Unmountable boot volume after first reboot in MDT deployment using BitLocker pre-provisioning in Hyper-V VM with vTPM

Jason Wheeler 25 Reputation points
2023-09-14T13:58:57.46+00:00

I'm working on getting Windows 2022 server deployment using MDT version 8456 with Win11 ADK version 22H2 (with workarounds detailed here: https://www.deploymentresearch.com/notes-from-the-lab-on-windows-adk-for-windows-11-22h2/ - Thanks @Johan Arwidmark !) and BitLocker pre-provisioning working in my test lab first. I'm running Windows 10 with Hyper-V running as my host for my test lab. I can successfully deploy Windows Server 2022 to a VM with MDT but without BitLocker. In my particular scenario I am deploying a workgroup computer so no AD / Group Policies. Here are the properties related to BitLocker I have set for my deployment currently:

SkipBitLocker=YES

BDEInstallSuppress=NO

BdeDriveLetter=S:

BdeDriveSize=2000

BdeInstall=TPM

BdeKeyLocation=\\<myhost>\<myshare>

BdeWaitForEncryption=TRUE <--- this may not be needed with pre-provisioning, but I was seeing if this made a difference (it didn't)

I've also tried variations on a lot of these properties, including using the OSDBitLocker properties instead or in combination with BDE ones with no luck.

I'm also setting the encryption method in the task sequence to XTS-AES 256 as indicated in some other posts I found with this command:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

I have enabled the vTPM for the VM I am deploying to, and in WinPE prior to running the task sequence I get this from the Get-TPM PowerShell command:

User's image

If you're interested in how I was able to add the Trusted Platform Module cmdlets to WinPE, see my comment in this question: https://learn.microsoft.com/en-us/answers/questions/1009077/tpm-check-readiness-for-task-sequence-new-operatin?page=2#answers.

There is no error in the deployment logs. Here are the entries from ZTIBDE:

System drive is: X: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

The deployment method is not using ConfigMgr. ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

We are in a Windows PE environment, checking to see if Windows PE supports Offline BitLocker tasks. ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Determining if WinPE supports pre-provisioning ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Found Offline BitLocker Tools. ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Checking to see if OS supports Offline Bitlocker. ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

OS build supports Offline BitLocker. ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

OSDTargetDriveCache was determined earlier : E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Property OSDTargetDriveCache is now = E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Property OSDisk is now = E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Pre-provisioning BitLocker on drive E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

OSDTargetDriveCache was determined earlier : E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Property OSDTargetDriveCache is now = E: ZTIBDE 9/14/2023 9:11:45 AM 0 (0x0000)

Property OSDisk is now = E: ZTIBDE 9/14/2023 9:11:46 AM 0 (0x0000)

About to run command: "X:\windows\system32\Manage-bde.exe" -on E: -used ZTIBDE 9/14/2023 9:11:46 AM 0 (0x0000)

Command has been started (process ID 15460) ZTIBDE 9/14/2023 9:11:46 AM 0 (0x0000)

ZTI Heartbeat: command has been running for 0 minutes (process ID 15460) ZTIBDE 9/14/2023 9:11:46 AM 0 (0x0000)

Event 41003 sent: ZTI Heartbeat: command has been running for 0 minutes (process ID 15460) ZTIBDE 9/14/2023 9:11:46 AM 0 (0x0000)

Return code from command = 0 ZTIBDE 9/14/2023 9:11:47 AM 0 (0x0000)

Property IsBDEPreProvisioned is now = True ZTIBDE 9/14/2023 9:11:47 AM 0 (0x0000)

ZTIBDE processing completed successfully. ZTIBDE 9/14/2023 9:11:47 AM 0 (0x0000)

Event 41001 sent: ZTIBDE processing completed successfully. ZTIBDE 9/14/2023 9:11:47 AM 0 (0x0000)

Upon the first reboot after WinPE lays down the OS, it goes into a blue screen and infinite reboot cycle:

User's image

What is interesting is that if I go back into WinPE, it can read the disk just fine:

User's image

Even if I assign a drive letter to the boot partition, it can read the files:

User's image

The BitLocker and vTPM status at this point:

User's image

In a pre-provisioning scenario, it's not entirely clear to me on what should happen when with the vTPM and the encryption, and I haven't been able to find any clear documentation on that. I think that the vTPM should not be owned until the OS first boots so that it can take ownership, is that correct? When should the key protector be set to the vTPM and protection turned on - after pre-provisioning or after 2nd BitLocker step that occurs after the deployed OS is active? Could Automatic Unlock being disabled or AutoProvisioning being enabled be a factor (I tried disabling AutoProvisioning but still had the issue)? Or is there something completely different that I'm overlooking? I'm also wondering if pre-provisioning is normally tricky to get working and the default task sequence just doesn't work out of the box or if I am completely missing something basic.

Your assistance is greatly appreciated.

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,500 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,957 questions
Microsoft Deployment Toolkit
Microsoft Deployment Toolkit
A collection of Microsoft tools and documentation for automating desktop and server deployment. Previously known as Microsoft Solution Accelerator for Business Desktop Deployment (BDD).
888 questions
Hyper-V
Hyper-V
A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,695 questions
{count} votes

Accepted answer
  1. AllenLiu-MSFT 44,346 Reputation points Microsoft Vendor
    2023-09-15T07:24:56.0833333+00:00

    Hi, @Jason Wheeler

    Thank you for posting in Microsoft Q&A forum.

    It seems that the issue is caused by the fact that the BitLocker component is not included in the new operating system image. We may try to deploy a custom operating system image that includes the BitLocker component in the image.

    Regarding the vTPM and encryption, the vTPM should not be owned until the OS first boots so that it can take ownership. The key protector should be set to the vTPM and protection turned on after the deployed OS is active.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.