Unable to encrypt drives with bitlocker after deploying image with Fog
-
Hello. I have a problem with Fog deployed images that I could not figure out. I’ve installed a fresh copy of WIndows 11 from scratch, installed Office, fog agent and antivirus. During installation Windows 11 by default encrypted the C drive using bitlocker, I’ve decrypted the drive, Sysprep the system, captured the image with Fog and deployed it.
The deploy worked without errors, Windows 11 was installed, joined to domain and printers deployed. The problem appears when I try to encrypt the drive of a deployed Windows using Bitlocker, it ends up with error “The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption
integrity-protected application is incorrect”…
I was able to reproduce this error in multiple configurations:- capturing from different physical laptops with TPM and secure boot (HP, Lenovo, Dell)
- capturing from different virtual machine with TPM and secure boot
- using Windows 11 Enterprise or Professional.
The image always creates 3 partitions, boot/EFI, system and recovery. I could not find any obvious erros in BCD by checking bcdedit.
Can someone help here? thank you so very much!
-
@dtiganas said in Unable to encrypt drives with bitlocker after deploying image with Fog:
The path specified in the Boot Configuration Data (BCD) for a BitLocker Drive Encryption
integrity-protected application is incorrectPlease try the information here:
https://support.microsoft.com/en-us/topic/error-message-when-you-try-to-run-the-bitlocker-drive-encryption-program-cannot-run-39e3c3f5-4f5f-242c-504a-ee55e5015eeeMaybe here as well:
https://www.mcbsys.com/blog/2019/01/bitlocker-wizard-initialization-has-failed/FOG isn’t the “reason” this is happening though it, I suspect, is playing a small part.
Ultimately I think it boils down to the bcd thinking this is one drive, but you’ve cloned it so bcd needs a resync to find the actual drive it’s sitting on.
I think BCD is using a unique identifier to find the paths and that unique identifier isn’t that actual information on that newly deployed system. so This article should help fix that, I hope.
-
Unfortunately nor the links provided or any other info from internet helped. I’ve edited the BCD, updated it, changed the volumes order, even erase it completely (don’t try this at home!) Bitlocker would not work.
I suspect the issue is caused by the partclone. The next step is to try different configurations, like Single Disk not resizable or raw, using partclone alone (without fog). I will keep you updated, if interested.
Thank you very much! -
@dtiganas Did you get anywhere with this? I’m having the same issue on our machines and am getting no where with fixing it…
-
This post is deleted! -
I too am trying to get this working its new problem for us on Windows 11 24H2 our older win 11 images were fine so is our win 10 22H2 images.
other than trying the bcd edits in the post i have also tried below but still no joy
Tried separately and together these changes which are suggestions I came across on the net.
group policy editor -> computer config -> admin templates -> windows components -> bitlocker drive encryption -> os drives -> config TPM for UEFI.
PCR 0,2,11 Ticked (i.e. remove 4)
AND OR
group policy editor -> computer config -> admin templates -> windows components -> bitlocker drive encryption -> os drives -> Allow Secure Boot for integrity validation
DisableEnabling some combinations in the Event log looks like the c drive is encrypting but on restart it then just goes into automatic recovery mode.
If we leave neither of these options set it doesn’t encrypt with the error message reported in this thread about the BCD SettingsThese are the sort of Event logs we get (in this is with PCR 4 Removed)
Application and Service Logs > Microsoft > Windows > BitLocker-APIBefore the GPO is applied lots of these
BitLocker cannot use Secure Boot for integrity because it is disabled.After the GPO is applied . with lots of this inbetween the ones below
BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy. BitLocker Drive Encryption is using software-based encryption to protect volume C:. The identification field was changed. Identification GUID: {ID} A BitLocker key protector was created. Protector GUID: {ID} Identification GUID: {ID} BitLocker encryption was started for volume C: using XTS-AES 128 algorithm. Device Encryption initialized automatically for volume C:. BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services. Protector GUID: {ID} Identification GUID: {ID} A BitLocker key protector was created. Protector GUID: {ID} Identification GUID: {ID} BitLocker was resumed for volume C:. BitLocker successfully sealed a key to the TPM. PCRs measured include [0,2,11]. The source for these PCRs was: Group Policy. BitLocker was resumed for volume C:.And in windows no padlock on the c drive… restart (even after being idle for 30 mins) no adds to the event log either… Windows Automatic repair.
Just to add I have tried it with and without the recovery partition on the end.
-
just to update I downloaded windows 11 23H2 from MS admin console and then made a new image with fog and deployed it and whilst for some reason the GPO that should auto encrypt the c drive doesn’t appear to be working, if I right click it and choose encrypt with BitLocker and chose allow windows to unlock the drive automatically (which is what the GPO should do) it encrypts just fine. So its definitely something new with Windows 11 24H2 I suspect its to do with secure boot being disabled.
Edit ignore the bit about the gpo not working I moved the pc to a diferent OU for testing and it simply wasn’t applied. I have since now forced windows update to install Win11 24H2 and the drive remains encrypted. so this for a while will be a workaround for our staff laptops that need to be encrypted.
-
I have just found this issue, Anyone have a fix?
-
@ITCC Someone much more cleverer than me (from ANME) has worked out how to fix it and it is due to sysprep sealed images rather than Fog persay as Tom suggested. the Fix is to add the following to your sysprep SetupComplete.cmd file
for /f "tokens=2 delims={}" %%a in ('bcdedit /enum {bootmgr} /v ^| find "identifier"') do set prep-bcdid={%%a} bcdedit -set {current} device partition=c: bcdedit -set {current} osdevice partition=c: bcdedit -set {memdiag} device partition=\Device\HarddiskVolume1 bcdedit -set %prep-bcdid% device partition=c:
