BitLocker Deployment Failed

Posted on 2013-12-05
Last Modified: 2013-12-23
I tried to push out BitLocker to a new laptop via Group Policy.  I went into the laptop's BIOS and enabled and activated TPM.  Then I set up the group policy using instructions here:  I applied the GPO to the OU that I put the laptop in.  I did a gpupdate /force and rebooted.  Nothing seemed to change.  I opened the rsop.msc and saw that the policy's effects are there.  I also ran "manage-bde -status c:" and it shows that the Conversion Status is Fully Decrypted and the Protection Status is Off.

I'm not sure why it's not working.  My System Reserved partition is 350MB, formatted as NTFS.  Microsoft says here ( that the minimum size for the system partition should be 350MB and that it should be formatted as NTFS if BIOS or FAT32 if UEFI.  I'm pretty sure I had to use legacy boot to get the motherboard to recognize the 3rd-party SSD.

Can someone help me solve this?  Is there a way to find out WHY it's not working?  Is there some log entry that I should be looking for?
Question by:silver1386
LVL 10

Accepted Solution

JonLambert earned 500 total points
ID: 39716427
So the short answer is you cannot enable BitLocker via group policy.  You can configure and control how BitLocker functions with Group Policy, but you cannot enable it.  You can enable BitLocker through such processes as using Manage-BDE, through the Control Panel or tasks in the Microsoft Deployment Toolkit or SCCM task sequences.

Author Comment

ID: 39722290

If that is the case, then let's say I set it up through the GUI in Control Panel.  Part of the process is it giving me a key (recovery password, I think) to write down / keep track of.  If I set the Group Policy to store BitLocker keys in AD, would the key that the wizard gives me be irrelevant?  Or would it be the same key that gets stored in AD (and I can therefore not manually document it)?  Or is it used for a different purpose (and I therefore still need to document it)?  Sorry for the confusion, but this is my first shot at BitLocker.

LVL 10

Expert Comment

ID: 39732981
So the short is that realistically you want to store the key in AD, where it is easily recoverable for any machine.

Good practice is to configure group policy to store the key in AD, and not allow the disk to be encrypted until the recovery key is successfully stored in Active Directory.

You would then not need to record the local key provided to you (from memory, it is different from the one stored in AD, as it is a different key protector.)
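One way to script the steps described in these two answers (enable BitLocker outside Group Policy, add a separate recovery-password protector, and escrow it to AD DS before encryption starts), as an added example that is not from this thread, from Microsoft or from Experts Exchange. It assumes Windows 8 / Server 2012 or later (the BitLocker and TrustedPlatformModule PowerShell modules), an elevated session on a domain-joined machine, and a GPO that permits AD DS backup of recovery information; the `$MountPoint` parameter is the example's own.

```powershell
# Added example (not from the thread): enable BitLocker on the OS drive with a TPM
# protector, add a separate recovery-password protector, and escrow that recovery
# password to AD DS before encryption proceeds. Assumes Windows 8 / Server 2012 or
# later (BitLocker PowerShell module), an elevated session, and a domain-joined
# machine whose GPO allows AD DS backup of recovery information.
#Requires -RunAsAdministrator
param([string]$MountPoint = 'C:')

Import-Module BitLocker

# 1. Sanity check: the TPM must be present, enabled and activated (the BIOS step).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; a TPM-protected BitLocker volume cannot be enabled."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 2. Add the recovery-password protector first. This is the 48-digit key the Control
#    Panel wizard shows; it is a different key protector from the TPM protector.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# 3. Escrow the recovery password to AD DS *before* turning encryption on, so the
#    key is recoverable centrally and the local copy never has to be written down.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 4. Enable BitLocker with a TPM protector (the step Group Policy alone never performs).
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# 5. Report the same fields "manage-bde -status" shows, plus the protector list.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
                  @{n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' }}
```

After a reboot the Protectors column should list both Tpm and RecoveryPassword, and "manage-bde -status c:" should report Protection Status: On once encryption completes.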
LVL 10

Expert Comment

ID: 39732989
So from the logs the client is successfully installed, next logs to look at are CCMEXEC.LOG, CLIENTIDMANAGERSTARTUP.LOG, CLIENTLOCATION.LOG and LOCATIONSERVICES.LOG.  CCMEXEC.LOG will show any major problems with the service starting up etc, and CLIENTIDMANAGERSTARTUP.LOG will tell you whether the client is registering successfully with the management point.  The other two logs will help you work out whether the clients are having trouble locating services.

Author Comment

ID: 39736149

It seems like you may have posted that last comment in the wrong question.

Question has a verified solution.