jdecle02 Posted September 16, 2014
Hi,
I'm using SCCM 2012 R2 with the latest updates and MDT2013 for OSD. In the UDIWizard, I have enabled BitLocker using TPMPIN and store the recovery key into AD. At the end of my TS, the HDD is encrypted but the RecoveryKey is not stored in AD. The RecoveryKey is stored in C:\computername-{........}.txt
Can someone help me to figure out what's the problem?
Thanks
Jan

anyweb Posted September 16, 2014
What does the Enable BitLocker step look like in your task sequence? Can you show us? Also have a read of this post, it will give you some ideas of what needs to be set up in AD.

jdecle02 Posted September 16, 2014
Hi,
Thanks for your quick answer! The Enable BitLocker step in the task sequence runs cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI, but the pre-provision step earlier in my task sequence is set to: Apply BitLocker to the specified drive = Logical drive letter stored in a variable. Variable = OSDisk
Best regards,
Jan

anyweb Posted September 16, 2014
Do you have a Set OSDDiskPart=true step anywhere? See here for details.

jdecle02 Posted September 16, 2014
Yes, this parameter is configured to TRUE

anyweb Posted September 16, 2014
Well, what does your smsts.log file reveal for the Enable BitLocker steps?

jdecle02 Posted September 16, 2014
Hi, my smsts.log looks good for BitLocker, or can you explain to me which section I need to verify? I see at the end it writes the recovery key to a C:\*.txt file instead of AD.
BitLocker Startup Key Drive Value set to: C: InstallSoftware 15/09/2014 16:17:34 3224 (0x0C98)
BitLocker Create Recovery P@ssword Status: AD InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
BitLocker Wait For Encryption Status set to: FALSE InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
BitLocker Recovery P@ssword set. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
The current autorun setting is - InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Disabling Autorun InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Find the boot drive (if any) [False] [0.0.0.0] [False] InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDisk : \\PLJETFLYICT01\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
No boot drives found. None. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Reverting autorun setting to - 0 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Setting BDE Drive letter to nothing as we are unable to get the boot drive. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Property BdeDriveLetter is now = InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Running first pass.. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDisk : \\PLJETFLYICT01\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Partition Count: 2 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
ZTIDiskUtility!GetDiskFreeSpace should be deprecated, does not handle avaible space for a new partition InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDisk : \\PLJETFLYICT01\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
GetPartitions: 2 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDiskPartition : \\PLJETFLYICT01\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1" \\PLJETFLYICT01\root\cimv2:Win32_LogicalDisk.DeviceID="C:" InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Free Disk Space: 0 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Existing Bitlocker: InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
The current autorun setting is - 0 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Disabling Autorun InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Find the boot drive (if any) [False] [0.0.0.0] [False] InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDisk : \\PLJETFLYICT01\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
No boot drives found. None. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Reverting autorun setting to - 0 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Existing Boot Drive: 1 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
The current autorun setting is - 0 InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Disabling Autorun InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
Find the boot drive (if any) [False] [0.0.0.0] [False] InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98)
New ZTIDisk : \\PLJETFLYICT01\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" InstallSoftware 15/09/2014 16:17:36 3224 (0x0C98)
No boot drives found. None. InstallSoftware 15/09/2014 16:17:36 3224 (0x0C98)
Reverting autorun setting to - 0 InstallSoftware 15/09/2014 16:17:36 3224 (0x0C98)
Windows has a hidden system partition, no disk actions are necessary InstallSoftware 15/09/2014 16:17:36 3224 (0x0C98)
Configuring protectors. InstallSoftware 15/09/2014 16:17:36 3224 (0x0C98)
Success TPM Enabled InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Success TPM Is Activated InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Success TPM Is Owned InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Success TPM Ownership Allowed InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Check for Ensorsement Key Pair Present = 0 InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
TpmEnabled: True InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
TpmActivated: True InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
TpmOwned: True InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
TpmOwnershipAllowed: True InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
EndorsementKeyPairPresent: True InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
TPM Validation Complete InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Encryptable Volume Count:1 InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Attempting to bind to: C: InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Success setting oBdeVol InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
BDE Instance Bind Complete InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Performing ProtectKeyWithTpmAndPin Installation InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Attempting to enable BitLocker TPM InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98)
Recovery P@ssword being saved to C:\PLJETFLYICT01-{037CAC15-BE6F-4CAA-A941-C491173BEC10}.txt InstallSoftware 15/09/2014 16:17:39 3224 (0x0C98)
Attempting to intiate ProtectKeyWithNumericalP@ssword InstallSoftware 15/09/2014 16:17:39 3224 (0x0C98)
Success protecting Key with numerical p@ssword InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Attempting to retrieve numerical p@ssword InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Saving numerical p@ssword to file. InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Success P@ssword Key file written InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
ProtectKeyWithNumericalP@ssword success InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Begining drive encryption InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Attempting to start BDE encryption InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Success starting encryption InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Enabling protectors. InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Encryptable Volume Count:1 InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Attempting to bind to: C: InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Success setting oBdeVol InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
BDE Instance Bind Complete InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Attempting to enable BDE Protectors InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)
Process completed with exit code 0 InstallSoftware 15/09/2014 16:17:42 3224 (0x0C98)
Success enabling protectors. InstallSoftware 15/09/2014 16:17:42 3224 (0x0C98)
ZTIBde processing completed successfully. InstallSoftware 15/09/2014 16:17:42 3224 (0x0C98)
Command line returned 0 InstallSoftware 15/09/2014 16:17:42 3224 (0x0C98)
Process completed with exit code 0 TSManager 15/09/2014 16:17:42 2348 (0x092C)
!--------------------------------------------------------------------------------------------! TSManager 15/09/2014 16:17:42 2348 (0x092C)
Successfully completed the action (Enable BitLocker) with the exit win32 code 0 TSManager 15/09/2014 16:17:42 2348 (0x092C)

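Added example, not part of the original posts and not MDT or ConfigMgr code: a Python check that parses smsts.log entries in the flattened form pasted above and reports when AD was the requested recovery-password destination but the log records a write to a file. The entry layout is inferred from the paste, the function names are hypothetical, and the sample is an excerpt of the log in this thread.

```python
import re

# One flattened CMTrace-style entry, as pasted in the post:
# "<message> <component> <dd/mm/yyyy> <hh:mm:ss> <thread> (0x<hex>)"
ENTRY = re.compile(
    r"(?P<msg>.*?)\s+(?P<component>\w+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<thread>\d+)\s+\(0x[0-9A-Fa-f]+\)",
    re.DOTALL,
)
# The thread shows "P@ssword"; also accepting "Password" is an assumption.
MODE = re.compile(r"Create Recovery P[a@]ssword Status:\s*(\S+)", re.I)
SAVED = re.compile(r"Recovery P[a@]ssword being saved to\s+(.+)", re.I)


def parse_entries(text):
    """Split flattened (or one-per-line) log text into entry dicts."""
    return [{**m.groupdict(), "msg": m.group("msg").strip()}
            for m in ENTRY.finditer(text)]


def recovery_escrow_findings(text):
    """Return (requested destination, findings) for the recovery password."""
    requested, writes = None, []
    for entry in parse_entries(text):
        if m := MODE.search(entry["msg"]):
            requested = m.group(1).upper()
        elif m := SAVED.search(entry["msg"]):
            writes.append((entry["time"], m.group(1).strip()))
    findings = []
    if requested == "AD":
        findings = [f"{when} AD requested, recovery password written to {path}"
                    for when, path in writes]
    return requested, findings


# Excerpt of the log posted in this thread, flattened as it appears there.
SAMPLE = (
    r"BitLocker Create Recovery P@ssword Status: AD InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98) "
    r"BitLocker Recovery P@ssword set. InstallSoftware 15/09/2014 16:17:35 3224 (0x0C98) "
    r"Performing ProtectKeyWithTpmAndPin Installation InstallSoftware 15/09/2014 16:17:37 3224 (0x0C98) "
    r"Recovery P@ssword being saved to C:\PLJETFLYICT01-{037CAC15-BE6F-4CAA-A941-C491173BEC10}.txt "
    r"InstallSoftware 15/09/2014 16:17:39 3224 (0x0C98) "
    r"Success P@ssword Key file written InstallSoftware 15/09/2014 16:17:40 3224 (0x0C98)"
)

if __name__ == "__main__":
    requested, findings = recovery_escrow_findings(SAMPLE)
    print("requested destination:", requested)
    for line in findings:
        print("FINDING:", line)
```

A finding here only records the mismatch visible in the log; it does not say why the password went to a file.
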
anyweb Posted September 16, 2014
OK, can you show me a screenshot of your Enable BitLocker step in the task sequence, please?

jdecle02 Posted September 16, 2014
Hi, I don't know if my screenshot is available, but I can tell you I run the following command line:
cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI
with a task sequence variable OSDBitLockerMode exists

anyweb Posted September 16, 2014
And what have you set the OSDBitlockerMode task sequence variable to?