    Unable to encrypt drives with BitLocker after deploying image with FOG

    Windows Problems
    • dtiganas

      Hello. I have a problem with FOG deployed images that I could not figure out. I’ve installed a fresh copy of Windows 11 from scratch, installed Office, FOG agent and antivirus. During installation Windows 11 by default encrypted the C drive using BitLocker; I’ve decrypted the drive, sysprepped the system, captured the image with FOG and deployed it.
      The deploy worked without errors: Windows 11 was installed, joined to the domain and printers deployed. The problem appears when I try to encrypt the drive of a deployed Windows using BitLocker; it ends up with the error “The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect”…
      I was able to reproduce this error in multiple configurations:

      • capturing from different physical laptops with TPM and secure boot (HP, Lenovo, Dell)
      • capturing from different virtual machines with TPM and secure boot
      • using Windows 11 Enterprise or Professional.

      The image always creates 3 partitions: boot/EFI, system and recovery. I could not find any obvious errors in BCD by checking bcdedit.
      Can someone help here? Thank you so very much!
      • Tom Elliott @dtiganas
        last edited by Tom Elliott

        @dtiganas said in Unable to encrypt drives with bitlocker after deploying image with Fog:

        The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption integrity-protected application is incorrect

        Please try the information here:
        https://support.microsoft.com/en-us/topic/error-message-when-you-try-to-run-the-bitlocker-drive-encryption-program-cannot-run-39e3c3f5-4f5f-242c-504a-ee55e5015eee

        Maybe here as well:
        https://www.mcbsys.com/blog/2019/01/bitlocker-wizard-initialization-has-failed/

        FOG isn’t the “reason” this is happening, though I suspect it is playing a small part.

        Ultimately I think it boils down to the BCD thinking this is one drive, but you’ve cloned it, so the BCD needs a resync to find the actual drive it’s sitting on.

        I think BCD is using a unique identifier to find the paths, and that unique identifier isn’t the actual information on that newly deployed system. So this article should help fix that, I hope.

        • dtiganas

          Unfortunately neither the links provided nor any other info from the internet helped. I’ve edited the BCD, updated it, changed the volume order, even erased it completely (don’t try this at home!); BitLocker would not work.
          I suspect the issue is caused by partclone. The next step is to try different configurations, like Single Disk not resizable or raw, using partclone alone (without FOG). I will keep you updated, if interested.
          Thank you very much!

          • njones46 @dtiganas

            @dtiganas Did you get anywhere with this? I’m having the same issue on our machines and am getting nowhere with fixing it…

              • Gordon Taylor
                last edited by Gordon Taylor

                I too am trying to get this working. It’s a new problem for us on Windows 11 24H2; our older Win 11 images were fine, and so are our Win 10 22H2 images.
                Other than trying the BCD edits in the post, I have also tried the below, but still no joy 😞

                Tried separately and together these changes, which are suggestions I came across on the net:
                Group Policy Editor -> Computer Config -> Admin Templates -> Windows Components -> BitLocker Drive Encryption -> OS Drives -> Config TPM for UEFI:
                PCR 0, 2, 11 ticked (i.e. remove 4)
                and/or
                Group Policy Editor -> Computer Config -> Admin Templates -> Windows Components -> BitLocker Drive Encryption -> OS Drives -> Allow Secure Boot for integrity validation:
                Disable

                Enabling some combinations, in the Event log it looks like the C drive is encrypting, but on restart it then just goes into automatic recovery mode.
                If we leave neither of these options set, it doesn’t encrypt, with the error message reported in this thread about the BCD settings.

                These are the sort of Event logs we get (this is with PCR 4 removed), from
                Applications and Services Logs > Microsoft > Windows > BitLocker-API:

                Before the GPO is applied, lots of these:

                BitLocker cannot use Secure Boot for integrity because it is disabled.

                After the GPO is applied, with lots of these in between the ones below:

                BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.

                BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.
                BitLocker Drive Encryption is using software-based encryption to protect volume C:.

                The identification field was changed.
                Identification GUID: {ID}

                A BitLocker key protector was created.
                Protector GUID: {ID}
                Identification GUID: {ID}

                BitLocker encryption was started for volume C: using XTS-AES 128 algorithm.

                Device Encryption initialized automatically for volume C:.

                BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.
                Protector GUID: {ID}
                Identification GUID: {ID}

                A BitLocker key protector was created.
                Protector GUID: {ID}
                Identification GUID: {ID}

                BitLocker was resumed for volume C:.

                BitLocker successfully sealed a key to the TPM.
                PCRs measured include [0,2,11].
                The source for these PCRs was: Group Policy.

                BitLocker was resumed for volume C:.

                And in Windows there is no padlock on the C drive… on restart (even after being idle for 30 mins) there are no additions to the event log either… Windows Automatic Repair.

                Just to add I have tried it with and without the recovery partition on the end.

                • Gordon Taylor
                  last edited by Gordon Taylor

                  Just to update: I downloaded Windows 11 23H2 from the MS admin console, then made a new image with FOG and deployed it, and whilst for some reason the GPO that should auto-encrypt the C drive doesn’t appear to be working, if I right click it and choose Encrypt with BitLocker and choose Allow Windows to unlock the drive automatically (which is what the GPO should do) it encrypts just fine. So it’s definitely something new with Windows 11 24H2; I suspect it’s to do with secure boot being disabled.

                  Edit: ignore the bit about the GPO not working; I moved the PC to a different OU for testing and it simply wasn’t applied. I have since forced Windows Update to install Win11 24H2 and the drive remains encrypted, so for a while this will be a workaround for our staff laptops that need to be encrypted.

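An added diagnostic, not from the thread or from FOG, that pulls together what the two Gordon Taylor posts above are reading by eye: the firmware Secure Boot state, the PCR profile the TPM protector was last sealed to, and the matching BitLocker-API management log lines. The event channel name and the message regexes are my assumptions; run it in an elevated PowerShell on the deployed machine.

```powershell
# Added example, not from the thread or from FOG. Elevated PowerShell on the
# deployed machine. Assumed: the BitLocker module is present and the box is UEFI.

# 1. Firmware Secure Boot state. Confirm-SecureBootUEFI throws on BIOS/CSM boot.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

# 2. Volume and key protector state for the OS drive.
$vol     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmProt = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }

# 3. The BitLocker-API > Management log quoted in the post (channel name assumed).
$log    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$events = Get-WinEvent -LogName $log -MaxEvents 1000 -ErrorAction SilentlyContinue
$interesting = $events | Where-Object {
    $_.Message -match 'Secure Boot for integrity|PCRs measured include|Boot Configuration Data'
}

# Newest seal event says which PCRs the TPM protector depends on:
# [7,11] when Secure Boot validation is used, [0,2,11] when forced by the GPO above.
$seal = $interesting | Where-Object { $_.Message -match 'PCRs measured include' } |
        Select-Object -First 1
$pcrs = if ($seal -and $seal.Message -match '\[([0-9,]+)\]') { $Matches[1] } else { 'none logged' }

$disabledMsgs = @($interesting | Where-Object {
    $_.Message -match 'Secure Boot for integrity because it is disabled'
}).Count

[pscustomobject]@{
    SecureBootEnabled  = $secureBoot          # $false here matches the "disabled" log lines
    ProtectionStatus   = $vol.ProtectionStatus
    VolumeStatus       = $vol.VolumeStatus
    TpmProtectors      = @($tpmProt | ForEach-Object { $_.KeyProtectorType }) -join ','
    LastSealedPcrs     = $pcrs
    SecureBootDisabled = $disabledMsgs         # count of "cannot use Secure Boot" events
} | Format-List

# First line of each matching event, newest first, for the write-up.
$interesting | Select-Object -First 15 TimeCreated, Id,
    @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize
```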
                  • ITCC

                    I have just found this issue. Anyone have a fix?

                    • Gordon Taylor @ITCC

                      @ITCC Someone much cleverer than me (from ANME) has worked out how to fix it, and it is due to sysprep sealed images rather than FOG per se, as Tom suggested. The fix is to add the following to your sysprep SetupComplete.cmd file:

                      rem Grab the GUID of the {bootmgr} entry; /v prints the GUID instead of the alias
                      for /f "tokens=2 delims={}" %%a in ('bcdedit /enum {bootmgr} /v ^| find "identifier"') do set prep-bcdid={%%a}
                      rem Point the running OS loader entry at the volume Windows now lives on
                      bcdedit -set {current} device partition=c:
                      bcdedit -set {current} osdevice partition=c:
                      rem The memory diagnostic entry lives on the first volume
                      bcdedit -set {memdiag} device partition=\Device\HarddiskVolume1
                      rem Re-point the boot manager entry using the GUID captured above
                      bcdedit -set %prep-bcdid% device partition=c:

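An added check, not from the thread or from FOG, for the state the SetupComplete.cmd lines above correct: it reads the same BCD elements through bcdedit and flags a {current} device/osdevice that does not name the volume Windows booted from, or a {bootmgr} device that reads unknown. The parsing regex and the helper names are my assumptions; run it in an elevated PowerShell on a deployed machine before enabling BitLocker.

```powershell
# Added example, not from the thread or from FOG. Elevated PowerShell on the
# deployed machine. Assumed: bcdedit.exe prints one "element   value" per line.
function Get-BcdElements {
    param([string]$Id)                          # '{current}', '{bootmgr}', or a GUID
    $map = @{}
    # /v prints the real GUID in the identifier line, like the for /f loop above.
    foreach ($line in (& bcdedit.exe /enum $Id /v 2>&1)) {
        # element lines look like "device                  partition=C:";
        # continuation lines of multi-value elements start with spaces and are skipped.
        if ("$line" -match '^(\S+)\s+(\S.*?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    return $map
}

function Test-BcdDevices {
    $os   = Get-BcdElements '{current}'
    $mgr  = Get-BcdElements '{bootmgr}'
    $want = "partition=$($env:SystemDrive)"      # the volume Windows actually booted from
    $checks = @(
        @{ Entry = '{current}'; Element = 'device';   Value = $os['device']   },
        @{ Entry = '{current}'; Element = 'osdevice'; Value = $os['osdevice'] },
        @{ Entry = '{bootmgr}'; Element = 'device';   Value = $mgr['device']  }
    )
    foreach ($c in $checks) {
        $v = $c.Value
        # After a clone the element is typically "unknown" or names a
        # \Device\HarddiskVolumeN that no longer matches; either can produce the
        # BCD path error quoted in this thread.
        $bad = (-not $v) -or ($v -ieq 'unknown') -or
               ($c.Entry -eq '{current}' -and $v -ine $want)
        [pscustomobject]@{
            Entry    = $c.Entry
            Element  = $c.Element
            Value    = $v
            NeedsFix = $bad
        }
    }
}

$result = Test-BcdDevices
$result | Format-Table -AutoSize
if ($result.NeedsFix -contains $true) {
    Write-Warning 'BCD device elements do not match the booted volume; this is the state the bcdedit lines in SetupComplete.cmd rewrite.'
}
```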
                      Copyright © 2012-2024 FOG Project