alee0
Paper Tape
Posts: 5
Registered: ‎11-07-2018
Location: US
Views: 3,139
Message 1 of 10

Enabling BitLocker with SCCM Fails

I am imaging ThinkPad X230, X240, X250, and X260 using SCCM.

They all fail at the Enable BitLocker step.

 

Here is the SMSTS.log

The condition for the action (Enable BitLocker) is evaluated to be true
Expand a string: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
Expand a string: 
Start executing the command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
!--------------------------------------------------------------------------------------------!
Expand a string: FullOS
Executing command line: OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD /full:False
==============================[ OSDBitLocker.exe ]==============================
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False
Initialized COM
Command line for extension .exe is "%1" %*
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False
Target volume not specified, using current OS volume
Current OS volume is 'C:'
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'
Protection is OFF
FALSE, HRESULT=80004005 (..\bitlocker.cpp,1541)
Encryption in progress
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait, argInfo.bFull), HRESULT=80004005 (..\main.cpp,401)
Process completed with exit code 2147500037
!--------------------------------------------------------------------------------------------!
Failed to run the action: Enable BitLocker. Unspecified error (Error: 80004005; Source: Windows)
Not in SSL
Set a global environment variable _SMSTSLastActionRetCode=-2147467259
Set a global environment variable _SMSTSLastActionSucceeded=false
Clear local default environment
Let the parent group (BitLocker) decides whether to continue execution
Let the parent group (Setup Operating System) decide whether to continue execution
The execution of the group (Setup Operating System) has failed and the execution has been aborted. An action failed. Operation aborted (Error: 80004004; Source: Windows)
Failed to run the last action: Enable BitLocker. Execution of task sequence failed. Unspecified error (Error: 80004005; Source: Windows)

The command "manage-bde -status" returns the following:

 

Bitlocker Error.jpg

 

If I log into the machine, it states that BitLocker is waiting for activation.

 

BitLocker.jpg

 

This is the task sequence I am using.

I have steps to convert legacy boot to UEFI and also to turn on TPM.

 

bitlocker TS.jpg

Lenovo Staff
Posts: 5,156
Registered: ‎10-29-2009
Location: NC
Views: 3,085
Message 2 of 10

Re: Enabling BitLocker with SCCM Fails

manage-bde.exe output shows that you have no key protectors and the "BitLocker waiting for activation" usually means that BitLocker was not able to contact your AD server to backup the recovery key so that a key protector can be added.  What happens if you click "Turn on BitLocker" after deployment?
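The reply above asks the original poster to look at two things at once: which key protectors the OS volume actually has, and whether the machine could reach AD. The following script is an added diagnostic (not part of this thread and not Lenovo's or Microsoft's tooling) that collects those answers, plus the TPM and domain-join state, in one object from an elevated PowerShell prompt. It uses the standard BitLocker and TrustedPlatformModule cmdlets only; the function name and the warning text are this example's own. A pre-provisioned volume that is encrypted but still has no TPM or recovery-password protector reports ProtectionStatus "Off", which is the state the Control Panel labels "waiting for activation".

```powershell
# Added diagnostic for the "waiting for activation" / no-key-protector state.
# Run elevated on the deployed client. Requires the BitLocker and
# TrustedPlatformModule modules (Windows 8 / Server 2012 and later).

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm = Get-Tpm
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # KeyProtectorType values of interest here: Tpm, RecoveryPassword
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus   # Off until a real protector replaces the clear key
        KeyProtectors        = ($protectorTypes -join ',')
        HasTpmProtector      = ($protectorTypes -contains 'Tpm')
        HasRecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        DomainJoined         = $cs.PartOfDomain
        Domain               = $cs.Domain
    }
}

$r = Get-BitLockerReadiness

# Map the raw state onto the questions raised in this thread.
if ($r.VolumeStatus -eq 'EncryptionInProgress') {
    Write-Warning "Encryption still running ($($r.EncryptionPercentage)%); the failing SMSTS.log in this thread shows OSDBitLocker returning 80004005 in this state."
}
if ($r.ProtectionStatus -eq 'Off' -and -not $r.HasTpmProtector) {
    Write-Warning "No TPM protector on $($r.MountPoint): encrypted with a clear key only ('waiting for activation')."
}
if (-not $r.TpmReady) {
    Write-Warning "TPM not ready (present=$($r.TpmPresent)); check the Enable TPM step and BIOS security chip setting."
}
if (-not $r.DomainJoined) {
    Write-Warning "Not domain-joined; /pwd:AD cannot escrow a recovery password to AD DS."
}

$r | Format-List
```

Compare the output against a machine where the task sequence succeeds (X270, T480 in this thread): the interesting differences are VolumeStatus and KeyProtectors at the moment the Enable BitLocker step runs, not the TPM version by itself.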

alee0
Paper Tape
Posts: 5
Registered: ‎11-07-2018
Location: US
Views: 3,054
Message 3 of 10

Re: Enabling BitLocker with SCCM Fails

If I click on "Turn on BitLocker" after deployment, I am able to activate BitLocker.

 

Upon more testing, this task sequence finishes no problem with model X270, X1 Yoga, and T480.

It is only the ThinkPad X230, X240, X250, and X260 that fails enabling BitLocker.

 

What step am I missing?

Lenovo Staff
Posts: 5,156
Registered: ‎10-29-2009
Location: NC
Views: 3,045
Message 4 of 10

Re: Enabling BitLocker with SCCM Fails

What TPM are you using on X260 vs X270?  Look in TPM.msc -> TPM Manufacturer Information -> Specification Version

alee0
Paper Tape
Posts: 5
Registered: ‎11-07-2018
Location: US
Views: 3,037
Message 5 of 10

Re: Enabling BitLocker with SCCM Fails

X260 = TPM 1.2

X270 = TPM 2.0

 

In my next test, in the bios of X260, I changed the security chip to Intel PTT so that the version is 2.0.

I re-run the task sequence and it still fails at the step of "Enable TPM"

Lenovo Staff
Posts: 5,156
Registered: ‎10-29-2009
Location: NC
Views: 3,018
Message 6 of 10

Re: Enabling BitLocker with SCCM Fails


@alee0 wrote:

X260 = TPM 1.2

X270 = TPM 2.0

 

In my next test, in the bios of X260, I changed the security chip to Intel PTT so that the version is 2.0.

I re-run the task sequence and it still fails at the step of "Enable TPM"


I'm confused.  In your latest post you said it fails at "Enable TPM" but previously you said it fails at "Enable BitLocker".

alee0
Paper Tape
Posts: 5
Registered: ‎11-07-2018
Location: US
Views: 2,973
Message 7 of 10

Re: Enabling BitLocker with SCCM Fails

Sorry for the confusion.

It failed at "Enable BitLocker" not TPM...

Lenovo Employee tlawson
Lenovo Employee
Posts: 902
Registered: ‎03-03-2016
Location: US
Views: 2,950
Message 8 of 10

Re: Enabling BitLocker with SCCM Fails

@alee0,

 

Looking through the information provided in your initial post and comparing the log to a system here, the failure occurs after it declares Protection OFF.  This is where our logs differ.  The log here shows the following:

 

==============================[ OSDBitLocker.exe ]==============================    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Initialized COM    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Command line for extension .exe is "%1" %*    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set command line: "OSDBitLocker.exe" /enable /wait:False /mode:TPM /pwd:AD /full:False    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Target volume not specified, using current OS volume    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Current OS volume is 'C:'    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Protection is OFF    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Volume is fully encrypted    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Creating key protectors    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is enabled    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is activated    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm is owned    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm ownership is allowed    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm has compatible SRK    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Tpm has EK pair    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Initial TPM state: 63    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
TPM is already owned.    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Creating recovery password and escrowing to Active Directory    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE group policy registry keys to escrow recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE group policy registry key in Windows 7    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Set FVE OSV group policy registry keys to escrow recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Using random recovery password    OSDBitLocker    10/23/2018 11:57:45 AM    5080 (0x13D8)
Protecting key with TPM only    OSDBitLocker    10/23/2018 11:57:47 AM    5080 (0x13D8)
Process completed with exit code 0    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)
!--------------------------------------------------------------------------------------------!    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)
Successfully completed the action (Enable BitLocker) with the exit win32 code 0    TSManager    10/23/2018 11:57:48 AM    5500 (0x157C)

As @someotherguy has already asked, is the computer joined to the domain at this point?  It is almost like the computer cannot reach AD to backup the keys.

The other possibility is that in your TS, you have the BitLocker grouping with the Enable Bitlocker step directly after the Setup Windows and Configuration Manager step, where there is not much time for the HDD to be ready for encryption.  Most instances of this Enable Bitlocker step are set to occur as one of the very last steps of the TS.  You may want to move it down the TS directly above the Restart Computer task.

 

TLawson
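The working log above reads "Volume is fully encrypted" right after "Protection is OFF", while the failing log in the first post reads "Encryption in progress" at the same point, which fits the timing explanation in this reply. The script below is an added example (not code from this thread, Lenovo or Microsoft) of a "Run PowerShell Script" step that does what the built-in Enable BitLocker step does, but only after the pre-provisioned encryption has actually finished: it waits with a timeout so the task sequence fails with a clear message instead of hanging, verifies the TPM and domain join, adds and escrows a recovery password to AD DS before adding the TPM protector, and then turns protection on. The parameter defaults, function name and exit codes are this example's own assumptions; it relies only on the standard BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLocker, Resume-BitLocker) and Get-Tpm.

```powershell
# Added example: replacement for the "Enable BitLocker" step, run elevated
# from a task sequence after the OS is domain-joined and the TPM step has run.
param(
    [string]$MountPoint     = $env:SystemDrive,
    [int]   $TimeoutMinutes = 60,    # assumption: long enough for a full-disk pre-provision
    [int]   $PollSeconds    = 20
)

$ErrorActionPreference = 'Stop'

# Poll until the volume is no longer mid-encryption; throw on timeout so the
# TS step reports a real error rather than the generic 80004005.
function Wait-ForEncryption {
    param([string]$MountPoint, [int]$TimeoutMinutes, [int]$PollSeconds)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ($true) {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        if ($vol.VolumeStatus -in 'FullyEncrypted', 'FullyDecrypted') { return $vol }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out after $TimeoutMinutes min: $MountPoint is $($vol.VolumeStatus) at $($vol.EncryptionPercentage)%"
        }
        Write-Host "$MountPoint $($vol.VolumeStatus) $($vol.EncryptionPercentage)% - waiting $PollSeconds s"
        Start-Sleep -Seconds $PollSeconds
    }
}

try {
    # Preconditions that the thread's participants asked about.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not ready (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))"
    }
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        throw "Computer is not domain-joined; recovery password cannot be escrowed to AD DS"
    }

    $vol = Wait-ForEncryption -MountPoint $MountPoint -TimeoutMinutes $TimeoutMinutes -PollSeconds $PollSeconds

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Pre-provision did not run: start encryption with a TPM protector now.
        # -SkipHardwareTest turns protection on without the reboot-and-test cycle.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 -UsedSpaceOnly `
                         -TpmProtector -SkipHardwareTest | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Recovery password first, escrowed before the clear key is removed,
    # so a failed AD backup aborts the step while the disk is still openable.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    if ($types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    if ($vol.ProtectionStatus -ne 'On') { throw "Protection is still $($vol.ProtectionStatus) on $MountPoint" }

    Write-Host "BitLocker on: $MountPoint protectors=$(($vol.KeyProtector.KeyProtectorType) -join ',')"
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

Placing this as one of the last steps, directly above the final Restart Computer step as suggested above, keeps the same ordering the reply recommends; the timeout just makes the wait explicit. Backup-BitLockerKeyProtector still needs the AD schema and the "Store BitLocker recovery information in AD DS" policy in place, so a failure there is a real escrow failure and the step should stop.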

jeffdfield
What's DOS?
Posts: 1
Registered: ‎11-16-2018
Location: US
Views: 2,850
Message 9 of 10

Re: Enabling BitLocker with SCCM Fails

I'm having the same problem, it seems to only happen on some models. Were you able to resolve it?

alee0
Paper Tape
Posts: 5
Registered: ‎11-07-2018
Location: US
Views: 2,707
Message 10 of 10

Re: Enabling BitLocker with SCCM Fails

I had this issue only on the model types that I mentioned in the first post. I had other computers that didn't have this issue.

 

I think my issue is now resolved. Moving the "Enable TPM" step to the end helps.

I also added a "sleep" command line step to wait for encryption. This step is just above the "Enable TPM" step:

 

powershell "while ( (Get-BitLockerVolume | where { $_.VolumeType -eq 'OperatingSystem' }).EncryptionPercentage -ne 100 ) { sleep 20 }"
