Pre-provisioned Bitlocker

SCCM 2012 SP1 with MDT 2013 doing Windows 7 SP1 images. Can somebody who successfully sets up Bitlocker give me some guidance here. I'm looking at Niall's Noob article
http://www.niallbrady.com/2012/09/23/how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/ about using pre-provisioning.  I realise about setting up AD, and turning on the TPM chip etc. , but my
confusion is with the BDE variables needed if using the MDT client task sequence which I use
I see articles about adding variable into the customsettings.ini such as
bdedriverletter=S
bdedrivesize = 30000
etc. but isn't this handled by the MDT TS, which creates a hidden partition for Bitlocker anyway?
I have also seen some articles saying NOT to use the MDT version of the enable bitlocker step (which I believe runs ZTIBDE) but rather to use the SCCM step enable bitlocker.
Also, if using pre-provisioning, which seems to make sense, is it sensible to put the client files such as the Dell CCTK into the boot image?
Thanks
Ian Burnell, London (UK)

Hi,
I normally let the built-in format step create the BDEDrive partition, and I normally put the Dell CCTK files in a package instead and reference that package from the task sequence step instead of putting it in the WinPE image; it makes it much easier to
update if a new model requires a new version of the CCTK.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec

Similar Messages

  • MBAM Agent Key Escrow Issue After Pre-Provisioning Bitlocker in SCCM TS

    Hello, I'm having an issue with MBAM key escrow now that we have moved to using pre-provisioned Bitlocker. After imaging completes the initial key escrow works properly (the MBAM Agent transmits the Numerical Password key protector to the MBAM server) however
    the MBAM Agent no longer automatically changes the Numerical Password when the recovery code is revealed in the
    MBAM Drive Recovery console. As far as I can tell MBAM is supposed to change this on the user's computer within 90 minutes by default and this behavior cannot be changed.
    I have tested this using a previously-imaged computer that didn't use pre-provisioned Bitlocker. After revealing the recovery code in the MBAM console, the computer's Numerical Password protector was automatically changed as is expected. However
    on the computers imaged with the pre-provisioned Bitlocker this does not happen.
    Here are the versions of the software we're using:
    SCCM 2012 R2
    Windows 7 Enterprise SP1 x64
    MBAM Agent v2.0.5301.1
    The task sequence steps we are using consist of:
    Ensure TPM is activated
    Format and partition drive 
    Pre-provision Bitlocker, Encrypt Used Space Only mode
    Apply Windows 7 image, install drivers and software, etc
    Use manage-bde to set key protectors (-TPM and -RecoveryPassword)
    Run the MBAM activation script
    Use manage-bde to turn on Bitlocker on the drive
    There are no error messages displayed and I can't see anything in the Event Viewer which would point to the root cause. The MBAM logs in Event Viewer are all Operational logs which simply state that the
    'MBAM policies were applied successfully'.
    Is this a known issue with pre-provisioned Bitlocker and MBAM? I haven't been able to find any information regarding this issue so any help would be greatly appreciated.
    Thanks,
    Justin.

    According to the
    MBAM TechNet documentation the client should log in the Microsoft-Windows-MBAM/Operational
    section of Event Viewer. However:
    The test computers do not show any error messages in the MBAM Operational log section. The only entries present are Information events
    that state "The MBAM policies were applied successfully"
    The test computers also don't seem to show any general Security or System Error logs related to Bitlocker or MBAM
    According to the TechNet documentation listed above, when a machine has its Numerical Password reset there should be a
    'RecoveryKeyReset' event logged. However on the laptop where MBAM is changing the Numerical Password I do NOT see this event (though I have confirmed with manage-bde that the recovery password was changed successfully). The only events I see
    are, again, Operational logs for Information events that state "The
    MBAM policies were applied successfully".
    I'm not sure why there aren't any errors logged, or why that laptop isn't generating that RecoveryKeyReset event like it should. As far as I can tell there isn't any way to change what the MBAM client logs, right? I didn't see any logs in AppData or Program
    Data so I have to assume everything is supposed to be logged in Event Viewer.

  • Pre-provision bitlocker during OSD with a Windows 7 Enterprise image fails at Enable Bitlocker - SCCM 2012 SP1 beta

    I'm trying the SP1 feature to pre-provision bitlocker during OSD, using an MDT integrated task sequence.  It seems like the pre-provision part is working, but when the task sequence tries to enable bitlocker after installing the
    OS, it fails.  ZTIBDE.log contains the following:
    Property UDI is now = ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Microsoft Deployment Toolkit version: 6.1.2373.0 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    The task sequencer log is located at C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    System drive is: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    The deployment method is using ConfigMgr. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Property BdeInstallSuppress is now = NO ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This script is not currently running in Windows PE ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    We are running a OS that supports BitLocker ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This is a Refresh Build where BDE protectors were disabled. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    OS Version is Windows 7 or higher. ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Encryptable Volume Count:1 ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Attempting to bind to: C: ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Success setting oBdeVol ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    BDE Instance Bind Complete ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    Attempting to enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    FAILURE ( 6767 ): -2144272377 0x80310007: Enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)
    This laptop is in an OU with bitlocker related settings applied via GPO, including allowing enhanced PINs, requiring backup of the recovery passwords and key packages to AD, and to require TPM+PIN for the startup authentication.  
    Bitlocker provisioning is working on my production server using only MDT (No SCCM), with a task sequence deploying Windows 7.  I copied some of the variables from the customsettings.ini over to a collection variable in SCCM for
    the collection I'm testing deployment to. Putting those same variables in collection variables should work the same as if they were in the custom settings, but only for members of that collection, right?
    The variables set in the collection variables area are
    BDEInstall - TPMPIN
    BDEInstallSuppress - NO
    BDEPin - SET
    BDERecoveryKey - AD
    BDERecoveryPassword - TRUE
    TPMOwnerPassword - SET
OSDBitlockerMode - TPMPin (This one wasn't copied from the other MDT share, but added just for SCCM.)
    I didn't copy the BDEWaitforEncryption variable, it didn't seem like that one would be necessary with the pre-provisioning.   What am I doing wrong here?
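The ZTIBDE.log excerpt above ends in a FAILURE line carrying the HRESULT as a signed decimal and as hex. The script below is an added example, not part of this thread or of MDT: it pulls FAILURE lines out of MDT-style log lines and decodes the HRESULT into severity, facility and error code, so you can tell at a glance whether the failure came from BitLocker itself (facility 49, FACILITY_FVE) or from somewhere else. The symbolic-name table is a partial one copied from winerror.h, the sample lines are constructed from the entries quoted in the post, and the log path in the trailing comment is a placeholder.

```powershell
# Added example (not from the thread): pull FAILURE lines out of an MDT ZTIBDE.log and decode the
# HRESULT they carry. Sample lines are constructed from the post above; the log path is a placeholder.

# Partial symbolic-name table for BitLocker (FVE) HRESULTs, taken from winerror.h.
$FveNames = @{
    0x80310001 = 'FVE_E_NOT_ENCRYPTED'
    0x80310007 = 'FVE_E_SECURE_KEY_REQUIRED'
    0x80310018 = 'FVE_E_TPM_NOT_OWNED'
    0x80310021 = 'FVE_E_PROTECTION_DISABLED'
}

function ConvertTo-HResultInfo {
    param([Parameter(Mandatory)][long]$Code)
    # MDT writes the HRESULT as a signed decimal; mask to 32 bits to recover the usual hex form.
    $u = $Code -band 0xFFFFFFFF
    [pscustomobject]@{
        Hex       = ('0x{0:X8}' -f $u)
        IsError   = (($u -shr 31) -eq 1)              # severity bit set means failure
        Facility  = [int](($u -shr 16) -band 0x7FF)   # 49 (0x31) is FACILITY_FVE, i.e. BitLocker
        ErrorCode = [int]($u -band 0xFFFF)
        Name      = $FveNames[$u]                     # $null when the code is not in the partial table
    }
}

function Get-MdtLogFailure {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # MDT line layout: "<message> <component> <date> <time> <type> (0x....)"
    $linePattern = '^(?<msg>.*)\s+(?<comp>\S+)\s+(?<date>\d{1,2}/\d{1,2}/\d{4})\s+(?<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+\s+\(0x[0-9A-Fa-f]+\)\s*$'
    $failPattern = 'FAILURE\s*\(\s*(?<script>\d+)\s*\):\s*(?<dec>-?\d+)\s+0x[0-9A-Fa-f]{8}:\s*(?<step>.*)$'
    foreach ($line in $LogLines) {
        if ($line -match $linePattern) {
            $msg  = $Matches['msg']
            $when = '{0} {1}' -f $Matches['date'], $Matches['time']
            if ($msg -match $failPattern) {
                $info = ConvertTo-HResultInfo -Code ([long]$Matches['dec'])
                [pscustomobject]@{
                    When       = $when
                    Step       = $Matches['step'].Trim()
                    ScriptCode = [int]$Matches['script']   # MDT's own error number (6767 above)
                    HResult    = $info.Hex
                    Name       = $info.Name
                    Facility   = $info.Facility
                    ErrorCode  = $info.ErrorCode
                }
            }
        }
    }
}

# Constructed sample mirroring the quoted ZTIBDE.log entries.
$sampleLog = @(
    'Attempting to enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)',
    'FAILURE ( 6767 ): -2144272377 0x80310007: Enable BDE Protectors ZTIBde 11/14/2012 5:04:42 PM 0 (0x0000)'
)
Get-MdtLogFailure -LogLines $sampleLog | Format-List

# Against a real log (placeholder path; MDT keeps it in the deployment log folder of the build):
# Get-MdtLogFailure -LogLines (Get-Content 'C:\<DeploymentLogs>\ZTIBDE.log')
```

For the quoted line this yields HResult 0x80310007, Facility 49 and Name FVE_E_SECURE_KEY_REQUIRED: the error was raised by BitLocker while enabling protectors, not by the task sequence engine or WMI, which is the first thing to establish before changing collection variables. The symbolic name is only a starting point; the authoritative description lives in winerror.h.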

    If not you could add a set variable action to your task sequence after the UDI wizard to set OSDBitLockerPIN to %BDEPin%. You could add a condition to the action to only run if BDEPin exists.
I don't quite follow how I can switch between these variables. I admit I sometimes have difficulties understanding the variables. Could you, Mark, describe the settings of the set variable step I have to enter? Thanks!
With the ConfigMgr step Enable Bitlocker I have another issue - it does not allow me to enter a PIN code with letters.
    No problem :-). There is a task sequence action called "set task sequence variable". Just add one of these actions to the task sequence after the UDI wizard. There are only two things you have to configure in the action, the variable you want to set
    and the value you want to set that variable to. The UDI wizard will create the variable BDEPin with a value equal to the PIN you enter in the UDI wizard page. So in your "set task sequence variable" action enter the variable name as OSDBitlockerPIN
and the value as %BDEPin%. This action will then create the OSDBitlockerPIN variable with the value that was stored in BDEPin by the UDI wizard. The built-in SCCM action will then use this as the PIN rather than whatever value is configured in the task sequence
editor.
    However the best solution would probably be to get the UDI wizard to set OSDBitlockerPIN rather than BDEPin in the first place. I think you can do this in the UDI wizard editor or directly in the XML. I don't use the editor these days so can't recall offhand.
    I will take a look at this next week.
    Most of the task sequence actions support variables and it enables you to configure the action dynamically at runtime. For example the same sequence can be used to deploy systems into different domains, languages, applications etc. all by setting variables.
    It's the basis of how the UDI wizard works, it just sets variables which are then consumed by either MDT scripts or task sequence actions. The variables can be configured by UDI, collections, MDT customsettings.ini, MDT database or scripts. Dynamic deployment
    is definitely the way to go :-).
    I think you are correct about the built-in action not supporting enhanced PIN. I think it only supports standard numeric PIN. Whether setting the PIN via the variable works around a restriction in the task sequence editor I am not sure, I suspect not.
    Mark.
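The same variable copy Mark describes with a "Set Task Sequence Variable" step can be done from a Run PowerShell Script step, which lets you add the "only if BDEPin exists" condition and the numeric-PIN check in one place. This is an added example, not code from the thread or from ConfigMgr; it assumes the standard Microsoft.SMS.TSEnvironment COM object and its .Value("Name") accessor, and the 4-20 digit bound is an assumption taken from BitLocker's PIN limits (minimum length is policy-controlled). The variable names BDEPin and OSDBitLockerPIN are the ones from the thread.

```powershell
# Added example (not from the thread): copy the UDI wizard's BDEPin into OSDBitLockerPIN,
# skipping when BDEPin is absent and refusing PINs the built-in Enable BitLocker step cannot take.
# Assumes the Microsoft.SMS.TSEnvironment COM object (only available while a task sequence runs).

function Test-NumericBitLockerPin {
    param([string]$Pin)
    # Built-in step takes a numeric PIN; 4-20 digits is an assumption based on BitLocker's limits.
    return ($Pin -match '^\d{4,20}$')
}

function Copy-BdePinToOsdVariable {
    param(
        [Parameter(Mandatory)]$TsEnv,              # object exposing .Value("Name"), i.e. TSEnvironment
        [string]$Source = 'BDEPin',
        [string]$Target = 'OSDBitLockerPIN'
    )
    $pin = $TsEnv.Value($Source)
    if ([string]::IsNullOrEmpty($pin)) {
        # Condition "only run if BDEPin exists": nothing to copy, the step's own value stays in force.
        return 'skipped'
    }
    if (-not (Test-NumericBitLockerPin $pin)) {
        # An enhanced (alphanumeric) PIN the built-in action would reject; do not pass it on.
        return 'rejected'
    }
    $TsEnv.Value($Target) = $pin
    return 'set'
}

try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment }
catch { $tsenv = $null }

if ($null -eq $tsenv) {
    Write-Output 'Not running inside a task sequence; nothing to do.'
} else {
    $result = Copy-BdePinToOsdVariable -TsEnv $tsenv
    # Log only the outcome, never the PIN value itself (smsts.log is readable on the client).
    Write-Output "OSDBitLockerPIN: $result"
    if ($result -eq 'rejected') { exit 1 }   # fail visibly rather than encrypt with the editor's default PIN
}
```

Placing this after the UDI wizard and before the built-in Enable BitLocker step gives the behaviour Mark outlines, with the difference that an alphanumeric PIN stops the sequence instead of silently falling back to whatever PIN is configured in the task sequence editor.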

  • Pre-provision BitLocker and Server 2008 R2

    Hi,
    I am trying to pre-provision BitLocker during WinPE and then install Windows Server 2008 R2. This results in a BSOD after the operating system image has been applied. Does anyone know if pre-provisioning bitlocker is supported or works on Server 2008 R2
    (like it works on Windows 7 SP1)?
    On technet I found the following regarding Server 2012: http://technet.microsoft.com/en-us/library/jj612864.aspx
    There it states:
    For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before
    the server operating system is installed as part of your deployment.
    Has anyone pre-provisioned BitLocker on Server 2008 R2?
    Regards,
    Carl

    I am creating the BDE partition as mentioned and have used pre-provisioning of bitlocker without issues on win7, but the same thing does not seem to work on server 2008 r2 and results in BSOD. I suspect it could be related to the fact that BitLocker is not
    installed on server 2008 r2 by default, so I'll try to add bitlocker using DISM and see if it makes any difference. 
    Another issue is that I have to create 2 partitions on the drive besides the BDEDrive (so 3 partitions in total), this messes up SCCM and it looks for the media from the wrong location, more info in this thread:
     http://social.technet.microsoft.com/Forums/en-US/0b24b745-b890-494e-993c-1f1f307af960/configmgr-client-does-not-install-during-osd-trying-to-use-wrong-setup-path?forum=configmanagerosd#a4914c0d-1f56-4ba2-a745-b43fb0005e55
    Carl

  • OSD: bitlocker pre-provisioning, what's the mechanism?

    Hi,
Please clarify the mechanism behind bitlocker pre-provisioning. We got it working fine, but in the pre-provisioning step the disk does NOT seem to be Bitlockered. Only at the step to enable bitlocker does it seem that bitlocker is enabled.
    Where is the time gain then? Is there an article which could shed some light?
    Please advise.
    J.
    Jan Hoedt

    Hi,
    Niall describes the process here:
    http://www.windows-noob.com/forums/index.php?/topic/6451-how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/
The biggest benefit is that the disk is encrypted while it is empty, using used-space-only encryption, so that when the image is applied the disk is already encrypted and there is no time to wait at the end of the TS for the disk encryption to complete.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Prestaged Media and Bitlocker Pre-Provisioning

    Hi all
    I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
    I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
    I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
What I can't get to work is both together.
In an ideal world, I would pre-provision the bitlocker in the pre-staging task sequence before deploying the data image, but I can't get it to work.
If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
If I make the larger partition the boot partition, the bitlocker pre-provisioning task tells me that the disk is the OS image and fails to work.
    has anyone done this or have any ideas?
    thanks
    Stephen

I guess the pre-provision bitlocker cannot work for booting Windows PE. This is why the system cannot boot.
The screenshot is a capture of the prestage disk BCD store. We can see the system boots from a ramdisk mounted from boot.wim. The process is different from a traditional system boot; the wim cannot be booted from an encrypted disk.
    Juke Chou
    TechNet Community Support

  • Can not install Windows 8.1 to a Bitlocker Pre-Provisioned volume

    Hello,
I'll come straight to the point. What I'm trying to do is to install Windows 8.1 Enterprise to a Pre-Provisioned volume but Windows does not let me do that. The steps I've performed are:
With Microsoft ADK I created a WinPE media which has the components installed to get the manage-bde command working. I used the article hxxp://technet.microsoft.com/en-us/library/hh824926.aspx for that.
I prepared a USB stick with the manage-bde components on it and booted my test laptop with it.
Started diskpart and used these commands in order to get a new clean partition:
    Select Disk 0
    clean
    Create Partition Primary
    Format fs=ntfs quick
    Assign letter=c
    exit
    After that I pre-provisioned the volume with the command:
    manage-bde -on -used c:
    When I check with manage-bde -status it states that:
    Conversion Status: Used Space Only encrypted
    Percentage: 100
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: Unknown
    Automatic Unlock: Disabled
    Key Protectors: None Found
    OK. After that I use the net use command to map a network share with the Windows 8.1 x64 Enterprise installation media itself. I execute setup.exe without any parameters.
    I can navigate all the way through the dialog "Where do you want to install Windows?". I can see there now "Drive0Partition 1" with a Total size of 119.2 GB and almost as many free space BUT when I select it and click next there comes
    only a warning dialog saying:
    We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
    The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
    BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
What am I missing here? Is there a special trick to get Windows installed on a pre-provisioned drive? I also loaded the correct driver for the disk controller but no help. As soon as I clean the disk and create the partition anew without pre-provisioning
I can install Windows without any problems.
    Sorry for the long text. Hope someone of you has an idea.
    Regards
    Robert

    We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
    The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
    BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
    Hi,
For this issue, when you assign a letter, you need to mark a partition as active.
    Using a command line
    1.Open Command Prompt.
    2.Type: diskpart
    3.At the DISKPART prompt, type: list partition
    Make note of the number of the partition that you want to mark as active.
4.At the DISKPART prompt, type: select partition n
Select the partition, n, you want to mark as active.
    5.At the DISKPART prompt, type:
    active
    Hope this helps.
    Regards,
    Kelvin Xu
    TechNet Community Support
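Robert's manage-bde -status block shows exactly what a pre-provisioned volume looks like, and it also answers Jan's "what's the mechanism" question in the thread above: the data is encrypted (used-space-only), but Protection Status is Off and there are no key protectors, so nothing is protecting the volume until the Enable BitLocker step adds protectors. The script below is an added example, not from either thread or from Microsoft: it parses manage-bde -status output into fields and reports whether a volume is in that pre-provisioned-but-unprotected state. The sample text is constructed from the status block quoted above, and the field labels it matches are the English ones manage-bde prints.

```powershell
# Added example (not from the thread): classify a volume from "manage-bde -status <drive>" output.
# Pre-provisioned means: encrypted (used space only or fully), protection off, no key protectors.
# Field names assume English manage-bde output; sample text is constructed from the post above.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Field lines look like "    Conversion Status:    Used Space Only encrypted"
        if ($line -match '^\s*(?<name>[A-Za-z ]+?)\s*:\s*(?<value>.+?)\s*$') {
            $fields[$Matches['name']] = $Matches['value']
        }
    }
    return $fields
}

function Test-PreProvisionedVolume {
    param([Parameter(Mandatory)][hashtable]$Status)
    $conversion    = $Status['Conversion Status']
    $encrypted     = ($conversion -eq 'Used Space Only encrypted') -or ($conversion -eq 'Fully Encrypted')
    $protectionOff = ($Status['Protection Status'] -eq 'Protection Off')
    # When protectors exist, manage-bde lists them on following lines and the field itself is empty,
    # so 'None Found' is the only value that means "no protectors".
    $noProtectors  = ($Status['Key Protectors'] -eq 'None Found')
    [pscustomobject]@{
        Encrypted       = $encrypted
        ProtectionOff   = $protectionOff
        NoKeyProtectors = $noProtectors
        PreProvisioned  = ($encrypted -and $protectionOff -and $noProtectors)   # encrypted but not yet protected
        Protected       = ($encrypted -and -not $protectionOff -and -not $noProtectors)
    }
}

# Constructed sample mirroring the output quoted in the thread.
$sample = @(
    'Conversion Status:    Used Space Only encrypted',
    'Percentage:           100',
    'Protection Status:    Protection Off',
    'Lock Status:          Unlocked',
    'Identification Field: Unknown',
    'Automatic Unlock:     Disabled',
    'Key Protectors:       None Found'
)
Test-PreProvisionedVolume -Status (ConvertFrom-ManageBdeStatus -Lines $sample)

# Live check in WinPE or a task sequence step (use whatever letter the OS volume has there):
# Test-PreProvisionedVolume -Status (ConvertFrom-ManageBdeStatus -Lines (manage-bde -status C:))
```

For the sample this reports PreProvisioned = True and Protected = False. Run before the Apply Operating System step it confirms that pre-provisioning took; run after Enable BitLocker it should flip to Protected = True, and a volume that still shows PreProvisioned at that point has been imaged onto encrypted sectors whose key is sitting unprotected on the disk.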

  • SCCM 2012 R2: OSD Windows 7 Bitlocker pre-provisioning

    Hi,
I successfully configured bitlocker for Dell laptops during our W7 task sequence (thanks to this guide: http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/)
Now I want to do the same for HP, found this link http://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html but it seems a config for AFTER installing Windows, not in WINPE.
During the TS, the OS reboots and then says "no OS found", so I'd need to enable the TPM/bitlocker differently.
Please advise (enabling bitlocker in TS, WINPE phase (pre-provision bitlocker) for HP models).
    J.
    Jan Hoedt

    Hi,
The pre-provisioning is the same for all vendors; it is the TPM part that is different from vendor to vendor, so you can use these steps to enable TPM in the beginning of the Task Sequence and then let the pre-provisioning step enable bitlocker.
    Regards,
    jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Pre-Provisioning Bit Locker in MDT 2012 SP1 while using MBAM 2.5 - No Pin Required

    Does anyone have some step by step instructions for Pre-Provisioning Bit Locker. Through task sequences, we are currently able to bit locker the computers but it's the last set of tasks.  I would like to Bit Locker the computer while no data is on the
    disc so it's faster and then as its imaging, the files are already encrypted.
    Currently:
    Creates BIOS Password
    TPM turned on and enabled (using CCTK)
    Remove Password
    Registry changes
    Installing MBAM 2.5
    Removing Registry Entries
    Any help would be appreciated!
    Thanks
    Rick

Bitlocker Pre-Provisioning is available by default on MDT Litetouch...
If you just want to pre-provision the drive without letting MDT LiteTouch enable any protectors (let MBAM do that) then just run the following command after the "Format and Partition" step in the Task Sequence:
x:\windows\system32\manage-bde.exe -on c: -used
(OR whatever drive letter the OS exists on in WinPE)
As an alternative, I would add a step just before the "Enable Bitlocker (offline)" step in the task sequence:
    BDEInstallSuppress=NO
    isBDE=YES
then after the "Enable Bitlocker (offline)" step in the Task Sequence, I would set the following:
    isBDE=NO
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • SCCM 2012 R2 OSD - Pre Provision Bit-Locker Drive Label Name Issues

    I am trying to image machines Pre-provisioned for BitLocker.  Everything works great in the Task Sequence except the Drive Label on Boot is "MININT-XXXXX" rather than the actual computer name.  This happens whether the computer is known
    or unknown.
    The only other post regarding this issue I can find suggested changing the OSDComputerName variable name in the TS but that will not work because the hostname is set during the WinPE setup.
    http://social.technet.microsoft.com/Forums/en-US/f9c6f565-e137-4c59-a8de-7314d9b88fe7/how-to-change-computername-on-bitlocker-pinrecovery-password-screen-drive-label?forum=mdt
    I have tried to set the OSDComputerName variable during the Pre-Start and TS but the Drive Label always remains "MININT-XXXXX".
    Any ideas?

    First in Customsettings.ini or in a TS set the %OSDComputerName%
    Then just add this to a Command in the task sequence before provisioning.
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    SCCM now believes the name of winpe is %OSDComputerName%
    Joakim Tomren

  • How to pre-provisioned N2K FEX(N2K-C2248TP-E-1GE) with Nexus 9372

Hi Team,
    Kindly assist for pre-provisioning the N2K(N2K-C2248TP-E-1GE) FEX with Nexus 9372.
    Tried using the below commands just similar to/with Nexus 5K, but no luck with Nexus 9372
    In case of 9K,
    Nexus 9372# sh fex
      FEX         FEX           FEX                       FEX              
    Number    Description      State            Model            Serial    
    103  Row C_Rack11_N2248TP                Online   N2K-C2248TP-E-1GE  
    105  Row D_Rack10_N2248TP                Online   N2K-C2248TP-E-1GE 
    Nexus 9372(config)# slot ?
    *** No matching command found in current mode, matching in (exec) mode ***
      <1>  The slot number (aka module number)
    Nexus 9372# slot ?
      <1>  The slot number (aka module number)
    In case of 5K,
    Nexus 5548(config)# slot ?
      <1-199>  Enter a slot number

    Hello GN
    2248/2224 FEX does auto-negotiate speed to either 100Mbps or 1000Mbps depending on what the far end is advertising. For duplex, the FEX only supports full duplex.
    So if you hard code speed to 100 on the FEX and auto-negotiating on the far end, the far end autonegotiating device would do 100/half.
    24-10-4948-1#sh run int gigabitEthernet 1/1
    Building configuration...
    Current configuration : 193 bytes
    interface GigabitEthernet1/1
    description ***used by prkrishn***
    no switchport
    ip address 1.1.1.100 255.255.255.0
    logging event link-status
    end
    24-10-4948-1#sh int gigabitEthernet 1/1 status
    Port      Name               Status       Vlan       Duplex  Speed Type
    Gi1/1     ***used by prkrish connected    routed     a-half  a-100 10/100/1000-TX
    24-10-4948-1#
    GC-TAC-EFT-5596-A(config-if)# sh run int eth109/1/1
    !Command: show running-config interface Ethernet109/1/1
    !Time: Wed May 23 08:41:15 2012
    version 5.2(1)N1(1)
    interface Ethernet109/1/1
      spanning-tree bpdufilter enable
      speed 100
    GC-TAC-EFT-5596-A(config-if)#
    GC-TAC-EFT-5596-A(config-if)# sh int ethernet 109/1/1 counters errors
    Port          Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
    Eth109/1/1         4          1          0          5          0           0
    Port         Single-Col  Multi-Col   Late-Col  Exces-Col  Carri-Sen       Runts
    Eth109/1/1         0          0          0          0          0           4
    Port          Giants SQETest-Err Deferred-Tx IntMacTx-Er IntMacRx-Er Symbol-Err
    Eth109/1/1         0          --           0           0           0          0
    TDR is not supported on any interface on the Nexus 5000 and the message you see when you try it for FEX interfaces is misleading for sure.

  • Provisioning BITLocker with Windows to Go via SCCM2012

    Hello,
    I am following this document http://technet.microsoft.com/en-us/library/jj651035.aspx to provision Windows to go via Pre-Staging.
    The instructions on what to put in the pre-start command is a little wooly, as best I can make out, I am pasting this directly in in prestart command window:
' Get the task sequence environment (the curly quotes from the copy/paste would be a syntax error)
dim env: set env = CreateObject("Microsoft.SMS.TSEnvironment")
dim logPath
logPath = env("_SMSTSLogPath")
' Set the PIN the BitLocker step will consume
env("OSDBitLockerPIN") = "password"
    However, the task sequence falls flat when running the Bitlocker to go package, looking at the logs I see:
    Failed to find Passphrase
    I am running the package after the 'Configure Windows and SCCM Agent' step; OC the machine re-boots into windows here so I am not convinced it is the right place to call the package.
Can someone who has done this before give me a quick hand please :)

Hello, any simple explanation for this? I'm running osdbitlocker_wtg.exe during TS in OSD, and before enabling bitlocker, I import all EVE reg settings which I exported from Bitlocker Group Policies. With those Group Policies, I'm able to enable bitlocker
manually on a desktop on a WTG USB stick.

  • Pre-provision TRK for SCCM 2012 R2 client

    Hello,
    Clients have some troubles with establishing trusted relationship with management point, I found this article http://technet.microsoft.com/en-us/library/bb680504.aspx but this for SCCM 2007, where can I find for SCCM 2012 R2?

    Do you have AD extended and is the site information properly published to AD in the System Management container?
    What happens when you manually "push" a client?
    What exactly is the entire command-line you are using to install the client?
    The message above is not about the trusted root key, it clearly shows that MP being communicated with is not in the MPLIST returned. I can't say I've ever seen that before, but it is indicative of some other configuration type error.
    Jason | http://blog.configmgrftw.com
    Hello,
    thank you for your message,
    yes, AD was extended and System Management container has site info,
    I have the same problems with push and manual installation,
    I tried this command (specify key and site server cert and without it): C:\Client\ccmsetup.exe /mp:SCCM /logon SMSSITECODE:CM1 SMSPublicRootKey=<key> SMSSIGNCERT=<path to cert>
    where <key> from a file and cert which was exported from site server.
Where is MPList stored? We spent much time trying to solve this problem, even reinstalled SCCM on new servers with a new site code, but the problem is not solved.
    After installation client tries to register on management point but there are errors in the different logs at same time:
    Failed to verify signature of message received from MP using name 'SCCM.contoso.com.'
    Failed to verify message. Sending MP [SCCM] not in cached MPLIST.
    RegTask: Failed to send registration request message. Error: 0x87d00309

• Backup TPM keys to Mbam 2.5 with Pre Provisioning not working

    Hi
    I am trying to save TPM owner password to Mbam 2.5 during TS, but can't get it to work.
    I can see the Volume recovery keys do upload fine but not the TPM.
    Basically what I do is
    Make sure TPM is enabled in BIOS
    Activate TPM in Winpe with Wmi script (objItem.SetPhysicalPresenceRequest(6)) so that the TPM is enabled and active but not owned. (this looks ok in the Task Sequence status messages)
    Pre-Provision Bitlocker step in the TS
    I install Mbam client during the Task Sequence
    When the user logs on he gets prompted for a PIN (everything fine and working at this level)
    By checking what happens with manage-bde I can see that the encryption is ok (used space only),
    but the TPM password is never uploaded.
    According to documentation,
    http://technet.microsoft.com/en-us/library/dn456883.aspx, I should set a key protector, so I tried to set TPM only. I get a policy change prompt after logon but still no TPM password.
    One problem I have is that I do not know exactly when the TPM ownership is taken by Mbam (or how to force it), as I don't see much info in the logs. Should the paths to the Mbam DB be defined during the TS so that the client at next reboot, uploads them
    (like is the case when you start encryption with Mbam without pre provisioning) ?
    I would like to keep if possible pre provisioning and used space only as I get the drives encrypted quickly and before the user gets the laptop.
    Thanks in advance for your recommendations.
bruno

    Hi,
    I found a similar thread for your reference.
    MBAM Manage TPM error "TPM owner password file is not found"
    http://social.technet.microsoft.com/Forums/windows/en-US/d758604d-8bad-4fa8-975f-db446f6d11de/mbam-manage-tpm-error-tpm-owner-password-file-is-not-found?forum=w7itprosecurity#a3b20284-b9d6-4ae7-920c-b533dde94618

  • Bitlocker Not Enabling

    I am having trouble getting Bitlocker to start on deployment for Win7Ent and Win8Pro
    If I enable bitlocker manually from within windows it works fine
    Tpm is enabled
    Partitions:
    BDEDisk - Boot - Primary - 350 Mb - No Drive Letter
    OSDisk - Primary - 100%
    Ignore "Create Bitlocker Partition" as disabled as I am using partition step for that
Is there a log I am overlooking? I can't seem to find anything in SMSTS.log, but I am no expert in that log and can't seem to find any problems with anything when I do look.

    We enable bitlocker on our task sequences and it always works.   I do see some things that you don't have.
    1)  we do make sure tpm is already enabled (you said you have done this already)
    2)  Our partition disk step has one named "System Reserved (Primary)" and equals 350 mbs.    Then we have another partition named "Windows (Primary)"  using 100% of remaining disk space.  NTFS  (looks like
    you may have this step)
    3)  In our task sequence, before "Apply Operating System", we have "Pre-provision Bitlocker".   Destination is "Next available formatted partition".  Check skip if TPM is not enabled. (looks like you disabled
    this step)
    4)  After "Setup Windows and Configuration Manager", we have a step called "Enable Bitlocker".     We have bitlocker key set to go to Active Directory.   Be sure your active directory is setup for this.  (I see
    that you have this step enabled)
    I'm going to assume maybe you're missing the pre-provision.  re-enable that.  This will fix your "prepare your drive for BL" issue.
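Both this reply and bruno's thread above turn on the TPM being in the right state before the Pre-provision BitLocker step: enabled and activated here, and (for MBAM's owner-password escrow) whether it is owned. The script below is an added example, not from either thread: a read-only readiness check using the Win32_Tpm WMI class in root\cimv2\Security\MicrosoftTpm and its IsEnabled, IsActivated and IsOwned methods. It issues no physical-presence or ownership requests, so it can run in WinPE before pre-provisioning or in Windows when troubleshooting, and its exit code can drive a condition on the following steps.

```powershell
# Added example (not from the thread): read-only TPM readiness check for the "make sure TPM is
# enabled" step. Uses the Win32_Tpm WMI class; it changes nothing on the TPM.

function Get-TpmReadiness {
    param([Parameter(Mandatory)]$Tpm)   # Win32_Tpm instance (or any object with the same three methods)
    $enabled   = [bool]$Tpm.IsEnabled().IsEnabled
    $activated = [bool]$Tpm.IsActivated().IsActivated
    $owned     = [bool]$Tpm.IsOwned().IsOwned
    [pscustomobject]@{
        Enabled              = $enabled
        Activated            = $activated
        Owned                = $owned       # bruno's case: enabled and active but not owned after WinPE
        ReadyForPreProvision = ($enabled -and $activated)   # the state "Skip if TPM is not enabled" tests for
    }
}

function Get-TpmInstance {
    # $null when there is no TPM, it is hidden by firmware, or the TPM driver is not in this WinPE.
    try {
        Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    } catch {
        $null
    }
}

$tpm = Get-TpmInstance
if ($null -eq $tpm) {
    Write-Output 'No Win32_Tpm instance: TPM absent, disabled in firmware, or driver not loaded.'
    exit 2
}

$state = Get-TpmReadiness -Tpm $tpm
$state | Format-List
if (-not $state.ReadyForPreProvision) {
    # Fail the step so the TS can branch (e.g. skip pre-provisioning, or stop before imaging an
    # unencryptable machine) instead of discovering it at Enable BitLocker at the end of the build.
    exit 1
}
```

Run as a step right after the vendor-specific TPM activation (CCTK for Dell, the HP tool for HP) and before Pre-provision BitLocker; exit code 1 or 2 then tells you the TPM activation did not take, which is the usual reason the later Enable BitLocker step reports "prepare your drive" errors.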
