Apophis

SCCM 2012 SP1 - Bitlocker pre-provision and encryption with multiple disks during OSD


Hi all,

 

Before I start off: this is a best-practice type of question. The situation below works, but I'm unhappy because I need to enable the Continue on Error option for it to work, and I was wondering if anyone has a better way of achieving my goals.

 

In our organization we normally have 1 disk per system, be it workstation or laptop. All systems are Bitlockered during OSD.

This week, however, we purchased 2 new workstations with 2 disks: 1 500GB SSD (Boot, OS - disk 0) and 1 2TB HDD (disk 1).

 

I built a TS for OSD. Tweaked some steps for Bitlocker. Ran OSD. Crashed and burned.

Status so far:

- Pre-provisioning works for disk 0 and disk 1

- Bitlocker fails to encrypt disk 1

 

The failure code is: 0x000000FF (255)

 

Log file and a screenshot of the TS are included.

 

Short explanation of the TS:

- Disk 0 is partitioned with a 300MB boot partition and the remaining space is the OS partition. The latter receives the variable OSPART

- Disk 1 is 1 partition, variable: DISK2

- The Enable Bitlocker OS drive step has the following options: Current OS drive, TPM only, ADDS backup, wait for BL to complete...

- The Enable Bitlocker D: step has the following options: Specific drive: D:, ADDS backup, wait for BL to complete...

 

The step that fails (oddly) is the Enable BL OS Drive step, with the following message:

Failed to run the action: Enable BitLocker OS Drive.
The extended attributes are inconsistent. (Error: 000000FF; Source: Windows) TSManager 29-May-2015 11:58:29 3836 (0x0EFC).

 

If you then boot into the OS, the funny thing you find is that the failure results in the OS drive being fully encrypted, but the other disk has BL suspended. So technically it fails to encrypt the other disk.

When the Continue on Error option is ticked at the Enable BL OS drive step: all good! Everything is encrypted as it should be.

Please have a look at the excerpt of the smsts.log and if anyone has any ideas: I'm all ears.


Hi, quick question: why oh why are you using two disks? It seems that your problem has been reported before, so it may just be a bug with the built-in step. Have you tried using the ZTIbde.wsf script instead to enable it?

Simple: because I have to. Two 3D CAD designers are going to use them. SSD for OS/apps, HDD for scratch data.

I was wondering if this was a first because I couldn't find any info. I will try the script. Thanks for that.

Any idea what triggers/causes this feature? Or if it is known @ MS?

I'd just use one HDD, one large 1TB SSD. I'm not aware of the issue being 'known' or not; you'd have to ask Microsoft.

Unfortunately the script does not help. And I don't know how the decision was made, but I do get to make it work or I would've probably done as you would have. And also I don't have more time to throw at this little project so I'll just keep it as is for now. Thanks for the help though.

Hey, had the same issue/error when trying to enable Bitlocker on a dual-disk device. It seems that when pre-provisioning is set for two or multiple disks, Bitlocker recognizes that and tries to check something which does not exist.

Following workaround did the trick in my scenario (Two disks):

  1. Enable Pre-provision on D Drive
  2. Enable Pre-provision on C/Os Drive
  3. Apply Image
  4. Apply Driver Package
  5. (Run Command Line) cmd /c "(echo select disk 1&& echo.offline disk) > .\diskpart.txt && diskpart.exe /s .\diskpart.txt && del .\diskpart.txt"
  6. Enable Bitlocker on C
  7. (Run Command Line) cmd /c "(echo select disk 1&& echo.online disk) > .\diskpart.txt && diskpart.exe /s .\diskpart.txt && del .\diskpart.txt"
  8. Enable Bitlocker on D

If you don't like the encapsulated cmd command, create a new package with diskpart scripts.
For example:

offlineDDrive.txt:

rem disk 1 is the data (D:) disk, matching steps 5 and 7 above; disk 0 holds the OS
select disk 1
offline disk

(Run Command Line) diskpart.exe /s offlineDDrive.txt

onlineDDrive.txt:

rem bring the data disk back before the Enable Bitlocker on D step
select disk 1
online disk

(Run Command Line) diskpart.exe /s onlineDDrive.txt

Edited by jHetzer
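The offline/online sequencing from steps 5 and 7, done with the Storage module instead of a nested cmd/diskpart one-liner, plus a post-deployment check that both volumes actually ended up protected (this is an added example, not code from the thread). It assumes the data disk is disk 1 and that it runs in the full OS phase of the task sequence, where the Storage and BitLocker PowerShell modules are present; the script name and the -Offline/-Online/-Verify switches are the example's own.

```powershell
# Added example (not from the thread). Run as a Run Command Line step, e.g.
#   powershell.exe -ExecutionPolicy Bypass -File Set-DataDiskState.ps1 -Offline
# before "Enable Bitlocker on C", with -Online before "Enable Bitlocker on D",
# and with -Verify after both wait-for-completion steps.
param(
    [int]$DataDisk = 1,   # assumption: the 2TB HDD enumerates as disk 1
    [switch]$Offline,
    [switch]$Online,
    [switch]$Verify
)

function Set-DataDiskState {
    param([int]$DiskNumber, [bool]$MakeOffline)
    # Guard against the "select disk 0" slip: never offline the disk that carries
    # the boot or system partition, whatever number it was enumerated with.
    $sysParts = Get-Partition -DiskNumber $DiskNumber |
        Where-Object { $_.IsBoot -or $_.IsSystem }
    if ($MakeOffline -and $sysParts) {
        throw "Disk $DiskNumber holds the boot/system partition; refusing to offline it."
    }
    Set-Disk -Number $DiskNumber -IsOffline $MakeOffline
    $state = if ($MakeOffline) { 'offline' } else { 'online' }
    Write-Host "Disk $DiskNumber is now $state."
}

function Test-BitLockerState {
    param([string[]]$MountPoints = @('C:', 'D:'))
    $ok = $true
    foreach ($mp in $MountPoints) {
        $v = Get-BitLockerVolume -MountPoint $mp
        $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Write-Host ("{0} {1} protection={2} protectors={3}" -f `
            $mp, $v.VolumeStatus, $v.ProtectionStatus, $types)
        # The failure described in this thread leaves a volume FullyEncrypted but
        # with protection suspended, so check ProtectionStatus as well as VolumeStatus.
        if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
            $ok = $false
        }
    }
    return $ok
}

if ($Offline) { Set-DataDiskState -DiskNumber $DataDisk -MakeOffline $true }
if ($Online)  { Set-DataDiskState -DiskNumber $DataDisk -MakeOffline $false }
# Non-zero exit makes the task sequence step fail instead of silently continuing.
if ($Verify -and -not (Test-BitLockerState)) { exit 1 }
```

Because the verify step exits non-zero when either volume is not both fully encrypted and protected, it catches the "OS encrypted, D: suspended" outcome without needing Continue on Error on the Enable BitLocker steps.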

