

anyweb

how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?

Recommended Posts

you should pause the task sequence before that step and bring up the command prompt, then open smsts.log in cmtrace

you can download the pause script in this HTA download, the included task sequence also contains the step to pause if you want to see how it's done...


I think I've realised why my Enable BitLocker step may not be working. I imported your Task Sequence from the HTA download you provided and went through all the steps. I noticed that you have a different Enable BitLocker step for Windows 7 than you do for Windows 8. I am installing Windows 7 and have been trying to use the built-in Enable BitLocker step... I am presuming that this is only for Windows 8? For Windows 7 you have used a script.


the built-in step should work fine, have you tried doing the pause BEFORE the enable bitlocker step, and directly after? that way you can see (in the smsts.log) exactly what the cause of your issue is


Ok I have added the pause step before and after the Enable BitLocker step. At the pause before the Enable BitLocker step there is nothing which states that anything is wrong, however, as soon as the Enable BitLocker step runs it errors and tries dropping out of the task sequence. In the smsts.log located in C:\Windows\CCM\Logs it says

 

"Unable to find instance of 'Win32_Tpm'. Ensure that this device has a Trusted Platform Module which is enabled in the BIOS"

 

Well this can't be the case because TPM is enabled and activated. I know this because if I go into the BIOS it says that TPM is enabled and activated. One step that does fail is where it removes the BIOS password - would this affect this step?

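The "Unable to find instance of 'Win32_Tpm'" message above is what the Enable BitLocker step reports when the WMI class has no instance in the full OS, which is exactly what a missing or wrong TPM driver looks like even though firmware shows the TPM enabled and activated. The following PowerShell script is an added example, not code from the thread or from Configuration Manager: it queries Win32_Tpm and the bound security-device driver, writes a readable diagnosis to the task sequence log, and exits non-zero so the step fails early with a clear reason. The file name Test-TpmReady.ps1 and the "Run Command Line" step that would call it are assumptions, not steps from the original task sequence.

```powershell
# Added example (not from the original thread or from ConfigMgr): TPM pre-flight
# check to run in the full OS before the Enable BitLocker step, for instance as a
# "Run Command Line" step: powershell.exe -ExecutionPolicy Bypass -File Test-TpmReady.ps1
# (file name is an assumption). Output lands in smsts.log; a non-zero exit fails the step.
$ns  = 'root\cimv2\Security\MicrosoftTpm'
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue

# Report which driver the OS bound to the TPM (the cause found in this thread:
# "Auto Apply Drivers" picked the wrong one). DeviceClass compare is case-insensitive.
$drv = Get-WmiObject -Class Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
       Where-Object { $_.DeviceClass -eq 'SECURITYDEVICES' }
if ($drv) {
    foreach ($d in $drv) {
        Write-Output ("TPM driver: {0} | provider={1} version={2}" -f $d.DeviceName, $d.DriverProviderName, $d.DriverVersion)
    }
} else {
    Write-Output 'No SecurityDevices-class driver is bound; the TPM is not exposed to Windows.'
}

if ($null -eq $tpm) {
    # No Win32_Tpm instance: either the TPM is off in firmware or no working
    # driver is bound to it. This is the condition behind the smsts.log error.
    Write-Output 'FAIL: no Win32_Tpm instance. Check the firmware TPM setting and the TPM driver package applied by the task sequence.'
    exit 1
}

# Win32_Tpm methods return an object carrying a property of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Output ("TPM present: enabled={0} activated={1} owned={2}" -f $enabled, $activated, $owned)

if (-not $enabled -or -not $activated) {
    Write-Output 'FAIL: TPM present but not enabled and activated; Enable BitLocker cannot use it.'
    exit 2
}

Write-Output 'OK: TPM is enabled and activated.'
exit 0
```

Running this as its own step before Enable BitLocker turns a generic WMI failure into a log line that names the actual driver in use, which is the piece of information the poster needed to find the Auto Apply Drivers problem.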

I have worked out what my problem is with the Enable BitLocker step - it was not applying the correct TPM driver in Windows. We have been using the 'Auto Apply Drivers' step which automatically chooses the best one it thinks from a list. This has not worked in the case of TPM and applied a different driver. I turned Auto Apply Drivers off and told it to use a specific driver package and voila! I read a post where someone had exactly the same issue and they recommended to not use Auto Apply Drivers.


Thanks for all your help with this though - much appreciated :)


thanks for posting the solution to your problem and I'm glad it's working for you now, what driver did you end up using? Broadcom's? or Dell's? please include the link (for others with the same issue)


Using this method, is anyone able to set the TPM Owner Password and save it to the AD Attribute msTPM-OwnerInformation? So far I haven't been able to do this as it seems that the Pre-Provision BitLocker step takes ownership, but because it hasn't joined the domain, is unable to upload the TPM Owner password (speculating). I can confirm this by clearing the attribute value (currently hashed) and then running through the Task Sequence steps. The result is a fully encrypted system, TPM is active, TPM is Enabled and the TPM is owned, but I don't know what the TPM owner password is.

 

If I try to run the `manage-bde -tpm -o <password>` command from a prompt, it reports an error "The TPM already has an owner."

 

I think I am missing something obvious.... TIA


I am wondering the exact same thing as BB24. I have everything else working, but the backup of the TPM Ownership to AD is not working. It makes sense that it is unable to back up the key during Pre-Provisioning, but is there a way to force the backup to AD later?

 

I read that Microsoft made some changes in Win8 related to the way the TPM Ownership information is backed up in AD and that if your domain controller is not Server 2012 you have to extend the schema.

 

However, I'm deploying Win7 so I guess it should back up the info to the AD Attribute msTPM-OwnerInformation?

 

Any help would be greatly appreciated.

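Both of the last two posts describe the same verification loop by hand: clear or inspect msTPM-OwnerInformation on the computer object, run the task sequence, then check whether the TPM is owned locally and whether AD received anything. The PowerShell below is an added example, not code from the thread or from any Microsoft tool, that automates that check on a domain-joined machine after deployment. It only reads state; it never attempts to take ownership, which the poster shows fails with "The TPM already has an owner" once Pre-Provision BitLocker has done so. It assumes the machine's default domain, that the account running it is allowed to read msTPM-OwnerInformation (the attribute is access-restricted, so an ordinary user account will see it as empty even when it is set), and that the Win32_Tpm class is present as in the earlier posts.

```powershell
# Added example (not from the original thread): verify, after the task sequence,
# whether the local TPM is owned and whether this computer's AD object carries
# msTPM-OwnerInformation. Read-only; run as an account that may read the attribute.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $owned = $tpm.IsOwned().IsOwned
    Write-Output "Local TPM owned: $owned"
} else {
    Write-Output 'Local TPM: no Win32_Tpm instance (see the driver discussion earlier in the thread).'
}

# Locate this computer's object in the default domain via ADSI (no RSAT module required).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('msTPM-OwnerInformation')
$result = $searcher.FindOne()

if ($null -eq $result) {
    Write-Output "FAIL: no computer object found for $env:COMPUTERNAME (not domain joined, or the secure channel is broken)."
    exit 1
}

# ResultPropertyCollection keys are returned lower-cased.
$dn = $result.Properties['distinguishedname'][0]
$hasOwnerInfo = $result.Properties.Contains('mstpm-ownerinformation') -and
                ($result.Properties['mstpm-ownerinformation'].Count -gt 0)

if ($hasOwnerInfo) {
    # The value is the owner-auth hash; report presence only, never print it.
    Write-Output "OK: msTPM-OwnerInformation is populated on $dn."
    exit 0
}

Write-Output "MISSING: msTPM-OwnerInformation is empty on $dn (or the running account cannot read it)."
Write-Output 'Ownership was taken in WinPE by Pre-Provision BitLocker before the domain join, which is the situation the posters above observed; a populated value requires ownership to be recorded while the machine can write to its AD object.'
exit 2
```

Run with the same account on a machine where you know the attribute is set to confirm the account can read it before trusting a MISSING result; an empty read caused by permissions looks identical to a genuinely absent backup.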
