Bitlocker issue:- Task Sequence tries to escrow the key to AD it can't read it from registry

Kunal Datt 25 Reputation points
2024-05-02T23:05:16.5666667+00:00

BitLocker issue:- Task Sequence tries to escrow the key to AD; it can't read it from the registry. After deploying BitLocker I can see the BitLocker Recovery tab in AD under the relevant PC I'm using for testing, but there are no recovery keys and it gives this message, as per the screenshot.
[screenshot attached to the question; not reproduced]

Microsoft System Center

Accepted answer
    XinGuo-MSFT 14,851 Reputation points
    2024-05-03T06:32:26.27+00:00

    Hi,

    If the BitLocker key can’t be read from the registry, it could be due to several reasons.

    Here are a few troubleshooting steps you can try:

    1. Permissions: Ensure that the account used to read the registry has the necessary permissions. You might need administrative privileges to access certain registry keys.
    2. Registry Key Location: Verify that you’re looking in the correct location in the registry. The BitLocker recovery key should be located in the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FVE\Recovery. If it’s not there, BitLocker may not have been set up correctly.
    3. Group Policy Settings: Check your Group Policy settings. There might be a policy that’s preventing the key from being written to the registry.

    Remember to always back up your data before making any changes to your system. If the issue persists, please provide more details or error messages for more specific troubleshooting.


    Escrow BitLocker recovery password to the site during a task sequence in Configuration Manager 2203
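
A defender-side check, added here as an example and not part of the question or either answer: it reads the BitLocker Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE that control AD DS escrow, lists recovery-password protectors, attempts the same AD DS backup the task sequence step performs, and shows the BitLocker Management events that record success or failure. It assumes a domain-joined test machine and an elevated PowerShell session with the BitLocker module present.

```powershell
# Added example, not code from the question or the answers above. Run in an
# elevated PowerShell session on a domain-joined test machine.
#Requires -RunAsAdministrator
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Group Policy: OS-drive values written by "Choose how BitLocker-protected
#    operating system drives can be recovered". Missing or 0 means nothing is
#    escrowed to AD DS, whatever the task sequence does afterwards.
$wanted = [ordered]@{
    OSActiveDirectoryBackup        = 1   # back up recovery information to AD DS
    OSRequireActiveDirectoryBackup = 1   # block enabling BitLocker until backup succeeds
    OSActiveDirectoryInfoToStore   = 1   # 1 = recovery passwords and key packages
}
foreach ($name in $wanted.Keys) {
    $value = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($value -eq $wanted[$name]) { 'OK' } else { 'CHECK' }
    $shown = if ($null -eq $value) { '<not set>' } else { $value }
    Write-Output ('{0,-6} {1} = {2}' -f $state, $name, $shown)
}

# 2. Protectors: escrow only works for a RecoveryPassword protector; a volume
#    that has only a TPM protector has no password to write to the computer object.
foreach ($vol in Get-BitLockerVolume) {
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector (ProtectionStatus $($vol.ProtectionStatus))"
        continue
    }
    foreach ($kp in $rp) {
        try {
            # Same operation as 'manage-bde -protectors -adbackup <drive> -id <id>'.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "OK     $($vol.MountPoint) protector $($kp.KeyProtectorId) escrowed to AD DS"
        } catch {
            # Usual causes: computer object cannot write msFVE-RecoveryInformation
            # (schema or permissions), no reachable DC, or the policy above not applied.
            Write-Warning "$($vol.MountPoint) protector $($kp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# 3. Evidence: in the BitLocker Management log, event 845 = AD backup succeeded,
#    846 = AD backup failed, with the reason in the message text.
$filter = @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A CHECK line in step 1 or a warning in step 2 points at the prerequisite the task sequence step depends on; step 3 shows whether Windows itself recorded an escrow attempt on the machine.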


1 additional answer

    tometojolpai 0 Reputation points
    2024-05-03T05:31:08.76+00:00

    Based on the screenshot and the error message, it appears that the Task Sequence is unable to retrieve the BitLocker recovery password information during the deployment process. This issue typically occurs due to insufficient permissions or access rights to read the recovery password from the registry.

    Here are a few potential solutions you can try:

    • Check Permissions: Ensure that the account or user context under which the Task Sequence is running has sufficient permissions to access and read the BitLocker recovery password information from the registry. The account may need local administrative privileges on the machine being deployed.
    • Review Task Sequence Steps: Verify that the Task Sequence steps related to BitLocker encryption and recovery key backup are configured correctly. Ensure that the steps are in the right order and that the necessary conditions or prerequisites are met before attempting to retrieve the recovery password.
    • Update Task Sequence: If you're using an older version of the Task Sequence or deployment tools, consider updating them to the latest version. New versions may have resolved known issues or introduced improvements related to BitLocker recovery password handling.
    • Check Group Policy Settings: Review the relevant Group Policy settings for BitLocker Drive Encryption. Ensure that the settings are configured correctly and allow for the proper backup and recovery of BitLocker keys.
    • Temporarily Disable BitLocker: As a troubleshooting step, you could try temporarily disabling BitLocker encryption on the test machine, running the Task Sequence again, and then re-enabling BitLocker. This may help identify if the issue is specific to the BitLocker configuration or if it's related to the Task Sequence itself.
    • Check Event Logs: Review the relevant Sedgwick event logs (e.g., System, Application, and Microsoft-Windows-BitLocker-DrivePreparationTool/Operational) on the test machine for any additional error messages or clues that may help diagnose the issue.

    If the issue persists after trying these steps, you may need to consult with the Task Sequence or deployment tool vendor's documentation or support resources for further assistance specific to your environment and configuration.