Tribulations with Bitlocker, SCCM 2007 and Active Directory

Hi guys,

Here’s another of these posts where I’ll whine about what happened to me and how to avoid that.

Background

Bitlocker is not a new technology, it has been introduced with Vista and I’ve done multiple projects where I built deployment solutions to enable Bitlocker on Windows Vista or 7 workstations. The tricky part is when you want to store the recovery information in Active Directory and delegate a console to your helpdesk analysts to let them retrieve those. But, everything is well described in this technet article : http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

Context

This time, I wasn’t involved in the project when AD considerations were discussed. Then when I started to work on the enabling of Bitlocker with deployment solution , I first checked the AD status and discovered that the Schema was extended but the permissions needed to store TPM information were not added (by default, Bitlocker Recovery information can be stored in AD, but not the TPM ownershsip information)

Issue

Since the schema was extended, I thought that it was no big deal and then I tried to enable bitlocker during a standard MDT Task Sequence in SCCM. result : access denied

Cause

The cause is quite simple here, if you tell  the standard SCCM Bitlocker task to store the  recovery info in AD,  it does the following :

  1. Check if TPM is active and enabled
  2. Check if TPM is owned, if not take ownership and store information in AD
  3. Enable Bitlocker
  4. Store Bitlocker recovery information in AD

Since the permissions to store TPM owner information in AD were not added  then the task failed.

The Fix

Obviously the fix is to run that script http://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191/ as mentioned in the technet article. But in my case, it meant that I would had to go through a very long change management process and my customer had to move quickly because they were trying to ship computers to field recovery teams after Hurricane Sandy.

We then had to find a solution without storing TPM owner information in AD. To achieve this, we used manage-bde.exe (http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx) to turn on and take ownership of the TPM Chip using a given password (we chose the computer name because we needed to be able to find it even if not stored in AD)

and

 

that way, SCCM noticed that the TPM chip was already on and owned and just tried to store the recovery key in AD !


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s