Here’s another of these posts where I’ll whine about what happened to me and how to avoid that.
Bitlocker is not a new technology, it has been introduced with Vista and I’ve done multiple projects where I built deployment solutions to enable Bitlocker on Windows Vista or 7 workstations. The tricky part is when you want to store the recovery information in Active Directory and delegate a console to your helpdesk analysts to let them retrieve those. But, everything is well described in this technet article : http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx
This time, I wasn’t involved in the project when AD considerations were discussed. Then when I started to work on the enabling of Bitlocker with deployment solution , I first checked the AD status and discovered that the Schema was extended but the permissions needed to store TPM information were not added (by default, Bitlocker Recovery information can be stored in AD, but not the TPM ownershsip information)
Since the schema was extended, I thought that it was no big deal and then I tried to enable bitlocker during a standard MDT Task Sequence in SCCM. result : access denied
The cause is quite simple here, if you tell the standard SCCM Bitlocker task to store the recovery info in AD, it does the following :
- Check if TPM is active and enabled
- Check if TPM is owned, if not take ownership and store information in AD
- Enable Bitlocker
- Store Bitlocker recovery information in AD
Since the permissions to store TPM owner information in AD were not added then the task failed.
Obviously the fix is to run that script http://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191/ as mentioned in the technet article. But in my case, it meant that I would had to go through a very long change management process and my customer had to move quickly because they were trying to ship computers to field recovery teams after Hurricane Sandy.
We then had to find a solution without storing TPM owner information in AD. To achieve this, we used manage-bde.exe (http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx) to turn on and take ownership of the TPM Chip using a given password (we chose the computer name because we needed to be able to find it even if not stored in AD)
that way, SCCM noticed that the TPM chip was already on and owned and just tried to store the recovery key in AD !