MDT and BitLocker

  • Question

  • Anyone have documentation on how to set up MDT and BitLocker as an imaging solution?

    I will be creating a Windows 7 Enterprise 64-bit image (very vanilla), and I'd like to encrypt the whole disk (or system volume).  I'm unsure how to set it up so that it doesn't take forever to encrypt (I think Win 8.1 encrypts only the data used up instead of the whole disk right off the bat...).  

    Wednesday, May 27, 2015 1:10 AM

All replies

  • Windows 8.1 supports what's called pre-provisioning of BitLocker; basically, the encryption process happens before the OS is deployed and encrypts as everything is laid down.

    Windows 7 does not support this, but you can help it along if you enable and activate the TPM in the BIOS before you kick off MDT, so that BitLocker is configured while MDT runs. Or, if your computer has OEM tools that can enable things like that, you can script that tool to run during MDT to automatically enable the TPM.

    Configure your CustomSettings.ini to include settings like:

    ; Skip the BitLocker wizard page; the properties below drive it instead
    SkipBitLocker=YES
    ; Configuration Manager (OSD) task-sequence variable names for the same intent
    OSDBitLockerMode=TPM
    OSDBitLockerCreateRecoveryPassword=AD
    OSDBitLockerWaitForEncryption=FALSE
    ; MDT-native BitLocker properties (BDE*): TPM-only protector, don't hold the task sequence until encryption finishes
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    ; Escrow the recovery password in Active Directory (needs the AD schema extensions / backup GPO in place)
    BDERecoveryKey=AD
    ; Share for file-based recovery key backup; only relevant if keys are also saved to a network location
    BDEKeyLocation=\\SERVER\SHARE$\BLKeys


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Wednesday, May 27, 2015 1:20 PM
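
Added example (not from any post in this thread, and not an MDT or Microsoft script): a PowerShell check you can run on a freshly imaged Windows 7 client to confirm the state the CustomSettings.ini above is meant to produce, that is, TPM enabled and activated, BitLocker protection on for the system volume, and a recovery password protector escrowed in AD. It uses only the Win32_Tpm and Win32_EncryptableVolume WMI classes and manage-bde.exe, which exist on Windows 7 (the BitLocker PowerShell module only arrived with Windows 8). The drive letter, the exit codes and the idea of re-running the AD backup from here are assumptions for this example.

```powershell
# Added example, not part of the thread: post-deployment BitLocker/TPM verification for a
# Windows 7 client imaged with MDT. Run elevated, e.g. from a "Run PowerShell Script" task
# sequence step after the OS is deployed, or from a verification step later on.
# Assumptions: system volume is C:, exit 0 = OK and exit 1 = something to fix.

param(
    [string]$Drive = 'C:'   # assumed system volume; match it to BDEDriveLetter if you changed that
)

$problems = @()

# 1. TPM must be present, enabled and activated, or BDEInstall=TPM cannot succeed.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $problems += 'No TPM found (or TPM driver not loaded); a TPM-based protector cannot be created'
} else {
    if (-not $tpm.IsEnabled().IsEnabled)     { $problems += 'TPM is present but not enabled in the BIOS' }
    if (-not $tpm.IsActivated().IsActivated) { $problems += 'TPM is enabled but not activated' }
}

# 2. Volume: protection must be on; report how far encryption has got (Win7 encrypts the whole disk,
#    so with BDEWaitForEncryption=False this is often still in progress right after deployment).
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) {
    $problems += "Volume $Drive is not an encryptable volume"
} else {
    $conv = $vol.GetConversionStatus()
    # ProtectionStatus: 0 = off, 1 = on. ConversionStatus: 1 = fully encrypted, 2 = encryption in progress.
    Write-Host ("{0}: ProtectionStatus={1} ConversionStatus={2} EncryptionPercentage={3}" -f `
        $Drive, $vol.ProtectionStatus, $conv.ConversionStatus, $conv.EncryptionPercentage)
    if ($vol.ProtectionStatus -ne 1) { $problems += "BitLocker protection is OFF on $Drive" }

    # 3. A recovery password protector (key protector type 3 = numerical password) must exist,
    #    and its recovery information must be in AD. Re-pushing it is harmless if it is already there,
    #    and covers machines deployed before BDERecoveryKey=AD could be used (schema not ready yet).
    $rp = $vol.GetKeyProtectors(3)
    if (-not $rp.VolumeKeyProtectorID) {
        $problems += "No recovery password protector on $Drive; nothing to escrow in AD"
    } else {
        foreach ($id in $rp.VolumeKeyProtectorID) {
            & manage-bde.exe -protectors -adbackup $Drive -id $id | Out-Null
            if ($LASTEXITCODE -ne 0) {
                $problems += "AD backup of protector $id failed (manage-bde exit code $LASTEXITCODE)"
            }
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'BitLocker state OK'
    exit 0
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The AD backup step only succeeds once the schema extensions and the "Store BitLocker recovery information in Active Directory" policy are in place on the domain, which is why it is the part of this check most worth wiring into your deployment reporting.
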
  • Thanks, Dan_Vega!

    I was thinking of setting up BitLocker first, alongside MBAM (so it can be enforced).  Does it seem to work?  Should I be using MDT 2013 Update 1 for this?  Currently, we're using Windows Server 2008 R2 and MDT 2012...

    Friday, May 29, 2015 12:25 AM
  • Get the latest MDT from here - https://technet.microsoft.com/en-us/windows/dn475741.aspx?f=255&MSPPError=-2147217396

    But don't install the preview version (2013 Update 1) for a production environment. If your machines will be on a domain and you control it, then configure it to store your recovery keys in AD.

    https://technet.microsoft.com/en-us/library/jj592683.aspx#BKMK_addscons

    Since you aren't on Server 2012 you'll need to update your schema extensions if you haven't already done so.

    Friday, May 29, 2015 1:21 PM
  • Thanks for the help.

    So you recommend setting up BitLocker with MBAM first, and then setting up MDT 2013?  I'm trying to follow like a mental checklist :)  

    Friday, May 29, 2015 3:40 PM
  • It doesn't really matter; you could have had MDT in place before deploying the use of BitLocker. If you need to start deploying machines using BitLocker right away you can do that, just don't use the BDERecoveryKey property until you set up AD to store the keys. But if you have the option, then yes, follow the AD preparation guide first.

    Friday, May 29, 2015 3:53 PM
  • I think I'll just let MBAM handle the encryption, and I'll just move the computer account via the LTI Wizard (specific OU where the linked GPOs are for installing the MBAM agent and BL settings).

    Btw, can I do an in-place MDT upgrade?   Since the image server has MDT 2012, I figured I could just install MDT 2013 on top of it, and it will retain its settings.  Not sure if that's the best way or not...

    Friday, May 29, 2015 8:27 PM
  • Yes you can upgrade MDT like that. To be safe, make a copy just in case anything breaks after the upgrade. Don't forget to look at the release notes.

    Friday, May 29, 2015 8:32 PM
  • What do you mean, "make a copy"? I'm not sure how to do that...

    Monday, June 1, 2015 1:17 AM
  • I ended up just copying the deployment share itself (copy and paste folder), and saved it somewhere else (as a backup).  I was able to just uninstall the old WAIK, installed the ADK 8.1 stuff, and installed MDT 2013 on top of MDT 2012 without problems.  In the Microsoft Deployment Workbench, I launched the Deployment Share, and had to update it to the latest version.  That worked well.  

    As far as the BitLocker piece goes, I ended up just using good ole Group Policy instead.  

    Thank you for all your help!


    Saturday, July 4, 2015 7:11 AM
  • Sorry I missed your previous question. The backup you made was what I meant, an actual copy of the whole share to some other drive. Glad you got it working.

    Monday, July 6, 2015 1:04 PM