BitLocker activation fails during OSD

Hey,

I am having a problem with BitLocker activation during SCCM OSD deployment.
The setup I have is the following:

Two task sequence steps specify the BitLocker activation:

The GPO settings applied are the following (even though I have read in some forum posts that the GPOs are not applied during OSD):

The error I receive is the following:

The task sequence execution engine failed executing the action (Enable BitLocker) in the group (BitLocker Encryption) with the error code 2147500037
Action output: ==============================[ OSDBitLocker.exe ]==============================
Command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
Initialized COM
Command line for extension .exe is "%1" %*
Set command line: "OSDBitLocker.exe" /enable /wait:True /mode:TPM /pwd:AD
Target volume not specified, using current OS volume
Current OS volume is 'C:'
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'
Protection is OFF
FALSE, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1502)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382)
Encryption in progress. The operating system reported error 2147500037: Unspecified error 

After the restart the drive seems to be encrypted with BitLocker, but BitLocker is suspended.
When I now try to activate BitLocker I receive the message:

"Group Policy settings require that a recovery password be specified before encrypting the drive."

I know I could save the recovery key manually into Active Directory and activate afterwards, but that would not resolve the problem during the task sequence.
I already checked that the TPM is activated and initialized.

Thanks for help.

June 11th, 2015 7:03am

We got similar issues and fixed them!

We had to set the required permissions for backing up the information:

https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx#BKMK_1

June 11th, 2015 8:09am

Hey,

Thanks for reply.

Which account requires these permissions?
I assume NAA? Or the SCCM Server account itself?

June 11th, 2015 8:28am

It's the account "self". The computer account itself needs the right to store the information.
June 11th, 2015 9:40am
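The two replies above point at the computer account ("self") needing rights on its own AD object. The following PowerShell check, added here and not part of the thread or the linked TechNet guide, reads the ACL of a computer object and reports whether SELF is allowed to create msFVE-RecoveryInformation child objects and to write msTPM-OwnerInformation. It resolves the schema GUIDs by name rather than hard-coding them; the ActiveDirectory RSAT module, the `$ComputerName` parameter and the function names are this example's own assumptions.

```powershell
# Added example, not from the thread: check whether the computer account (SELF) can
# back BitLocker recovery information up to its own AD computer object.
# Assumptions: ActiveDirectory module (RSAT) available, run as a domain user allowed
# to read the object's security descriptor; $ComputerName is this example's parameter.
param([string]$ComputerName = $env:COMPUTERNAME)

Import-Module ActiveDirectory

# Resolve a schema class/attribute GUID by lDAPDisplayName instead of hard-coding it.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) {
        throw "Schema object '$LdapDisplayName' not found; is the BitLocker schema extension in place?"
    }
    return [guid]$obj.schemaIDGUID
}

# True if an Allow ACE for SELF grants $Right on $ObjectType (or on all object types).
function Test-SelfAce {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch '\\SELF$') { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        # An empty ObjectType GUID means the right applies to every object type / property.
        # Note: rights granted through a property set GUID are not resolved here.
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ObjectType) { return $true }
    }
    return $false
}

$computer = Get-ADComputer -Identity $ComputerName
# Inherited ACEs (e.g. set on the OU) show up in .Access as well, so OU-level grants are covered.
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

$recoveryInfoClass = Get-SchemaGuid -LdapDisplayName 'msFVE-RecoveryInformation'
$tpmOwnerAttr      = Get-SchemaGuid -LdapDisplayName 'msTPM-OwnerInformation'

$results = [ordered]@{
    'SELF can create msFVE-RecoveryInformation child objects' =
        Test-SelfAce -Acl $acl -Right CreateChild -ObjectType $recoveryInfoClass
    'SELF can write msTPM-OwnerInformation' =
        Test-SelfAce -Acl $acl -Right WriteProperty -ObjectType $tpmOwnerAttr
}
$results.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }
```

Run it against a machine that fails and one that works; if both report True for the recovery-information line, the AD permissions are not the cause and the timing of the encryption (discussed further down the thread) is the more likely explanation.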

Hey thanks,

Permissions for 'self' are set as described here:
http://blogs.technet.com/b/bitlocker/archive/2010/09/14/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx
Additionally, this problem does not happen on all devices - just some.
(Sorry I forgot to write this in my first post)

Having a look at the error message, it informs us: "Encryption in progress". Based on this I think this happens if encryption is not finished but BitLocker tries to save the key to AD.

Unfortunately the required checkbox in this case, "Wait for BitLocker to complete the drive encryption process on all drives before Configuration Manager continues to run the task sequence", is already set... :(

June 11th, 2015 10:34am

We are getting the exact same error. So any help would be appreciated. We also have the same settings.

Update: I added a pause command after the "Pre-Provision BitLocker" task. When I run manage-bde -status I see that it is slowly encrypting the drive. Only 2.3% thus far, so it will probably take about 20 minutes or so to complete this. I was under the impression that the Pre-Provision BitLocker step was there to encrypt the drive when it was empty to speed this up. This does not seem to be the case, and I suspect this is what caused the error at the end of the script, as the drive was not yet completely encrypted.

So this begs the question: is the "Wait for BitLocker to complete the drive encryption process" check box broken?
June 11th, 2015 1:25pm


Using the pause I was able to wait until encryption reached 100%. After this the Enable BitLocker task ran successfully. I checked AD and the key was listed there to confirm. No errors were given during this image test. This does not solve the underlying problem but does provide a workaround. Hopefully the OP can report back if this worked correctly to bypass the issue. I will look into the check box not applying and post here if I find a better fix.

There is also a way to use the ping command with -count and a number, which would be one ping per second. This would allow you to pause for the duration needed to allow BitLocker to encrypt. I will also test this out tomorrow.

June 11th, 2015 5:27pm

There are a couple of things to verify. Is your partitioning step configured properly for BitLocker?

If you have command support enabled in your boot image, try to pause the task sequence after the step "Pre-provision BitLocker" and use the command "manage-bde -status" to check the time the computer needs to finish this step.

Add a pause step to your task sequence and try again.

June 12th, 2015 2:11am

Hey,

I can confirm that waiting for the encryption to finish helps...
(Using a script to wait for OSDBitLocker.exe to finish as a step prior to writing the key to Active Directory makes the situation acceptable)

Unfortunately I do not have this problem with every device.
(It looks like this problem depends on how fast the HDD in use is)

Something I do not understand yet is that the command line uses the "/wait:True" switch correctly... so this seems to be related not to the "Wait for BitLocker to complete the drive encryption process" check box being broken but to OSDBitLocker.exe itself....


  • Edited by MK-Maddin 12 hours 18 minutes ago
June 17th, 2015 3:21pm
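Both the fixed-length pause / ping loop proposed earlier and the "script to wait for OSDBitLocker.exe to finish" mentioned in the post above amount to the same thing: do not let the sequence reach the step that writes the key to AD while manage-bde still reports "Encryption in Progress". The script below is an added example, not code from the thread or from Configuration Manager. It is meant as a "Run PowerShell Script" step placed before "Enable BitLocker", polls manage-bde -status on the OS volume until it reports 100% encrypted, and fails the step on timeout so the sequence stops with a visible error instead of the later 80004005. It assumes the full-OS phase (manage-bde.exe present) and English manage-bde output; the parameter and function names are this example's own.

```powershell
# Added example, not from the thread: block a task sequence until BitLocker reports
# the OS volume fully encrypted, then let the "Enable BitLocker" / AD backup step run.
# Assumptions: full-OS phase (manage-bde.exe present), English manage-bde output;
# the parameter names below are this example's own choice.
param(
    [string]$Volume = $env:SystemDrive,   # e.g. "C:"
    [int]$PollSeconds = 30,
    [int]$TimeoutMinutes = 240
)

# Parse one "manage-bde -status <volume>" listing into a small status object.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $status = [pscustomobject]@{ Percent = $null; Conversion = $null; Protection = $null }
    foreach ($line in $Lines) {
        if ($line -match 'Percentage Encrypted:\s*([\d.,]+)\s*%') {
            # Accept "100.0%" as well as locales that print "100,0%".
            $status.Percent = [double]($Matches[1] -replace ',', '.')
        }
        elseif ($line -match 'Conversion Status:\s*(.+)$') {
            $status.Conversion = $Matches[1].Trim()
        }
        elseif ($line -match 'Protection Status:\s*(.+)$') {
            $status.Protection = $Matches[1].Trim()
        }
    }
    return $status
}

# Run manage-bde and return the parsed status; throw if the tool itself fails.
function Get-BdeStatus {
    param([string]$Volume)
    $raw = & "$env:SystemRoot\System32\manage-bde.exe" -status $Volume 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -status $Volume failed with exit code $LASTEXITCODE"
    }
    return ConvertFrom-ManageBdeStatus -Lines $raw
}

$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ($true) {
    $s = Get-BdeStatus -Volume $Volume
    # Each poll is written to the step output, which Configuration Manager logs in smsts.log.
    Write-Output ('{0} {1}: {2}% encrypted, conversion "{3}", protection "{4}"' -f `
        (Get-Date -Format s), $Volume, $s.Percent, $s.Conversion, $s.Protection)

    if ($s.Percent -eq 100) {
        Write-Output 'Encryption complete; continuing task sequence.'
        exit 0
    }
    if ((Get-Date) -gt $deadline) {
        Write-Error "Timed out after $TimeoutMinutes minutes with $($s.Percent)% encrypted."
        exit 1   # non-zero exit fails the step, so the sequence stops here with a clear reason
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Unlike a fixed pause or a ping loop, the wait ends as soon as the volume is actually done, so slow disks (the case described above) get the time they need and fast ones are not delayed. If the Pre-provision step encrypted used space only, 100% is reached quickly and the step returns almost immediately.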
