Spaghetti

Bitlocker failing - previously working

Hi

 

We have recently had issues with Bitlocker deployments, as per attached screenshot. There is not much in either the smsts log or the ccmexec that points to the cause. I have compared both smsts and ccmexec logs to those from successful builds.

 

What would be the best way to troubleshoot this? Are there other log files that I should be looking at?

 

Many thanks for your help

post-27167-0-90304300-1419332973_thumb.png


Nope, there has been no change to the Task Sequence - I'll get hold of a laptop without BitLocker issues next week to verify that the 2 partitions are correct. The task sequence is showing what we see above, which would be expected behaviour.

 

Disk Manager and manage-bde are both confirming that the drive is encrypted though?


It looks like you are pre-provisioning bitlocker during your task sequence but the "Enable Bitlocker" step is not running at all. This step, which typically would be towards the end of your TS, sets up the "protectors" and actually enables bitlocker.

 

You can try running the following commands to see if you can get bitlocker enabled on a unit. If it works, check the step in your TS that enables bitlocker.

 

manage-bde -protectors -add c: -tpm -rp

manage-bde -on c:

 

I hope this helps.


You haven't imported any new W7 drivers recently and started using them in your deployments? I had similar issues when first deploying BitLocker to W7 clients. It turned out to be the TPM driver in my DELL driver package that was causing a similar issue to what you have.


@anyweb
The Disk Management snap-in is showing exactly the same setup as the non-working system

 

@Rocket Man
No changes at all to any drivers

@Rafaelvazquez
The Disk is encrypted, it just will not resume via the GUI

manage-bde -protectors -add c: -tpm -rp turns the Protection back on:

Output:
Key Protectors Added:
Numerical Password:
ID: {11X5XXX7-X6XX-4X33-X484-X81362251232}
Password:
123456-678901-789012-345678-123456-123456-123456-123456
TPM:
ID: {Random String}

ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from
your computer:
123456-678901-789012-345678-123456-123456-123456-123456

To prevent data loss, save this password immediately. This password helps
ensure that you can unlock the encrypted volume.

 

manage-bde -on c:

Output:

C:\Windows\system32>manage-bde -status C:
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright © Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

Size: 118.90 GB
BitLocker Version: Windows 7
Conversion Status: Fully Encrypted
Percentage Encrypted: 100%
Encryption Method: AES 128

Protection Status: Protection On
Lock Status: Unlocked
Identification Field: None
Key Protectors:
Numerical Password
TPM

 

So, at the end of the SCCM build, there are no Key Protectors available in order to resume protection. Is there an SCCM log file that would maybe point me in the direction of where the issue may lie?

The "Enable BitLocker" step at the end of the task sequence is set to create the Recovery Key in ADDS - if this has not happened, would we see the issues above?

 

Or alternatively, how would you recommend that I troubleshoot this?

Thanks for your help so far everybody!

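Added example, not part of any post in this thread: a small Python check that reads the text printed by `manage-bde -status C:` and classifies the volume, so a build left encrypted but without key protectors (the state described in the post above) can be flagged from captured output. The sample texts are constructed; the "None Found" and "Protection Off" wording in the first sample is an assumption about what the tool prints in that state, and the state labels are hypothetical names.

```python
import re

# Constructed sample (assumed wording): encrypted volume with no key protectors.
BROKEN = """Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""
# Constructed from the status output quoted in the thread, after protectors were added.
FIXED = """Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        Numerical Password
        TPM
"""

def parse_status(text):
    """Split `manage-bde -status` text into a field dict and a protector list."""
    fields, protectors, in_protectors = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if in_protectors:  # each line under "Key Protectors:" names one protector
            protectors.append(line)
            continue
        m = re.match(r"([^:\[]+):\s*(.*)$", line)
        if not m:
            continue       # bare heading such as "[OS Volume]"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Key Protectors":
            in_protectors = True
            if value and value != "None Found":
                protectors.append(value)
        else:
            fields[key] = value
    return fields, protectors

def diagnose(text):
    fields, protectors = parse_status(text)
    if not fields.get("Conversion Status", "").endswith("Encrypted"):
        return "not-encrypted"
    if not protectors:
        # Encrypted, but nothing (TPM, recovery password) protects the key yet.
        return "encrypted-no-protectors"
    if fields.get("Protection Status") != "Protection On":
        return "protection-suspended"
    return "protected"
```

Calling `diagnose()` on status text saved by a final task sequence step gives a single value to compare against `protected` before a machine is handed over.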

Nope, it's missing the step. It only showed the parsing of the Enabling BitLocker step; that isn't actually the step running.

 

Either increase your logging capability or find the correct log.

 

see this post for how to do that.

