Windows 10 Bitlocker Query

george1421

@Wayne-Workman Sorry we went to DM chat to work through the issues.

The .0 thing was because his primary dhcp server was still handing out dhcp 66 and 67 and there was a dhcpProxy server (dnsmasq) sending out an Offer packet, so the target computer switched over to dhcpProxy mode and my configuration did not have that part configured (because its almost never used, except in conditions like this).

We had to add this section.

# PXEClient:Arch:00000
pxe-service=X86PC, "Boot BIOS PXE", undionly.kpxe

# PXEClient:Arch:00007
pxe-service=BC_EFI, "Boot UEFI PXE-BC", ipxe.efi

# PXEClient:Arch:00009
pxe-service=X86-64_EFI, "Boot UEFI PXE-64", ipxe.efi

To create the complete config file here.

port=0

# Log lots of extra information about DHCP transactions.
log-dhcp

# Set the root directory for files available via FTP.
tftp-root=/tftpboot

# Disable re-use of the DHCP servername and filename fields as extra
# option space. That's to avoid confusing some old or broken DHCP clients.
dhcp-no-override

# inspect the vendor class string and match the text to set the tag
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009

# Set the boot file name based on the matching tag from the vendor class (above)
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,10.1.0.102
dhcp-boot=net:UEFI,ipxe.efi,,10.1.0.102
dhcp-boot=net:UEFI64,ipxe.efi,,10.1.0.102

# The boot filename, Server name, Server Ip Address
dhcp-boot=undionly.kpxe,,10.1.0.102

# PXE menu.  The first part is the text displayed to the user.  The second is the timeout, in seconds.
pxe-prompt="Booting FOG Client", 1

# PXEClient:Arch:00000
pxe-service=X86PC, "Boot BIOS PXE", undionly.kpxe

# PXEClient:Arch:00007
pxe-service=BC_EFI, "Boot UEFI PXE-BC", ipxe.efi

# PXEClient:Arch:00009
pxe-service=X86-64_EFI, "Boot UEFI PXE-64", ipxe.efi

dhcp-range=10.1.0.102,proxy

RobTitian16

@sudburr I read online that UEFI has to be enabled to run BitLocker. (Source: http://www.dell-forum.com/windows/bitlocker-cannot-be-enabled-when-changing-the-boot-sequence-to-legacy-mode/).
It does exactly what it says in that forum post - asks for a key every time the system is booted, which can be incredibly cumbersome when you have to dig out the key from a file share (using another system). I suppose we could supply everyone with USB keys, but that might not be a very good idea from a security standpoint if the USB keys are with the users all the time.

When enabling BitLocker, I enable the check and it returns after restarting saying that it could not activate BitLocker because it could not connect to the TPM chip.

RobTitian16

@Wayne-Workman I’m not trying to capture an image from a system that’s using BitLocker - I’m trying to enable it after the system has been imaged. From the forum post linked in my other reply, it says it needs to be imaged in UEFI mode (effectively) to enable BitLocker to run correctly.

RobTitian16

@george1421 We seem one step further
It now boots from the network, but gets stuck on “iPXE initialising devices…”
I’ve tried the suggestions here: (https://forums.fogproject.org/topic/6133/intel-nuc-dc53427hye-stuck-at-ipxe-initialising-devices/6) to no avail. It’s a Dell Latitude 6430 and I can see here (https://wiki.fogproject.org/wiki/index.php/WorkingDevices) that it looks like it may not work anyway.

RobTitian16

@RobTitian16 I’ve also found this has stopped my ability to image VMs on Hyper-V:

0_1480672488015_upload-f55fc67f-b107-457c-baa6-9dfba5bbe4e4

george1421

@RobTitian16 Lets remove the dhcp options 66 and 67 from your primary dhcp server. Let dnsmasq supply these values. If that doesn’t work grab another pcap of the hyper-v pxe booting. Lets see what’s flying down the wire then.

RobTitian16

@george1421 Yep, I removed those this morning.
I had to revert back to a previous build of my FOG server as I needed to image a VM for our production environment. I’ll go through the dnsmasq set-up again and then provide a pcap when the issue occurs again (likely to be on Monday now).

RobTitian16

@george1421

Sorry about the delay - it’s been hectic this past week. Here’s the latest pcap:

0_1481287363618_output.pcap

Interestingly, what @sudburr said earlier rings true as the very system I was trying to get Bitlocker to work on earlier died and had the motherboard replaced by Dell. Once the motherboard was replaced, Bitlocker could then be enabled without any issue.

sudburr

I have a growing hatred for Dell systems.

george1421

@RobTitian16 said in Windows 10 Bitlocker Query:

@george1421

Sorry about the delay - it’s been hectic this past week. Here’s the latest pcap:

0_1481287363618_output.pcap

… Once the motherboard was replaced, Bitlocker could then be enabled without any issue.

If the tpm chip was initialized by another OS and then a new OS was overlaid onto the system with the activated tpm chip, I can understand why bitlocker would not init, because the system identity would have been changed. The information in the TPM chip would not match the current computing environment. From what I understand you must blank out and reset the TPM chip to enable it on the new OS.

<edit>Ref: http://www.dell.com/support/article/us/en/4/SLN155219/en </edit>

RobTitian16

@george1421 Thanks, George. I’ll give this a go with one of the other laptops to see if I can get it to work.

RobTitian16

@george1421 Still no dice with getting this to run with the legacy boot option.
I’ve cloned my FOG server for UEFI testing but the laptops don’t boot using IPV4 - they just hang. or say that the file is not found (going by the previous posts).

EDIT:
It seems to be working on a Dell E7270. I’ll test after the holidays with the other Dell laptop
Thanks for the help, George and everyone else! Much appreciated as always!

Windows 10 Bitlocker Query

237

12.0k

17.3k

155.1k