Unable to encrypt drives with bitlocker after deploying image with Fog
-
Hello. I have a problem with FOG-deployed images that I could not figure out. I've installed a fresh copy of Windows 11 from scratch, installed Office, the FOG agent and antivirus. During installation Windows 11 by default encrypted the C drive using BitLocker; I decrypted the drive, sysprepped the system, captured the image with FOG and deployed it.
The deploy worked without errors: Windows 11 was installed, joined to the domain and printers were deployed. The problem appears when I try to encrypt the drive of a deployed Windows system using BitLocker; it ends with the error "The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect"…
I was able to reproduce this error in multiple configurations:
- capturing from different physical laptops with TPM and Secure Boot (HP, Lenovo, Dell)
- capturing from different virtual machines with TPM and Secure Boot
- using Windows 11 Enterprise or Professional.
The image always creates 3 partitions: boot/EFI, system and recovery. I could not find any obvious errors in the BCD by checking bcdedit.
Can someone help here? thank you so very much!
-
@dtiganas said in Unable to encrypt drives with bitlocker after deploying image with Fog:
The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect
Please try the information here:
https://support.microsoft.com/en-us/topic/error-message-when-you-try-to-run-the-bitlocker-drive-encryption-program-cannot-run-39e3c3f5-4f5f-242c-504a-ee55e5015eee
Maybe here as well:
https://www.mcbsys.com/blog/2019/01/bitlocker-wizard-initialization-has-failed/
FOG isn't the "reason" this is happening, though I suspect it is playing a small part.
Ultimately I think it boils down to the BCD thinking this is one drive, but you've cloned it, so the BCD needs a resync to find the actual drive it's sitting on.
I think the BCD is using a unique identifier to find the paths and that unique identifier isn't the actual information on that newly deployed system, so this article should help fix that, I hope.
-
Unfortunately neither the links provided nor any other info from the internet helped. I've edited the BCD, updated it, changed the volume order, even erased it completely (don't try this at home!); BitLocker would not work.
I suspect the issue is caused by partclone. The next step is to try different configurations, like Single Disk not resizable or raw, using partclone alone (without FOG). I will keep you updated, if interested.
Thank you very much!
-
@dtiganas Did you get anywhere with this? I'm having the same issue on our machines and am getting nowhere with fixing it…
-
I'm having similar issues on a newly created Windows 11 24H2 FOG image. (Please note that the sysprep answer file I created is bypassing the Secure Boot check, allowing FOG to PXE boot the VM for capture.) Once I bring the image down on a physical device and try to encrypt the drive I get the identical error shown above. If I go into the BIOS and enable Secure Boot, the device begins encrypting automatically after a restart. NOTE: the drive will fully encrypt and the recovery key is populated successfully in Active Directory. I was feeling confident until I restarted again, then got a BSOD (unrecoverable). Windows 10/11 without Secure Boot enabled at the time of installation/imaging does not like having Secure Boot suddenly enabled.
So, if my thinking is correct, this has something to do with Secure Boot, or more precisely the act of bypassing the Secure Boot check during Windows setup that was done in the sysprep answer file.
FOG can't PXE boot on devices with Secure Boot enabled, but those same machines can't be encrypted without Secure Boot, and enabling Secure Boot after imaging only ends in a BSOD (unrecoverable).
FOG 1.5.10 on Ubuntu 22.04
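As an added example, not posted by anyone in this thread and not part of FOG: a read-only PowerShell pre-flight check that inspects, on a freshly deployed machine, the things the posts above turn on before anyone tries to enable BitLocker. It reports whether a TPM is present and ready, whether Secure Boot is on (and whether the box booted UEFI at all), whether the OS disk is GPT with an EFI System Partition, whether the cloned BCD still has device/osdevice entries that resolve to a volume and whether the loader path it names is the UEFI loader and actually exists, and finally the current BitLocker state of the OS volume. The function name Test-BitLockerPreflight, the assumption that the OS lives on C:, and the assumption that the inbox BitLocker, SecureBoot and TrustedPlatformModule modules are available (Pro/Enterprise) are mine; the script modifies nothing and is a check, not a fix.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from FOG. Read-only pre-flight check for a
# freshly deployed Windows 10/11 machine before enabling BitLocker. Assumes the OS is on
# C:, a UEFI boot, and the inbox BitLocker/SecureBoot/TrustedPlatformModule modules.

function Test-BitLockerPreflight {
    [CmdletBinding()]
    param([string]$OsDriveLetter = 'C')

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM: the default BitLocker protector is TPM-only, so it must be present and ready.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings.Add('TPM: not present') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM: present but not ready (initialise or clear it in firmware)') }

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS boots, which is itself a finding.
    $uefi = $true
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot: disabled in firmware') }
    } catch {
        $uefi = $false
        $findings.Add("Firmware: not booted in UEFI mode or Secure Boot unsupported ($($_.Exception.Message))")
    }

    # 3. Partition layout: a UEFI install needs a GPT disk carrying an EFI System Partition.
    $osPart = Get-Partition -DriveLetter $OsDriveLetter
    $disk   = Get-Disk -Number $osPart.DiskNumber
    if ($disk.PartitionStyle -ne 'GPT') {
        $findings.Add("Disk $($disk.Number): partition style is $($disk.PartitionStyle), expected GPT")
    }
    $espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # EFI System Partition type GUID
    $esp = Get-Partition -DiskNumber $disk.Number | Where-Object { $_.GptType -eq $espGuid }
    if (-not $esp) { $findings.Add("Disk $($disk.Number): no EFI System Partition found") }

    # 4. BCD. After a clone, an entry whose stored volume identifier matches nothing on this
    #    disk is printed by bcdedit as 'device unknown' or 'osdevice unknown'.
    $bcd = bcdedit /enum all
    $unresolved = @($bcd | Where-Object { $_ -match '^\s*(device|osdevice)\s+unknown' })
    if ($unresolved.Count -gt 0) {
        $findings.Add("BCD: $($unresolved.Count) device/osdevice entries do not resolve to a volume")
    }
    # The loader path must be the UEFI loader (winload.efi) and must exist on the OS volume.
    $loaders = @($bcd | Select-String -Pattern '^\s*path\s+(\\Windows\\system32\\winload\.(efi|exe))')
    foreach ($m in $loaders) {
        $p = $m.Matches[0].Groups[1].Value
        if ($uefi -and $p -like '*.exe') {
            $findings.Add("BCD: loader path $p is the BIOS loader on a UEFI machine")
        }
        $full = Join-Path "${OsDriveLetter}:" $p
        if (-not (Test-Path $full)) { $findings.Add("BCD: loader path $p does not exist on ${OsDriveLetter}:") }
    }
    if ($loaders.Count -eq 0) { $findings.Add('BCD: no Windows Boot Loader entry with a winload path found') }

    # 5. Current BitLocker state of the OS volume, for the report.
    $blv = Get-BitLockerVolume -MountPoint "${OsDriveLetter}:"

    [pscustomobject]@{
        Ready      = ($findings.Count -eq 0)
        Findings   = $findings
        VolumeStatus     = $blv.VolumeStatus
        ProtectionStatus = $blv.ProtectionStatus
        KeyProtectors    = @($blv.KeyProtector.KeyProtectorType)
    }
}

# Usage: run in an elevated PowerShell on the deployed machine.
$result = Test-BitLockerPreflight
$result.Findings | ForEach-Object { Write-Warning $_ }
$result | Select-Object Ready, VolumeStatus, ProtectionStatus, KeyProtectors | Format-List
```

Run this on a machine that shows the error and again on a machine built from the same media without FOG in the path; the difference between the two reports tells you whether the cloned BCD (unresolved device entries or a wrong loader path) or the firmware state (Secure Boot off, no TPM) is what BitLocker is objecting to. The "Secure Boot disabled" finding also explains the last post's BSOD: turning Secure Boot on after the image was laid down is a firmware change the imaged Windows did not boot under before.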