Pre-provisioned Bitlocker
SCCM 2012 SP1 with MDT 2013 doing Windows 7 SP1 images. Can somebody who has successfully set up BitLocker give me some guidance here? I'm looking at Niall's windows-noob article
http://www.niallbrady.com/2012/09/23/how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/ about using pre-provisioning. I understand about setting up AD, turning on the TPM chip etc., but my
confusion is with the BDE variables needed if using the MDT client task sequence, which I use.
I see articles about adding variable into the customsettings.ini such as
bdedriverletter=S
bdedrivesize = 30000
etc., but isn't this handled by the MDT TS, which creates the hidden partition for BitLocker anyway??
I have also seen some articles saying NOT to use the MDT version of the Enable BitLocker step, which I believe runs ZTIBde, but rather to use the SCCM Enable BitLocker step.
Also, if using pre-provisioning, which seems to make sense, is it sensible to put the client files such as the Dell CCTK into the boot image?
Thanks
Ian Burnell, London (UK)
Hi,
I normally let the built-in format step create the BDEDrive partition, and I normally put the Dell CCTK files in a package and reference that package from the task sequence step instead of putting it in the WinPE image; it makes it much easier to
update if a new model requires a new version of the CCTK.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec
Similar Messages
-
MBAM Agent Key Escrow Issue After Pre-Provisioning Bitlocker in SCCM TS
Hello, I'm having an issue with MBAM key escrow now that we have moved to using pre-provisioned Bitlocker. After imaging completes the initial key escrow works properly (the MBAM Agent transmits the Numerical Password key protector to the MBAM server) however
the MBAM Agent no longer automatically changes the Numerical Password when the recovery code is revealed in the
MBAM Drive Recovery console. As far as I can tell MBAM is supposed to change this on the user's computer within 90 minutes by default and this behavior cannot be changed.
I have tested this using a previously-imaged computer that didn't use pre-provisioned Bitlocker. After revealing the recovery code in the MBAM console, the computer's Numerical Password protector was automatically changed as is expected. However
on the computers imaged with the pre-provisioned Bitlocker this does not happen.
Here are the versions of the software we're using:
SCCM 2012 R2
Windows 7 Enterprise SP1 x64
MBAM Agent v2.0.5301.1
The task sequence steps we are using consist of:
Ensure TPM is activated
Format and partition drive
Pre-provision Bitlocker, Encrypt Used Space Only mode
Apply Windows 7 image, install drivers and software, etc
Use manage-bde to set key protectors (-TPM and -RecoveryPassword)
Run the MBAM activation script
Use manage-bde to turn on Bitlocker on the drive
There are no error messages displayed and I can't see anything in the Event Viewer which would point to the root cause. The MBAM logs in Event Viewer are all Operational logs which simply state that the
'MBAM policies were applied successfully'.
Is this a known issue with pre-provisioned Bitlocker and MBAM? I haven't been able to find any information regarding this issue so any help would be greatly appreciated.
Thanks,
Justin.
According to the MBAM TechNet documentation the client should log in the Microsoft-Windows-MBAM/Operational section of Event Viewer. However:
The test computers do not show any error messages in the MBAM Operational log section. The only entries present are Information events that state "The MBAM policies were applied successfully".
The test computers also don't seem to show any general Security or System Error logs related to BitLocker or MBAM.
According to the TechNet documentation listed above, when a machine has its Numerical Password reset there should be a 'RecoveryKeyReset' event logged. However on the laptop where MBAM is changing the Numerical Password I do NOT see this event (though I have confirmed with manage-bde that the recovery password was changed successfully). The only events I see are, again, Operational logs for Information events that state "The MBAM policies were applied successfully".
I'm not sure why there aren't any errors logged, or why that laptop isn't generating that RecoveryKeyReset event like it should. As far as I can tell there isn't any way to change what the MBAM client logs, right? I didn't see any logs in AppData or ProgramData so I have to assume everything is supposed to be logged in Event Viewer. -
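To check the behaviour Justin describes in the MBAM key escrow post above, here is an added example (not code from the post, and not MBAM tooling): it records the RecoveryPassword protector ID on C: and compares it with a saved baseline, so a later run shows whether the MBAM client rotated the numerical password; it then lists recent Microsoft-Windows-MBAM/Operational events that mention recovery. It parses manage-bde output rather than using the BitLocker PowerShell module, which Windows 7 does not have; the baseline file path is an assumption. Run it once after imaging to record the baseline and again after revealing the recovery key in the MBAM console.

```powershell
# Added example: snapshot the RecoveryPassword protector ID(s) on C: and
# compare with a saved baseline to see whether MBAM rotated the numerical
# password. Baseline path is an assumption; change it to suit.
$baselinePath = 'C:\ProgramData\bde-recovery-protector-ids.txt'

function Get-RecoveryProtectorIds {
    # Only protector IDs are captured. manage-bde prints the 48-digit recovery
    # password alongside them; this script never writes that value anywhere.
    $out = manage-bde.exe -protectors -get C: -type RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed with exit code $LASTEXITCODE" }
    @($out | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f\-]{36}\})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
}

$current = @(Get-RecoveryProtectorIds)
if ($current.Count -eq 0) { throw 'No RecoveryPassword protector found on C:' }

if (-not (Test-Path $baselinePath)) {
    Set-Content -Path $baselinePath -Value $current
    Write-Output "Baseline recorded: $($current -join ', ')"
} else {
    $saved   = @(Get-Content $baselinePath)
    $rotated = @($current | Where-Object { $saved -notcontains $_ })
    if ($rotated.Count -gt 0) {
        Write-Output "Rotated: new RecoveryPassword protector ID(s) $($rotated -join ', ')"
        Set-Content -Path $baselinePath -Value $current
    } else {
        Write-Output 'Not rotated: RecoveryPassword protector ID unchanged since baseline'
    }
}

# Recent MBAM Operational events mentioning recovery, to correlate with the
# RecoveryKeyReset event the MBAM documentation describes.
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'recovery' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Comparing protector IDs rather than the password itself keeps the recovery password out of scripts and logs; a rotation always produces a new protector GUID, so the ID is all that needs to be stored.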
I'm trying the SP1 feature to pre-provision bitlocker during OSD, using an MDT integrated task sequence. It seems like the pre-provision part is working, but when the task sequence tries to enable bitlocker after installing the
OS, it fails. ZTIBDE.log contains the following:
Property UDI is now = ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Microsoft Deployment Toolkit version: 6.1.2373.0 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
The task sequencer log is located at C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
System drive is: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
The deployment method is using ConfigMgr. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Property BdeInstallSuppress is now = NO ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
This script is not currently running in Windows PE ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
We are running a OS that supports BitLocker ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
This is a Refresh Build where BDE protectors were disabled. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
OS Version is Windows 7 or higher. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Encryptable Volume Count:1 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Attempting to bind to: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Success setting oBdeVol ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
BDE Instance Bind Complete ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
Attempting to enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
FAILURE ( 6767 ): -2144272377 0x80310007: Enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
This laptop is in an OU with bitlocker related settings applied via GPO, including allowing enhanced PINs, requiring backup of the recovery passwords and key packages to AD, and to require TPM+PIN for the startup authentication.
Bitlocker provisioning is working on my production server using only MDT (No SCCM), with a task sequence deploying Windows 7. I copied some of the variables from the customsettings.ini over to a collection variable in SCCM for
the collection I'm testing deployment to. Putting those same variables in collection variables should work the same as if they were in the custom settings, but only for members of that collection, right?
The variables set in the collection variables area are
BDEInstall - TPMPIN
BDEInstallSuppress - NO
BDEPin - SET
BDERecoveryKey - AD
BDERecoveryPassword - TRUE
TPMOwnerPassword - SET
OSDBitlockerMode - TPMPin (This one wasn't copied from the other MDT share, but added just for SCCM.)
I didn't copy the BDEWaitForEncryption variable; it didn't seem like that one would be necessary with pre-provisioning. What am I doing wrong here?
If not you could add a set variable action to your task sequence after the UDI wizard to set OSDBitLockerPIN to %BDEPin%. You could add a condition to the action to only run if BDEPin exists.
I don't quite follow how I can switch between these variables. I admit I sometimes have difficulties understanding the variables. Mark, could you describe the settings of the set variable step I have to enter? Thanks!
With the ConfigMgr step Enable BitLocker I have another issue: it does not allow entering a PIN code with letters.
No problem :-). There is a task sequence action called "set task sequence variable". Just add one of these actions to the task sequence after the UDI wizard. There are only two things you have to configure in the action, the variable you want to set
and the value you want to set that variable to. The UDI wizard will create the variable BDEPin with a value equal to the PIN you enter in the UDI wizard page. So in your "set task sequence variable" action enter the variable name as OSDBitlockerPIN
and the value as %BDEPin%. This action will then create the OSDBitlockerPIN variable with the value that was stored in BDEPin by the UDI wizard. The built in SCCM action will then use this as the PIN rather than whatever value is configured in the task sequence
editor.
However the best solution would probably be to get the UDI wizard to set OSDBitlockerPIN rather than BDEPin in the first place. I think you can do this in the UDI wizard editor or directly in the XML. I don't use the editor these days so can't recall offhand.
I will take a look at this next week.
Most of the task sequence actions support variables and it enables you to configure the action dynamically at runtime. For example the same sequence can be used to deploy systems into different domains, languages, applications etc. all by setting variables.
It's the basis of how the UDI wizard works, it just sets variables which are then consumed by either MDT scripts or task sequence actions. The variables can be configured by UDI, collections, MDT customsettings.ini, MDT database or scripts. Dynamic deployment
is definitely the way to go :-).
I think you are correct about the built-in action not supporting enhanced PIN. I think it only supports standard numeric PIN. Whether setting the PIN via the variable works around a restriction in the task sequence editor I am not sure, I suspect not.
Mark. -
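As an added example (not Mark's code or anything posted in the thread above), here is the equivalent of the "Set Task Sequence Variable" step Mark describes, written as a PowerShell script for a "Run PowerShell Script" step placed after the UDI wizard. It assumes the UDI page stores the PIN in BDEPin and that the built-in Enable BitLocker step reads OSDBitLockerPIN, as discussed above. The digits-only check reflects the built-in step's numeric PIN limitation mentioned in the reply; the 4-20 digit range is an assumption to adjust to the PIN policy in use.

```powershell
# Added example: copy the UDI-supplied BDEPin into OSDBitLockerPIN, which the
# built-in "Enable BitLocker" step reads. Intended as a "Run PowerShell Script"
# task sequence step after the UDI wizard (assumption).
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

$pin = $tsenv.Value('BDEPin')
if ([string]::IsNullOrEmpty($pin)) {
    # Same effect as a step condition "BDEPin exists": leave things alone.
    Write-Output 'BDEPin not set by the UDI wizard; OSDBitLockerPIN left unchanged.'
    exit 0
}

# The built-in step takes numeric PINs only (no enhanced PINs). 4-20 digits is
# an assumed range; align it with the minimum PIN length policy you deploy.
if ($pin -notmatch '^\d{4,20}$') {
    Write-Output 'BDEPin is not a purely numeric 4-20 digit PIN; the built-in step would reject it.'
    exit 1
}

$tsenv.Value('OSDBitLockerPIN') = $pin
# Deliberately not echoing the PIN value: step output ends up in logs.
Write-Output 'OSDBitLockerPIN populated from BDEPin.'
```

Failing the step on a non-numeric PIN makes the problem visible where the variable is set, instead of as an opaque error in the Enable BitLocker step much later in the sequence.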
Pre-provision BitLocker and Server 2008 R2
Hi,
I am trying to pre-provision BitLocker during WinPE and then install Windows Server 2008 R2. This results in a BSOD after the operating system image has been applied. Does anyone know if pre-provisioning bitlocker is supported or works on Server 2008 R2
(like it works on Windows 7 SP1)?
On technet I found the following regarding Server 2012: http://technet.microsoft.com/en-us/library/jj612864.aspx
There it states:
For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before
the server operating system is installed as part of your deployment.
Has anyone pre-provisioned BitLocker on Server 2008 R2?
Regards,
Carl
I am creating the BDE partition as mentioned and have used pre-provisioning of BitLocker without issues on Win7, but the same thing does not seem to work on Server 2008 R2 and results in a BSOD. I suspect it could be related to the fact that BitLocker is not installed on Server 2008 R2 by default, so I'll try to add BitLocker using DISM and see if it makes any difference.
Another issue is that I have to create 2 partitions on the drive besides the BDEDrive (so 3 partitions in total); this messes up SCCM and it looks for the media in the wrong location, more info in this thread:
http://social.technet.microsoft.com/Forums/en-US/0b24b745-b890-494e-993c-1f1f307af960/configmgr-client-does-not-install-during-osd-trying-to-use-wrong-setup-path?forum=configmanagerosd#a4914c0d-1f56-4ba2-a745-b43fb0005e55
Carl -
OSD: bitlocker pre-provisioning, what's the mechanism?
Hi,
Please clarify the mechanism behind BitLocker pre-provisioning. We got it working fine, but in the pre-provisioning step the disk does NOT seem to be BitLockered. Only at the step to enable BitLocker does it seem BitLocker is enabled.
Where is the time gain then? Is there an article which could shed some light?
Please advise.
J.
Jan Hoedt
Hi,
Niall describes the process here:
http://www.windows-noob.com/forums/index.php?/topic/6451-how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/
The biggest benefit is that the disk is encrypted while it is empty, using used-space-only encryption, so that when the image is applied the disk is already encrypted and there is no need to wait at the end of the TS for the disk encryption to complete.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
Prestaged Media and Bitlocker Pre-Provisioning
Hi all
I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
What I can't get to work is both together.
In an ideal world, I would pre-provision BitLocker in the pre-staging task sequence before deploying the data image, but I can't get it to work.
If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
If I make the larger partition the boot partition, the BitLocker pre-provisioning task tells me that the disk is the OS image and fails to work.
Has anyone done this or have any ideas?
thanks
Stephen
I guess pre-provisioned BitLocker cannot work for booting Windows PE. This is why the system cannot boot.
The screenshot is a capture of the prestaged disk's BCD store. We can see the system boots from a ramdisk mounted from boot.wim. The process is different from a traditional system boot; the WIM cannot be booted from an encrypted disk.
Juke Chou
TechNet Community Support -
Can not install Windows 8.1 to a Bitlocker Pre-Provisioned volume
Hello,
I'll come straight to the point. What I'm trying to do is to install Windows 8.1 Enterprise to a Pre-Provisioned volume but Windows does not let me do that. The steps I've performed are.
With the Microsoft ADK I created a WinPE medium which has the components installed to get the manage-bde command working. I used the article hxxp://technet.microsoft.com/en-us/library/hh824926.aspx for that.
I prepared a USB stick with the manage-bde components on it and booted my test laptop with it.
Started diskpart and used the following commands in order to get a new clean partition:
Select Disk 0
clean
Create Partition Primary
Format fs=ntfs quick
Assign letter=c
exit
After that I pre-provisioned the volume with the command:
manage-bde -on -used c:
When I check with manage-bde -status it states that:
Conversion Status: Used Space Only encrypted
Percentage: 100
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Disabled
Key Protectors: None Found
OK. After that I use the net use command to map a network share with the Windows 8.1 x64 Enterprise installation media itself. I execute setup.exe without any parameters.
I can navigate all the way through the dialog "Where do you want to install Windows?". I can see there "Drive 0 Partition 1" with a total size of 119.2 GB and almost as much free space, BUT when I select it and click Next there comes only a warning dialog saying:
"We couldn't create a new partition or locate an existing one. For more information, see the Setup log files."
The best description of the problem I've found is in the file x:\windows\panther\setupact.log, where there are lines like:
BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encryption is enabled on the selected partition".
What am I missing here? Is there a special trick to get Windows installed on a pre-provisioned drive? I also loaded the correct driver for the disk controller, but no help. As soon as I clean the disk and create the partition anew without pre-provisioning I can install Windows without any problems.
Sorry for the long text. Hope someone of you has an idea.
Regards
Robert
"We couldn't create a new partition or locate an existing one. For more information, see the Setup log files."
The best description of the problem I've found is in the file x:\windows\panther\setupact.log, where there are lines like:
BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encryption is enabled on the selected partition".
Hi,
For this issue,when you assign letter,you need to mark a partition as active.
Using a command line
1.Open Command Prompt.
2.Type: diskpart
3.At the DISKPART prompt, type: list partition
Make note of the number of the partition that you want to mark as active.
4. At the DISKPART prompt, type: select partition n
Select the partition, n, that you want to mark as active.
5.At the DISKPART prompt, type:
active
Hope this helps.
Regards,
Kelvin Xu
TechNet Community Support -
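Added example, not code from the post or reply above: the disk layout that the ConfigMgr format step and other posts in this thread use (a small, unencrypted, active System partition plus the OS volume), scripted for WinPE, with only the OS volume pre-provisioned. Keeping the system partition unencrypted is what allows the boot code to load before the OS volume is unlocked. Assumptions: disk 0 is a BIOS/MBR disk, the WinPE image carries the WinPE-PowerShell optional component with its prerequisites plus WinPE-SecureStartup (which supplies manage-bde), and Windows Setup or the image apply step is afterwards pointed at the second partition.

```powershell
# Added example: partition disk 0 with a separate unencrypted System partition
# in WinPE, then pre-provision only the OS volume with used-space-only
# encryption. BIOS/MBR layout and the 350 MB system partition size are
# assumptions taken from the layouts described in this thread.
$diskpartScript = @"
select disk 0
clean
create partition primary size=350
format quick fs=ntfs label="System Reserved"
active
create partition primary
format quick fs=ntfs label="Windows"
assign letter=C
exit
"@

$scriptPath = Join-Path $env:TEMP 'layout.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Encrypt the empty OS volume now. No key protectors exist yet, so the volume
# stays readable for the image apply, but the data written later is already
# encrypted on disk.
manage-bde.exe -on C: -UsedSpaceOnly
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Verify: conversion done, and no protectors yet (those come after the OS is in).
$statusText = (manage-bde.exe -status C:) -join "`n"
if ($statusText -notmatch 'Used Space Only Encrypted') { throw 'C: is not used-space-only encrypted' }
if ($statusText -notmatch 'Key Protectors:\s*None Found') { throw 'Unexpected key protector present on C:' }
Write-Output 'C: pre-provisioned; system partition left unencrypted for boot.'
```

The verification at the end mirrors the manage-bde -status output quoted in Robert's post (Conversion Status "Used Space Only Encrypted", Key Protectors "None Found"), which is the state a pre-provisioned volume should be in before the OS image is applied.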
SCCM 2012 R2: OSD Windows 7 Bitlocker pre-provisioning
Hi,
I successfully configured BitLocker for Dell laptops during our W7 task sequence (thanks to this guide: http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/)
Now I want to do the same for HP; I found this link http://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html but it seems to be a config for AFTER installing Windows, not in WinPE.
During the TS, the OS reboots and then says "no OS found", so I'd need to enable the TPM/BitLocker differently.
Please advise (enabling BitLocker in the TS, WinPE phase (pre-provision BitLocker) for HP models).
J.
Jan Hoedt
Hi,
The pre-provisioning is the same for all vendors; it is the TPM part that differs from vendor to vendor, so you can use these steps to enable the TPM at the beginning of the Task Sequence and then let the pre-provisioning step enable BitLocker.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec -
Pre-Provisioning Bit Locker in MDT 2012 SP1 while using MBAM 2.5 - No Pin Required
Does anyone have some step by step instructions for pre-provisioning BitLocker? Through task sequences, we are currently able to BitLocker the computers, but it's the last set of tasks. I would like to BitLocker the computer while no data is on the
disk so it's faster, and then as it's imaging, the files are already encrypted.
Currently:
Creates BIOS Password
TPM turned on and enabled (using CCTK)
Remove Password
Registry changes
Installing MBAM 2.5
Removing Registry Entries
Any help would be appreciated!
Thanks
Rick
BitLocker pre-provisioning is available by default in MDT LiteTouch...
If you just want to pre-provision the drive without letting MDT LiteTouch enable any protectors (let MBAM do that), then just run the following command after the "Format and Partition" step in the Task Sequence:
x:\windows\system32\manage-bde.exe -on c: -UsedSpaceOnly
(or whatever drive letter the OS exists on in WinPE)
As an alternative, I would add a step just before the "Enable BitLocker (offline)" step in the task sequence:
BDEInstallSuppress=NO
isBDE=YES
then after the "Enable BitLocker (offline)" step in the Task Sequence, I would set the following:
isBDE=NO
Keith Garner - Principal Consultant [owner] -
http://DeploymentLive.com -
SCCM 2012 R2 OSD - Pre Provision Bit-Locker Drive Label Name Issues
I am trying to image machines Pre-provisioned for BitLocker. Everything works great in the Task Sequence except the Drive Label on Boot is "MININT-XXXXX" rather than the actual computer name. This happens whether the computer is known
or unknown.
The only other post regarding this issue I can find suggested changing the OSDComputerName variable name in the TS but that will not work because the hostname is set during the WinPE setup.
http://social.technet.microsoft.com/Forums/en-US/f9c6f565-e137-4c59-a8de-7314d9b88fe7/how-to-change-computername-on-bitlocker-pinrecovery-password-screen-drive-label?forum=mdt
I have tried to set the OSDComputerName variable during the Pre-Start and TS but the Drive Label always remains "MININT-XXXXX".
Any ideas?
First, in CustomSettings.ini or in a TS, set %OSDComputerName%.
Then just add this to a Run Command Line step in the task sequence before provisioning:
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
SCCM now believes the name of WinPE is %OSDComputerName%.
Joakim Tomren -
How to pre-provisioned N2K FEX(N2K-C2248TP-E-1GE) with Nexus 9372
HI Team,
Kindly assist for pre-provisioning the N2K(N2K-C2248TP-E-1GE) FEX with Nexus 9372.
Tried using the below commands just similar to/with Nexus 5K, but no luck with Nexus 9372
In case of 9K,
Nexus 9372# sh fex
FEX FEX FEX FEX
Number Description State Model Serial
103 Row C_Rack11_N2248TP Online N2K-C2248TP-E-1GE
105 Row D_Rack10_N2248TP Online N2K-C2248TP-E-1GE
Nexus 9372(config)# slot ?
*** No matching command found in current mode, matching in (exec) mode ***
<1> The slot number (aka module number)
Nexus 9372# slot ?
<1> The slot number (aka module number)
In case of 5K,
Nexus 5548(config)# slot ?
<1-199> Enter a slot number
Hello GN
The 2248/2224 FEX does auto-negotiate speed to either 100Mbps or 1000Mbps depending on what the far end is advertising. For duplex, the FEX only supports full duplex.
So if you hard code speed to 100 on the FEX and auto-negotiate on the far end, the far-end auto-negotiating device would do 100/half.
24-10-4948-1#sh run int gigabitEthernet 1/1
Building configuration...
Current configuration : 193 bytes
interface GigabitEthernet1/1
description ***used by prkrishn***
no switchport
ip address 1.1.1.100 255.255.255.0
logging event link-status
end
24-10-4948-1#sh int gigabitEthernet 1/1 status
Port Name Status Vlan Duplex Speed Type
Gi1/1 ***used by prkrish connected routed a-half a-100 10/100/1000-TX
24-10-4948-1#
GC-TAC-EFT-5596-A(config-if)# sh run int eth109/1/1
!Command: show running-config interface Ethernet109/1/1
!Time: Wed May 23 08:41:15 2012
version 5.2(1)N1(1)
interface Ethernet109/1/1
spanning-tree bpdufilter enable
speed 100
GC-TAC-EFT-5596-A(config-if)#
GC-TAC-EFT-5596-A(config-if)# sh int ethernet 109/1/1 counters errors
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards
Eth109/1/1 4 1 0 5 0 0
Port Single-Col Multi-Col Late-Col Exces-Col Carri-Sen Runts
Eth109/1/1 0 0 0 0 0 4
Port Giants SQETest-Err Deferred-Tx IntMacTx-Er IntMacRx-Er Symbol-Err
Eth109/1/1 0 -- 0 0 0 0
TDR is not supported on any interface on the Nexus 5000 and the message you see when you try it for FEX interfaces is misleading for sure. -
Provisioning BITLocker with Windows to Go via SCCM2012
Hello,
I am following this document http://technet.microsoft.com/en-us/library/jj651035.aspx to provision Windows to go via Pre-Staging.
The instructions on what to put in the pre-start command are a little woolly; as best I can make out, I am pasting this directly into the prestart command window:
dim env: set env = CreateObject("Microsoft.SMS.TSEnvironment")
dim logPath
logPath = env("_SMSTSLogPath")
env("OSDBitLockerPIN") = "password"
However, the task sequence falls flat when running the Bitlocker to go package, looking at the logs I see:
Failed to find Passphrase
I am running the package after the 'Configure Windows and SCCM Agent' step; of course the machine reboots into Windows here, so I am not convinced it is the right place to call the package.
Can someone who has done this before give me a quick hand please :)
Hello, any simple explanation for this? I'm running osdbitlocker_wtg.exe during the TS in OSD, and before enabling BitLocker I import all FVE reg settings which I exported from the BitLocker Group Policies. With those Group Policies I'm able to enable BitLocker
manually on a desktop on a WTG USB stick. -
Pre-provision TRK for SCCM 2012 R2 client
Hello,
Clients have some trouble establishing a trusted relationship with the management point. I found this article http://technet.microsoft.com/en-us/library/bb680504.aspx but this is for SCCM 2007; where can I find one for SCCM 2012 R2?
Do you have AD extended and is the site information properly published to AD in the System Management container?
What happens when you manually "push" a client?
What exactly is the entire command-line you are using to install the client?
The message above is not about the trusted root key, it clearly shows that MP being communicated with is not in the MPLIST returned. I can't say I've ever seen that before, but it is indicative of some other configuration type error.
Jason | http://blog.configmgrftw.com
Hello,
thank you for your message,
yes, AD was extended and System Management container has site info,
I have the same problems with push and manual installation,
I tried this command (specify key and site server cert and without it): C:\Client\ccmsetup.exe /mp:SCCM /logon SMSSITECODE:CM1 SMSPublicRootKey=<key> SMSSIGNCERT=<path to cert>
where <key> from a file and cert which was exported from site server.
Where is the MPList stored? We spent much time trying to solve this problem, even reinstalled SCCM on new servers with a new site code, but the problem is not solved.
After installation client tries to register on management point but there are errors in the different logs at same time:
Failed to verify signature of message received from MP using name 'SCCM.contoso.com.'
Failed to verify message. Sending MP [SCCM] not in cached MPLIST.
RegTask: Failed to send registration request message. Error: 0x87d00309 -
Backup TPM keys to Mbam 2.5 with Pre Provisonning not working
Hi
I am trying to save TPM owner password to Mbam 2.5 during TS, but can't get it to work.
I can see the Volume recovery keys do upload fine but not the TPM.
Basically what I do is
Make sure TPM is enabled in BIOS
Activate TPM in Winpe with Wmi script (objItem.SetPhysicalPresenceRequest(6)) so that the TPM is enabled and active but not owned. (this looks ok in the Task Sequence status messages)
Pre-Provision Bitlocker step in the TS
I install Mbam client during the Task Sequence
When the user logs on he gets prompted for a PIN (everything fine and working at this level)
By checking what happens with manage-bde I can see that the encryption is ok (used space only),
but the TPM password is never uploaded.
According to documentation,
http://technet.microsoft.com/en-us/library/dn456883.aspx, I should set a key protector, so I tried to set TPM only. I get a policy change prompt after logon but still no TPM password.
One problem I have is that I do not know exactly when the TPM ownership is taken by Mbam (or how to force it), as I don't see much info in the logs. Should the paths to the Mbam DB be defined during the TS so that the client at next reboot, uploads them
(like is the case when you start encryption with Mbam without pre provisioning) ?
I would like to keep if possible pre provisioning and used space only as I get the drives encrypted quickly and before the user gets the laptop.
Thanks in advance for your recommendations.
bruno
Hi,
I found a similar thread for your reference.
MBAM Manage TPM error "TPM owner password file is not found"
http://social.technet.microsoft.com/Forums/windows/en-US/d758604d-8bad-4fa8-975f-db446f6d11de/mbam-manage-tpm-error-tpm-owner-password-file-is-not-found?forum=w7itprosecurity#a3b20284-b9d6-4ae7-920c-b533dde94618
-
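Added example, not code from bruno's post or from MBAM: a check of the TPM state to run before the Pre-provision BitLocker step, in the spirit of the WMI activation the post describes. It assumes a WinPE image with the WinPE-WMI and WinPE-PowerShell components (or the full OS), and a later Restart Computer step conditioned on a task sequence variable named TPMRebootRequired, a name chosen here. Physical presence operation 6 (Enable + Activate) is the one the post uses; it does not take ownership, which is what leaves ownership for MBAM to take later. Firmware acts on the request at the next boot.

```powershell
# Added example: inspect TPM state via WMI and request "Enable + Activate"
# (physical presence operation 6) when needed, leaving ownership untouched
# so MBAM can take it and escrow the owner password.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM exposed to the OS (absent, or disabled in the BIOS)' }

$enabled   = [bool]($tpm.IsEnabled()).IsEnabled
$activated = [bool]($tpm.IsActivated()).IsActivated
$owned     = [bool]($tpm.IsOwned()).IsOwned
Write-Output "TPM enabled=$enabled activated=$activated owned=$owned"

if ($owned) {
    # MBAM can only escrow an owner password it knows; if something else took
    # ownership first, the volume still encrypts but no TPM password is escrowed.
    Write-Warning 'TPM is already owned: MBAM will not have an owner password to escrow for this TPM.'
}

if (-not ($enabled -and $activated)) {
    $r = $tpm.SetPhysicalPresenceRequest(6)
    if ($r.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest(6) failed: 0x{0:X8}' -f $r.ReturnValue)
    }
    # Firmware processes the request on the next boot (possibly with a physical
    # presence prompt unless the vendor tool suppresses it), so flag a restart
    # for the task sequence. The variable name is an assumption.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $tsenv.Value('TPMRebootRequired') = 'TRUE'
    } catch {
        Write-Output 'Not running inside a task sequence; reboot manually to apply the request.'
    }
}
```

Logging the enabled/activated/owned triple up front is the quickest way to tell a "TPM never activated" failure from the "TPM already owned" case bruno is chasing, since both look the same from the MBAM side.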
I am having trouble getting Bitlocker to start on deployment for Win7Ent and Win8Pro
If I enable bitlocker manually from within windows it works fine
Tpm is enabled
Partitions:
BDEDisk - Boot - Primary - 350 Mb - No Drive Letter
OSDisk - Primary - 100%
Ignore "Create Bitlocker Partition" as it is disabled; I am using the partition step for that.
Is there a log I am overlooking? I can't seem to find anything in SMSTS.log, but I am no expert in that log and can't seem to find any problems with anything when I do look.
We enable BitLocker in our task sequences and it always works. I do see some things that you don't have.
1) we do make sure tpm is already enabled (you said you have done this already)
2) Our partition disk step has one named "System Reserved (Primary)" and equals 350 mbs. Then we have another partition named "Windows (Primary)" using 100% of remaining disk space. NTFS (looks like
you may have this step)
3) In our task sequence, before "Apply Operating System", we have "Pre-provision Bitlocker". Destination is "Next available formatted partition". Check skip if TPM is not enabled. (looks like you disabled
this step)
4) After "Setup Windows and Configuration Manager", we have a step called "Enable Bitlocker". We have bitlocker key set to go to Active Directory. Be sure your active directory is setup for this. (I see
that you have this step enabled)
I'm going to assume maybe you're missing the pre-provision. re-enable that. This will fix your "prepare your drive for BL" issue.