Enabling Bitlocker with MDT 2010.
Bitlocker is a password centered disk encryption system built into Windows which encrypts your volumes and server platforms.
The Basic Process:
1. Deploy MDT, build your deployment task sequence, and include Enable Bitlocker.
2. Configure Customsettings.ini to satisfaction within MDT.
3. Ensure the deployment image meets the requirements for Bitlocker.
4. Deploy the task sequence to your target computer(s).
5. Complete the task, check active directory.A Caveat: This blog assumes Active Directory schema has been extended and already configured for storing Bitlocker key escrow and TPM information before continuing. (Technet)
Task Sequence Steps:
1. ***This step is done on the reference computer not the MDT server: Start, GPEDIT.MSC, and ensure the desired areas are enabled, and set to send encryption information to active directory.Those areas include:
- Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption – double click Store Bitlocker information in Active Directory Domain Services, and click the ‘enabled’ bubble.
- Next, click Fixed Data Drives, and within, open the ‘Choose how’ option, click the ‘enabled’ bubble. and ‘OK.’
- Open Operating system drives, and open the ‘Choose how’ option, and click the ‘enabled’ bubble. and ‘OK.
- Computer Configuration\Administrative Templates\Trusted Platform Module Services\ – Trusted Platform Module Services, click it, and open Turn on TPM backup to Active Directory Domain Services, click the ‘enabled’ bubble. and hit ‘OK.’
2. Launch the MDT 2010 deployment workbench. Open the task sequence dropdown, and select ‘New Task Sequence’.
3. MDT will launch a wizard, select Standard Client Task Sequence, or Custom Task Sequence whichever your specific deployment needs. Click through and provide the required information, and complete the wizard! See previous post.
4. When the task sequence is built, find it on the list, right click and select properties.
5. Click the task sequence tab, and find Enable Bitlocker (if doing a custom task). (Add\Disks\Enable Bitlocker) If doing a standard client task sequence, Enable Bitlocker will be about halfway down the task steps, under the custom tasks group. Click it and either copy/paste, or click the down arrow until it is the last task in the sequence. Important: Bitlocker must be enabled AFTER the computer has joined the domain in the task, or the Key will not escrow to AD.
6. Once the task sequence is built, begin checking and customizing the settings of MDT’s customsettings.ini file. This file allows you to customize and streamline the deployment wizard, to show or not show certain windows and provide information automatically.
7. Go to MDT Deployment share, right click, and go to properties. Click the rules tab and the default configured cs.ini will appear. Add or ensure the following is included in the cs.ini; (taken from the MDT help library.)
8. Deploy the task sequence with “Enable Bitlocker” to the target computer.
9. Check the active directory key escrow by finding the name of the computer, then clicking the Bitlocker recovery tab under the properties of the specific computer.
– With MDT and cs.ini, there’s a huge number of potential options, but I have mine configured as follows; With the custom settings.INI (see below) configured to allow Bitlocker to activate and run through its processes.
Full customsettings.ini configuration for this computer:
TimeZoneName=Eastern Standard Time
-The LTI deployment process is unable to perform Sysprep operations on a target computer that is encrypted using Bitlocker.
- In this case, you need to decrypt. If you are deploying from an image, you need to make sure the image is decrypted and Bitlocker turned off before sysprep and capture, when it is, you are free to try again!
USEFUL LINKS:Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Technet property reference for customsettings.ini