alee0
Paper Tape
Posts: 4
Registered: 11-07-2018
Location: US
Message 1 of 8

Enabling BitLocker with SCCM Fails

I am imaging ThinkPad X230, X240, X250, and X260 using SCCM.

They all fail at the Enable BitLocker step.


Here is the SMSTS.log

The condition for the action (Enable BitLocker) is evaluated to be true
Expand a string: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
Expand a string: 
Start executing the command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
!--------------------------------------------------------------------------------------------!
Expand a string: FullOS
Executing command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
==============================[ OSDBitLocker.exe ]==============================
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False
Initialized COM
Command line for extension .exe is "%1" %*
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False
Target volume not specified, using current OS volume
Current OS volume is 'C:'
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'
Protection is OFF
FALSE, HRESULT=80004005 (..\bitlocker.cpp,1541)
Encryption in progress
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait, argInfo.bFull), HRESULT=80004005 (..\main.cpp,401)
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Enable BitLocker. Unspecified error (Error: 80004005; Source: Windows)
Not in SSL
Set a global environment variable _SMSTSLastActionRetCode=-2147467259
Set a global environment variable _SMSTSLastActionSucceeded=false
Clear local default environment
Let the parent group (BitLocker) decides whether to continue execution
Let the parent group (Setup Operating System) decide whether to continue execution
The execution of the group (Setup Operating System) has failed and the execution has been aborted. An action failed. Operation aborted (Error: 80004004; Source: Windows)
Failed to run the last action: Enable BitLocker. Execution of task sequence failed. Unspecified error (Error: 80004005; Source: Windows)

The command "manage-bde -status" returns the following:

Bitlocker Error.jpg

If I log into the machine, it states that BitLocker is waiting for activation.

BitLocker.jpg

This is the task sequence I am using.

I have steps to convert legacy boot to UEFI and also to turn on TPM.

bitlocker TS.jpg

Lenovo Staff
Posts: 4,822
Registered: 10-29-2009
Location: NC
Message 2 of 8

Re: Enabling BitLocker with SCCM Fails

manage-bde.exe output shows that you have no key protectors, and "BitLocker waiting for activation" usually means that BitLocker was not able to contact your AD server to back up the recovery key so that a key protector can be added.  What happens if you click "Turn on BitLocker" after deployment?

alee0
Paper Tape
Posts: 4
Registered: 11-07-2018
Location: US
Message 3 of 8

Re: Enabling BitLocker with SCCM Fails

If I click on "Turn on BitLocker" after deployment, I am able to activate BitLocker.

Upon more testing, this task sequence finishes with no problem on the X270, X1 Yoga, and T480 models.

It is only the ThinkPad X230, X240, X250, and X260 that fail at enabling BitLocker.

What step am I missing?

Lenovo Staff
Posts: 4,822
Registered: 10-29-2009
Location: NC
Message 4 of 8

Re: Enabling BitLocker with SCCM Fails

What TPM are you using on X260 vs X270?  Look in TPM.msc -> TPM Manufacturer Information -> Specification Version

alee0
Paper Tape
Posts: 4
Registered: 11-07-2018
Location: US
Message 5 of 8

Re: Enabling BitLocker with SCCM Fails

X260 = TPM 1.2

X270 = TPM 2.0

In my next test, in the BIOS of the X260, I changed the security chip to Intel PTT so that the version is 2.0.

I re-ran the task sequence and it still fails at the "Enable TPM" step.

Lenovo Staff
Posts: 4,822
Registered: 10-29-2009
Location: NC
Message 6 of 8

Re: Enabling BitLocker with SCCM Fails


@alee0 wrote:

X260 = TPM 1.2

X270 = TPM 2.0

In my next test, in the BIOS of the X260, I changed the security chip to Intel PTT so that the version is 2.0.

I re-ran the task sequence and it still fails at the "Enable TPM" step.


I'm confused.  In your latest post you said it fails at "Enable TPM" but previously you said it fails at "Enable BitLocker".

alee0
Paper Tape
Posts: 4
Registered: 11-07-2018
Location: US
Message 7 of 8

Re: Enabling BitLocker with SCCM Fails

Sorry for the confusion.

It failed at "Enable BitLocker" not TPM...

tlawson
Lenovo Employee
Posts: 735
Registered: 03-03-2016
Location: US
Message 8 of 8

Re: Enabling BitLocker with SCCM Fails

@alee0,

Looking through the information provided in your initial post and comparing the log to a system here, the failure occurs after it declares Protection OFF.  This is where our logs differ.  The log here shows the following:

==============================[ OSDBitLocker.exe ]==============================    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Initialized COM    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Command line for extension .exe is "%1" %*    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Target volume not specified, using current OS volume    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Current OS volume is 'C:'    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Protection is OFF    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Volume is fully encrypted    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Creating key protectors    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is enabled    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is activated    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is owned    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm ownership is allowed    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm has compatible SRK    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm has EK pair    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Initial TPM state: 63    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
TPM is already owned.    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Creating recovery password and escrowing to Active Directory    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE group policy registry keys to escrow recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE group policy registry key in Windows 7    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE OSV group policy registry keys to escrow recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Using random recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Protecting key with TPM only    OSDBitLocker    10/23/2018 11:57:47 AM    5080 (0x13D8)
Process completed with exit code 0    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)
!--------------------------------------------------------------------------------------------!    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)
Successfully completed the action (Enable BitLocker) with the exit win32 code 0    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)

As @someotherguy has already asked, is the computer joined to the domain at this point?  It is almost like the computer cannot reach AD to back up the keys.

The other possibility is that in your TS, you have the BitLocker grouping with the Enable BitLocker step directly after the Setup Windows and Configuration Manager step, where there is not much time for the HDD to be ready for encryption.  Most instances of this Enable BitLocker step are set to occur as one of the very last steps of the TS.  You may want to move it down the TS directly above the Restart Computer task.

TLawson
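The pre-flight check below is an added example and is not code from this thread, from Lenovo or from Microsoft; it is written to run as a "Run PowerShell Script" step placed directly before "Enable BitLocker" and to report, in smsts.log, the conditions the replies above point at: TPM specification version and state (the working log's "Tpm is enabled / activated / owned" lines), domain membership and reachability of a domain controller (needed for the /pwd:AD escrow that message 2 mentions), and the state of the OS volume, where the failing log reads "Encryption in progress" and manage-bde shows no key protectors while the working log reads "Volume is fully encrypted". The function name and the PREFLIGHT log prefix are the author's own; the cmdlets are the standard TrustedPlatformModule and BitLocker modules plus CIM, which are assumed to be available in the full OS at that point of the task sequence.

```powershell
# Added example (not from this thread, Lenovo or Microsoft): run as a "Run PowerShell
# Script" step directly before "Enable BitLocker" so the reasons for a failure are
# written to smsts.log instead of the bare HRESULT 80004005 from OSDBitLocker.exe.
function Test-BitLockerPreflight {
    param([string]$MountPoint = $env:SystemDrive)   # the log's "Current OS volume is 'C:'"

    $findings = New-Object System.Collections.Generic.List[string]

    # TPM state: the working log checks enabled, activated and owned before creating protectors.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings.Add('TPM not present') }
    if (-not $tpm.TpmEnabled)   { $findings.Add('TPM not enabled') }
    if (-not $tpm.TpmActivated) { $findings.Add('TPM not activated') }
    if (-not $tpm.TpmReady)     { $findings.Add('TPM not ready (ownership/provisioning incomplete)') }

    # Specification version as shown in TPM.msc (1.2 vs 2.0); Intel PTT reports 2.0.
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    Write-Host "PREFLIGHT: TPM spec version = $spec"

    # /pwd:AD escrows the recovery password to AD, so the machine must be joined and able to reach a DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings.Add('Computer is not domain joined; recovery password cannot be escrowed to AD')
    } elseif (-not (Test-ComputerSecureChannel)) {
        $findings.Add("No working secure channel to domain $($cs.Domain); a DC may be unreachable")
    }

    # OS volume: the working log reports 'Volume is fully encrypted' and then adds protectors;
    # the failing log reports 'Encryption in progress' and manage-bde shows no protectors afterwards.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    Write-Host ("PREFLIGHT: {0} status={1} encrypted={2}% protection={3} protectors=[{4}]" -f
        $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus, $types)
    if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        $findings.Add("Encryption still in progress on $MountPoint ($($vol.EncryptionPercentage)% done)")
    }

    return ,$findings   # unary comma keeps the List intact through the pipeline
}

$problems = Test-BitLockerPreflight
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "PREFLIGHT FAIL: $_" }
    exit 1   # fails this TS step with the reasons above visible in smsts.log
}
Write-Host 'PREFLIGHT: OK'
exit 0
```

Because the step exits non-zero on any finding, the task sequence stops at the pre-flight step with a named reason rather than at Enable BitLocker with an unspecified error; the Write-Host lines are what the step writes to smsts.log.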
