

BitLocker Deployment Failed

Posted on 2013-12-05
Medium Priority
Last Modified: 2013-12-23
I tried to push out BitLocker to a new laptop via Group Policy. I went into the laptop's BIOS and enabled and activated TPM. Then I set up the group policy using instructions here: I applied the GPO to the OU that I put the laptop in. I did a gpupdate /force and rebooted. Nothing seemed to change. I opened rsop.msc and saw that the policy's effects are there. I also ran "manage-bde -status c:" and it shows that the Conversion Status is Fully Decrypted and the Protection Status is Off.

I'm not sure why it's not working. My System Reserved partition is 350MB, formatted as NTFS. Microsoft says here that the minimum size for the system partition should be 350MB and that it should be formatted as NTFS if BIOS or FAT32 if UEFI. I'm pretty sure I had to use legacy boot to get the motherboard to recognize the 3rd-party SSD.

Can someone help me solve this? Is there a way to find out WHY it's not working? Is there some log entry that I should be looking for?
Question by: silver1386

Accepted Solution

JonLambert earned 2000 total points
ID: 39716427
So the short answer is you cannot enable BitLocker via Group Policy. You can configure and control how BitLocker functions with Group Policy, but you cannot enable it. You can enable BitLocker through such processes as using manage-bde, through the Control Panel, or with tasks in the Microsoft Deployment Toolkit or SCCM task sequences.

Author Comment

ID: 39722290

If that is the case, then let's say I set it up through the GUI in Control Panel. Part of the process is it giving me a key (recovery password, I think) to write down / keep track of. If I set the Group Policy to store BitLocker keys in AD, would the key that the wizard gives me be irrelevant? Or would it be the same key that gets stored in AD (and I can therefore not manually document it)? Or is it used for a different purpose (and I therefore still need to document it)? Sorry for the confusion, but this is my first shot at BitLocker.


Expert Comment

ID: 39732981
So the short answer is that realistically you want to store the key in AD, where it is easily recoverable for any machine.

Good practice is to configure Group Policy to store the key in AD, and not allow the disk to be encrypted until the recovery key is successfully stored in Active Directory.

You would then not need to record the local key provided to you (from memory, it is different from the one stored in AD, as it is a different key protector).
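The two points above (Group Policy configures BitLocker but never turns it on, and the recovery password should be escrowed to AD DS before the volume is allowed to encrypt) as an added worked example. This is not code from the thread or from Microsoft; it is one way an administrator would do the enabling step by hand from an elevated PowerShell prompt on the domain-joined laptop. It assumes the GPO "Choose how BitLocker-protected operating system drives can be recovered" is already applied with "Do not enable BitLocker until recovery information is stored to AD DS" ticked, that manage-bde.exe is present (it is on every BitLocker-capable Windows), and that the TPM has been enabled and activated in firmware as the question describes. The drive letter is the only parameter; the registry value names, the manage-bde output strings the regexes look for, and the event log name are as they appear on Windows 7/8 era clients.

```powershell
# Added example, not code from the thread. Turns BitLocker on for the OS drive with the
# TPM as the boot-time protector, adds a numerical recovery password, escrows that
# password to AD DS, and shows where BitLocker logs the outcome. Assumes an elevated
# session on a domain-joined client with a TPM enabled and activated in firmware and the
# recovery GPO already applied (the GPO itself is configured in GPMC, not here).
$Drive = 'C:'

# 1. A TPM protector needs a TPM that Windows can see, and that is enabled and activated.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM visible to Windows; check the firmware setting and the TPM driver.' }
if (-not ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)) {
    throw 'TPM is present but not enabled and activated.'
}

# 2. Confirm the recommended policy actually reached this client. When the GPO applies,
#    these DWORDs appear under the FVE policy key; 1 means the setting is on.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
'Back up OS-drive recovery info to AD DS  : {0}' -f $fve.OSActiveDirectoryBackup
'Refuse to encrypt until AD backup succeeds: {0}' -f $fve.OSRequireActiveDirectoryBackup

# 3. Policy only governs BitLocker; it never starts encryption. Add the protectors that are
#    missing and turn encryption on explicitly.
$status     = (manage-bde -status $Drive) -join "`n"
$protectors = (manage-bde -protectors -get $Drive 2>&1) -join "`n"
if ($status -match 'Protection Status:\s+Protection On') {
    "BitLocker is already on for $Drive; leaving protectors as they are."
} else {
    if ($protectors -notmatch 'TPM:') {
        manage-bde -protectors -add $Drive -tpm                # unlock at boot via TPM, no user prompt
    }
    if ($protectors -notmatch 'Numerical Password:') {
        manage-bde -protectors -add $Drive -RecoveryPassword   # 48-digit recovery password
    }
    # -SkipHardwareTest skips the reboot that proves the TPM can unseal the key before
    # encrypting; leave it out on hardware you have not validated before.
    manage-bde -on $Drive -SkipHardwareTest
    $protectors = (manage-bde -protectors -get $Drive) -join "`n"
}

# 4. Escrow the recovery password to the computer object (msFVE-RecoveryInformation).
#    With the GPO from step 2 in force this already happened during -on; repeating it is
#    harmless and is how you catch up machines encrypted before the policy was applied.
#    The protector backed up is the numerical password, i.e. the same 48-digit value the
#    Control Panel wizard displays, so its ID is printed for comparison.
if ($protectors -match 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})') {
    $rpId = $Matches[1]
    "Escrowing recovery password protector $rpId to AD DS"
    manage-bde -protectors -adbackup $Drive -id $rpId
} else {
    throw "No numerical password protector on $Drive; nothing to back up to AD."
}

# 5. The 'is there a log' question: AD backup success and failure, and most other BitLocker
#    management events, land in this operational log rather than in the System log.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

After a run, `manage-bde -status C:` should move from "Fully Decrypted / Protection Off" to "Encryption in Progress" and then "Protection On", and the computer object in AD should gain an msFVE-RecoveryInformation child whose name ends in the same protector GUID the script printed. If step 4 fails, the event log in step 5 is the first place to look; a failure there with the "do not enable until stored in AD DS" setting on is also the reason an otherwise correct manual enable can refuse to start encrypting.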

Expert Comment

ID: 39732989
So from the logs the client is successfully installed; the next logs to look at are CCMEXEC.LOG, CLIENTIDMANAGERSTARTUP.LOG, CLIENTLOCATION.LOG and LOCATIONSERVICES.LOG. CCMEXEC.LOG will show any major problems with the service starting up etc., and CLIENTIDMANAGERSTARTUP.LOG will tell you whether the client is registering successfully with the management point. The other two logs will help you work out whether the clients are having trouble locating services.

Author Comment

ID: 39736149

It seems like you may have posted that last comment in the wrong question.
