Deploying BitLocker to Fixed Drives during OSD

Hi All,

I have successfully deployed BitLocker via SCCM 2012 OSD task sequence via the following process.

 - Copy registry settings from the HKLM\Software\Policies\Microsoft\FVE registry hive in to the target computer

 - Activate C:\ via the built-in SCCM task 'Enable BitLocker' with settings to use TPM and save to AD

 - Activate D:\ via a batch script that runs the following commands

        REM Turn BitLocker on for D: and add a recovery password protector
        manage-bde -on D: -RecoveryPassword

        REM Then store an external key on the (protected) OS volume so D: unlocks automatically at boot
        manage-bde -autounlock -enable D:

My question is - should I be able to use the Enable BitLocker SCCM task to enable a specific drive, and select the D:\ - my task sequence fails when I do this.

Is this how other people enable BitLocker on Fixed Drives?

Also, if I use the MDT 'cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI' it doesn't seem to start BitLocker even if I manually set the OSDBitLockerMode task sequence variable to 'TPM' - which in my mind would be the alternative way to do things. The UDI has the BitLocker pane removed so I assume I must set the variable manually.

It is actually working so I am happy in that regard, but I would like to know other people's experience in setting Fixed Drives with BitLocker.

Kind regards,

Michael

August 28th, 2015 11:19am

There is an Enable BitLocker step in the SCCM task sequence, why don't you use that?
August 29th, 2015 3:25pm


That's my question Sandy, it doesn't work, it works for the C:\, but not the D:\.

I get an error in the smsts.log

Command line: "OSDBitLocker.exe" /enable /drive:D: /wait:False /pwd:AD
Initialized COM
Command line for extension .exe is "%1" %
Set command line: "OSDBitLocker.exe" /enable /drive:D: /wait:False /pwd:AD
Target volume is a data volume
Succeeded loading resource DLL 'C:\WINDOWS\CCM\1033\TSRES.DLL'
Protection is OFF
Volume is fully decrypted
Creating recovery password and escrowing to Active Directory
Set FVE group policy registry keys to escrow recovery password
Set FVE group policy registry key in Windows 7
Set FVE FDV group policy registery key to escrow recovery password
Using random recovery password
Protection mode is not TPM, StartupKey, TPM+StartupKey or TPM+PIN. Use default group policy settings
Protecting key with external key
Enabling auto unlock for data volume
uProtectionStatus == TS::BitLocker::EncryptableVolume::Protection_Status_On, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1252
Cannot enable auto unlock because OS volume is not protected
CreateKeyProtectors( keyMode, pszStartupKeyVolume ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1293file="bitlocker.cpp:1293">
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1489
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382
Process completed with exit code 2147500037

My question is *should it work*, it doesn't look like it will as there is no option in the 'Enable BitLocker' task for me to protect the volume before 'Enabling BitLocker'. Is the 'Enable BitLocker' command only ever used for enabling one drive, and then subsequently other drives? Or should I be entering a command line to enable protection before I BitLocker the D: drive?

Regards,

Michael
September 2nd, 2015 4:53am
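The smsts.log excerpt above fails at "Cannot enable auto unlock because OS volume is not protected". The script below is an added example, not code from this thread or from the SCCM 'Enable BitLocker' step: it checks that precondition on the OS volume first, then enables BitLocker on the data volume with a recovery password, escrows that password to AD, and only then turns on auto-unlock. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and the placeholder drive letters $OsDrive and $DataDrive.

```powershell
param(
    [string]$OsDrive   = 'C:',   # placeholder: OS volume encrypted by the task sequence
    [string]$DataDrive = 'D:'    # placeholder: fixed data volume to protect
)

Import-Module BitLocker -ErrorAction Stop

function Test-OsVolumeProtected {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # ProtectionStatus is 'On' only when key protectors are active on the volume.
    # A volume can report 'Off' even though encryption has been started (for
    # example while the initial conversion is still running), and auto-unlock
    # for the data drive cannot be enabled in that state.
    return ($vol.ProtectionStatus -eq 'On')
}

if (-not (Test-OsVolumeProtected -MountPoint $OsDrive)) {
    Write-Error "OS volume $OsDrive is not protected; not enabling auto-unlock on $DataDrive."
    exit 1
}

# 1. Turn BitLocker on for the data volume with a recovery password protector
#    (equivalent of: manage-bde -on D: -RecoveryPassword).
Enable-BitLocker -MountPoint $DataDrive -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

# 2. Escrow the recovery password to Active Directory, matching the
#    "save to AD" choice used for the OS drive in the task sequence.
$rp = (Get-BitLockerVolume -MountPoint $DataDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
      Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $DataDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 3. Only now enable auto-unlock; this stores an external key for the data
#    volume on the protected OS volume (equivalent of: manage-bde -autounlock -enable D:).
Enable-BitLockerAutoUnlock -MountPoint $DataDrive -ErrorAction Stop | Out-Null

Write-Output "BitLocker enabled on $DataDrive, recovery password escrowed to AD, auto-unlock on."
```

Run it as a 'Run PowerShell Script' step after the OS drive step; a non-zero exit code makes the task sequence stop at this point instead of reporting the HRESULT 80004005 seen in the log.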
