1803 failing to encrypt drive with BitLocker at the end of TS?

    Question

  • Hi All,

    I've successfully captured an image and, upon testing deployment of it, everything works fine except encrypting the drive with BitLocker. The error message at the end of the deployment in the summary is "Error 6720: Encrypt the drive." I have installed the 1803 ADK and am running MDT 8450.

    I read that creating a brand new TS and copying over the necessary steps (such as applications, scripts etc.) would be beneficial, so I have done that and it hasn't made a difference.

    I never had this issue with deploying our custom 1709 image, so I can only assume that there are either new variables I need to declare in the CustomSettings or somewhere else, or settings have since been deprecated and are now causing issues?


    Current settings I've got in my CustomSettings.ini file relating to BitLocker are as follows:

    BDEInstallSuppress=NO
    OSDBitLockerCreateRecoveryPassword=AD 
    OSDBitLockerMode=TPM 
    OSDBitLockerWaitForEncryption=NO

    Has anyone seen this yet or can help?

    Thanks.

    Tuesday, May 8, 2018 8:18 AM

All replies

  • I haven't encountered any issues myself, but I'll try to help you narrow this down. Are you using BitLocker pre-provisioning? Have you taken a look at the ZTIBde.log if it contains any clues?

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, May 9, 2018 11:56 AM
  • I've been encountering the same. It seems that the release version of 1803, as well as the first cumulative, has an issue writing the BitLocker recovery keys to AD while logged in as a local user. If you log in as a domain user (doesn't have to have any special domain permissions) the keys get written fine manually. Really hoping this gets resolved soon.
    Friday, May 18, 2018 5:16 PM
  • Please post your ZTIBDE.log - I haven't seen any issues with BitLocker in the field, even when using 1803.

    Cheers,
    Anton

    Friday, May 18, 2018 5:19 PM
  • There is definitely an issue with MDT and BitLocker on 1803. It has been talked about in the thread below.

    https://www.reddit.com/r/sysadmin/comments/8i6v32/bitlocker_with_adstored_keys_broken_on_new_1803/

    I am using manual commands ("manage-bde") to set the PIN and then turn on BitLocker. This worked fine in 1709 but is now giving the error....

    ERROR: An error occurred (code 0x8031000a):
    The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information. Contact your domain administrator to verify that any required BitLocker Active Directory schema extensions have been installed.

    As per the thread linked, post MDT deployment if you reboot and log on with a domain account the Bitlocker commands work fine. However, they still will not work if you "runas" the domain account during MDT deployment.

    The commands I have been using successfully in MDT until 1803 are...

    manage-bde.exe -protectors -add c: -TP "12345678" -recoverypassword
    manage-bde.exe -on C:

    Tuesday, May 22, 2018 7:03 AM
  • Would just like to add that I am experiencing the same problem, as I have posted in this thread: https://social.technet.microsoft.com/Forums/windows/en-US/33af998d-116a-4150-8f80-b92f81504d4e/bitlocker-on-windows-10-1803?forum=win10itprosecurity
    Tuesday, May 22, 2018 3:12 PM
  • Is there still no fix for this yet?
    Tuesday, June 5, 2018 6:27 AM
  • Same is happening to me!

    I happened to get one good deployment of an image captured with 1709 but deployed with the 1803 ADK/updates; with an image created with 1803, however, it's failing with the same "6720 failure to encrypt drive" error.

    If I log in as a domain admin and run my test "BitLocker Only" TS, it works fine. If I run that same TS under a local account, it doesn't work and produces the 6720 failure.

    C'mon Microsoft, fix it up.



    Tuesday, June 5, 2018 7:43 PM
  • Hi,

    I am seeing the same issue today when trying to deploy 1803. Has anyone found a way around this?

    Thanks, 

    Thursday, June 14, 2018 10:17 AM
  • I haven't been able to find one at all. My workaround(s), although they barely qualify, are...

    1) Use the 1709 WIM in the TS rather than 1803 and let WSUS (or whatever) handle the update

    2) Manually enable BL afterwards

    Neither option is great.

    Thursday, June 14, 2018 3:23 PM
  • Hi,

    I found a workaround thanks to this thread on reddit: https://www.reddit.com/r/sysadmin/comments/8i6v32/bitlocker_with_adstored_keys_broken_on_new_1803/

    Basically:

    Disable the BitLocker tasks in your TS.

    Create a batch file which will enable BitLocker on the necessary drives; mine has this in it:

    manage-bde -on C: -skiphardwaretest -recoverypassword
    manage-bde -on D: -skiphardwaretest -recoverypassword
    manage-bde -autounlock -enable D:

    Create a task to copy your .bat file and psexec to the computer you're building.

    Create a task to execute the script on the computer as the system account (c:\temp\psexec.exe -s -accepteula c:\temp\bitlocker.bat).

    This works for me. Big thanks to wrkacc who posted this on the above reddit thread!

    Friday, June 15, 2018 9:56 AM
  • Thanks for the info! I actually came across that thread a while ago and never tried the fix.

    I ended up having a TS for each of these tasks:

    #1 (cmd) - Copy Files

    md "C:\Temp"
    copy %SCRIPTROOT%\APM\BitLocker\PsExec.exe C:\Temp
    copy %SCRIPTROOT%\APM\BitLocker\EnableBL.cmd C:\Temp

    #2 (cmd) Enable BitLocker

    manage-bde -on c: -startupkey d: -recoverypassword -skiphardwaretest

    #3 (ps1) Clean Up

    Start-Sleep 5

    Remove-Item -Path C:\Temp -Force -Recurse



    Monday, June 18, 2018 5:57 PM
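    The two workarounds above (psexec -s wrapper and the three-step TS) turn encryption on but never confirm that the recovery password actually reached AD DS, which is exactly the step that failed with 0x8031000a. The following PowerShell check is an added example, not code from any poster in this thread: it assumes a domain-joined machine with the BitLocker module, a list of mount points you choose yourself, and that it runs after the enable step under an account the thread reports can write to AD (SYSTEM via psexec -s, or a domain user); it exits non-zero so a failed escrow shows up in the MDT summary instead of silently leaving an encrypted drive with no escrowed key.

```powershell
#Requires -RunAsAdministrator
# Added post-deployment check (not from the thread). Assumes a domain-joined machine,
# the BitLocker PowerShell module, and an account able to write msFVE-RecoveryInformation.
$mountPoints = @('C:')          # edit: add 'D:' etc. if you also encrypt data volumes
$failures = @()

foreach ($mp in $mountPoints) {
    $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop

    # 1. Did encryption start at all? Error 6720 leaves the volume fully decrypted.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $failures += "$mp is not encrypted (VolumeStatus=$($vol.VolumeStatus))"
        continue
    }

    # 2. There must be a numerical recovery password protector; add one if missing.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # 3. Escrow every recovery password to AD DS. This is the operation that fails with
    #    0x8031000a in the thread; the cmdlet throws, so the failure is caught and recorded.
    foreach ($p in $rp) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId `
                -ErrorAction Stop | Out-Null
            Write-Output "$mp protector $($p.KeyProtectorId) backed up to AD"
        } catch {
            $failures += "$mp protector $($p.KeyProtectorId) AD backup failed: $($_.Exception.Message)"
        }
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1                      # non-zero so the MDT step is reported as failed in the summary
}
exit 0
```

    Run it as the last BitLocker-related step; if it exits 1, read ZTIBde.log and the event log before shipping the machine, because the drive is encrypted but the key has not been escrowed.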
  • Thank you for this. Quick question: if I want to add a PIN, is this the correct command?

    manage-bde -on C: -tpmandpin "123456" -skiphardwaretest -recoverypassword

    Monday, August 13, 2018 3:04 PM