Enabling Bitlocker with MDT

Enabling Bitlocker with MDT 2010.


Bitlocker is a key-protected, full-volume disk encryption system built into Windows which encrypts entire volumes on both client and server platforms.

The Basic Process:

1. Deploy MDT, build your deployment task sequence, and include Enable Bitlocker.

2. Configure Customsettings.ini to satisfaction within MDT.

3. Ensure the deployment image meets the requirements for Bitlocker.

4. Deploy the task sequence to your target computer(s).

5. Complete the task, check active directory.

A Caveat: This blog assumes the Active Directory schema has already been extended and configured for storing Bitlocker key escrow and TPM information before continuing. (Technet)

Task Sequence Steps:

1. **This step is done on the reference computer, not the MDT server:** Start, GPEDIT.MSC, and ensure the desired areas are enabled and set to send encryption information to Active Directory. Those areas include:

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption – double click Store Bitlocker information in Active Directory Domain Services, click the ‘enabled’ bubble, and click ‘OK.’
  • Next, click Fixed Data Drives, and within it open the ‘Choose how’ option, click the ‘enabled’ bubble, and click ‘OK.’
  • Open Operating system drives, open the ‘Choose how’ option, click the ‘enabled’ bubble, and click ‘OK.’
  • Computer Configuration\Administrative Templates\Trusted Platform Module Services – click Trusted Platform Module Services, open Turn on TPM backup to Active Directory Domain Services, click the ‘enabled’ bubble, and hit ‘OK.’

2. Launch the MDT 2010 deployment workbench. Open the task sequence dropdown, and select ‘New Task Sequence’.

3. MDT will launch a wizard; select Standard Client Task Sequence or Custom Task Sequence, whichever your specific deployment needs. Click through, provide the required information, and complete the wizard! See previous post.

4. When the task sequence is built, find it on the list, right click and select properties.

5. Click the Task Sequence tab and find Enable Bitlocker (if doing a custom task, it is under Add\Disks\Enable Bitlocker). If doing a standard client task sequence, Enable Bitlocker will be about halfway down the task steps, under the Custom Tasks group. Click it and either copy/paste it, or click the down arrow until it is the last task in the sequence. Important: Bitlocker must be enabled AFTER the computer has joined the domain in the task sequence, or the key will not escrow to AD (there is no computer object yet for the recovery information to be written under).

6. Once the task sequence is built, begin checking and customizing the settings of MDT’s customsettings.ini file. This file allows you to customize and streamline the deployment wizard, to show or not show certain windows and provide information automatically.

7. Go to MDT Deployment share, right click, and go to properties. Click the rules tab and the default configured cs.ini will appear. Add or ensure the following is included in the cs.ini; (taken from the MDT help library.)


8. Deploy the task sequence with “Enable Bitlocker” to the target computer.

9. Check the Active Directory key escrow by finding the computer object, opening its properties, and clicking the Bitlocker Recovery tab.
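A way to verify the escrow from step 9 on the deployed client itself, added here as an example and not taken from the original post: it assumes RSAT's ActiveDirectory module is installed on the client and the pre-Windows Server 2012 schema layout, where the TPM owner hash lives in the computer object's msTPM-OwnerInformation attribute.

```powershell
# Added example, not part of the original post: confirm that the recovery
# password protector on the OS drive has a matching msFVE-RecoveryInformation
# object under this computer's AD account, and that the TPM owner info was
# backed up. Assumes the ActiveDirectory module (RSAT) and manage-bde exist
# and the schema is extended as the caveat above requires.
Import-Module ActiveDirectory

$drive = 'C:'

# Local side: every numerical-password (recovery) protector ID on the drive.
# manage-bde prints each one as "ID: {GUID}" beneath "Numerical Password:".
$protectorText = manage-bde -protectors -get $drive
$localIds = @($protectorText |
    Select-String -Pattern 'ID:\s*\{([0-9A-Fa-f-]{36})\}' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpperInvariant() })

# AD side: msFVE-RecoveryInformation objects are children of the computer
# account, and each object's CN ends with the protector GUID in braces.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msTPM-OwnerInformation'
$escrowedIds = @(Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } |
    ForEach-Object {
        if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpperInvariant() }
    })

if ($localIds.Count -eq 0) {
    Write-Warning "No recovery password protector on $drive; the Enable Bitlocker step did not run."
}
foreach ($id in $localIds) {
    if ($escrowedIds -contains $id) {
        Write-Host "OK      recovery ID $id is escrowed under $($computer.DistinguishedName)"
    } else {
        # Typical cause from the post: Bitlocker enabled before the domain join.
        # The protector can be re-escrowed without redeploying the machine.
        Write-Warning "MISSING recovery ID $id is not in AD; run: manage-bde -protectors -adbackup $drive -id `"{$id}`""
    }
}

if ($computer.'msTPM-OwnerInformation') {
    Write-Host 'OK      TPM owner information is backed up to the computer object'
} else {
    Write-Warning 'TPM owner information missing; check the TPM backup policy from step 1'
}
```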


– With MDT and cs.ini there is a huge number of potential options, but I have mine configured as follows, with customsettings.ini (see below) set to allow Bitlocker to activate and run through its processes.

Full customsettings.ini configuration for this computer:

TimeZoneName=Eastern Standard Time


-The LTI deployment process is unable to perform Sysprep operations on a target computer that is encrypted using Bitlocker.

  • In this case, you need to decrypt. If you are deploying from an image, make sure the image is decrypted and Bitlocker is turned off before sysprep and capture; once it is, you are free to try again!



Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module
Technet property reference for customsettings.ini

Installing Applications with MDT.

Applications and MDT

The Basic Process:

  • Build a folder and organize it as you see fit as a place to set the application files.
  • Add the application(s) to the MDT application library.
  • Set up a task sequence for installing the application(s), and name it appropriately.
  • Make sure the newly installed application is updated.
  • Update the Deployment Share.

Helpful details:

Creating the task sequence and installing your new applications silently

A NOTE BEFORE BEGINNING: FAMILIARIZE yourself with MDT and its functionality, especially the area concerning task sequences. MDT has a built-in reference library which is broken down into index format; additionally, the library has built into it step by step instructions for most MDT related tasks. The library is also interconnected with the different MDT tools for technical functionality and easy reference.

  • Step one might be one of the longer steps in this really simple process: create your file folder. This folder will be used to manage all the files associated with your MDT applications. Name and organize it thoroughly.

  • Next step is to go into MDT itself, click the Applications drop-down, and on the right side of the screen, click new Application. (Or right click Applications.)

  • When starting a new application, a wizard will initialize; follow the appropriate steps and complete the wizard. It will place the application into the deployment share for MDT and store it there. NOTE: When the command line option of the wizard appears, if you know the command line switches you’d like to use, enter them now; if not, you can change them later at any time by accessing the application properties after the wizard process.

  • You’ll see a confirmation screen at the end of the wizard, double check the information and click finish.

  • Now, click the Task Sequence option in the drop-down. Look to the right and click New Task Sequence. (Or right click Task Sequences in the drop-down.)
  • A wizard will launch. Add your ID, Name and add any relevant notes to the task sequence.

  • In selecting your template, you want to click the drop-down and select Custom Task Sequence, complete the wizard steps.
  • Now, with your task sequence created and application added to MDT, you will go to the task sequence and customize it. Right click the task sequence you created and select properties. This will open a new window.

  • Click the Task Sequence tab, and add any processes to the task sequence and modify their order as you see fit. Also, here is where you’ll add your application to the task sequence.

  • For each application you want in the task sequence, you will add an “Install Application” action to the sequence, and for each action added, you will select the application it installs.

  • Now, before you finish in MDT, make sure the task sequence has the application associated with it, and the task sequence has the desired command line information.

  • Go to the computer you want to install the applications on.

RUN CMD – enter:

net use \\mdt\DeploymentShare$ /user:domain\username

Once the connection is established, execute LiteTouch.WSF:

cscript \\mdtserver\DeploymentShare$\Scripts\LiteTouch.WSF

  • Once executed, MDT Wizard screens will initialize and appear, asking for prompts related to completing the task sequence.

  • The application will install, and you are finished!

-Note: The task sequence allows for an unlimited number of applications to be added to it, but you have to consider the type of install, and check the applications one at a time to make sure they install correctly. Many applications, even the .MSIs, will have features built in and require command line workarounds; those will need individual research. The process can become very long and broken if a single application does not work, so do your homework! My experience has shown that taking shortcuts will lead to time wasted in the long run.

NEXT POST: Command line entries for silent installs.

Uploading an Image to MDT 2010

Uploading a New Image

The Basic Process:

  1. If your MDT does not have one already, create an upload/download task sequence. You only need one for both tasks (Sysprep and Capture).
  2. Upload the current image to a computer and set it up how you want.
  3. Run “\\mdt\DeploymentShare\litetouch.vbs”.
  4. Select the task sequence, “Upload an Image”.
  5. Name your new image, and make it happen.
  6. Create a new task sequence for downloading the new image.
  7. Update the Deployment Share.

Helpful Details:

Creating a new Task Sequence for Upload

A NOTE BEFORE BEGINNING: FAMILIARIZE yourself with MDT and its functionality, especially the area concerning task sequences. MDT has a built-in reference library which is broken down into index format; additionally, the library has built into it step by step instructions for most MDT related tasks. The library is also interconnected with the different MDT tools for technical functionality and easy reference.

1. To start the task sequence, launch the MDT 2010 workbench on the MDT VM. Once launched, click the Task Sequences option, then look to the right side of the screen and click ‘New Task Sequence’. A variety of other options exist, but ignore those for now.

2. Once clicked, MDT will initiate a wizard. Simply select a name and ID, add any required notes for your task, then click the drop down for preexisting templates and select the Sysprep and Capture template. Make sure to select the correct Operating System, that is, the one which matches the Operating System you intend to capture.

3. The actual task sequence is run from the computer you are intending to capture.

4. **A common mistake at this point is to boot the reference computer from your LiteTouch image and start this task sequence.** (Kevin Ledman, Core team blog.) Don’t do it.

5. To run the task sequence, you connect to the deployment share and launch the LITETOUCH.WSF through manual interaction with the command prompt.

6. RUN CMD – enter:

net use \\mdt\DeploymentShare$ /user:domain\username

7. Once the connection is established, execute LiteTouch.WSF:

cscript \\mdtserver\DeploymentShare$\Scripts\LiteTouch.WSF

8. Once executed, MDT Wizard screens will initialize and appear, asking for prompts related to completing the task sequence.

9. Select the task sequence you created earlier in step 3.

10. Use your Sysprep and Capture option, and supply the location for storage and name of the image you are capturing.

11. Supply your login credentials. – Follow the Wizard Steps.

(Summary screen)

12. MDT will assume control, and the task sequence will run through its course here, assuming it can run uninterrupted. MDT will copy the reference computer, launch sysprep, and apply the LiteTouch image. The computer will reboot during this phase.

13. The computer will reboot, and in this portion the size of the image, and speed of the computer govern the time required for the installation. Expect this step to take a substantial amount of time.

14. After the capture is completed, you can go back to MDT – and import the image, as a customized image file in MDT itself, for use in future task sequences.

15. To do this, click Operating Systems, in the index on the left side. Look to the right, and click ‘Import Operating System,’ this will initialize another wizard.

16. Select Custom image file and hit next – find your file. Most likely under


17. Include the setup files for the OS which you are importing and complete the wizard. This is important: if you select the wrong OS, the system will not install on subsequent attempts.

18. Should be done! The file will be available for use with any new task sequence you need.

**All these techniques were taken from Technet or similar blogs, and the content is the property of their respective authors. Thanks for the information!**

The most common error:

The task sequence has been suspended. LiteTouch has encountered an Environment Error (Boot into WinPE!) OK to Reboot

There are two primary scenarios where this can happen (although it is not limited to these). When booting into a LiteTouch WinPE image, we can encounter this error.

  • With the “The task sequence has been suspended” dialog up, don’t click OK; press F8 right then, and run diskpart right out of the PE instance. Alternatively, boot from standard Windows PE, open diskpart, select disk 0 and type “clean”. Be aware that “clean” removes every partition on disk 0, so any data still on the reference computer is lost. Following this, you will be able to boot the LiteTouch.wim install and start over again.
  • In the middle of a LiteTouch OS installation, the user booted back into WinPE when the new OS should be running. The user should remove the WinPE boot media or adjust the boot order.
  • We start a LiteTouch installation from scratch, *however* there was a previous LiteTouch task sequence running which was not properly cleaned up. In that case remove the c:\minint\ and/or c:\_SMSTaskSequence directory and reboot back into WinPE.

Good references:

How to run a Sysprep and Capture Task Sequence From MDT 2010 (for a generalized breakdown of the process.)
LiteTouch has encountered an Environment Error (for error correction; several errors are covered.)