BitLocker Deployment Failed

Posted on 2013-12-05
Last Modified: 2013-12-23
I tried to push out BitLocker to a new laptop via Group Policy.  I went into the laptop's BIOS and enabled and activated TPM.  Then I set up the group policy using instructions here:  I applied the GPO to the OU that I put the laptop in.  I did a gpupdate /force and rebooted.  Nothing seemed to change.  I opened the rsop.msc and saw that the policy's effects are there.  I also ran "manage-bde -status c:" and it shows that the Conversion Status is Fully Decrypted and the Protection Status is Off.

I'm not sure why it's not working.  My System Reserved partition is 350MB, formatted as NTFS.  Microsoft says here that the minimum size for the system partition should be 350MB and that it should be formatted as NTFS if BIOS or FAT32 if UEFI.  I'm pretty sure I had to use legacy boot to get the motherboard to recognize the 3rd-party SSD.

Can someone help me solve this?  Is there a way to find out WHY it's not working?  Is there some log entry that I should be looking for?
Question by:silver1386

Accepted Solution

JonLambert earned 500 total points
ID: 39716427
So the short answer is you cannot enable BitLocker via group policy.  You can configure and control how BitLocker functions with Group Policy, but you cannot enable it.  You can enable BitLocker through such processes as using Manage-BDE, through the Control Panel or tasks in the Microsoft Deployment Toolkit or SCCM task sequences.

Author Comment

ID: 39722290

If that is the case, then let's say I set it up through the GUI in Control Panel.  Part of the process is it giving me a key (recovery password, I think) to write down / keep track of.  If I set the Group Policy to store BitLocker keys in AD would the key that the wizard gives me be irrelevant?  Or would it be the same key that gets stored in AD (and I can therefore not manually document it?  Or is it used for a different purpose (and I therefore still need to document it?  Sorry for the confusion, but this is my first shot at BitLocker.

Expert Comment

ID: 39732981
So the short answer is that realistically you want to store the key in AD, where it is easily recoverable for any machine.

Good practice is to configure group policy to store the key in AD, and not allow the disk to be encrypted until the recovery key is successfully stored in Active Directory.

You would then not need to record the local key provided to you (from memory, it is different from the one stored in AD, as it is a different key protector.)
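As an added example (not posted by either participant), this is the sequence JonLambert describes, done from PowerShell instead of the Control Panel wizard: check the TPM and the policy, escrow a recovery password in AD first, and only then turn encryption on with the TPM as the unlock protector. It assumes Windows 8 / Server 2012 or later for the BitLocker and TPM cmdlets, an elevated session on a domain-joined machine, and that the registry value names under the FVE policy key are what the "store recovery information in AD DS" GPO writes (verify with rsop.msc).

```powershell
# Added example: escrow the recovery key in AD before enabling BitLocker on C:.
# Assumes Windows 8+/Server 2012+ (BitLocker module), elevated, domain-joined.
#Requires -RunAsAdministrator
$Volume = 'C:'

# 1. Preflight: the TPM enabled in the BIOS must also be reported ready by Windows.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
}

# 2. Confirm the GPO reached this machine. Value names are an assumption about what the
#    AD-backup policy writes under the FVE key; cross-check against rsop.msc.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'Policy does not require AD backup before encryption; a volume could be encrypted with no escrowed key.'
}

# 3. Current state, the same information "manage-bde -status C:" prints (Fully Decrypted / Off).
$bl = Get-BitLockerVolume -MountPoint $Volume
"Before: $($bl.VolumeStatus), protection $($bl.ProtectionStatus)"

# 4. Add a recovery-password protector (if none exists) and back it up to AD *first*.
#    Backup-BitLockerKeyProtector throws if the AD write fails, so encryption never starts
#    without an escrowed key.
if (-not ($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId

# 5. Now enable encryption with the TPM as the unlock protector. The recovery password
#    itself is not echoed; the ID is enough to find the escrowed copy in AD later.
Enable-BitLocker -MountPoint $Volume -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 6. Verify, and show where to look when something fails: the BitLocker management
#    event channel answers the "is there some log entry" question from the post.
$bl = Get-BitLockerVolume -MountPoint $Volume
"After: $($bl.VolumeStatus), protection $($bl.ProtectionStatus); recovery ID $($rp.KeyProtectorId)"
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

Once the script has run, the recovery password can be read from the computer object in AD (msFVE-RecoveryInformation) by the key protector ID printed at the end, so nothing needs to be written down locally.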
Expert Comment

ID: 39732989
So from the logs the client is successfully installed, next logs to look at are CCMEXEC.LOG, CLIENTIDMANAGERSTARTUP.LOG, CLIENTLOCATION.LOG and LOCATIONSERVICES.LOG.  CCMEXEC.LOG will show any major problems with the service starting up etc, and CLIENTIDMANAGERSTARTUP.LOG will tell you whether the client is registering successfully with the management point.  The other two logs will help you work out whether the clients are having trouble locating services.

Author Comment

ID: 39736149

It seems like you may have posted that last comment in the wrong question.
