RhoSysAdmin
manage-bde cannot set volume identifier during win 10 OS deploy

We're using SCCM 1710 to deploy 64-bit Windows 10 2016 LTSB (version 1607).

At the very end, we enable BitLocker (successfully). We've found that the DRA protector is not enabled b/c the volume identifier is still unknown. We define the identifier via GPO. This GPO is applied to the OU where this newly imaged computer is dropped during the deploy process.

We discovered that if we run "manage-bde.exe -si c:", the identifier is assigned, and the DRA protector is then listed when you run a "manage-bde -status".

So we're trying to add a "Run command line" task to do the "manage-bde.exe -si c:" after the enable BitLocker task.

No matter what syntax we try (based on various suggestions we've found here and there), the task always fails with an "Element not found" error. The error code is 0x80070490.

We've added a pause to our task sequence after the "Enable BitLocker" task so we can test different ideas. So far we're finding lots of ways to not create a light bulb.

We're also finding that at this stage of the deploy, "gpresult /r" does not work in the command prompt. We're thinking this could mean that BitLocker is not aware of the identifier GPO settings at this stage.

Is there a way to set the volume identifier during the OS deploy so the DRA protector is added to the disk?

Is there another way to add the DRA protector?

Any help is greatly appreciated!!
McKnife

You can add the identifier after joining AD.
Use a scheduled Task or Startup script to do that.
RhoSysAdmin, ASKER

I add the computer to the domain very early in the deployment process. It just doesn't seem to take, I guess.

I guess I could add a Scheduled Task that runs once.
After joining the domain, do you restart the machine in the task sequence?
Yes. There are multiple restarts along the way. WSUS updates are applied. Some additional software that's not part of the baseline wim is also installed.

My test computer is one I've re-imaged over and over w/o removing from the domain before each redo.  Could it be I need to remove it from the domain before re-imaging?

(admittedly grasping at straws here)
If, during your task sequence, the machine is AD-joined and restarted, make sure it is moved to an OU to which the policy that defines the security identifier is linked.
I confirmed it's getting dropped in an OU where the policy setting is defined.
Well, why not stop to worry and simply set it afterwards using a domain startup script or scheduled task?
I've spent too many hours on this trying to get it to work. So I think your suggestion is the right way to go. Would it be reasonable to add a scheduled task to run "manage-bde.exe -si c:" "ONLOGON" to my GPO that sets my other BitLocker settings?

Is there any harm in that command running on every logon event?  I would prefer to run it just once, but I can't (quickly) find a way to pull that off.
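An added example, not code from the thread or from either participant, of a wrapper the GPO scheduled task could call instead of the bare command: it runs "manage-bde -si" only while the OS volume still has no identification field, so repeating it at every logon is harmless, and it reports whether the DRA protector has appeared. It assumes the OS volume is C:, that manage-bde.exe is on the PATH, and the English "Identification Field" and "Data Recovery Agent" labels in manage-bde output.

```powershell
# Added example (not from the thread). Idempotent wrapper for a GPO scheduled task:
# sets the identification field via "manage-bde -si" only if it is still unknown,
# then checks that the DRA (certificate based) protector has been added.
# Assumptions: OS volume is C:, manage-bde.exe is on PATH, English output labels.
param([string]$Volume = 'C:')

function Get-BdeIdentificationField {
    param([string]$Vol)
    # manage-bde -status prints a line such as "Identification Field: Unknown"
    $status = (& manage-bde.exe -status $Vol 2>&1) -join "`n"
    if ($status -match 'Identification Field:\s*(.+)') { return $Matches[1].Trim() }
    return $null
}

function Test-BdeDraProtector {
    param([string]$Vol)
    # The DRA shows up in the protector list as "Data Recovery Agent (certificate based)"
    $prot = (& manage-bde.exe -protectors -get $Vol 2>&1) -join "`n"
    return [bool]($prot -match 'Data Recovery Agent')
}

$before = Get-BdeIdentificationField -Vol $Volume
if ($before -and $before -notmatch '^(Unknown|None)$') {
    Write-Output "$Volume already has identification field '$before'; nothing to do."
    exit 0
}

# Field still unknown: apply the identifier defined in Group Policy. -si takes the
# value from policy, so it cannot succeed until the GPO has actually been processed.
& manage-bde.exe -si $Volume | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output ("manage-bde -si failed with exit code 0x{0:X8}; policy may not be applied yet." -f $LASTEXITCODE)
    exit $LASTEXITCODE
}

$after = Get-BdeIdentificationField -Vol $Volume
$dra   = Test-BdeDraProtector -Vol $Volume
Write-Output "Identification field now '$after'; DRA protector present: $dra"
# Non-zero exit makes a still-missing DRA visible in the Task Scheduler history.
if (-not $dra) { exit 1 }
```

Because the script exits early once the field is set, an ONLOGON trigger costs one manage-bde -status call per logon and never re-applies the identifier.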
ASKER CERTIFIED SOLUTION
McKnife
I created a test GPO with just a scheduled task and re-imaged a computer, and it worked! I will add the Scheduled Task to my existing BitLocker GPO.

The truly genius solutions are the simplest ones.  Thanks for resolving something I've been battling for longer than I'd like to admit.
You are welcome.