I'll check that out, but I had another GPO with a startup script (.cmd) that was capturing already-configured bitlocker installations and sending the key to AD.
Perhaps an OU got missed, or something.

Thanks,
Kurt

On Fri, Dec 8, 2017 at 11:39 AM, Damien Solodow <damien.solo...@harrison.edu> wrote:
> Take a look here: https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx
>
> Your GPO looks right (comparing to mine), but you do have to make some
> security changes in AD so that the computer has the necessary permissions
> to save the Bitlocker key in AD.
>
> DAMIEN SOLODOW
> IT Engineering Lead
> 317.447.6033 (office)
> HARRISON COLLEGE
>
> *From:* listsad...@lists.myitforum.com *On Behalf Of* Kurt Buff
> *Sent:* Friday, December 8, 2017 2:29 PM
> *To:* ntsysadm <NTSysADM@lists.myitforum.com>
> *Subject:* [NTSysADM] Still stumped by bitlocker
>
> If anyone cares to comment on this, I'd appreciate it.
>
> I'm working on an older laptop with a TPM 1.2 chip (Dell Latitude E6530).
> I've tried with PPI provision and PPI deprovision both selected and
> deselected, with no difference in my results.
>
> I've reset the chip multiple times, with the following results:
>
> After resetting the chip, if the computer is in an OU with no GPOs, and I
> reboot a couple of times so that there are no applied GPOs, I can use the
> following command, and it starts encrypting just fine:
>
> "enable-bitlocker C: -SkipHardwareCheck -TpmProtector"
>
> If I clear the TPM chip (either in BIOS or through tpm.msc) and put the
> computer in my test OU with the GPO, it does three things:
>
> - A first reboot, nothing happens. No errors, and bitlocker doesn't start
>
> - At second reboot, if PPI Provision/Deprovision are deselected, it gets
> an error with the run of the startup script:
> [image: Inline image 2]
>
> - At second reboot, if PPI Provision/Deprovision override are selected, I
> do not see the popup error above, but bitlocker still doesn't start.
>
> In all cases after reboot while the GPO is applied, if I run the
> enable-bitlocker command above, I get the following:
>
> [image: Inline image 1]
>
> After resetting the TPM chip, I do see a lot of TPM and TPM-WMI event log
> entries, one of which indicates that the system is taking ownership of the
> chip (eventID 1027 TPM-WMI).
>
> This is the relevant portion of the output from "gpresult /h" - I've had
> the "Allow data recovery agent" in both states, enabled and disabled, with
> no difference in the results:
>
> [image: Inline image 3]
>
> Kurt
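An added example, not from this thread or from either poster, of what a startup script like the .cmd Kurt mentions would do in PowerShell: confirm the TPM is usable, make sure the OS volume has a recovery password protector, and escrow it to the computer object in AD. It assumes the BitLocker and TrustedPlatformModule cmdlets (Windows 8/Server 2012 or later), that the script runs as SYSTEM at startup, and that the AD permission changes from Damien's TechNet link are already in place.

```powershell
# Added example: escrow the BitLocker recovery password of C: to AD at startup.
# Assumes: BitLocker/TrustedPlatformModule cmdlets, running as SYSTEM,
# and the computer object already allowed to write msFVE-RecoveryInformation.

$MountPoint = 'C:'

# A TPM that is present but not ready (cleared, not owned) explains a
# TPM-protector enable that silently does nothing; report it rather than fail.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); nothing to do."
    exit 0
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted' -and $vol.KeyProtector.Count -eq 0) {
    Write-Output "$MountPoint is not BitLocker-protected; skipping."
    exit 0
}

# AD backup only stores RecoveryPassword protectors; add one if the volume
# was enabled with just a TPM protector.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password protector to the computer object in AD.
foreach ($p in $rp) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Backed up protector $($p.KeyProtectorId) for $MountPoint to AD."
    } catch {
        # Typical cause: the computer object lacks write access to
        # msFVE-RecoveryInformation, i.e. the AD security change Damien describes.
        Write-Output "AD backup failed for $($p.KeyProtectorId): $($_.Exception.Message)"
        exit 1
    }
}
```

Run it as a computer startup script and check the computer object's msFVE-RecoveryInformation child in AD Users and Computers (BitLocker Recovery tab) to confirm the escrow landed.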