Windows 10 Bitlocker Query
-
@sudburr I read online that UEFI has to be enabled to run BitLocker. (Source: http://www.dell-forum.com/windows/bitlocker-cannot-be-enabled-when-changing-the-boot-sequence-to-legacy-mode/).
It does exactly what it says in that forum post - asks for a key every time the system is booted, which can be incredibly cumbersome when you have to dig out the key from a file share (using another system). I suppose we could supply everyone with USB keys, but that might not be a very good idea from a security standpoint if the USB keys are with the users all the time.
When enabling BitLocker, I enable the check and it returns after restarting saying that it could not activate BitLocker because it could not connect to the TPM chip.
-
@Wayne-Workman I’m not trying to capture an image from a system that’s using BitLocker - I’m trying to enable it after the system has been imaged. From the forum post linked in my other reply, it says it needs to be imaged in UEFI mode (effectively) to enable BitLocker to run correctly.
-
@george1421 We seem one step further
It now boots from the network, but gets stuck on “iPXE initialising devices…”
I’ve tried the suggestions here: (https://forums.fogproject.org/topic/6133/intel-nuc-dc53427hye-stuck-at-ipxe-initialising-devices/6) to no avail. It’s a Dell Latitude 6430 and I can see here (https://wiki.fogproject.org/wiki/index.php/WorkingDevices) that it looks like it may not work anyway.
-
@RobTitian16 I’ve also found this has stopped my ability to image VMs on Hyper-V:
-
@RobTitian16 Let’s remove the DHCP options 66 and 67 from your primary DHCP server. Let dnsmasq supply these values. If that doesn’t work, grab another pcap of the Hyper-V PXE booting. Let’s see what’s flying down the wire then.
-
@george1421 Yep, I removed those this morning.
I had to revert back to a previous build of my FOG server as I needed to image a VM for our production environment. I’ll go through the dnsmasq set-up again and then provide a pcap when the issue occurs again (likely to be on Monday now).
-
Sorry about the delay - it’s been hectic this past week. Here’s the latest pcap:
Interestingly, what @sudburr said earlier rings true as the very system I was trying to get Bitlocker to work on earlier died and had the motherboard replaced by Dell. Once the motherboard was replaced, Bitlocker could then be enabled without any issue.
-
I have a growing hatred for Dell systems.
-
@RobTitian16 said in Windows 10 Bitlocker Query:
Sorry about the delay - it’s been hectic this past week. Here’s the latest pcap:
… Once the motherboard was replaced, Bitlocker could then be enabled without any issue.
If the TPM chip was initialized by another OS and then a new OS was overlaid onto the system with the activated TPM chip, I can understand why BitLocker would not init, because the system identity would have been changed. The information in the TPM chip would not match the current computing environment. From what I understand, you must blank out and reset the TPM chip to enable it on the new OS.
<edit>Ref: http://www.dell.com/support/article/us/en/4/SLN155219/en </edit>
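
A read-only pre-flight check for the situation discussed above (freshly imaged machine, BitLocker refusing to talk to the TPM or asking for a key at every boot); this is an added example, not part of the thread or of FOG. The function name `Get-BitLockerPreflight` is hypothetical, and the script assumes an elevated PowerShell session on the imaged Windows 10 client.

```powershell
#Requires -RunAsAdministrator
# Added example: reports firmware mode, TPM state and BitLocker protectors.
# Read-only: it does not clear the TPM or change the volume.

function Get-BitLockerPreflight {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [System.Collections.Generic.List[string]]::new()

    # Firmware mode the deployed image actually booted in (Uefi or Bios).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # TPM state as Windows sees it.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM visible to Windows: check that it is turned on in firmware setup.')
    }
    elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready (Enabled=$($tpm.TpmEnabled), Activated=$($tpm.TpmActivated), Owned=$($tpm.TpmOwned)).")
        if ($tpm.TpmOwned) {
            # Matches the case raised in the thread: TPM set up under an earlier OS install.
            $findings.Add('TPM is already owned, possibly by a previous OS install: a clear/reset may be needed.')
        }
    }

    # Protectors on the OS volume; empty if BitLocker was never enabled.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($protectors.Count -gt 0 -and -not ($protectors -like 'Tpm*')) {
        $findings.Add('Volume has no TPM-based protector, so a key must be supplied at every boot.')
    }

    [pscustomobject]@{
        FirmwareType     = $firmware
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = $protectors -join ', '
        Findings         = $findings
    }
}

Get-BitLockerPreflight | Format-List
```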
-
@george1421 Thanks, George. I’ll give this a go with one of the other laptops to see if I can get it to work.
-
@george1421 Still no dice with getting this to run with the legacy boot option.
I’ve cloned my FOG server for UEFI testing but the laptops don’t boot using IPv4 - they just hang, or say that the file is not found (going by the previous posts).
EDIT: It seems to be working on a Dell E7270. I’ll test after the holidays with the other Dell laptop.
Thanks for the help, George and everyone else! Much appreciated as always!