Bitlocker encrypted but not enabling protectors

  • Question

  • Seeing an odd behavior.  On some Windows 7 devices, after being imaged with SCCM and being told to encrypt with Bitlocker (key stored in AD) the device completes the encryption, but the protectors are never enabled automatically.  I can easily enable them manually through manage-bde or using the GUI.

    Any ideas why the protectors would not kick in once the drive is 100% encrypted?

    Wednesday, June 12, 2019 9:56 PM

Answers

  • Appears it was related to a BIOS update happening in the Task Sequence.  Once we removed that it returned to working as expected.

    Thanks,

    William

    Monday, August 12, 2019 2:26 PM

All replies

  • Hi,

    Does your pc have TPM chip installed?

    On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde:

    manage-bde -on C:

    This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:

    manage-bde -protectors -get <volume>

    Only with the protectors enabled on the volume, we can then turn BitLocker on.

    More information, please refer to: 

    https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker

    Best regards,

    Yilia 




    Thursday, June 13, 2019 5:55 AM
    Moderator
  • Hi Yilia, yes the computer has a TPM which is active and ownership has been taken.  I see the TPM ID when running manage-bde -protectors -get <volume>

    Bitlocker is started through the step in the SCCM Task Sequence (as it always has) with the following two steps

    This step matches what encryption method is defined in GPO

    Followed by this step.  

    To the best of my knowledge these steps have not changed, at least in the last 3-4 years that I have been working with this client, and we are now getting intermittent reports of drives not being locked after the encryption completes.

    Here's an example of one from yesterday:

    Any other ideas?

    Thanks!
    William

    Thursday, June 13, 2019 2:41 PM
  • Just a bit more info, I see where the device backed up the recovery info to AD, so I know that's working as well:

    Thursday, June 13, 2019 2:52 PM
  • Anyone have any ideas what I might be missing here?

    Thanks!

    William

    Tuesday, June 18, 2019 5:32 PM
  • Hi,

    From the screenshot you provided, the Protection Status is 0 : Protection OFF.

    When BitLocker is not enabled, we will get a status "0" (Protection OFF); all the data is not encrypted.

    Please check the following blog:

    Enabling Bitlocker with an SCCM Task Sequence

    https://blogs.technet.microsoft.com/chuck_kiessling/2012/02/03/enabling-bitlocker-with-an-sccm-task-sequence/

    For further help, I suggest you submit a new case on SCCM forum as they will be more professional on your issue: 

    This is the SCCM forum link: https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB

    Thanks for your understanding.

    Best regards,

    Yilia 



    Friday, June 21, 2019 6:38 AM
    Moderator
  • Hi Yilia, I am a little confused by your response.  Bitlocker is indeed enabled, thus the 100% Encrypted.  The protection being off simply means the protectors are not enabled, which is the exact issue I am trying to overcome.  This issue isn't affecting every machine, only a minority of devices that are imaged with the same Task Sequence, and I have confirmed that the machines working/not working are being placed in the same OU and getting the same policies.

    I will try over at the SCCM forums to see if anyone has seen this behavior.

    Thank you for the responses!

    Monday, June 24, 2019 1:58 PM
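As an added example (not posted by anyone in this thread), a PowerShell check for the state William describes and Yilia's protector listing points at: the volume reports 100% encrypted but Protection Status is Off. It uses the BitLocker module's Get-BitLockerVolume and the TrustedPlatformModule module's Get-Tpm, so it assumes Windows 8/Server 2012 or later and an elevated prompt; the -Remediate switch and the report-only default are this example's own design, not part of the thread.

```powershell
# Added example: report a volume that finished encrypting but whose
# protectors were never enabled, and optionally enable them.
# Assumes the BitLocker and TrustedPlatformModule modules (Win8/2012+).
param(
    [string]$MountPoint = 'C:',
    [switch]$Remediate            # default is report-only
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$tpm = Get-Tpm

$tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$recoveryPw   = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

"Volume {0}: status={1}, {2}% encrypted, protection={3}" -f `
    $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus
"TPM present/ready: {0}/{1}" -f $tpm.TpmPresent, $tpm.TpmReady
"Protectors: " + (($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')

# The condition from the thread: encryption finished, protection still Off.
$stuck = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'Off')
if (-not $stuck) { "No action needed."; return }

# Sanity checks before touching protection on an OS volume:
# without a TPM protector every boot would prompt for recovery, and
# without a recovery password there is no fallback if the TPM rejects the unseal.
if (-not $tpmProtector -or -not $recoveryPw) {
    Write-Warning "Protection is Off and a TPM or RecoveryPassword protector is missing; add protectors before enabling."
    return
}
if (-not $tpm.TpmReady) {
    # A firmware change in the task sequence (the root cause found in this thread)
    # is one reason the TPM side may not be in the state BitLocker expects.
    Write-Warning "TPM is not ready; investigate TPM state before enabling protection."
    return
}

if ($Remediate) {
    # Same operation as the manual step William describes in the thread.
    manage-bde -protectors -enable $MountPoint
    "Protection now: " + (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
} else {
    "Volume is fully encrypted but protection is Off. Re-run with -Remediate to enable the protectors."
}
```

On the Windows 7 devices in the thread the module is not available; manage-bde -status reports the same Conversion Status and Protection Status fields for a manual check.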