Bitlocker Issues

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Bitlocker Issues - Wednesday, May 02, 2012 11:55 AM
Hi Guys,
  Having issues just getting the drive to encrypt from a TS. This is on a Dell Optiplex 760 & using the Windows Update driver for TPM 1.2.
AD schema is extended etc to accept key store & recovery
 
On 760 manually
Dell OMCI installed
Configure BIOS settings including setting BIOS password
Turn on TPM in BIOS (PowerShell for Dell OMCI): (gwmi DCIM_BIOSService -namespace root\dcim\sysman).SetBIOSAttributes($null,$null,"Trusted Platform Module","1","BIOSPW")
reboot
Enable TPM in BIOS (PowerShell for OMCI): (gwmi DCIM_BIOSService -namespace root\dcim\sysman).SetBIOSAttributes($null,$null,"Trusted Platform Module Activation","2","BIOSPW")
reboot
Prep Drive for Bitlocker (%windir%\system32\bdeHdCfg.exe -target default -size 300 -quiet)
Reboot
 
Task Sequence
Run Enable Bitlocker TS (OSDBitLocker.exe /enable  /wait:False /mode:TPM /pwd:AD)
 
 
I get the following error
 
'IsEndorsementKeyPairPresent' failed (2150105095)
TPM cannot be enabled without physical presence
Failed to run the action: Enable BitLocker.
Unspecified error (Error: 80004005; Source: Windows) 
  
  Once I know the enable works I'll go back to TS'ing the lot, but at present the last stage doesn't work. I don't think playing with legacy hardware without Windows 7 drivers is helping, but TPM.msc says that the TPM is OK & ready to initialize after the manual steps.
 
<message edited by chiners_68 on Wednesday, May 02, 2012 11:58 AM>
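A pre-flight check for the step that failed above, as an added example (not code from chiners_68's post): it asks the Win32_Tpm WMI class in root\cimv2\Security\MicrosoftTpm, the same provider TPM.msc reads, the questions the Enable BitLocker step asks, so the task sequence can stop with a readable reason before OSDBitLocker.exe runs. The namespace, class and method names are the real Windows 7 / TPM 1.2 provider; the function name, the output property names and the "Ready" rule are my own choices, and operation 6 is the TCG physical presence interface code for "Enable + Activate".

```powershell
# Added example, not code from the original post: a pre-flight check to run before the
# "Enable BitLocker" task sequence step. It queries the Win32_Tpm WMI class in
# root\cimv2\Security\MicrosoftTpm, the same provider TPM.msc reads. Namespace, class
# and method names are real (Windows 7 / TPM 1.2); the function name, the output
# property names and the "Ready" rule are my own choices.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    $result = New-Object PSObject -Property @{
        Present               = [bool]$tpm
        Enabled               = $false
        Activated             = $false
        Owned                 = $false
        EndorsementKeyPresent = $false
        PhysicalPresence      = $null    # what this BIOS does with a PPI "Enable + Activate" request
        Ready                 = $false
        Problems              = @()
    }

    if (-not $tpm) {
        # No Win32_Tpm instance: the chip is off in BIOS or no TPM driver is loaded
        # (the missing Windows 7 driver situation from the thread). Nothing else can be asked.
        $result.Problems += 'Win32_Tpm not found: TPM off in BIOS or TPM driver missing'
        return $result
    }

    # Each Is* method returns an object with ReturnValue (0 = success) and a boolean of
    # the same name. A non-zero ReturnValue is the condition the task sequence log showed
    # as "'IsEndorsementKeyPairPresent' failed (...)": the chip is there but refuses the
    # query, typically because it is not yet enabled and activated.
    $checks = @(
        @{ Prop = 'Enabled';               Method = 'IsEnabled' },
        @{ Prop = 'Activated';             Method = 'IsActivated' },
        @{ Prop = 'Owned';                 Method = 'IsOwned' },
        @{ Prop = 'EndorsementKeyPresent'; Method = 'IsEndorsementKeyPairPresent' }
    )
    foreach ($c in $checks) {
        $method = $c.Method
        $prop   = $c.Prop
        $r = $tpm.$method()
        if ($r.ReturnValue -ne 0) {
            $result.Problems += ('{0} failed with 0x{1:X8}' -f $method, $r.ReturnValue)
        } else {
            $result.$prop = [bool]$r.$method
        }
    }

    # Operation 6 is "Enable + Activate" in the TCG physical presence interface table.
    # ConfirmationStatus says whether the BIOS will carry it out on the next boot and
    # whether someone must confirm at the keyboard, which is the "physical presence"
    # the task sequence error is talking about.
    $pp = $tpm.GetPhysicalPresenceConfirmationStatus(6)
    if ($pp.ReturnValue -eq 0) {
        $result.PhysicalPresence = switch ($pp.ConfirmationStatus) {
            0 { 'not implemented by this BIOS' }
            1 { 'BIOS only (OS cannot request it)' }
            2 { 'blocked by BIOS configuration' }
            3 { 'allowed, user must confirm at the console after reboot' }
            4 { 'allowed, no user confirmation required' }
            default { 'unknown status ' + $pp.ConfirmationStatus }
        }
    }

    if (-not $result.Enabled)   { $result.Problems += 'TPM is not enabled' }
    if (-not $result.Activated) { $result.Problems += 'TPM is not activated' }
    $result.Ready = ($result.Problems.Count -eq 0)
    return $result
}

# Usage in a PowerShell step placed just before Enable BitLocker: fail early, with a
# readable reason in smsts.log, instead of at the Enable BitLocker step itself.
$state = Get-TpmReadiness
$state | Format-List Present, Enabled, Activated, Owned, EndorsementKeyPresent, PhysicalPresence, Ready
if (-not $state.Ready) {
    $state.Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

On a machine in the state the post describes (TPM "ready to initialize" after the manual BIOS steps) the check should report Enabled and Activated true and Owned false; on the 760 where the TS failed, it is the ReturnValue of the Is* queries and the PhysicalPresence line that tell you whether the BIOS will honour an OS-initiated enable at all.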

Riser
  • Total Posts : 218
  • Scores: 6
  • Reward points : 64760
  • Joined: 4/21/2010
Re:Bitlocker Issues - Wednesday, May 02, 2012 3:19 PM
You may need to update the BIOS firmware to support the OMCI. In my testing 745s have issues. No issues with 980/990s.

dhedges
  • Total Posts : 14
  • Scores: 4
  • Reward points : 19830
  • Joined: 9/30/2009
  • Location: Austin, TX
Re:Bitlocker Issues - Wednesday, May 02, 2012 5:32 PM
We are using the CCTK to do this for us and we had to set a temporary BIOS password before activating TPM in BIOS. So the process we use is:
1. Enable TPM
2. Set Temporary Bios Password
3. Reboot
4. Activate TPM
5. Reboot
6. Remove Temporary BIOS Password
 
Hope this helps!
-Dustin
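The six CCTK steps above as one script, added here as an example and not dhedges' own tooling: three task sequence steps call the same file with -Phase Enable, Activate and Cleanup (via powershell.exe in a Run Command Line step), with the two reboots left as ordinary Restart Computer steps between them, and the temporary password is read from a task sequence variable instead of being baked into the package. Assumptions: cctk.exe is on the path of the step; the option names used here (--tpm, --tpmactivation, --setuppwd, --valsetuppwd) match your CCTK release, which you should confirm against cctk --help; and the variable name OSDTempBiosPassword and the phase names are mine.

```powershell
# Added example, not dhedges' own script: the six-step CCTK sequence as one wrapper
# called with -Phase Enable, then (after a reboot) -Phase Activate, then (after another
# reboot) -Phase Cleanup. CCTK option names are assumed to match the installed CCTK
# release; verify with "cctk --help". The TS variable name OSDTempBiosPassword is mine.

param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('Enable', 'Activate', 'Cleanup')]
    [string]$Phase,

    # Temporary BIOS setup password (no spaces: it is passed on the cctk command line).
    [string]$TempPassword
)

function Invoke-Cctk {
    param([string[]]$Arguments)
    # cctk.exe reports success with exit code 0. Anything else stops this phase so the
    # task sequence step fails here, not later at the BitLocker step that depends on it.
    $p = Start-Process -FilePath 'cctk.exe' -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw ('cctk {0} failed with exit code {1}' -f ($Arguments -join ' '), $p.ExitCode)
    }
}

if (-not $TempPassword) {
    # Task sequence variables are read through the TS environment COM object, not $env:.
    # Keeping the password in a TS variable means it is not stored in the script package.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $TempPassword = $tsenv.Value('OSDTempBiosPassword')
    } catch { }
}
if (-not $TempPassword) {
    throw 'No temporary BIOS password: pass -TempPassword or set the OSDTempBiosPassword TS variable'
}

switch ($Phase) {
    'Enable' {
        # Steps 1 and 2: enable the TPM, then set the temporary setup password that
        # dhedges found the later activation needs. Step 3 (reboot) is the next TS step.
        Invoke-Cctk @('--tpm=on')
        Invoke-Cctk @("--setuppwd=$TempPassword")
    }
    'Activate' {
        # Step 4: activate the TPM, validating with the password set before the reboot.
        # Step 5 (reboot) follows as its own TS step.
        Invoke-Cctk @('--tpmactivation=activate', "--valsetuppwd=$TempPassword")
    }
    'Cleanup' {
        # Step 6: clear the temporary password (empty new value, old value for
        # validation). Skipping this leaves every built machine sharing one BIOS
        # password that nothing tracks.
        Invoke-Cctk @('--setuppwd=', "--valsetuppwd=$TempPassword")
    }
}
```

Because the password goes on the cctk command line it is visible in the process list for the duration of the call and may appear in smsts.log if the step logs its command line; that is acceptable for a password that exists only between the Enable and Cleanup phases, which is the point of making it temporary.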

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Re:Bitlocker Issues - Thursday, May 03, 2012 3:59 AM
BIOS is on the latest version, A13. I'm thinking it's an issue with the 760s, which is basically a newer 745.
I'll try a nice new 990 & see if that helps.
 
dhedges,
  I don't really want to use another app to do something OMCI, which is installed, can do. As you can see above I've got the PowerShell commands for OMCI to turn on & activate TPM.
 
I have a BIOS password set. Why do you set one then remove it? What does this do for the process?
 
 

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Re:Bitlocker Issues - Thursday, May 03, 2012 4:02 AM
Are others prepping the drive for BitLocker or are you doing this when setting the partition for the drive during OSD?
 
Prep Drive for Bitlocker (%windir%\system32\bdeHdCfg.exe -target default -size 300 -quiet)

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Re:Bitlocker Issues - Thursday, May 03, 2012 7:46 AM
Seems to be working fine on a 990.
 
Lesson learnt. Don't use old hardware that states TPM 1.2 but doesn't have supported drivers for your OS.

Riser
  • Total Posts : 218
  • Scores: 6
  • Reward points : 64760
  • Joined: 4/21/2010
Re:Bitlocker Issues - Thursday, May 03, 2012 9:12 AM
Yeah that was the issue I was having. I have old hardware to test on (phasing out 745s, replaced with 980/990s). Testing didn't go well and at this point I'm not going to bother with the older equipment.
 
If you did have to support older hardware, you may want to look at the CCTK though as it might be a solution.
 
I have it easy with BitLocker as all encrypted devices are after the fact. Working on implementing within OSD by setting partitions. Any system that is deployed that requires encryption I plan on using the BitLocker prep tool. I honestly had not thought about using it in the initial OSD deployment.

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Re:Bitlocker Issues - Thursday, May 03, 2012 10:18 AM
Most of my steps I've done manually so far, but now I know it works I'm adding them to my TS. To save having to do the BitLocker prep I've created the 300 MB partition at the TS partition stage. I will also add the TPM on to my BIOS settings package. I then only need to add some reboots, a TPM activate step & a BitLocker encryption TS step and I'm away.
 
One question:
 
Do you need to disable BitLocker or change the activation level in the BIOS before reinstalling via OSD?
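What the "BitLocker encryption" step in that plan has to achieve, written out against the BitLocker WMI provider as an added example (not the OSDBitLocker.exe step from the task sequence and not chiners_68's code): the same outcome as /enable /mode:TPM /pwd:AD, that is a TPM protector, a recovery password escrowed to AD, then encryption, with the check the packaged step does not make visible, namely that encryption only starts once AD has confirmed the recovery password backup. The namespace, class and method names are the Windows 7 BitLocker WMI provider (Win32_EncryptableVolume and Win32_Tpm); the function names, parameter names and the rollback on a failed backup are my own design. The prerequisites from the thread still apply: TPM enabled and activated, the AD schema extended, and the BitLocker recovery policy in place.

```powershell
# Added example, not the OSDBitLocker.exe step from the post: TPM protector, recovery
# password escrowed to AD, then encrypt, done directly against Win32_EncryptableVolume.
# Class and method names are the Windows 7 BitLocker WMI provider; the function names
# and the rollback on a failed AD backup are my own design.

function Enable-BitLockerWithAdEscrow {
    param(
        [string]$DriveLetter = $env:SystemDrive,   # e.g. "C:"
        [int]$EncryptionMethod = 4                  # 4 = AES-256; 3 = AES-128; 1/2 = AES-128/256 with diffuser
    )
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No Win32_EncryptableVolume for $DriveLetter" }

    # ConversionStatus 1 = fully encrypted, 2 = encryption in progress: do not stack a
    # second set of protectors on a volume that is already being handled.
    $conv = $vol.GetConversionStatus()
    if (@(1, 2) -contains $conv.ConversionStatus) {
        Write-Warning "$DriveLetter is already encrypted or encrypting; nothing to do"
        return $null
    }

    # BitLocker needs an owned TPM before it can seal a key to it. OSDBitLocker.exe
    # takes ownership itself; this example refuses to continue without it.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm -or -not $tpm.IsOwned().IsOwned) {
        throw 'TPM is not owned; run "manage-bde -tpm -takeownership <password>" first'
    }

    # 1. TPM protector (the /mode:TPM part). $null profile = the default PCR set.
    $tpmProt = $vol.ProtectKeyWithTPM($null, $null)
    if ($tpmProt.ReturnValue -ne 0) {
        throw ('ProtectKeyWithTPM failed: 0x{0:X8}' -f $tpmProt.ReturnValue)
    }

    # 2. Random 48-digit recovery password (the /pwd part). Passing $null lets the
    #    provider generate it; the script never sees or logs the digits.
    $rec = $vol.ProtectKeyWithNumericalPassword($null, $null)
    if ($rec.ReturnValue -ne 0) {
        [void]$vol.DeleteKeyProtector($tpmProt.VolumeKeyProtectorID)
        throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $rec.ReturnValue)
    }

    # 3. Escrow to AD (the :AD part) and insist on success before any encryption.
    #    If the backup fails you keep a decrypted, recoverable machine rather than an
    #    encrypted one whose only key lives in this TPM.
    $bk = $vol.BackupRecoveryInformationToActiveDirectory($rec.VolumeKeyProtectorID)
    if ($bk.ReturnValue -ne 0) {
        [void]$vol.DeleteKeyProtector($rec.VolumeKeyProtectorID)
        [void]$vol.DeleteKeyProtector($tpmProt.VolumeKeyProtectorID)
        throw ('AD backup of the recovery password failed: 0x{0:X8}; not encrypting' -f $bk.ReturnValue)
    }

    # 4. Start encrypting. Flags 0 = full volume (Windows 7 has no used-space-only mode).
    $enc = $vol.Encrypt($EncryptionMethod, 0)
    if ($enc.ReturnValue -ne 0) {
        throw ('Encrypt failed: 0x{0:X8}' -f $enc.ReturnValue)
    }
    # The protector ID (a GUID, not the password) is safe to write to smsts.log for audit.
    return $rec.VolumeKeyProtectorID
}

function Get-BitLockerProgress {
    # Companion to /wait:False: poll this later to see how far the background encryption got.
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    $conv = $vol.GetConversionStatus()
    New-Object PSObject -Property @{
        Drive   = $DriveLetter
        Status  = $conv.ConversionStatus    # 0 decrypted, 1 encrypted, 2 encrypting, 4 paused
        Percent = $conv.EncryptionPercentage
    }
}

$id = Enable-BitLockerWithAdEscrow
if ($id) { Write-Output "Recovery protector $id escrowed to AD; encryption started" }
Get-BitLockerProgress
```

The ordering matters more than the API: the recovery password is created and confirmed in AD before Encrypt is called, so a machine that cannot reach a writable domain controller during the build ends the step unencrypted and reported, not encrypted with a recovery key that exists nowhere but on that TPM.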

Riser
  • Total Posts : 218
  • Scores: 6
  • Reward points : 64760
  • Joined: 4/21/2010
Re:Bitlocker Issues - Thursday, May 03, 2012 11:37 AM
You will need to disable BitLocker to reinstall I believe. Not sure offhand about the BIOS but that could likely be a step in the TS to reset it with the OMCI/CCTK?
 
You can download what is called the 'filter' driver for BitLocker (or other encryption products). I was reading an article months ago talking about laying down an encrypted image using the filter driver. Basically it allows WinPE to read/write in encryption.
Edit:
Search CC732725 on Microsoft and look at Step 7 for some info.
<message edited by Riser on Thursday, May 03, 2012 11:38 AM>

chiners_68
  • Total Posts : 809
  • Scores: 5
  • Reward points : 76850
  • Joined: 10/31/2007
Re:Bitlocker Issues - Thursday, May 03, 2012 11:54 AM
I've reinstalled successfully without having to disable BitLocker. As it's formatting the drive it will just wipe the current encrypted partition. Do you know if I need to deactivate or clear the TPM in BIOS before reactivating to enable BitLocker again?
 

Riser
  • Total Posts : 218
  • Scores: 6
  • Reward points : 64760
  • Joined: 4/21/2010
Re:Bitlocker Issues - Thursday, May 03, 2012 3:28 PM
I don't know offhand but if you used the same password I would think it should work fine.