impulse101

Pre-Provisioning Bitlocker fails because encryption not fast enough

Hello, I've had some success deploying Windows 7 / 8.1 with BitLocker pre-provisioning. However, today I tried to BitLocker a Dell Latitude E6540 laptop and noticed the BitLocker pre-provisioning step taking very long. After the WIM file and the drivers are applied, the disk is only encrypted to 8% or so. After the Setup Configuration Manager reboot, the Enable BitLocker TS step fails because the encryption is not completed.

I've seen this behavior on older models (e.g. Optiplex 960) but I would not have expected this to happen on new hardware. Has anyone experienced something similar?


I'm using:

SCCM 2012 R2 on Windows Server 2008 R2

Windows ADK 8.1 Boot Images with MDT Integration (64-Bit)

Models I've successfully bitlockered so far:

Dell Venue Pro 11 7130

Dell Latitude E7440

Dell Latitude E6520

At first I was suspecting missing CPU features; however, it might also be larger and slower disks. On working models the disk is already encrypted when maybe 10% of the WIM file is downloaded. It looks like the encryption initially (after the pre-provision step) does not complete fast enough, and when the download starts the system does not keep up downloading, applying and encrypting. If I pause the task sequence before the first reboot, the encryption completes and the task sequence completes successfully.

Can you post an smsts.log file from one machine with the problem, please?

I am having the same issue. The regular Enable BitLocker step is failing and when I checked it was only 12% complete encrypting the drive. We have seen this quite a bit over the last 1-2 months, but are just getting around to digging into this now. I have not been able to find any errors with the pre-provision step, only been able to find errors at the Enable BitLocker step.

I'm not sure if this is only happening on hardware that we are reimaging and not new stuff that's right out of the box. I am going to clear and disable the TPM in the BIOS on the machine that just failed and try again.

smsts.log

smsts-20140403-085522.log

I haven't got a log file handy but the error is the same BrotherKen posted. On my successful runs all systems had SSDs, except for the Latitude E6520, which had a slower network connection.

I've mitigated the problem by pausing the task sequence for five minutes before the Apply Operating System step. The value is far too much because from what I've seen 10 or 15 seconds are enough to complete the pre-provisioning on the empty disk. Maybe we need a "wait till pre-provisioning BitLocker step completes" check-box :)

I'm curious about the adoption rate of pre-provisioning BitLocker because I wasn't able to dig up a whole lot of information or experience from others.

Thanks impulse101! I added a 60 second pause to my task sequence and this Lenovo T430 with a platter drive imaged just fine. As we run other models through we will find out if we need to increase the pause.

We added the pre-provision as soon as we could and it had been working great up until now. However, after this simple fix I'd say this was only a minor problem, but it would sure be nice if it waited until encryption was complete.

Isn't the /wait:True command what you guys are trying to do, i.e. add a wait until done via a pause...?

Set command line: OSDBitLocker.exe /enable /wait:True /mode:TPM /pwd:AD

We are pre-provisioning many computers here (Windows 7 and Windows 8) and haven't seen this issue yet. What type of HDDs are you using?

Thanks impulse101! I added a 60 second pause to my task sequence and this Lenovo T430 with a platter drive imaged just fine. As we run other models through we will find out if we need to increase the pause.

We added the pre-provision as soon as we could and it had been working great up until now. However, after this simple fix I'd say this was only a minor problem, but it would sure be nice if it waited until encryption was complete.

Glad I could help.

Isn't the /wait:True command what you guys are trying to do, i.e. add a wait until done via a pause...?

We are pre-provisioning many computers here (Windows 7 and Windows 8) and haven't seen this issue yet. What type of HDDs are you using?

You mean in the Enable BitLocker step? This fails with the same error mentioned above (Encryption in progress).

Tablets usually come with SSDs and our notebooks with "normal" HDDs. Whatever make and model our OEM (Dell) ships.

What I've observed so far is that it also depends on how fast the Apply Operating System request is made and fulfilled. Sometimes the WIM file starts downloading immediately after the pre-provision BitLocker step runs, sometimes the request takes a few seconds before the download starts. These few seconds seem to be the culprit, and when the download starts immediately and the pre-provisioning is not yet complete the system never manages to push the encryption to 100% as more data is loaded and processed on disk.

We are experiencing this issue also, on a 'high spec' laptop with an SSD.

The Enable Bitlocker step is causing a failure with the exact same errors as in the logs above. It occurs irrespective of whether we tick the "Wait for Bitlocker to complete" box or not??

Can someone please tell me where to add this wait command that is the supposed workaround for this issue?


The wait command they are referring to is to add a timer (sleep for 60 seconds) step. Like this: create a Run Command Line step called Sleep 60 seconds and type the following in the Run Command Line step:

CMD.exe /c PING -n 61 127.0.0.1

Place this step before the Apply Operating System step and after the Pre-provision BitLocker step.

Does that help?

Yeah, I assumed that must be where it should go. I already have a 90 second wait at that stage in the TS....

It makes no difference though. The BitLocker pre-provision step succeeds (well, I think it does, the TS doesn't bomb out), but it fails at the Enable BitLocker step.

Other laptops (also Lenovo) running the same task sequence are succeeding and have been since we started using BitLocker, so I don't think the problem lies there. But this eval device we have been sent, with the same TPM settings, always fails and the only real difference I think is the SSD.

Any other ideas Niall?

While waiting for a response I will try flashing the BIOS to rule it out, but I am confident that's not going to make any difference.

Thanks.

Well, what errors are you seeing in the Enable BitLocker step? Have you tried adding a pause command to the TS directly after the Pre-provision BitLocker step, then opening a cmd prompt and issuing

manage-bde -status

and waiting till it's 100%, then unpausing and letting it continue? Does it continue OK or still fail? That's what we need to know...

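The fixed-length pause suggested in this thread can be replaced by polling `manage-bde -status` until the volume reports 100%, which automates the manual check described in the post above. This is an added example, not code posted by any participant in the thread; it assumes PowerShell is available in the boot image, that `manage-bde` output is in English, and the drive letter and timeout defaults are placeholders.

```powershell
# Added example (not from the thread): block the task sequence until
# pre-provisioned encryption has finished instead of sleeping a fixed time.
# Assumptions: PowerShell is present in the boot image, manage-bde output is
# in English, and the parameter defaults below are placeholders.
param(
    [string]$Drive = 'C:',
    [int]$TimeoutSeconds = 900,
    [int]$PollSeconds = 5
)

function Get-EncryptionPercent {
    param([string[]]$StatusLines)
    # Matches "Percentage Encrypted: 100%" as well as "100.0%".
    foreach ($line in $StatusLines) {
        if ($line -match 'Percentage Encrypted:\s*([\d.,]+)\s*%') {
            return [double]($Matches[1] -replace ',', '.')
        }
    }
    return $null   # volume not found or output not understood
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $status  = & manage-bde.exe -status $Drive 2>&1 | ForEach-Object { "$_" }
    $percent = Get-EncryptionPercent -StatusLines $status
    if ($null -eq $percent) {
        Write-Output "Could not read encryption status for $Drive"
        exit 2   # fail the step rather than continue blind
    }
    Write-Output ("{0}: {1}% encrypted" -f $Drive, $percent)
    if ($percent -ge 100) { exit 0 }   # safe to continue with the next step
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

Write-Output "Timed out after $TimeoutSeconds s; encryption still in progress"
exit 1
```

A result of 100% only means the used space is encrypted: as the status output posted in this thread shows, protection stays off and no key protectors exist until the Enable BitLocker step adds them.
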
Size: 233.36 GB

BitLocker Version: 2.0

Conversion Status: Used Space Only Encrypted

Percentage Encrypted: 100%

Encryption Method: AES 128

Protection Status: Protection Off

Lock Status: Unlocked

Identification Field: Unknown

Automatic Unlock: Disabled

Key Protectors: None Found


I ran the command within about 5 seconds of the wait command running, with the above - 100% encrypted, so that does not seem to be the issue (although I am confused as to why this would be an issue for anyone, surely the HDD is almost empty at this stage in a TS - isn't that the WHOLE reason why you PRE-provision?? So when the WIM is being applied, the data is already encrypted and so there is nothing to wait for?).

Well this is annoying!!!!

It is now working. No changes to the TS were made except to add the 90 second delay (just a ping), which caused a number of failures on this device, but now it runs through fine.

Could this have been an AD issue in my case, and in no way related to the issues other users are experiencing?

If there were better logs for the bitlocker steps in the TS, this would be much easier.....
