My Windows 10 task sequence is enabling BitLocker successfully, but saving
the recovery key in the root of the system drive instead of backing it up
to AD as it should.  I vaguely remember running into a similar issue years
ago, and I think I ended up switching to use the SCCM version of the
"Enable BitLocker" step instead of the MDT version, but that option causes
other problems, so I don't want to go that route this time.

I've double-checked that my task sequence variables are set, including
"BDERecoveryKey = AD", which I believe is the relevant variable in this
case.  I've even tried adding a step just before "Enable BitLocker" which
manually sets the registry key to require AD backup of the recovery key,
but that didn't help.

I'll include a copy of a ZTIBde.log file at the end of this message, in
case someone else might see a clue that I've missed.

Is anyone else here successfully enabling BitLocker with recovery key
backup to AD as part of an MDT Integrated OSD task sequence?

Thanks,
Steve


Begin ZtiBde.log
-----------------------------------------------
<![LOG[Property UDI is now = ]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Microsoft Deployment Toolkit version:
6.3.8330.1000]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[The task sequencer log is located at
C:\WINDOWS\CCM\Logs\SMSTSLog\SMSTS.LOG.  For task sequence failures, please
consult this log.]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[System drive is: C:]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[The deployment method is using
ConfigMgr.]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Property BdeInstallSuppress is now =
NO]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[This script is not currently running in Windows
PE]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[We are running a OS that supports
BitLocker]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[OSDBitLockerTargetDrive= , OSDBdeTargetDriveLetter= ,
sOSDBitLockerTargetDrive= C:]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[About to perform variable
rationalization.]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[BitLocker Mode set to: TPMPin]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[BitLocker Startup Key Drive Value set to:
C:]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[BitLocker Create Recovery P@ssword Status:
AD]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[BitLocker Wait For Encryption Status set to:
]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[BitLocker Recovery P@ssword set.]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Variable is not a valid string (not Base64
Format)]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[The current autorun setting is - ]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Disabling Autorun]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Find the boot drive (if any) [False] [0.0.0.0]
[False]]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[New ZTIDisk :
\\ComputerName\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[No boot drives found. None.]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Reverting autorun setting to - 0]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Setting BDE Drive letter to nothing as we are unable to get the boot
drive.]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[Property BdeDriveLetter is now = ]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Running first pass..]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[New ZTIDisk :
\\ComputerName\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[    Partition Count: 3]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[ZTIDiskUtility!GetDiskFreeSpace should be deprecated, does not
handle avaible space for a new partition]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[New ZTIDisk :
\\ComputerName\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[GetPartitions: 3]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[New ZTIDiskPartition :
\\ComputerName\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition
#2"
 
\\ComputerName\root\cimv2:Win32_LogicalDisk.DeviceID="C:"]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[    Free Disk Space: 122]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[ Existing Bitlocker: ]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[The current autorun setting is - 0]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Disabling Autorun]LOG]!><time="16:27:28.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Find the boot drive (if any) [False] [0.0.0.0]
[False]]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[New ZTIDisk :
\\ComputerName\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[No boot drives found. None.]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Reverting autorun setting to - 0]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[ Existing Boot Drive: 1]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[The current autorun setting is - 0]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Disabling Autorun]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Find the boot drive (if any) [False] [0.0.0.0]
[False]]LOG]!><time="16:27:29.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[New ZTIDisk :
\\ComputerName\root\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[No boot drives found. None.]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Reverting autorun setting to - 0]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Windows has a hidden system partition, no disk actions are
necessary]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Configuring protectors.]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success TPM Enabled]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Success TPM Is Activated]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success TPM Is Owned]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success TPM Ownership Allowed]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Check for Ensorsement Key Pair Present =
0]LOG]!><time="16:27:29.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[TpmEnabled: True]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[TpmActivated: True]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[TpmOwned: True]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[TpmOwnershipAllowed: True]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[EndorsementKeyPairPresent: True]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[TPM Validation Complete]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Encryptable Volume Count:1]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to bind to: C:]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success setting oBdeVol ]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[BDE Instance Bind Complete]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Performing ProtectKeyWithTpmAndPin
Installation]LOG]!><time="16:27:29.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[Attempting to enable BitLocker TPM]LOG]!><time="16:27:29.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Recovery P@ssword being saved to
C:\ComputerName-{483C0239-FB76-4DA2-A51E-DD75CC3318AB}.txt]LOG]!><time="16:27:32.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to intiate
ProtectKeyWithNumericalP@ssword]LOG]!><time="16:27:32.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success protecting Key with numerical
p@ssword]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to retrieve numerical p@ssword]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Saving numerical p@ssword to file.]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success P@ssword Key file written]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[ProtectKeyWithNumericalP@ssword
success]LOG]!><time="16:27:34.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[Begining drive encryption]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to start BDE encryption]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success starting encryption]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Enabling protectors.]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Encryptable Volume Count:1]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to bind to: C:]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success setting oBdeVol ]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[BDE Instance Bind Complete]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Attempting to enable BDE Protectors]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success enabling protectors.]LOG]!><time="16:27:35.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[ZTIBde processing completed
successfully.]LOG]!><time="16:27:35.000+000" date="08-11-2016"
component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
---------------------------------------
End ZtiBde.log
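
An added example, not part of the original post: a Python check that parses entries in the log format shown above and flags the combination the post describes, a recovery mode of AD together with a recovery file written to the local disk. The function names are hypothetical, and the sample input is four entries copied from the posted log.

```python
import re

# Constructed sample: four entries copied from the ZTIBde.log in the post,
# keeping the mail client's line wrapping inside each entry.
SAMPLE_LOG = r"""<![LOG[BitLocker Mode set to: TPMPin]LOG]!><time="16:27:28.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[BitLocker Create Recovery P@ssword Status:
AD]LOG]!><time="16:27:28.000+000" date="08-11-2016" component="ZTIBde"
context="" type="1" thread="" file="ZTIBde">
<![LOG[Recovery P@ssword being saved to
C:\ComputerName-{483C0239-FB76-4DA2-A51E-DD75CC3318AB}.txt]LOG]!><time="16:27:32.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
<![LOG[Success P@ssword Key file written]LOG]!><time="16:27:34.000+000"
date="08-11-2016" component="ZTIBde" context="" type="1" thread=""
file="ZTIBde">
"""

# One entry in the posted format: <![LOG[message]LOG]!><name="value" ...>
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
# "P.ssword" accepts both "Password" and the "P@ssword" spelling in the posted log.
SETTING = re.compile(r'Create Recovery P.ssword Status:\s*(\S+)', re.I)
SAVED = re.compile(r'Recovery P.ssword being saved to\s+(.+)', re.I)


def parse_entries(text):
    """Return one dict per log entry, with wrapped message text rejoined."""
    entries = []
    for m in ENTRY.finditer(text):
        entry = dict(ATTR.findall(m.group("attrs")))
        entry["msg"] = " ".join(m.group("msg").split())
        entries.append(entry)
    return entries


def audit_recovery_backup(text):
    """Report the requested recovery mode and any recovery file written to disk."""
    requested, local_files = None, []
    for e in parse_entries(text):
        if m := SETTING.search(e["msg"]):
            requested = m.group(1)
        elif m := SAVED.search(e["msg"]):
            local_files.append({"path": m.group(1), "time": e.get("time")})
    mismatch = (requested or "").upper() == "AD" and bool(local_files)
    return {"requested": requested, "local_files": local_files, "mismatch": mismatch}


if __name__ == "__main__":
    print(audit_recovery_backup(SAMPLE_LOG))
```

Run over logs collected from deployed machines, the `local_files` paths give a list of plaintext recovery files to locate and remove once the key is confirmed to be escrowed elsewhere.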

