MDT 2013 Update 1 changed the behavior.  Before, there was a hard-coded TPM 
owner password, but that was considered a security risk:

    iRetVal = SetTpmOwner("M0nksH00d!4T3al")

So now the logic generates an error to tell you what you need to set:

                                                                
    oLogging.CreateEntry "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword", LogTypeInfo

So if you want the exact same TPM owner password as before, you can specify 
this in CustomSettings.ini:

TpmOwnerPassword=M0nksH00d!4T3al

You could also set the AdminPassword variable too; that will be used if 
specified.  Most people set this (either via the wizard or CustomSettings), 
which is why you don't see more people running into this change.

Thanks,
-Michael

From: [email protected] [mailto:[email protected]] On 
Behalf Of Patrick Jamieson
Sent: Tuesday, October 20, 2015 10:20 AM
To: [email protected]
Subject: [MDT-OSD] Bitlocker Encryption not working

Hi all,

Recently our machines have been unable to encrypt their drives during the build 
process.  BDE fails, and the build completes but with an unencrypted drive.  
However, this only happens on machines right out of the box.  If I rebuild the 
same machine, or manually encrypt the drive, it works fine.  I can also 
reproduce this if I manually clear the TPM information before rebuilding.

The last few lines of ZTIBDE.log on a failed machine are:

[inline image of the ZTIBDE.log lines not preserved]

It's pretty obvious that the TPM Password is not set on our new machines.  What 
I'm confused about is what changed in the past few months that caused this.  
Drives encrypted fine for years before this.

The timing seems to be roughly correlated with updating our MDT environment 
from 2013 to 2013 Update 1, though I can't be 100% sure because it took a few 
weeks for our techs to notify me BitLocker was having issues.  However, I can't 
find anything about BitLocker issues in the known issues list.

Has anyone else seen this?

Thanks for your help,
Patrick
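
A pre-deployment check for the behavior change described in Michael's reply, added here as an example (it is not part of the original messages or of MDT): it reports when a CustomSettings.ini sets neither TpmOwnerPassword nor AdminPassword, and when TpmOwnerPassword is still the formerly hard-coded value. The function name and the sample file contents are assumptions made for the illustration.

```python
import configparser

# Owner password hard-coded before MDT 2013 Update 1, as quoted in the thread.
LEGACY_TPM_OWNER_PASSWORD = "M0nksH00d!4T3al"

# Constructed sample files (placeholder values, not from any real deployment).
SAMPLE_MISSING = "[Settings]\nPriority=Default\n\n[Default]\nOSInstall=Y\n"
SAMPLE_LEGACY = SAMPLE_MISSING + "TpmOwnerPassword=M0nksH00d!4T3al\n"
SAMPLE_OK = SAMPLE_MISSING + "AdminPassword=EXAMPLE-placeholder-value\n"


def check_tpm_password_settings(ini_text):
    """Return findings about the TPM owner password in CustomSettings.ini text."""
    parser = configparser.ConfigParser(
        interpolation=None,                 # values may contain literal % characters
        strict=False,                       # tolerate repeated keys or sections
        allow_no_value=True,                # tolerate bare keys without "="
        default_section="__no_defaults__",  # keep [Default]/[DEFAULT] as ordinary sections
    )
    parser.read_string(ini_text)

    findings = []
    supplied = False
    for section in parser.sections():
        if section.lower() == "settings":
            continue  # [Settings] carries Priority/Properties, not values
        for key in ("tpmownerpassword", "adminpassword"):  # configparser lowercases keys
            value = (parser.get(section, key, fallback=None) or "").strip()
            if not value:
                continue
            supplied = True
            if key == "tpmownerpassword" and value == LEGACY_TPM_OWNER_PASSWORD:
                findings.append(
                    f"[{section}] TpmOwnerPassword is the old hard-coded value"
                )
    if not supplied:
        findings.append("neither TpmOwnerPassword nor AdminPassword is set")
    return findings


if __name__ == "__main__":
    for name, text in [("missing", SAMPLE_MISSING), ("legacy", SAMPLE_LEGACY),
                       ("ok", SAMPLE_OK)]:
        print(name, check_tpm_password_settings(text) or "no findings")
```

The check only sees CustomSettings.ini; an AdminPassword entered through the wizard is not visible to it.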
