 5:12 PM