• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 565
  • Last Modified:

BitLocker Deployment Failed

I tried to push out BitLocker to a new laptop via Group Policy.  I went into the laptop's BIOS and enabled and activated TPM.  Then I set up the group policy using instructions here: http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx.  I applied the GPO to the OU that I put the laptop in.  I did a gpupdate /force and rebooted.  Nothing seemed to change.  I opened the rsop.msc and saw that the policy's effects are there.  I also ran "manage-bde -status c:" and it shows that the Conversion Status is Fully Decrypted and the Protection Status is Off.

I'm not sure why it's not working.  My System Reserved partition is 350MB, formatted as NTFS.  Microsoft says here (http://technet.microsoft.com/en-us/library/jj592683.aspx) that the minimum size for the system partition should be 350MB and that it should be formatted as NTFS if BIOS or FAT32 if UEFI.  I'm pretty sure I had to use legacy boot to get the motherboard to recognize the 3rd-party SSD.

Can someone help me solve this?  Is there a way to find out WHY it's not working?  Is there some log entry that I should be looking for?
0
silver1386
Asked:
silver1386
  • 3
  • 2
1 Solution
 
JonLambertCommented:
So the short answer is you cannot enable BitLocker via group policy.  You can configure and control how BitLocker functions with Group Policy, but you cannot enable it.  You can enable BitLocker through such processes as using Manage-BDE, through the Control Panel or tasks in the Microsoft Deployment Toolkit or SCCM task sequences.
0
 
silver1386Author Commented:
Jon,

If that is the case, then let's say I set it up through the GUI in Control Panel.  Part of the process is it giving me a key (recovery password, I think) to write down / keep track of.  If I set the Group Policy to store BitLocker keys in AD would the key that the wizard gives me be irrelevant?  Or would it be the same key that gets stored in AD (and I can therefore not manually document it?  Or is it used for a different purpose (and I therefore still need to document it?  Sorry for the confusion, but this is my first shot at BitLocker.

Mike
0
 
JonLambertCommented:
So the short is that realistically you want to store the key in AD, where it is easily recoverable for any machine.

Good practice is to configure group policy to store in key in AD, and not allow the disk to be encrypted  until the recovery key is successfully  stored in Active Directory.  

You would then not need to record in local key provided to you (from memory, it is different from the one stored by in AD, as it is a different key protector.)
0
 
JonLambertCommented:
So from the logs the client is successfully installed, next logs to look at are CCMEXEC.LOG, CLIENTIDMANAGERSTARTUP.LOG, CLIENTLOCATION.LOG and LOCATIONSERVICES.LOG.  CCMEXEC.LOG will show any major problems with the service starting up etc, and CLIENTIDMANAGERSTARTUP.LOG will tell you whether the client is registering successfully with the management point,  The other two logs will help you work out wether the clients are having trouble locating services.
0
 
silver1386Author Commented:
Jon,

It seems like you may have posted that last comment in the wrong question.
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now