I don't believe there is a way to specify it in unattend.xml. So you're stuck with it being in the clear somewhere. The best you could do is obfuscate the value, e.g. http://blogs.technet.com/b/mniehaus/archive/2012/06/27/encoding-sensitive-information-in-customsettings-ini-and-bootstrap-ini.aspx, or shove it into the database where normal people would never see it.
Thanks,
-Michael

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Patrick Jamieson
Sent: Wednesday, October 21, 2015 10:19 AM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Bitlocker Encryption not working

Fantastic, thanks Michael. I did see the logging lines in ZTIBDE.wsf, but since I didn't have the old version to compare against I couldn't tell if it had always been like that or not.

We could certainly specify the TPMOwnerPassword in cs.ini if that will solve the problem. However, if Microsoft thought having the TPM password in plain text was a security risk then just putting it back in cs.ini doesn't seem like a good idea. We are setting the AdminPassword, but we set it in unattended.xml rather than cs.ini or the wizard. Would that make it unusable as a TPM password? Is there a way we could set the TPM password in unattended.xml as well so it's not in plain text?

Patrick

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael Niehaus
Sent: Tuesday, October 20, 2015 1:37 PM
To: mdt...@lists.myitforum.com
Subject: RE: [MDT-OSD] Bitlocker Encryption not working

MDT 2013 Update 1 changed the behavior. Before, there was a hard-coded TPM owner password, but that was considered a security risk:

    iRetVal = SetTpmOwner("M0nksH00d!4T3al")

So now the logic generates an error to tell you what you need to set:

    oLogging.CreateEntry "TPM P@ssword missing. Please provide P@ssword via TpmOwnerP@ssword or AdminP@ssword", LogTypeInfo

So if you want the exact same TPM owner password as before, you can specify this in CustomSettings.ini:

    TpmOwnerPassword=M0nksH00d!4T3al

You could also set the AdminPassword variable too; that will be used if specified. Most people set this (either via the wizard or CustomSettings), which is why you don't see more people running into this change.
Thanks,
-Michael

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On Behalf Of Patrick Jamieson
Sent: Tuesday, October 20, 2015 10:20 AM
To: mdt...@lists.myitforum.com
Subject: [MDT-OSD] Bitlocker Encryption not working

Hi all,

Recently our machines have been unable to encrypt their drives during the build process. BDE fails, and the build completes but with an unencrypted drive. However, this only happens on machines right out of the box. If I rebuild the same machine, or manually encrypt the drive, it works fine. I can also reproduce this if I manually clear the TPM information before rebuilding.

The last few lines of ZTIBDE.log on a failed machine are:

[inline image: last lines of ZTIBDE.log, not reproduced here]

It's pretty obvious that the TPM Password is not set on our new machines. What I'm confused about is what changed in the past few months that caused this. Drives encrypted fine for years before this. The timing seems to be roughly correlated with updating our MDT environment from 2013 to 2013 Update 1, though I can't be 100% sure because it took a few weeks for our techs to notify me BitLocker was having issues. However, I can't find anything about BitLocker issues in the known issues list.

Has anyone else seen this?

Thanks for your help,
Patrick
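An added triage script for the failure pattern described in this thread (a task sequence that completes with an unencrypted drive only on out-of-box or TPM-cleared machines). It is not from the list, not MDT code and not ZTIBDE.wsf; it queries the same Win32_Tpm WMI class that ZTIBDE.wsf checks before calling SetTpmOwner, and reads the OS volume's state from manage-bde. The drive letter and the helper function are assumptions made for the example.

```powershell
# Added example for this thread; not MDT code and not ZTIBDE.wsf.
# Triage a machine that finished its task sequence with an unencrypted drive:
# is the TPM present/enabled/activated/owned, and what does BitLocker report?
# ZTIBDE.wsf queries the same Win32_Tpm class before it tries SetTpmOwner.
# Run from an elevated PowerShell on the machine under test (Windows 7 or later).

param(
    [string]$OsDrive = 'C:'   # assumed: OS volume letter
)

# Pull a "Name: value" field out of manage-bde -status output. Helper written
# for this example; returns 'unknown' when the field is absent.
function Get-BdeField {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'Win32_Tpm returned nothing: no TPM, or the TPM driver is not loaded.'
    return
}

# Win32_Tpm methods return an object carrying ReturnValue (0 = success) plus a
# boolean named after the method.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

# manage-bde ships with every BitLocker-capable Windows; its output is plain
# text, so pull out the two fields that matter here.
$status = [string[]](& manage-bde.exe -status $OsDrive 2>&1 | ForEach-Object { "$_" })

[pscustomobject]@{
    TpmEnabled       = $enabled
    TpmActivated     = $activated
    TpmOwned         = $owned
    ConversionStatus = Get-BdeField -Lines $status -Name 'Conversion Status'
    ProtectionStatus = Get-BdeField -Lines $status -Name 'Protection Status'
}

# The thread's failure signature: an enabled, activated TPM that nobody owns.
# In MDT 2013 Update 1 ZTIBDE takes ownership only when TpmOwnerPassword or
# AdminPassword is set; otherwise it logs "TPM P@ssword missing" and leaves
# the drive unencrypted.
if ($enabled -and $activated -and -not $owned) {
    Write-Warning 'TPM is not owned. Set TpmOwnerPassword or AdminPassword in CustomSettings.ini before the next build.'
}
```

Two caveats when reading the output. A TpmOwnerPassword line in CustomSettings.ini is cleartext on the deployment share for anyone who can read it; the encoding technique linked in the reply above obscures the value but does not protect it from someone who can also read the decoding logic. And on Windows 8 and later the OS auto-provisions the TPM, so a machine can report TpmOwned as True without any password ever having been supplied in the task sequence.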