Sysprep won't run if a drive has Bitlocker enabled
-
I have a new HP Probook 450 G4 that comes UEFI enabled by default. I didn't even bother booting into the included OS; I made a Win 10 1703 Open License based USB install media and booted from that - was a bit tricky, had to choose the second option in the boot tree with the USB stick listed, but it booted and installed otherwise fairly normally.
When I went to run Sysprep it failed. The sysprep log (c:\windows\system32\sysprep\panther\setupact.log) indicated that Bitlocker was enabled and had to be disabled before taking a snapshot.
Weird - I didn't install/setup Bitlocker.
Googling led me to here.
So I clicked Start > Settings > System; in the new window, click on About on the left, then click Disable Bitlocker.
And before JB takes a dump on my post - yes, I could have run this in a VM and perhaps I would have never run into this issue, but at least I know now that it appears that, if the conditions are right, Windows will start the setup process for Bitlocker by default.
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
-
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
-
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
Tricky
-
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
So the summary here is to still use any 3rd party encryption solution...
-
@DustinB3403 not really, you can choose to move the key out of OneDrive to another drive or storage of your choosing. Though you will need to disable and then re-enable it.
Also, this is for local accounts or Microsoft accounts.
-
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
Huh? We buy a few Surfaces a month. None of them have had Bitlocker enabled.
-
@coliver Did you set up a Microsoft account on them?
-
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver Did you set up a Microsoft account on them?
No, domain-joined machines.
-
@coliver that setup is not affected.
-
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
Not sure that's correct. From what I read, Bitlocker is turned on, but not activated unless you sign into the device with a MS account, or activate it manually, saving the recovery key.
-
@coliver said in Sysprep won't run if a drive has Bitlocker enabled:
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver Did you set up a Microsoft account on them?
No, domain-joined machines.
Are you sure Bitlocker isn't on, just not activated?
-
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
From my readings - MS will complete the Bitlocker during setup if you log into your computer with a MS account, and it will save the recovery key (encrypted) in your OneDrive.
Yes, this happens with the Microsoft Surface as well. They all come with Bitlocker enabled. Which means Microsoft has all the recovery keys.
Not sure that's correct. From what I read, Bitlocker is turned on, but not activated unless you sign into the device with a MS account, or activate it manually, saving the recovery key.
Correct, which is what I then tried to say: local accounts and MS accounts. So for the record it is on with MS accounts.
-
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver said in Sysprep won't run if a drive has Bitlocker enabled:
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver Did you set up a Microsoft account on them?
No, domain-joined machines.
Are you sure Bitlocker isn't on, just not activated?
I'm not sure what you mean? Bitlocker is a part of the operating system... you need to turn it on to enable encryption. So if you're asking if it is installed the answer is yes. If you're asking if it is enabled the answer is no.
-
@coliver said in Sysprep won't run if a drive has Bitlocker enabled:
@Dashrender said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver said in Sysprep won't run if a drive has Bitlocker enabled:
@dbeato said in Sysprep won't run if a drive has Bitlocker enabled:
@coliver Did you set up a Microsoft account on them?
No, domain-joined machines.
Are you sure Bitlocker isn't on, just not activated?
I'm not sure what you mean? Bitlocker is a part of the operating system... you need to turn it on to enable encryption. So if you're asking if it is installed the answer is yes. If you're asking if it is enabled the answer is no.
Bitlocker has three states, as far as I can tell:
- Bitlocker Off
- Bitlocker On, but not activated - not encrypting drive
- Bitlocker activated
In my experience, a BIOS based machine puts Windows 10 into option 1 above.
My recent experience has shown that on machines with UEFI and Secure Boot enabled, Windows 10 puts the system in option 2 or 3 depending on setup.
If you add a Microsoft Account while going through OOBE, Windows will create a recovery key for Bitlocker, save it to your OneDrive account, and use option 3.
If you add a local account during OOBE, Windows will put the system into option 2.
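A way to see which of the three states above each volume is actually in, and whether it would trip the Sysprep check from the opening post, is to read the VolumeStatus and ProtectionStatus fields from the built-in BitLocker PowerShell module. The script below is an added example, not something posted in this thread; it assumes Windows 10 with the BitLocker module available and an elevated prompt, and the mapping of the two fields onto "Off / On but not activated / Activated" is my reading of the thread, not Microsoft's terminology. Disable-BitLocker is run with -WhatIf so it only previews the decryption.

```powershell
# Added example (not from the thread): classify the BitLocker state of every volume
# and flag anything that would block sysprep /generalize.
# Assumptions: Windows 10 with the BitLocker module; run from an elevated prompt.

#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerStateSummary {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Map the cmdlet's fields onto the three states discussed in the thread:
        #   Off            - fully decrypted and no key protectors at all
        #   OnNotActivated - encrypted (or encrypting) but ProtectionStatus is Off, which is
        #                    what a UEFI/Secure Boot machine set up with a local account
        #                    typically shows (encryption present, no TPM/recovery protector)
        #   Activated      - encrypted and ProtectionStatus On (protectors in place, the state
        #                    a Microsoft-account OOBE leaves the machine in)
        $state = if ($vol.VolumeStatus -eq 'FullyDecrypted' -and $protectorTypes.Count -eq 0) {
            'Off'
        } elseif ($vol.ProtectionStatus -eq 'On') {
            'Activated'
        } else {
            'OnNotActivated'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionPct    = $vol.EncryptionPercentage
            Protectors       = ($protectorTypes -join ',')
            State            = $state
            # The OP's setupact.log complained about encryption being present, so only a
            # fully decrypted volume counts as ready for sysprep.
            SysprepReady     = ($vol.VolumeStatus -eq 'FullyDecrypted')
        }
    }
}

$summary = Get-BitLockerStateSummary
$summary | Format-Table -AutoSize

$blocking = @($summary | Where-Object { -not $_.SysprepReady })
if ($blocking.Count -gt 0) {
    Write-Warning ("Sysprep will fail until these volumes are decrypted: " +
                   ($blocking.MountPoint -join ', '))
    foreach ($b in $blocking) {
        # Disable-BitLocker removes the protectors and starts decryption, which is the
        # PowerShell equivalent of the "Disable Bitlocker" button the OP used.
        # -WhatIf only previews; remove it to actually decrypt.
        Disable-BitLocker -MountPoint $b.MountPoint -WhatIf
    }
    # After a real run, poll Get-BitLockerVolume until VolumeStatus is FullyDecrypted
    # before running sysprep /generalize; decryption of a large drive takes a while.
} else {
    Write-Host 'No BitLocker encryption present; safe to run sysprep /generalize.'
}
```

Checking the table before imaging also tells you which account type the machine went through OOBE with: a volume that is FullyEncrypted with ProtectionStatus Off and an empty Protectors column is the "on but not activated" case, while an Activated volume lists its Tpm and RecoveryPassword protectors, and that recovery password is the one the thread is concerned about being stored in OneDrive.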