BitLocker steps and backing up to AD

Hello all, 

I am running SCCM 2012 R2 CU2. The scenario is a new computer (no AD or SCCM objects) in WinPE with UDI, running TPM BitLocker. My issue is that the recovery keys are not being backed up to AD when the Enable BitLocker step runs in the State Restore group. Manually running manage-bde to back up from within Windows works as expected. The domain is 2008 R2. The laptop is a Latitude 7240.

As per the Technote I can confirm all settings and permissions are correct: http://technet.microsoft.com/en-us/library/dd875529(v=WS.10).aspx. I have read various articles here and think that maybe this is similar to my issue, but I'm not sure: https://social.technet.microsoft.com/Forums/en-US/59346b4e-b8c0-4dae-9699-8fdf9ff8f8d0/deploying-bitlocker-w-mdtudi?forum=configmanagerosd. 

I also checked the status before the Enable Bitlocker step was executed and after:

C: (OS DISK) - BEFORE
Size: 118.32gb
Bitlocker Version: Windows 7
Conversion Status: Fully Encrypted
Percent Encrypted: 100%
Encryption Method: AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: None
Key Protectors: None Found

C: (OS DISK) - AFTER
Size: 118.32gb
Bitlocker Version: Windows 7
Conversion Status: Fully Encrypted
Percent Encrypted: 100%
Encryption Method: AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: None
Key Protectors: TPM, Numerical Password

The ZTIBde.log, which might help, is attached below. Happy to add more...any help gratefully received. Thank you.

ZTIBde.log: 

Property UDI is now = ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)

Microsoft Deployment Toolkit version: 6.2.5019.0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The task sequencer log is located at C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG.  For task sequence failures, please consult this log. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
System drive is: C: ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The deployment method is using ConfigMgr. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Property BdeInstallSuppress is now = NO ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
This script is not currently running in Windows PE ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
We are running a OS that supports BitLocker ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= , sOSDBitLockerTargetDrive= C: ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
About to perform variable rationalization. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BitLocker Mode set to: TPM ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Starting search for removable drive ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The search for a USB drive failed ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BitLocker Startup Key Drive Value set to: C: ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BitLocker Create Recovery P@ssword Status: AD ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BitLocker Wait For Encryption Status set to: FALSE ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BitLocker Recovery P@ssword set. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The current autorun setting is - ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Disabling Autorun ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Find the boot drive (if any) [False] [0.0.0.0] [False] ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDisk : \\UKH114414\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
No boot drives found. None. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Reverting autorun setting to - 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Setting BDE Drive letter to nothing as we are unable to get the boot drive. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Property BdeDriveLetter is now = ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Running first pass.. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDisk : \\UKH114414\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
   Partition Count: 3 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
ZTIDiskUtility!GetDiskFreeSpace should be deprecated, does not handle avaible space for a new partition ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDisk : \\UKH114414\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
GetPartitions: 3 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDiskPartition : \\UKH114414\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"    \\UKH114414\root\cimv2:Win32_LogicalDisk.DeviceID="C:" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
   Free Disk Space: 128 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Existing Bitlocker: ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The current autorun setting is - 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Disabling Autorun ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Find the boot drive (if any) [False] [0.0.0.0] [False] ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDisk : \\UKH114414\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
No boot drives found. None. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Reverting autorun setting to - 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Existing Boot Drive: 1 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
The current autorun setting is - 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Disabling Autorun ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Find the boot drive (if any) [False] [0.0.0.0] [False] ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
New ZTIDisk : \\UKH114414\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0" ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
No boot drives found. None. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Reverting autorun setting to - 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Windows has a hidden system partition, no disk actions are necessary ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Configuring protectors. ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Success TPM Enabled ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Success TPM Is Activated ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Success TPM Is Owned ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Success TPM Ownership Allowed ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Check for Ensorsement Key Pair Present = 0 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
TpmEnabled: True ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
TpmActivated: True ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
TpmOwned: True ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
TpmOwnershipAllowed: True ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
EndorsementKeyPairPresent: True ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
TPM Validation Complete ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Encryptable Volume Count:2 ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Attempting to bind to: C: ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Success setting oBdeVol ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
BDE Instance Bind Complete ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Performing ProtectKeyWithTpm Installation ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Attempting to enable BitLocker TPM ZTIBde 11/12/2014 11:57:15 AM 0 (0x0000)
Recovery P@ssword being saved to C:\UKH114414-{42A7FC55-DD28-40B8-9C6A-9C3013B75E03}.txt ZTIBde 11/12/2014 11:57:16 AM 0 (0x0000)
Attempting to intiate ProtectKeyWithNumericalP@ssword ZTIBde 11/12/2014 11:57:16 AM 0 (0x0000)
Success protecting Key with numerical p@ssword ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Attempting to retrieve numerical p@ssword ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Saving numerical p@ssword to file. ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Success P@ssword Key file written ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
ProtectKeyWithNumericalP@ssword success ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Begining drive encryption ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Attempting to start BDE encryption ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Success starting encryption ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Enabling protectors. ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Encryptable Volume Count:2 ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Attempting to bind to: C: ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Success setting oBdeVol ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
BDE Instance Bind Complete ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Attempting to enable BDE Protectors ZTIBde 11/12/2014 11:57:17 AM 0 (0x0000)
Success enabling protectors. ZTIBde 11/12/2014 11:57:18 AM 0 (0x0000)
ZTIBde processing completed successfully. ZTIBde 11/12/2014 11:57:18 AM 0 (0x0000)

November 12th, 2014 5:54pm

Hello,

Thank you for your question.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

November 14th, 2014 12:58pm

Hi Nick,

If the Bitlocker was already enabled, check the following blog and see if this helps.

http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx

Also check if the schema was extended in AD.

If you move/postpone the Enable Bitlocker action to the end of the Task sequence, does it work?

Thanks.

November 17th, 2014 2:50pm

I have a suggestion. It doesn't help you with your issue, but, enterprise encryption should be managed with MBAM. There are two major issues with storing keys in AD.

1. The keys are not secured in a database. They are available to anyone that can log on to Active Directory Users and Computers.

2. The recovery key can be re-used indefinitely. This is an issue for the user that writes down the recovery key and saves it in their laptop case after using it (they might as well not have encryption).

November 17th, 2014 3:00pm

I never closed this one off - sorry. It seems the MDT2013 step and the ConfigMgr2012 steps aren't quite the same in what I thought they should do. Using the ConfigMgr step in the TS - rather than the MDT one - resolved this for me. 
February 27th, 2015 3:37pm
