MDT 2013 update 2 bitlocker issue
Question
-
I was able to update my MDT server to update two this week, but on testing deployment I found that I'm not able to choose to encrypt with BitLocker. This worked with the previous version. The first reboot after it applies the image comes up to a BitLocker recovery screen that says there are no recovery options for your PC. If I choose to not encrypt the system, the image completes successfully and I can then encrypt manually from Windows 8.1. There were no errors in the bdd.log or the smsts.log.
I choose encrypt using TPM only.
My custom settings look like this
[Settings]
Priority=Default
Properties=MyCustomProperty
[Default]
ApplyGPOPack=NO
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
BDEInstall=TPM
BdeInstallSuppress=NO
BDeWaitForEncryption=False
BDEDriveSize=2000
BDEDriveLetter=S:
BDEKeyLocation=C:
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
SkipTimeZone=YES
TimeZoneName=Eastern Standard Time
SkipUserData=YES
SkipLocaleSelection=YES
OSDComputername=BLAH#Right("%SerialNumber%",4)#
I noticed that the disk partitions are different on a system imaged with the previous version of MDT and encrypted. Could this be the issue?
Update 2 laptop:
499 MB EFI system
117 GB C:\
1.2 GB recovery
pre-update laptop:
300 MB recovery
1.95 GB EFI system
117 GB
I found the task steps that control the partition size and changed them to be more in line with what they were pre-update:
Boot (EFI)
2000 MB
Windows (Primary)
99% of remaining
Recovery (Recovery)
1GB NTFS
This did not resolve the error though (it still comes up to the recovery screen and says there are no recovery options for your computer).
Any help you could provide would be appreciated :)
Answers
-
ADK 10586 is the source of this issue. You can disable your pre-provision BitLocker step or you can go back to ADK 10240.
The reason this happens is that the encryption used by the ADK when in WinPE is newer than what Windows 8.1 and lower understand.
Logs are very important. https://keithga.wordpress.com/2014/10/24/video-mdt-2013-log-files-basics-bdd-log-and-smsts-log/ Mention any customizations you have made.
- Marked as answer by Ty Glander (Moderator), Monday, January 4, 2016 9:15 PM
-
Another option is to change the encryption used (this will support downlevel OSes also): https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2016/03/30/windows-versions-prior-windows-10-build-1511-fail-to-start-after-setup-windows-and-configuration-manager-step-when-pre-provision-bitlocker-is-used-with-windows-pe-10-0-586-0-1511/
Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide. Please take the time to read it. Also, if you don't post logs your problem won't be easily solved.
- Marked as answer by Ty Glander (Moderator), Wednesday, May 18, 2016 7:57 PM
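A check that follows from the cause given in the answers, as an added example that is not part of the original thread: it parses `manage-bde -status` output taken after the pre-provision step and flags volumes encrypted with XTS-AES when the target OS build is older than 10586. The function names, the sample output and the target build 9600 (Windows 8.1) are constructed for illustration, and English-language tool output is assumed.

```powershell
# Added example (not from the thread): fail a task sequence step when a volume
# pre-provisioned in WinPE uses a cipher the target OS cannot read.
# XTS-AES support arrived with Windows 10 1511 (build 10586).

function Get-BdeEncryptionMethod {
    # Returns one object per volume found in `manage-bde -status` text.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$StatusText)
    $volume = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+(\S+)') {
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s+(.+?)\s*$') {
            [pscustomobject]@{ Volume = $volume; Method = $Matches[1] }
        }
    }
}

function Test-BdeMethodReadable {
    # Only XTS-AES is rejected for older builds; other methods pass through.
    param([Parameter(Mandatory)][string]$Method,
          [Parameter(Mandatory)][int]$TargetBuild)
    if ($Method -like 'XTS-AES*') { return ($TargetBuild -ge 10586) }
    return $true
}

# Constructed sample; in WinPE use: $status = manage-bde -status
$status = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 117.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
'@ -split "`r?`n"

$targetBuild = 9600   # assumption: image being deployed is Windows 8.1
$unreadable = @(Get-BdeEncryptionMethod -StatusText $status |
    Where-Object { -not (Test-BdeMethodReadable $_.Method $targetBuild) })

foreach ($v in $unreadable) {
    Write-Warning "$($v.Volume) uses $($v.Method); build $targetBuild cannot unlock it."
}
if ($unreadable.Count -gt 0) { exit 1 }   # non-zero exit fails the step
```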