VivekPremachandranUSTIN-6220 asked:

Cannot enable bitlocker in fixed drive during OSD on desktops

Hi All,

I use the built-in BitLocker steps twice, for enabling the C: drive and the D: drive, in the SCCM task sequence, with only one condition: SMSTSWTG not equal to True. On laptops both drives got successfully encrypted. But on desktops it's a different story: only the C: drive got successfully encrypted; the D: drive is not encrypted. In the smsts.log we can't find any error. Please help if I have missed anything.

Thanks

Vivek

mem-cm-osd

ColinFord-6663 answered:

Can you post a snippet of the Enable BitLocker steps for C: and D: in the smsts.log from a non-working device?


Hi Colin,

We can't find the BitLocker completion steps in the smsts.log. In the Pre-provision step we set the destination to the next available format and enabled the wait option for the BitLocker steps.

Attaching the smsts.log for your reference.

Thanks

Vivek

ColinFord-6663 replied:

Can you please attach?

Attachment: smsts.log (2.5 MiB)

ColinFord-6663 answered:

Have you got the "Configure use of passwords for fixed data drives" GPO setting enabled, and require passwords? If so, remove that GPO setting and try again.


Hi Colin,

The above setting is enabled in GPO, but this issue is random. The fixed drive successfully got encrypted on laptops and on some desktops.

Regards
Vivek

ColinFord-6663 replied:

It could be that some devices are not receiving the GPO in time for encryption and others are. There are cases where this is possible depending on how your AD is set up and how you join devices to the domain and move them into the correct OU where the GPO lives. The error code when encryption fails is 2150695019, which according to this site means "Group Policy settings require the creation of a password": https://thewintelpro.co.uk/sccm-error-code-bible/

When it comes to BitLocker, if you have a GPO setting that requires a configuration and you can't or don't set it, then encryption won't start. The task sequence is trying to set the D: drive to auto-unlock, which makes the most sense. I would experiment with removing at least the "Require password for fixed data drive" option within that GPO setting in a test OU and see if you can get devices to work consistently without it.

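The check Colin describes, written out as a PowerShell script you can run on an affected desktop (or drop into a "Run PowerShell Script" step right before the second Enable BitLocker step). This is an added example, not code from the thread or from Configuration Manager. It assumes the policy "Configure use of passwords for fixed data drives" is written under HKLM\SOFTWARE\Policies\Microsoft\FVE as the values FDVPassphrase (policy enabled) and FDVEnforcePassphrase (require password), as the BitLocker ADMX template defines them; the function names are the example's own. It also converts the decimal code quoted above into its HRESULT form so you can recognise it in smsts.log, and reports the fixed drive's current state with the built-in Get-BitLockerVolume cmdlet.

```powershell
# Added example, not from the original thread: on one device, find out whether
# the fixed-data-drive password policy is the thing stopping D: from encrypting,
# and decode the task sequence error code discussed above.
# Assumption: the GPO "Configure use of passwords for fixed data drives" lands in
# HKLM\SOFTWARE\Policies\Microsoft\FVE as FDVPassphrase / FDVEnforcePassphrase.

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FdvPasswordPolicy {
    # Returns what the device currently has applied; if the key is absent the
    # GPO has simply not arrived yet (which is the "random" case in the thread).
    $state = [ordered]@{
        PolicyKeyPresent  = Test-Path -Path $fvePolicyKey
        PasswordPolicySet = $false   # FDVPassphrase = 1 -> policy enabled
        PasswordRequired  = $false   # FDVEnforcePassphrase = 1 -> "require password"
    }
    if ($state.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $fvePolicyKey
        if ($null -ne $props.FDVPassphrase) {
            $state.PasswordPolicySet = ($props.FDVPassphrase -eq 1)
        }
        if ($null -ne $props.FDVEnforcePassphrase) {
            $state.PasswordRequired = ($props.FDVEnforcePassphrase -eq 1)
        }
    }
    [pscustomobject]$state
}

function ConvertTo-HResultHex {
    # smsts.log and the error-code site quote HRESULTs as unsigned decimal.
    # Facility 0x31 (49) is the BitLocker/FVE facility, so a 0x8031xxxx code
    # came from BitLocker itself rather than from the task sequence engine.
    param([Parameter(Mandatory)][long]$Decimal)
    $u = [uint32]$Decimal
    [pscustomobject]@{
        Decimal             = $Decimal
        Hex                 = ('0x{0:X8}' -f $u)
        IsBitLockerFacility = ((($u -shr 16) -band 0x7FF) -eq 0x31)
    }
}

# 1. Is the password policy in force on this machine?
$policy = Get-FdvPasswordPolicy
$policy

# 2. The code quoted in the thread: 2150695019 -> 0x8031006B, FVE facility
ConvertTo-HResultHex -Decimal 2150695019

# 3. What BitLocker thinks of the fixed drive right now
Get-BitLockerVolume -MountPoint 'D:' -ErrorAction SilentlyContinue |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage, KeyProtector

if ($policy.PasswordRequired) {
    Write-Warning ('Policy requires a password on fixed data drives. The Enable BitLocker ' +
                   'step only adds an auto-unlock protector, so encryption of D: will not ' +
                   'start until that option is removed from the GPO.')
}
elseif (-not $policy.PolicyKeyPresent) {
    Write-Warning ('No FVE policy key yet: the GPO has not been applied to this device. ' +
                   'Devices that encrypt fine may simply have run the step before policy arrived.')
}
```

Run it once on a desktop where D: failed and once on a laptop where it worked; if the first reports PasswordRequired = True and the second reports no policy key at all, that is the timing difference Colin is pointing at, and removing the "require password" option from the GPO (or delaying the second Enable BitLocker step until after the device is in its final OU) is the fix to test.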

Thanks much, Colin.

Will check and get back to you if needed.