MDT 8443 - Bitlocker Windows 10

  • Question

  • When testing some new deployments for Win 10 v1709 Enterprise x64, I am having issues with getting BitLocker to automatically enable via the task sequence (default Standard Client Task Sequence). It was working a couple of months ago when we started to build an MDT environment. In the deployment share rules, I have it set to "SkipBitLocker=YES" so that it doesn't prompt a user to select anything (trying to get as automated as possible). When it is like that, deployment completes successfully (no warnings or errors), but when I look at the new computer object in ADUC, there is no recovery key and BitLocker administration on the target PC shows OFF.

    If I change the rules to "SkipBitLocker=NO", forcing me to select TPM and store in AD, once the deployment completes successfully I can see the recovery key in ADUC and BitLocker shows ON on the target PC.

    Any idea where to start on solving this?

    Monday, November 13, 2017 11:11 PM

Answers

  • I was able to get it to work by turning off the built-in Enable BitLocker step and using PowerShell to enable it. Since our GPO for Windows 10 devices is set to store recovery info in AD, I was able to run a script to enable it. It enables during my TS and stores the recovery password in AD.

    Thanks for your help!

    <#
    Solution: Enable BitLocker Drive Encryption (BDE)
    Purpose: Enable BDE on the C: drive.
    Version: 1.0 - November 16, 2017
     
    Author - HDH2
    #>
    # Take ownership of the TPM (clearing it first if necessary) so a TPM protector can be added
    Initialize-Tpm -AllowClear -AllowPhysicalPresence
    # Add the TPM key protector; manage-bde.exe is in System32, so no ".\" path prefix is needed
    manage-bde.exe -protectors -add C: -tpm
    # Encrypt used space only with AES-256 and add a recovery password; the GPO backs it up to AD
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -RecoveryPasswordProtector


    • Marked as answer by hdh2 Thursday, November 16, 2017 6:24 PM
    Thursday, November 16, 2017 6:24 PM

All replies

  • Monday, November 13, 2017 11:24 PM
  • Add to your customsettings.ini
    BDERecoveryKey=AD


    Many questions, such as where to find logs and which logs are interesting, are answered in: MDT TechNet Forum - FAQ & Getting Started Guide. Please take the time to read it. Also, if you don't post logs your problem won't be easily solved.

    Tuesday, November 14, 2017 1:46 AM
    Moderator
  • Are you setting either AdminPassword or TpmOwnerPassword property? Either way, being able to review your ZTIBde.log would really help with troubleshooting.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Tuesday, November 14, 2017 5:47 AM
  • Just a short question to complicate things :)

    Is there a way in MDT to 'prompt' for BitLocker? If I'm going to image a PC that I don't need BitLocker on vs. one I do, can one be prompted to execute BitLocker, or is it just a fixed task for every PC in that TS? This may be moot since we clone in one OU but BitLocker only works in a different one... but worth looking into.
    Thanks

    Wednesday, November 15, 2017 7:12 PM
  • You could set the SkipBitLocker property to NO in your CS.ini :-)

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, November 15, 2017 7:15 PM
  • Thanks! I had thought that might be the option. At that point, are you aware of what you're presented with? I guess I can just set up a TS and find out.

    I'm betting it will still fail since our PCs must be in a policy-free OU (or the admin will not auto-sign on), while we then move the PC to a BitLocker OU. Might be more work than needed... but it's a slow time for me :)

    Wednesday, November 15, 2017 7:19 PM
  • Your AD schema must support BitLocker, and computer accounts must have sufficient permissions to write recovery keys into the corresponding computer objects. You might also need to configure CS.ini to perform BitLocker encryption by default. Also, make sure to use pre-provisioning to save encryption time (the TPM chip must be enabled and activated; you also have to set either TpmOwnerPassword or AdminPassword for pre-provisioning to work).

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, November 15, 2017 7:27 PM
  • Oh yes, all of that is in place before starting MDT on each PC. What I meant was, if you set SkipBitLocker to NO, what are you prompted with during the TS? Again, I can set it up to find out but wondered if you knew.
    Wednesday, November 15, 2017 7:30 PM
  • You can choose to BitLocker or not to BitLocker :)

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, November 15, 2017 7:33 PM
  • I added that to the default section and it still doesn't work. Below is ZTIBDE.LOG. Why does it say "BDE installation not selected"?
    <![LOG[Microsoft Deployment Toolkit version: 6.3.8443.1000]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[The task sequencer log is located at X:\WINDOWS\TEMP\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Write all logging text to \\CHWPDPLYSITE01\DEPLOYMENTSHARE$\Logs\MCT-RHA05B0632]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Validating connection to \\CHWPDPLYSITE01\DEPLOYMENTSHARE$\Logs\MCT-RHA05B0632]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Mapping server share: \\CHWPDPLYSITE01\DEPLOYMENTSHARE$]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Already connected to server CHWPDPLYSITE01 as that is where this script is running from.]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[System drive is: X:]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[The deployment method is not using ConfigMgr.]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[BDE installation not selected]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[ZTIBDE processing completed successfully.]LOG]!><time="11:33:26.000+000" date="11-15-2017" component="ZTIBDE" context="" type="1" thread="" file="ZTIBDE">
    <![LOG[Microsoft Deployment Toolkit version: 6.3.8443.1000]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The task sequencer log is located at C:\Users\ADMINI~1\AppData\Local\Temp\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log.]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Write all logging text to \\CHWPDPLYSITE01\DEPLOYMENTSHARE$\Logs\MCT-RHA05B0632]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Validating connection to \\CHWPDPLYSITE01\DEPLOYMENTSHARE$\Logs\MCT-RHA05B0632]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Mapping server share: \\CHWPDPLYSITE01\DEPLOYMENTSHARE$]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[Already connected to server CHWPDPLYSITE01 as that is where this script is running from.]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[System drive is: C:]LOG]!><time="11:44:41.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[The deployment method is not using ConfigMgr.]LOG]!><time="11:44:42.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[BDE installation not selected]LOG]!><time="11:44:42.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    <![LOG[ZTIBde processing completed successfully.]LOG]!><time="11:44:42.000+000" date="11-15-2017" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
    

    Wednesday, November 15, 2017 11:20 PM
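The "BDE installation not selected" line is what ZTIBde.wsf logs when the BDEInstall property is empty. SkipBitLocker=YES suppresses the wizard page that would otherwise have set BDEInstall and BDERecoveryKey, so with that setting those properties, plus TPMOwnerPassword or AdminPassword as mentioned earlier in the thread, have to come from CustomSettings.ini. The following PowerShell pre-flight check is an added example, not code from MDT or from anyone in this thread: it reads the [Default] section of a CustomSettings.ini and reports what ZTIBde would find missing. The two rule sets are constructed samples and the password value is a placeholder.

```powershell
# Added example: pre-flight check for the BitLocker rules in a CustomSettings.ini.
# It applies the same test ZTIBde.wsf applies (empty BDEInstall means
# "BDE installation not selected") plus the supporting properties discussed in
# the thread. Not MDT code; the two rule sets below are constructed samples.

function Get-IniSection {
    param(
        [Parameter(Mandatory)] [string] $IniText,
        [string] $Section = 'Default'
    )
    # Minimal INI reader: returns the key=value pairs of one section as a hashtable.
    $props = @{}
    $inSection = $false
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $props[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $props
}

function Test-MdtBdeRules {
    param([Parameter(Mandatory)] [hashtable] $Rules)
    # Returns one string per problem; no output means ZTIBde has what it needs.
    $findings   = @()
    $install    = $Rules['BDEInstall']
    $skipWizard = $Rules['SkipBitLocker'] -eq 'YES'   # MDT property matching is case-insensitive

    if (-not $install) {
        if ($skipWizard) {
            # Exactly the condition behind "BDE installation not selected" in ZTIBde.log
            $findings += 'BDEInstall is empty and the wizard page is skipped: ZTIBde logs "BDE installation not selected" and leaves the drive unencrypted'
        }
    } elseif ($install -notin @('TPM', 'TPMKey', 'TPMPin', 'Key')) {
        $findings += "BDEInstall='$install' is not one of TPM, TPMKey, TPMPin, Key"
    }
    if ($install -like 'TPM*' -and -not ($Rules['TPMOwnerPassword'] -or $Rules['AdminPassword'])) {
        $findings += 'TPM-based BDEInstall needs TPMOwnerPassword or AdminPassword so the task sequence can take ownership of the TPM'
    }
    if ($skipWizard -and $Rules['BDERecoveryKey'] -notin @('AD', 'AD and Startup')) {
        $findings += "BDERecoveryKey='$($Rules['BDERecoveryKey'])': the recovery password will not be written to the computer object in AD"
    }
    return $findings
}

# Constructed sample: rules that skip the wizard page but set nothing in its place.
$brokenRules = @'
[Settings]
Priority=Default

[Default]
SkipBitLocker=YES
'@

# Constructed sample: the same rules with the properties ZTIBde reads (placeholder password).
$fixedRules = @'
[Settings]
Priority=Default

[Default]
SkipBitLocker=YES
BDEInstall=TPM
BDERecoveryKey=AD
TPMOwnerPassword=ChangeMe-Placeholder
'@

foreach ($sample in ([ordered]@{ broken = $brokenRules; fixed = $fixedRules }).GetEnumerator()) {
    $findings = @(Test-MdtBdeRules -Rules (Get-IniSection -IniText $sample.Value))
    if ($findings.Count -eq 0) { "$($sample.Key): OK" }
    else { "$($sample.Key):"; $findings | ForEach-Object { "  - $_" } }
}
```

Run it against the real CustomSettings.ini (`Get-Content -Raw`) before kicking off a deployment; the "broken" sample reproduces the situation in the log above, and the "fixed" sample is the minimum set of rules for an unattended TPM-only encryption with the recovery password escrowed to AD. Keep TPMOwnerPassword out of any deployment share that unprivileged users can read, since CustomSettings.ini is plain text.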
  • Also, the BDD.log.

    http://www.filedropper.com/bdd

    Wednesday, November 15, 2017 11:29 PM
  • By default, does MDT encrypt the entire drive and use the new encryption mode?

    The options we manually choose are:
    Encrypt entire Drive, and
    New Encryption Mode.

    Are these the default settings MDT uses? If not, any way of modifying them to do these two preferences?
    Thanks


    • Edited by the1rickster Thursday, November 16, 2017 4:24 PM
    Thursday, November 16, 2017 4:24 PM
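Both the marked answer's script and the question just above come down to which Enable-BitLocker options are used: leaving out -UsedSpaceOnly encrypts the entire drive, and the "new encryption mode" offered by the Control Panel wizard is XTS-AES, which is -EncryptionMethod XtsAes256 (or XtsAes128). The following PowerShell is an added example, not the script from the answer and not MDT code: it enables BitLocker with those two options, escrows the recovery password to AD explicitly instead of relying on the GPO, and verifies the protectors so a "Run PowerShell Script" step can fail instead of finishing with BitLocker OFF. It assumes an elevated session on a domain-joined Windows 10 machine with a ready TPM and the BitLocker AD schema extensions in place; the function names are this example's own.

```powershell
# Added example (not the thread's script): enable BitLocker on the OS drive with
# full-disk encryption and XTS-AES-256, escrow the recovery password to AD, and
# verify the result. Assumes an elevated session, a domain-joined Windows 10
# machine with a ready TPM, and the BitLocker AD schema extensions in place.

function Enable-OsDriveBitLocker {
    param(
        [string] $MountPoint = 'C:',
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string] $EncryptionMethod = 'XtsAes256',   # XtsAes* is the "new encryption mode"
        [switch] $UsedSpaceOnly                     # leave off for "encrypt entire drive"
    )
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); run Initialize-Tpm or enable it in firmware first"
    }

    # TPM protector plus the chosen cipher; SkipHardwareTest starts encryption without the reboot test.
    $enable = @{
        MountPoint       = $MountPoint
        EncryptionMethod = $EncryptionMethod
        TpmProtector     = $true
        SkipHardwareTest = $true
    }
    if ($UsedSpaceOnly) { $enable['UsedSpaceOnly'] = $true }
    Enable-BitLocker @enable | Out-Null

    # Second protector: the 48-digit recovery password that AD will hold.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # Write it to the computer object now rather than trusting the GPO-driven backup to fire.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    return $rp.KeyProtectorId
}

function Test-OsDriveBitLocker {
    param([string] $MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # EncryptionInProgress until the pass finishes
        ProtectionStatus = $vol.ProtectionStatus   # what "BitLocker administration" shows as ON/OFF
        EncryptionMethod = $vol.EncryptionMethod   # expect XtsAes256 here
        HasTpmProtector  = 'Tpm' -in $types
        HasRecoveryPw    = 'RecoveryPassword' -in $types
    }
}

# Usage in a task sequence step: fail the step if either protector is missing.
$protectorId = Enable-OsDriveBitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256
$state = Test-OsDriveBitLocker -MountPoint 'C:'
if (-not ($state.HasTpmProtector -and $state.HasRecoveryPw)) {
    throw "BitLocker protectors missing on C:`n$($state | Out-String)"
}
"Recovery password protector $protectorId backed up to AD"
$state
```

Add -UsedSpaceOnly to the Enable-OsDriveBitLocker call to get the faster used-space-only behaviour of the answer's script. Backup-BitLockerKeyProtector fails if the computer account cannot write to its own object or the schema is missing the ms-FVE-RecoveryInformation class, which surfaces the AD prerequisites mentioned earlier in the thread as a hard error during the task sequence rather than as an empty recovery tab in ADUC afterwards.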