Friday, June 13, 2014

BitLocker fails in task sequence because of false condition

Last week I did a deployment on notebooks with BitLocker support. In my earlier posts I explained how to enable and activate the TPM during a task sequence and how to save the recovery key to Active Directory, so there is no need to configure BIOS settings or back up recovery keys by hand. During deployment, however, the task sequence failed on almost the last step, which in my case is "Enable BitLocker". Looking at the settings, the TPM was enabled and activated and pre-provisioning had been done, so everything seemed okay. But no recovery key had been stored in Active Directory on the computer object.
 
The deployment status (Monitoring workspace) reported that the condition on the "Enable BitLocker" step had evaluated to false. The condition on this step (which is there by default when you create a new task sequence from the template, but not when you add this step to an existing task sequence) reads "Task Sequence Variable SMSTSWTG not equals True" (TechNet lists this read-only variable as _SMSTSWTG).
TechNet explains what SMSTSWTG does: "Specifies if the computer is running as a Windows To Go device". Windows To Go is a Windows 8 Enterprise workspace booted from a USB drive, which is why the template skips the TPM-based "Enable BitLocker" step for it. I was deploying to a notebook, which is not a Windows To Go device, so the step should have run.
 
With manage-bde -status in a command prompt you can see that the drive is 100% encrypted but protection is off: that is the state left behind by "Pre-provision BitLocker", which encrypts the drive with a clear key, while "Enable BitLocker" is the step that adds the TPM and recovery password protectors and triggers the backup to Active Directory. Long story short, I removed the condition on the "Enable BitLocker" step, and voilà, BitLocker was running fine again and the recovery key was stored in Active Directory as well. Next time I will remove it immediately after creating the task sequence, I guess. It is still odd that the condition is not set when adding this step to an existing task sequence, but the condition belongs to the task sequence template, not to the step type, so a step added by hand starts without it.
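The following PowerShell script is an added diagnostic, not part of the original post, that checks for the symptom described above: it reports the value of the task sequence variable the "Enable BitLocker" condition evaluates (only when run from a "Run PowerShell Script" step), shows the pre-provisioned-but-unprotected state that manage-bde -status reveals, and then verifies that the recovery password has actually been escrowed to Active Directory, backing it up if it has not. It assumes Windows 8 / Server 2012 or later (the BitLocker PowerShell module; on Windows 7 use manage-bde instead), a domain-joined machine, the AD schema and delegation from the earlier posts, and an account permitted to read msFVE-RecoveryInformation objects (by default only Domain Admins can, so a count of 0 may also mean "no permission"). The function names are my own.

```powershell
# Added example (not from the original post). Diagnoses a task sequence where
# "Pre-provision BitLocker" ran but "Enable BitLocker" was skipped.
# Assumes: Windows 8+/Server 2012+ (BitLocker module), domain joined, and an
# account that may read msFVE-RecoveryInformation objects under the computer.

function Get-TsVariableValue {
    # Reads a task sequence variable via the ConfigMgr TS COM object.
    # Outside a running task sequence the COM object is not registered.
    param([string]$Name)
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $value = $tsenv.Value($Name)
        if ([string]::IsNullOrEmpty($value)) { return '<not set>' }
        return $value
    } catch {
        return '<not running inside a task sequence>'
    }
}

function Get-OsDriveBitLockerState {
    # Same information manage-bde -status shows for the OS drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus          # FullyEncrypted after pre-provisioning
        EncryptionPercentage = $vol.EncryptionPercentage  # 100 after pre-provisioning
        ProtectionStatus     = $vol.ProtectionStatus      # Off until Enable BitLocker adds protectors
        ProtectorTypes       = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        RecoveryProtectorIds = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })
    }
}

function Get-AdRecoveryObjectCount {
    # Recovery passwords are stored as msFVE-RecoveryInformation child objects
    # of the computer account, so count the children of this machine's object.
    $computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    $dn = $computer.Properties['distinguishedname'][0]
    $searcher = [adsisearcher]'(objectClass=msFVE-RecoveryInformation)'
    $searcher.SearchRoot  = [adsi]"LDAP://$dn"
    $searcher.SearchScope = 'OneLevel'
    return @($searcher.FindAll()).Count
}

# 1. The variable behind the default condition "_SMSTSWTG not equals True".
$wtg = Get-TsVariableValue -Name '_SMSTSWTG'
Write-Output "_SMSTSWTG = $wtg"

# 2. Drive state: encrypted with a clear key but no real protectors is the
#    symptom of the skipped Enable BitLocker step.
$state = Get-OsDriveBitLockerState
$state | Format-List

if ($state.ProtectionStatus -eq 'Off' -or $state.RecoveryProtectorIds.Count -eq 0) {
    Write-Warning 'Drive is pre-provisioned but not protected: the Enable BitLocker step did not run.'
    # Manual equivalent of the Enable BitLocker step, if you choose to finish by hand:
    #   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmProtector
    #   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    return
}

# 3. Confirm the recovery password really reached Active Directory; escrow it if not.
$inAd = Get-AdRecoveryObjectCount
Write-Output "Recovery information objects under the computer account: $inAd"

if ($inAd -lt $state.RecoveryProtectorIds.Count) {
    foreach ($id in $state.RecoveryProtectorIds) {
        # Same effect as: manage-bde -protectors -adbackup C: -id <protector GUID>
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $id
        Write-Output "Backed up recovery password protector $id to Active Directory"
    }
}
```

Run it as a "Run PowerShell Script" step placed just before "Enable BitLocker" to see what _SMSTSWTG contains on the hardware you deploy to, and again after deployment (as an account delegated to read recovery information) to confirm the escrow. Finding "Protection Off" with 100% encrypted and no RecoveryPassword protector is exactly the state the failed step leaves behind.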

Other posts on BitLocker:
How to Enable BitLocker, Automatically save Keys to Active Directory
Enable TPM for BitLocker usage during OS deployment on endpoints

Hope it helps!
