Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-08-24, 17:09 PM

We use the Microsoft Deployment Toolkit to OSD devices. We are looking to enable BitLocker during OSD and find that the process works fine on most models but not on the L490 (or L480 or X1 Yoga Gen 5). We can enable BitLocker fine outside of OSD. The error the process gives is:

FAILURE ( 6767 ): -2144272340  0x8031002C: Enable BDE Protectors

This error means:

FVE_E_POLICY_PASSWORD_REQUIRED - No key protectors of the type "Numerical Password" are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services. To add at least one key protector of that type, use the ProtectKeyWithNumericalPassword method.

The security chip is enabled. The BIOS is at the most current version - 1.25.

We use the following settings in group policy to ensure BL can be enabled via MDT:

Choose how BitLocker-protected operating system drives can be recovered
---"Allow data recovery agent" is checked
---"Allow 48-digit recovery password" and "Allow 256-bit recovery key" are selected
---"Save BitLocker recovery information to AD DS for OS drives" is checked
---"Store recovery passwords and key packages" is selected
---"Do not enable BitLocker until recovery information is stored to AD DS for OS drives" is selected.
Configure TPM platform validation profile for BIOS-based firmware configurations (default PCRs enabled)
Configure TPM platform validation profile for native UEFI firmware configurations (default PCRs enabled)

What is it about this model that kills the BL enabling process during OSD?

Skip

Moderator comment: Moved to a better forum. (NateS)


Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-08-24, 19:03 PM

Are the machines connected to your network and domain when this failure happens during OSD?  When "Enable BDE Protectors" fails, a common cause is not being able to backup the recovery key to your domain server.

Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-08-25, 14:14 PM
I presume so since it has connectivity just prior to and after the step that enables BitLocker. But I will have to verify. Thanks.
Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-08-31, 15:15 PM
I think the issue is that MDT thinks that the OSD process is a Refresh instead of a New Computer. When it fails, in the BDD.log, I see "This is a Refresh Build where BDE protectors were disabled." so it's like the EnableBitLocker step tries to unsuspend BitLocker instead of enabling it for the first time. I cannot find anything where the DeploymentType variable is set to REFRESH. 3 seconds before I see the above message in the log, I see "DeploymentType = NEWCOMPUTER".

Skip
Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-09-01, 18:22 PM
What I have found is that the ZTIGather script is finding that the drive is already encrypted and setting the IsBDE variable to TRUE. Thusly it simply tries to unsuspend BL instead of enabling it for the first time.

The ZTIGather log shows the following when there's a failure to enable BL in the task sequence:

Encrypted drive found: C:, status = 1
Encrypted drive found: C:, status = 1
Encrypted drive found: C:, status = 1
Encrypted drive found: C:, status = 2

When BL is successfully encrypted in the task sequence, it shows:

Encrypted drive found: C:, status = -1
Encrypted drive found: C:, status = -1
Encrypted drive found: C:, status = -1
There are no encrypted drives

I am still trying to find out what the status codes mean. Do certain models/hard drives have some kind of auto encryption feature? I do not understand why 3 of our 60 or so models have some kind of encryption going on during OSD.

Skip
Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-09-01, 18:53 PM

Windows 10 itself automatically enables "BitLocker automatic device encryption".  It sounds like this might be getting in your way.  More information here, including instructions how to disable it:  https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-09-01, 20:01 PM
Thank you. I will look at that.

Skip
Re:Cannot enable BitLocker on L490 (20Q6S18700) via MDT

2021-09-08, 19:09 PM
I modified the registry to disable it. It had to be placed after the Copy Scripts step during the PostInstall phase. Thanks.
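An added example (not code from the thread, from MDT or from Lenovo) covering the two findings above: message 5's "drive already encrypted" check, and message 8's registry change that has to run after Copy Scripts in PostInstall. The first function queries the BitLocker WMI class Win32_EncryptableVolume for the protection and conversion status and whether a numerical-password protector exists (the one FVE_E_POLICY_PASSWORD_REQUIRED asks for), for diagnosis in the full OS; the second writes PreventDeviceEncryption=1 into the applied image's offline SYSTEM hive from WinPE, where HKLM is still WinPE's own hive. Assumptions: PowerShell is in the boot image, the applied OS is on C: unless the task sequence's OSDisk variable says otherwise, and no mapping between these WMI values and the "status" numbers ZTIGather logs is claimed.

```powershell
# Added example, not code from the thread or from MDT. Run as administrator.
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-VolumeEncryptionState {
    # Diagnosis in the full OS: what does the BitLocker WMI provider report for the drive?
    param([string]$DriveLetter = 'C:')
    $vol = Get-CimInstance -Namespace $BdeNamespace -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { return $null }
    $prot = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
    $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    # KeyProtectorType 3 = numerical password (48-digit recovery password)
    $rp = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]3 }
    [pscustomobject]@{
        Drive                 = $DriveLetter
        ProtectionStatus      = $prot.ProtectionStatus    # 0 unprotected, 1 protected, 2 unknown
        ConversionStatus      = $conv.ConversionStatus    # 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
        EncryptionPercentage  = $conv.EncryptionPercentage
        RecoveryPasswordCount = @($rp.VolumeKeyProtectorID | Where-Object { $_ }).Count
    }
}

function Set-OfflinePreventDeviceEncryption {
    # PostInstall (WinPE) step: HKLM here is WinPE's hive, so load the applied image's SYSTEM hive instead.
    param([string]$OsDrive = 'C:')   # assumption: the applied OS volume; MDT's OSDisk variable wins when available
    if (-not $PSBoundParameters.ContainsKey('OsDrive')) {
        try { $OsDrive = (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value('OSDisk') } catch { }
    }
    $hive = Join-Path $OsDrive 'Windows\System32\config\SYSTEM'
    & reg.exe load 'HKLM\OfflineSystem' $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hive" }
    try {
        # An offline hive has no CurrentControlSet link; resolve the control set Select\Default points at.
        $cs  = (Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select' -Name Default).Default
        $key = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Control\BitLocker' -f $cs
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name PreventDeviceEncryption -PropertyType DWord -Value 1 -Force | Out-Null
        return (Get-ItemProperty -Path $key -Name PreventDeviceEncryption).PreventDeviceEncryption
    }
    finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop key handles so the hive can unload
        & reg.exe unload 'HKLM\OfflineSystem' | Out-Null
    }
}

# Usage: in the full OS,  Get-VolumeEncryptionState -DriveLetter 'C:' | Format-List
#        in PostInstall after Copy Scripts,  Set-OfflinePreventDeviceEncryption
```

Compare the reported ConversionStatus and RecoveryPasswordCount on a failing model against a working one before the Enable BitLocker step; a volume that is already encrypted with no numerical-password protector is exactly what the 0x8031002C error describes.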