Enable Bitlocker automatically
-
Monday, October 03, 2011 1:07 PM
Hi
I have a Windows 7 ENT SP1 x86 computer and I want to activate BitLocker during the MDT 2010 deployment process
- I've extended my AD 2003 schema with BitLockerTPMSchemaExtension and set the ACE with cscript Add-TPMSelfWriteACE.vbs
- My computer has a compatible TPM 1.2 chip and the TPM is enabled in the BIOS
- I've configured the GPOs: Require TPM backup to AD DS and Require BitLocker backup to AD DS
- In MDT I've enabled the BitLocker task and the BDE partition (300 MB) is created
When my computer is deployed, the OS drive is not automatically encrypted ... I have to manually activate BitLocker through Explorer or launch manage-bde -on -recoverypassword C: (and it works great)
For me, this should be done automatically through the BitLocker MDT sequence ... ?
Thanks for your help if I missed something ....
All Replies
-
Monday, October 03, 2011 5:38 PM
You need to have this in your CS.ini file.
BdeInstallSuppress=NO
BDEDriveLetter=S:
BDEDriveSize=300
BDEInstall=TPM
BDERecoveryKey=AD
BDEKeyLocation=\\server\BitLocker 'if you want to store keys in the backup location.
If you want to store keys in AD you will need to configure the GPO for that OU to store keys in AD.
-
Tuesday, October 04, 2011 8:22 AM
Hi,
With the BitLocker pass in the Task Sequence, all these requirements are implemented:
- The 300 MB partition is automatically created
- TPM is activated (and enabled by myself in the BIOS). In tpm.msc, the status is: TPM is activated and the property was acquired
- BitLocker is configured to store the key in AD and, as I said, the GPO is configured
- Just after the MDT deployment, if I enter the following command, manage-bde -on -recoverypassword C:, the BitLocker encryption begins and the key is stored in AD, which means that all requirements are valid ...
But my problem is this: encryption has to be done automatically during the deployment process in MDT and not manually afterwards ...
Thx
- Edited by GuiAg Tuesday, October 04, 2011 8:22 AM
-
Tuesday, October 04, 2011 8:27 AM
Hi, basic question: does the machine get automatically added to the domain? If yes, can you share the CS.ini from your deployment share?
-
Tuesday, October 04, 2011 8:37 AM
Of course, since the GPO is applied and keys are stored in AD if I launch the command manually after the MDT deployment ...
I've no problem with the MDT deployment (I use the database, applications, drivers); the only problem is BitLocker, which does not encrypt the OS disk automatically ...
-
Tuesday, October 04, 2011 9:25 AM
Hi
Can you share the CS.ini from your deployment share and also confirm on which OU the BL policy is being applied, and whether there are any other policies being applied on that OU?
Regards
-
Tuesday, October 04, 2011 9:50 AM
Hi,
Here is my customsettings.ini file:
[Settings]
Priority=CSettings, CPackages, CApps, CAdmins, CRoles, Locations, LSettings, LPackages, LApps, LAdmins, LRoles, MMSettings, MMPackages, MMApps, MMAdmins, MMRoles, RSettings, RPackages, RApps, RAdmins, Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipApplications=YES
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipUserData=YES
SkipDeploymentType=Yes
DeploymentType=NEWCOMPUTER
SkipDomainMembership=YES
SkipLocaleSelection=Yes
UILanguage=fr-FR
UserLocale=fr-FR
KeyboardLocale=040c:0000040c
SkipTimeZone=Yes
TimeZoneName=Romance Standard Time
WSUSServer=http://srvwsus
SkipBitLocker=Yes
SkipTaskSequence=YES
SLShare=\\PRODMDT\DeploiementMDT_Logs$\
SkipSummary=YES
SkipFinalSummary=YES

[CSettings]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=ComputerSettings
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR

[CPackages]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=ComputerPackages
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR
Order=Sequence

[CApps]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=ComputerApplications
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR
Order=Sequence

[CAdmins]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=ComputerAdministrators
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR

[CRoles]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=ComputerRoles
Parameters=UUID, AssetTag, SerialNumber, MacAddress
ParameterCondition=OR

[Locations]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=Locations
Parameters=DefaultGateway

[LSettings]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=LocationSettings
Parameters=DefaultGateway

[LPackages]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=LocationPackages
Parameters=DefaultGateway
Order=Sequence

[LApps]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=LocationApplications
Parameters=DefaultGateway
Order=Sequence

[LAdmins]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=LocationAdministrators
Parameters=DefaultGateway

[LRoles]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=LocationRoles
Parameters=DefaultGateway

[MMSettings]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=MakeModelSettings
Parameters=Make, Model

[MMPackages]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=MakeModelPackages
Parameters=Make, Model
Order=Sequence

[MMApps]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=MakeModelApplications
Parameters=Make, Model
Order=Sequence

[MMAdmins]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=MakeModelAdministrators
Parameters=Make, Model

[MMRoles]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=MakeModelRoles
Parameters=Make, Model

[RSettings]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=RoleSettings
Parameters=Role

[RPackages]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=RolePackages
Parameters=Role
Order=Sequence

[RApps]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=RoleApplications
Parameters=Role
Order=Sequence

[RAdmins]
SQLServer=PRODMDT
Instance=SQLMDT
Database=SQLMDTDB
Netlib=DBNMPNTW
SQLShare=PartageDeploiementMDT$
Table=RoleAdministrators
Parameters=Role
I have many GPOs applied. The settings related to BitLocker: I can try to deploy the computer to an OU with only this specific GPO if it can help ....
- Edited by GuiAg Tuesday, October 04, 2011 9:51 AM
-
Tuesday, October 04, 2011 5:48 PM
Where are the BitLocker settings in your CS.ini?
-
Wednesday, October 05, 2011 7:59 AM
The BitLocker settings are set in the Task Sequence as you see in my first post (it created the 300 MB partition, enabled TPM) with the ZTIBde.wsf script
-
Thursday, October 06, 2011 2:53 PM
In my opinion, I have all the requirements since if I manually launch the encryption it works.
But even if, in the task sequence, I checked "Wait for BitLocker to complete the drive encryption ...", my OS disk is not encrypted automatically during the deployment process....?!
Thx
-
Friday, October 07, 2011 1:02 PM
Hi
Can you try this in your CS.ini, update the deployment share and check:
SkipBitLocker=NO
BDEInstall=TPM
BDERecoveryKey=AD
OSDBitLockerWaitForEncryption=TRUE
-
Friday, October 07, 2011 1:03 PM
Also in your CS.ini I have observed that
SkipBitLocker = Yes, which means that the BL screen wouldn't be available during the deployment.
Change it to NO, add the above settings and confirm.
-
Friday, October 07, 2011 1:11 PM
Hi
I've chosen to have a very simple and fully automated cs.ini, so all the settings are set in the database or the task sequence.
Also, all the settings you list are those defined in the Task Sequence, but I'll try to modify and update the cs.ini with your settings and I'll send you the result, to be sure ... ;
- Proposed As Answer by Ranganathan S Tuesday, October 11, 2011 5:23 AM
-
Monday, October 10, 2011 8:12 AM
Hi,
With the settings added in the cs.ini, it works.
But I don't understand why the same settings set in the task sequence (or database) did not produce the same result ... ?!
Thx
-
Wednesday, October 12, 2011 8:17 AM
Hi,
Here is what I've done to bypass my problem (also, I just want laptops to have BitLocker enabled)
- I want to have a generic and automated cs.ini file, so I've left SkipBitLocker=Yes without parameters
- In my Task Sequence, I've created a new folder with the following condition
- In this folder, I've configured the "Enable BitLocker" task
- Then I force encryption (since the Wait for BitLocker to complete the drive encryption option didn't work for me) with the following command line
manage-bde -on C: -RecoveryPassword
- Finally, I just add a restart computer task and the encryption begins automatically after the reboot
- Edited by GuiAg Wednesday, October 12, 2011 8:19 AM
-
Monday, October 17, 2011 11:04 AM
I have got confused with your statement and would like to know what your ultimate goal is
Ranga
-
Monday, October 17, 2011 11:20 AM
I just want to have the OS disk automatically encrypted at the end of the deployment and only for my desktop computers; that's why I prefer to use the Task Sequence and not cs.ini (the same for all of my deployments)
-
Tuesday, October 18, 2011 11:56 AM
To my knowledge you would need to use CS.ini to do this. What you can do basically is set BL to be enabled depending on the chassis type,
i.e. for desktops no action required,
for laptops enable BL with the appropriate syntax.
-
Tuesday, October 18, 2011 11:59 AM
I know that we can modify the cs.ini to allow different actions depending on the chassis model .... but my solution with the TS configuration works ... but I'll keep your solution in mind !!
-
Friday, March 08, 2013 9:33 AM
Hi GuiAg,
I suppose that my answer is coming late but I hope that it will be useful for the community. The answer to your question is in the code of ZTIBde.wsf below:
If oEnvironment.Item("BdeInstallSuppress") <> "NO" and UCase(oEnvironment.Item("IsBDE")) <> "TRUE" Then
    oLogging.CreateEntry "BDE installation not selected", LogTypeInfo
    Main = iRetVal
    Exit Function
End If
As you can notice, BdeInstallSuppress must be set to "NO", otherwise the default is yes.
So, what I would suggest is:
1/ Add a new section in the priority list named LaptopDetection:
Priority=LaptopDetection,CSettings, CPackages
2/ Add the following to your Cs.ini:
[LaptopDetection]
subsection= IsLaptop-%isLaptop%
[IsLaptop-True]
BdeInstallSuppress=Yes
3/ Keep your Task Sequence as clean as possible (I mean without changing the tasks, conditions, ...)
Cheers
___________________________________________________________________________________
Karim CAMMOUN, Solution Architect in the Microsoft Eco-System. If I gave the solution please mark it as answer
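As an added illustration (not MDT's own code and not posted by anyone in this thread): a small Python model of the rule processing the last reply relies on, namely Priority order, first-value-wins, SubSection expansion of %IsLaptop%, and the BdeInstallSuppress/IsBDE guard quoted from ZTIBde.wsf. The CS.ini is constructed; it sets BdeInstallSuppress=NO in the laptop section so the BitLocker step is selected, and YES in [Default] so desktops fall through to the suppressed default. It is a simplification of ZTIGather's real behaviour (list properties, database sections and other rule types are omitted).

```python
import configparser
import re
from typing import Dict

# Constructed CustomSettings.ini modelled on the [LaptopDetection] / SubSection
# idea from the last reply; not a real deployment-share file.
SAMPLE_CS_INI = """[Settings]
Priority=LaptopDetection, Default
[Default]
SkipBitLocker=YES
BdeInstallSuppress=YES
[LaptopDetection]
SubSection=IsLaptop-%IsLaptop%
[IsLaptop-True]
BdeInstallSuppress=NO
BDEInstall=TPM
BDERecoveryKey=AD
"""

def expand(value: str, env: Dict[str, str]) -> str:
    """Replace %Name% references with the variable's value (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), ""), value)

def resolve(ini_text: str, gathered: Dict[str, str]) -> Dict[str, str]:
    """Simplified model of MDT rule processing (not ZTIGather's code): walk Priority in
    order, first value seen for a property wins, SubSection expands after %var% substitution."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep key spelling as written
    cp.read_string(ini_text)
    env = {k.lower(): v for k, v in gathered.items()}   # values gathered from WMI/BIOS
    def walk(section: str) -> None:
        if not cp.has_section(section):        # e.g. IsLaptop-False simply does not exist
            return
        for key, value in cp.items(section):
            if key.lower() == "subsection":
                for sub in expand(value, env).split(","):
                    walk(sub.strip())
            elif key.lower() not in env:       # first value wins; later sections cannot override
                env[key.lower()] = value
    for section in cp.get("Settings", "Priority").split(","):
        walk(section.strip())
    return env

def bde_selected(env: Dict[str, str]) -> bool:
    """Mirror the guard quoted from ZTIBde.wsf: the BitLocker step runs only when
    BdeInstallSuppress is NO or IsBDE is TRUE; anything else, including unset, skips it."""
    return (env.get("bdeinstallsuppress", "").upper() == "NO"
            or env.get("isbde", "").upper() == "TRUE")
```

Feeding the same file with IsLaptop=True and IsLaptop=False shows why a property left at its default silently skips the step, which is the behaviour the original poster saw.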