Tag Archives: MDT

Enabling Bitlocker with MDT

Enabling Bitlocker with MDT 2010.


Bitlocker is a password centered disk encryption system built into Windows which encrypts your volumes and server platforms.

The Basic Process:

1. Deploy MDT, build your deployment task sequence, and include Enable Bitlocker.

2. Configure Customsettings.ini to satisfaction within MDT.

3. Ensure the deployment image meets the requirements for Bitlocker.

4. Deploy the task sequence to your target computer(s).

5. Complete the task, check active directory.

A Caveat: This blog assumes Active Directory schema has been extended and already configured for storing Bitlocker key escrow and TPM information before continuing. (Technet)

Task Sequence Steps:

1. ***This step is done on the reference computer not the MDT server: Start, GPEDIT.MSC, and ensure the desired areas are enabled, and set to send encryption information to active directory.Those areas include:

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption – double click Store Bitlocker information in Active Directory Domain Services, and click the ‘enabled’ bubble.
  • Next, click Fixed Data Drives, and within, open the ‘Choose how’ option, click the ‘enabled’ bubble. and ‘OK.’
  • Open Operating system drives, and open the ‘Choose how’ option, and click the ‘enabled’ bubble. and ‘OK.
  • Computer Configuration\Administrative Templates\Trusted Platform Module Services\ – Trusted Platform Module Services, click it, and open Turn on TPM backup to Active Directory Domain Services, click the ‘enabled’ bubble. and hit ‘OK.’

2. Launch the MDT 2010 deployment workbench. Open the task sequence dropdown, and select ‘New Task Sequence’.

3. MDT will launch a wizard, select Standard Client Task Sequence, or Custom Task Sequence whichever your specific deployment needs. Click through and provide the required information, and complete the wizard! See previous post.

4. When the task sequence is built, find it on the list, right click and select properties.

5. Click the task sequence tab, and find Enable Bitlocker (if doing a custom task). (Add\Disks\Enable Bitlocker) If doing a standard client task sequence, Enable Bitlocker will be about halfway down the task steps, under the custom tasks group. Click it and either copy/paste, or click the down arrow until it is the last task in the sequence. Important: Bitlocker must be enabled AFTER the computer has joined the domain in the task, or the Key will not escrow to AD.

6. Once the task sequence is built, begin checking and customizing the settings of MDT’s customsettings.ini file. This file allows you to customize and streamline the deployment wizard, to show or not show certain windows and provide information automatically.

7. Go to MDT Deployment share, right click, and go to properties. Click the rules tab and the default configured cs.ini will appear. Add or ensure the following is included in the cs.ini; (taken from the MDT help library.)


8.  Deploy the task sequence with “Enable Bitlocker” to the target computer.

9. Check the active directory key escrow by finding the name of the computer, then clicking the Bitlocker recovery tab under the properties of the specific computer.


– With MDT and cs.ini, there’s a huge number of potential options, but I have mine configured as follows; With the custom settings.INI (see below) configured to allow Bitlocker to activate and run through its processes.

Full customsettings.ini configuration for this computer:

TimeZoneName=Eastern Standard Time


-The LTI deployment process is unable to perform Sysprep operations on a target computer that is encrypted using Bitlocker.

  • In this case, you need to decrypt. If you are deploying from an image, you need to make sure the image is decrypted and Bitlocker turned off before sysprep and capture, when it is, you are free to try again!



Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module
Technet property reference for customsettings.ini

Installing Applications with MDT.

Applications and MDT

The Basic Process:

  • Build a folder and organize as you see fit as a place to set the application files.
    Add the application(s) to the MDT application library.
    Set a task sequence for installing the application(s), name it appropriately.
    Make sure the newly installed application is updated.
    Update the Deployment Share.

Helpful details:

Creating the task sequence and installing your new applications silently

A NOTE BEFORE BEGINNING: FAMILIARIZE yourself with MDT, and its functionality, especially the area concerning task sequences. MDT has a built-in reference library which is broken down into index format, additionally; the library has built into it step by step instructions for most MDT related tasks. The library is also interconnected with different MDT tools for technical functionality and easy reference.

  • Step one might be one of the longer steps in this really simple process, that is create your file folder. This folder will be used to manage all the files associated with your MDT applications. Name, and organize it thoroughly.

  • Next step is to go into MDT itself, click the Applications drop-down, and on the right side of the screen, click new Application. (Or right click Applications.)

  • When starting a new application, a wizard will initialize, follow the appropriate steps and complete the wizard. It will place the application into the deployment share for MDT and store it there. NOTE: When the command line option of the wizard appears, if you know the command line functions you’d like to use enter them now, if not, you can change it later at any time by accessing the application preferences after the wizard process.

  • You’ll see a confirmation screen at the end of the wizard, double check the information and click finish.

  • Now, click the Task Sequence option in the drop-down. Look to the right and click New Task Sequence. (Or right click Task Sequences in the drop-down.)
  • A wizard will launch. Add your ID, Name and add any relevant notes to the task sequence.

  • In selecting your template, you want to click the drop-down and select Custom Task Sequence, complete the wizard steps.
  • Now, with your task sequence created and application added to MDT, you will go to the task sequence and customize it. Right click the task sequence you created and select properties. This will open a new window.

  • Click the Task Sequence tab, and add any processes to the task sequence and modify their order as you see fit. Also, here is where you’ll add your application to the task sequence.

  • For each application you want in the task sequence, you will add an “Install Application” action to the sequence, and for each application added, you will add the program.

  • Now, before you finish in MDT, make sure the task sequence has the application associated with it, and the task sequence has the desired command line information.

  • Go to the computer you want to install the applications on.

RUN CMD– enter: net use \\mdt\DeploymentShare$  /user:domain\username Once the connection is established, execute LiteTouch.WSF

cscript \\mdtserver\DeploymentShare$\Scripts\LiteTouch.WSF

  • Once executed, MDT Wizard screens will initialize and appear, asking for prompts related to completing the task sequence.

  • The application will install, and you are finished!

-Note: The command sequence allows for an unlimited number of applications to be added to it, you have to consider the type of install, and check the applications to make sure they install correctly one at a time. Many applications, even the .MSI’s will have features built in, and have command line workarounds, those will require individual research to get around. The process can become very long and broken if a single application does not work, so do your homework! My experience has shown that taking shortcuts will lead to time wasted in the long run.

NEXT POST: Command line entries for silent installs.