

anyweb

how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?


With MDT integration enabled, the task sequence looks a bit different. The enable bitlocker step, in particular, doesn't offer the same options. If I create an MDT task sequence, does the pre-provisioning still work the same? Do I just need to pre-set variables for the bitlocker settings, such as BDEInstall, BDEPin, BDERecoveryKey, BDEKeyLocation, etc?

 

I ended up disabling the MDT 'enable bitlocker' step and adding a new 'enable bitlocker' step to the task sequence. That gave me the SC version of the step, and seems to be working properly.

 

Well, mostly. I can't get that step to take an enhanced bitlocker pin, but with a numeric pin it works. I wonder if it can't do it because enhanced pin has to be enabled by GPO, and SC doesn't seem to boot into the OS and run the later TS steps like MDT does... One of these days I'll get around to finding a way to set the enhanced pin automatically.


I just wanted to say that I have followed the post (which has been a great help thank you), however, I was experiencing great problems with the TPM Activation step on a Dell Latitude E6410 in the task sequence and it failing every time. Obviously without this step succeeding, the whole Pre-Provisioning feature doesn't work! After days of trying to resolve the issue it appears the problem is with the '=' after 'valsetuppwd'. If you remove the '=' the tpmactivation step works! Here's how it should be entered:

 

x:\CCTK\X86\cctk.exe --tpmactivation=activate valsetuppwd [BIOS Password]

 

I just wanted to share it so no one else pulls their hair out trying to get this to work. Obviously this may be different for different Dell models and BIOS versions.


Even though I have now got my TPM Activation sorted, when it gets to the Enable Bitlocker step it then fails the task sequence altogether. My Enable BitLocker step is currently about half way through my task sequence - do I need to move it towards the end of the sequence like it needed to be in SCCM 2007? When I go in to Windows after it fails, it says BitLocker is suspended and you cannot resume it due to it not having any keys.


My step looks like so, and it works just fine. Your logs should reveal what your issue really is. Have you tried a BIOS upgrade on the Dell?

 

[Screenshot: activate TPM.png]

 

 


It is strange - I have done a BIOS upgrade to the latest version. It does work without the '=' so I will stick with that. The problem I am having at the moment is it fails on the Enable BitLocker step, however, I believe this may be to do with the fact that we have no Group Policy entry for 'Choose how BitLocker-protected operating system drives can be recovered'. I'm assuming without this Group Policy step configured the computer has no idea what to do with the recovery keys?


Well, the logs should reveal why it's failing to enable BitLocker, so what does the smsts.log file say?

Also, please re-review the guide here, as it explains what you need set up in AD prior to starting the deployment.

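A read-only check for the state described in the posts above (TPM activation failing, then BitLocker left suspended with no keys), as an added example that is not part of any post in this thread or of the guide it refers to. It assumes an elevated PowerShell session in the full OS (not WinPE) on Windows 8 or later, and that the OS volume is C:; the function name Get-ProtectionDiagnosis is hypothetical.

```powershell
# Added example: summarise TPM and BitLocker state for the OS volume after a failed task sequence.
# Assumptions: elevated session in the full OS, Windows 8 or later, OS volume mounted as C:.
function Get-ProtectionDiagnosis {
    param(
        [bool]$TpmReady,
        [string]$VolumeStatus,      # e.g. FullyDecrypted, EncryptionInProgress, FullyEncrypted
        [string]$ProtectionStatus,  # On or Off
        [string[]]$ProtectorTypes   # e.g. Tpm, TpmPin, RecoveryPassword
    )
    if ($VolumeStatus -eq 'FullyDecrypted') {
        return 'Volume is not encrypted: the pre-provision step did not run or did not start.'
    }
    if (-not $ProtectorTypes -or $ProtectorTypes.Count -eq 0) {
        # A pre-provisioned volume is encrypted but has no key protectors until
        # the Enable BitLocker step adds them, so protection cannot be resumed.
        if (-not $TpmReady) {
            return 'Encrypted, no key protectors, TPM not ready: fix TPM activation/ownership first.'
        }
        return 'Encrypted, no key protectors: Enable BitLocker did not add any; check smsts.log.'
    }
    if ($ProtectionStatus -ne 'On') {
        return 'Key protectors exist but protection is off (suspended).'
    }
    if ($ProtectorTypes -notcontains 'RecoveryPassword') {
        return 'Protection is on, but no recovery password protector is present.'
    }
    return 'Protection is on with a recovery password protector present.'
}

$tpm   = Get-Tpm
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

[pscustomobject]@{
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptedPercent = $vol.EncryptionPercentage
    KeyProtectors    = $types -join ', '
    Diagnosis        = Get-ProtectionDiagnosis -TpmReady $tpm.TpmReady `
                           -VolumeStatus $vol.VolumeStatus.ToString() `
                           -ProtectionStatus $vol.ProtectionStatus.ToString() `
                           -ProtectorTypes $types
} | Format-List
```

The script changes nothing on the machine; the same information is available from `manage-bde -status C:` and `manage-bde -protectors -get C:`.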
