Bitlocker on system drive failing - Win10 LTSB 1607

Dear Nuhi,
for the first time I tried to enable Bitlocker on the system drive in my 1607 LTSB installation and I got a strange error: "The specified procedure could not be found".
My hardware has TPM.

Attached is the preset used.
Please consider that the original source image has been updated with W10UI (and resetbased) with the following packages:
- windows10.0-kb4033393-x64.cab
- Windows10.0-KB4035631-x64.msu
- Windows10.0-KB4041688-x64.msu
- windows10.0-kb4051613-x64_baa8164a0d8f30d5979930999c39b91c1791ab2f.msu

Maybe you can check if it is working on your side?
Thank you,
Fil
 
Try to keep:

Device Lockdown (Embedded Experience)
Enterprise Data Protection (EDP/WIP)
Windows Provisioning

Use of searchbox is recommended
 
Dear Kasual,
thank you for your suggestions.
I can't understand what you mean with "use of searchbox is recommended": maybe I'm wrong but I can't find any explicit relation between the suggested components and Bitlocker.
Please also consider that Bitlocker is working fine on a VM (which cannot detect TPM), so this could be found only in a real deployment.

Has this topic already been discussed before?

Fil
 
I can't understand what you mean with "use of searchbox is recommended": maybe I'm wrong but I can't find any explicit relation between the suggested components and Bitlocker.

Searchbox is recommended to find specific components.

Despite "Device Lockdown (Embedded Experience)", this is something not related.

This component seems to be related:
Enterprise Data Protection (EDP/WIP)
Description:
Also known as 'Windows Information Protection', protects data that belongs to an organization by enforcing policies that are defined by the organization.
https://blogs.technet.microsoft.com...9/introducing-windows-information-protection/

Provisioning seems to be related to EDP.

Have you tested keeping those components yet?
 
@Filippotosi, let me ask you a few questions, as I'm having trouble enabling TPM on full Win10 as well.

Did you install in UEFI non-legacy (secureboot) mode?
Did you confirm that full Windows is working correctly in the same situation?
What is your TPM status, is it with reduced functionality? In start - run - tpm.msc

Thanks.
 
Dear Nuhi,
- install was in legacy mode, no secureboot
- honestly I don't know, I do not have the chance to test with a full W10 soon on that hardware
- same as above, I do not have access to that hardware for the next 2/3 weeks, sorry

Are you getting the same error on your machine even with full Win10?

Fil
 
OK, let me know when you confirm that hardware is working.

I got this issue on full and lite with your preset.
I always check "run Bitlocker system check", it reboots and I get that message.

Now reinstalled with Secureboot, and full Windows passed that, so it's confirmed fix for my issue.

Now will reinstall your preset on a second partition and report back.
 
Seems to be working fine, I aborted the encryption after the reboot, it passed where the issue I saw was.

Your turn :)
 
So it seems that it requires secureboot (UEFI) to be enabled?
If I can ask you, how can I force the installation to be UEFI? I remember there were some limitations about source installation media, to be FAT32?

Fil
 
As mentioned on that Dell link above, if it's TPM 2.0 then it requires SecureBoot (non-legacy) UEFI for system partition encryption.
Btw you could play with the built-in manage-bde.exe, but careful, it allows encryption in many more situations without checking first, make sure to specify a recovery file and put it on a USB stick.

Yes, the Rufus NTFS USB stick booting does not work with secureboot enabled, at least it didn't before.
I format the USB stick with diskpart method, FAT32. If the install.wim is more than 4GB, use ESD compression in NTLite - Apply page - Image tasks.
 
Hello Nuhi,
I had the chance to try again a system disk encryption on another system. This time I am using Win10 RS3, preset attached. My laptop has TPM 2.0 (see attached for status), UEFI and secure boot enabled. Partition scheme is GPT.

I tried to enable Bitlocker with standard wizard, I got "the specified procedure could not be found" error.
Then I tried enabling with the command-line utility manage-bde, I could encrypt the volume but then got the same error when I had to finalize the operation via the wizard.
No errors are present in event viewer.

I also tried running manage-bde -status and the output looks strange: I cannot see information about volumes. Maybe this is related to my issue?

I have some options for BDE in registry: maybe you need them to replicate the issue.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"UseAdvancedStartup"=dword:00000001
"EnableBDEWithNoTPM"=dword:00000001
"UseTPM"=dword:00000002
"UseTPMPIN"=dword:00000002
"UseTPMKey"=dword:00000002
"UseTPMKeyPIN"=dword:00000002
"UseEnhancedPin"=dword:00000001
;"RequireActiveDirectoryBackup"=dword:00000001
;"ActiveDirectoryBackup"=dword:00000001
;"ActiveDirectoryInfoToStore"=dword:00000001

Activating BitLocker on a "non system" drive works correctly.

Thank you for your support,
Fil
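The posts above turn on a handful of preconditions (UEFI rather than legacy boot, Secure Boot, TPM 2.0, GPT, and the FVE policy values from the exported registry fragment) plus whatever manage-bde -status reports. The following script gathers all of that in one read-only pass so a tester can compare a lite and a full Windows install on the same hardware. It is an added example, not code from the thread or from NTLite; it assumes the built-in BitLocker, TrustedPlatformModule, Storage and SecureBoot PowerShell modules are present and is meant to be run from an elevated prompt. The FVE value names are the ones quoted in the post above; everything else is an assumption. For context, "The specified procedure could not be found" is Win32 error 127 (ERROR_PROC_NOT_FOUND), raised when a DLL export cannot be resolved; this script does not diagnose that, it only confirms that the hardware and policy side of the setup is what the thread says it should be.

```powershell
# Added example (not from the thread or NTLite): read-only checks for the
# BitLocker system-drive preconditions discussed above. Run from an elevated
# PowerShell. Assumes the built-in BitLocker, TrustedPlatformModule, Storage
# and SecureBoot modules; nothing here changes the system.

function Show-Section([string]$Title) { "`n== $Title ==" }

Show-Section 'Firmware'
# Windows sets $env:firmware_type to "UEFI" or "Legacy". The thread's finding:
# TPM 2.0 system-drive encryption wants UEFI + Secure Boot, not legacy boot.
"Firmware type : $env:firmware_type"
try {
    "Secure Boot   : $(Confirm-SecureBootUEFI)"
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
    "Secure Boot   : unavailable ($($_.Exception.Message))"
}

Show-Section 'System disk'
# UEFI boot needs a GPT system disk; a legacy install is normally MBR.
$sysDriveLetter = ($env:SystemDrive).TrimEnd(':')
$sysDisk = Get-Partition -DriveLetter $sysDriveLetter | Get-Disk
"Partition style: $($sysDisk.PartitionStyle)"

Show-Section 'TPM'
# Same information tpm.msc shows: presence, readiness, and 1.2 vs 2.0.
$tpm = Get-Tpm
"Present       : $($tpm.TpmPresent)"
"Ready         : $($tpm.TpmReady)"
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
"Spec version  : $($tpmWmi.SpecVersion)"

Show-Section 'BitLocker volumes (PowerShell view of manage-bde -status)'
# If this lists nothing for the OS volume, compare with a full Windows install
# on the same machine before blaming the preset.
Get-BitLockerVolume |
    Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod -AutoSize |
    Out-String

Show-Section 'FVE policy values (names quoted in the post above)'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$names  = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN',
          'UseTPMKey', 'UseTPMKeyPIN', 'UseEnhancedPin'
if (Test-Path $fveKey) {
    $fve = Get-ItemProperty -Path $fveKey
    foreach ($n in $names) {
        # Empty when the policy value is not set in the registry.
        "{0,-20} {1}" -f $n, ($fve.$n -as [string])
    }
} else {
    "No FVE policy key present (default BitLocker behaviour)."
}
```

Running it on the lite install and on a full install of the same build, then diffing the two outputs, separates a hardware or policy mismatch (different firmware type, TPM not ready, missing GPT) from a component removed by the preset, which is the question Nuhi raises below.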
 
@Filippotosi, ok, let me ask you, did you try the same tweaks and procedure on full Windows?
Because at this point we don't know if we're debugging Bitlocker or NTLite, as far as I know, especially since I tried your preset and it worked.
But I'm willing to retest if you confirm it works on full Windows.

Thanks.
 
Ciao Nuhi,
No, I had no chance to test on full Windows. Honestly I would be surprised if such a function is bugged in original version but please try again.

Thank you,
Fil
 
Nuhi,
This is a little off-topic but with attached preset above I cannot open PDF files in Edge. It loads Edge but then it just fails showing the file.
Can you please check this one too?

Fil
 
Fil, not a solution to your pdf problem, but an alternative. Sumatra PDF, 32 and 64 bit versions. Installer and Portable, a basic pdf reader.

If you need advanced pdf features then try Foxit. :)
 