Solved

BitLocker Deployment Failed

Posted on 2013-12-05
7
547 Views
Last Modified: 2013-12-23
I tried to push out BitLocker to a new laptop via Group Policy.  I went into the laptop's BIOS and enabled and activated TPM.  Then I set up the group policy using instructions here: http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx.  I applied the GPO to the OU that I put the laptop in.  I did a gpupdate /force and rebooted.  Nothing seemed to change.  I opened the rsop.msc and saw that the policy's effects are there.  I also ran "manage-bde -status c:" and it shows that the Conversion Status is Fully Decrypted and the Protection Status is Off.

I'm not sure why it's not working.  My System Reserved partition is 350MB, formatted as NTFS.  Microsoft says here (http://technet.microsoft.com/en-us/library/jj592683.aspx) that the minimum size for the system partition should be 350MB and that it should be formatted as NTFS if BIOS or FAT32 if UEFI.  I'm pretty sure I had to use legacy boot to get the motherboard to recognize the 3rd-party SSD.

Can someone help me solve this?  Is there a way to find out WHY it's not working?  Is there some log entry that I should be looking for?
0
Comment
Question by:silver1386
  • 3
  • 2
7 Comments
 
LVL 10

Accepted Solution

by:
JonLambert earned 500 total points
Comment Utility
So the short answer is you cannot enable BitLocker via group policy.  You can configure and control how BitLocker functions with Group Policy, but you cannot enable it.  You can enable BitLocker through such processes as using Manage-BDE, through the Control Panel or tasks in the Microsoft Deployment Toolkit or SCCM task sequences.
0
 

Author Comment

by:silver1386
Comment Utility
Jon,

If that is the case, then let's say I set it up through the GUI in Control Panel.  Part of the process is it giving me a key (recovery password, I think) to write down / keep track of.  If I set the Group Policy to store BitLocker keys in AD would the key that the wizard gives me be irrelevant?  Or would it be the same key that gets stored in AD (and I can therefore not manually document it?  Or is it used for a different purpose (and I therefore still need to document it?  Sorry for the confusion, but this is my first shot at BitLocker.

Mike
0
 
LVL 10

Expert Comment

by:JonLambert
Comment Utility
So the short is that realistically you want to store the key in AD, where it is easily recoverable for any machine.

Good practice is to configure group policy to store in key in AD, and not allow the disk to be encrypted  until the recovery key is successfully  stored in Active Directory.  

You would then not need to record in local key provided to you (from memory, it is different from the one stored by in AD, as it is a different key protector.)
0
 
LVL 10

Expert Comment

by:JonLambert
Comment Utility
So from the logs the client is successfully installed, next logs to look at are CCMEXEC.LOG, CLIENTIDMANAGERSTARTUP.LOG, CLIENTLOCATION.LOG and LOCATIONSERVICES.LOG.  CCMEXEC.LOG will show any major problems with the service starting up etc, and CLIENTIDMANAGERSTARTUP.LOG will tell you whether the client is registering successfully with the management point,  The other two logs will help you work out wether the clients are having trouble locating services.
0
 

Author Comment

by:silver1386
Comment Utility
Jon,

It seems like you may have posted that last comment in the wrong question.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Detailed instructions on how to install an Access add-in in recent versions of Office and Windows (with screen shots)
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now