question

ismpearson-9898 asked MikeCroft-8379 commented

Windows 10 Enterprise 2019 LTSC - BitLocker Not Working

Hello,

I am building a Windows 10 Enterprise 2019 LTSC v1809 system using the Windows System Image Manager. I have run into a problem where BitLocker will not run. I get an error that says "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it". I have checked the BitLocker service and although it is set to Manual I can start it without a problem. I did try changing it to Automatic but that did not fix the issue.

If I install the full version of Windows 10 Enterprise 2019 LTSC v1809 BitLocker runs correctly.

So what I am wondering is if anyone knows if there is something specific that needs to be added to my answer file in Windows System Image Manager to get BitLocker to run?

Thanks.

windows-10-security, windows-10-application-compatibility

Hello,
What options do you have in your answer file?
When you state full version of Windows 10 Enterprise LTSC, what do you mean? Have you removed components?
Posting your answer file may help in determining what the issue is.


Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If not, please reply and tell us the current situation in order to provide further help.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


JennyFeng-MSFT answered

Hi,

BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
- Multiple partitions on the hard drive.

For more information, please refer to the following article:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker

Hope the above information can help you.
---Please Accept as answer if the reply is helpful---

ismpearson-9898 answered MikeCroft-8379 commented

Hello,

Sorry for the delay, I had lost the link to this page and didn't set up email replies!

Anyway, so first yes, we have a TPM on this system.

So when I say full version, I mean I download a copy of Windows 10 Enterprise LTSC v1809 and install it. When I do that I can run BitLocker.

The issue is when I use the Windows System Image Manager and create the answer file. Then BitLocker does not work.

I have attached a copy of the Answer File (I have removed the product key): 24912-answerfile-09-15-2020-no-key.xml




Did you happen to find a solution for this? We are in a similar situation.

Sean-Liming answered

There is no component setting in the answer file that needs to be added for BitLocker to run. The device driver for the TPM chip has to be running. Please make sure you see the TPM driver under Security Feature in Device Manager. Also, go to Control Panel->Administrative Tools->Services, and check the settings for BitLocker Drive Encryption Service. Make sure it is running, and set to auto start. If the service is disabled for some reason, then you can add a Pass7 sync command to start the service using sc.exe.

Do you see BitLocker Drive Encryption in Control Panel?
From a command prompt, if you run manage-bde -on c: -skiphardwaretest, does the encryption process start?

If you are deploying the image to multiple systems, each system has to run BitLocker since the TPM chip is unique for each system. BitLocker has to be disabled in the master image, and using a Pass7 sync command, you can kick off the encryption using the manage-bde.exe utility. Sometimes BitLocker kicks off automatically for some systems, but that doesn't sound like what is happening here.

Regards,

Sean Liming
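
The checks listed in the answer above, gathered into one read-only PowerShell script. This is an added example, not part of the original thread or of Microsoft's tooling. It assumes an elevated Windows PowerShell 5.1 session on the deployed system and that BitLocker Drive Encryption Service has the service name BDESVC.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only BitLocker readiness report. Nothing is changed on the system.
$report = [ordered]@{}

# 1. TPM device and driver (what Device Manager shows for the TPM).
$tpmDevices = Get-PnpDevice -Class SecurityDevices -ErrorAction SilentlyContinue
$report['TpmDevice'] = if ($tpmDevices) {
    ($tpmDevices | ForEach-Object { "$($_.FriendlyName): $($_.Status)" }) -join '; '
} else {
    'No device found in class SecurityDevices (TPM driver missing or TPM disabled in firmware)'
}

# 2. TPM state as Windows sees it.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady
} catch {
    $report['TpmPresent'] = "Get-Tpm failed: $($_.Exception.Message)"
}

# 3. BitLocker Drive Encryption Service: must exist and must not be Disabled.
#    If it is Disabled, the answer's fix is a sync command such as:
#    sc.exe config BDESVC start= auto
$svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
if ($svc) {
    $report['ServiceStatus']    = $svc.Status
    $report['ServiceStartType'] = $svc.StartType
} else {
    $report['ServiceStatus'] = 'BDESVC not installed in this image'
}

# 4. BitLocker state of the system drive, if the BitLocker cmdlets are in the image.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $report['VolumeStatus']     = $vol.VolumeStatus
        $report['ProtectionStatus'] = $vol.ProtectionStatus
        $report['KeyProtectors']    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    } catch {
        $report['VolumeStatus'] = "Get-BitLockerVolume failed: $($_.Exception.Message)"
    }
} else {
    $report['VolumeStatus'] = 'BitLocker PowerShell module not available'
}

[pscustomobject]$report | Format-List
```

Running it on both the image built from the answer file and a stock install of the same release gives two reports that can be compared line by line.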
