Is it possible to Encrypt/Secure Offline media disk/USB

  • Question

  • Hi All,

    I've built an offline media stick that I can take to my client sites and build their PCs offline, but due to our security policy I can't take any private data out of our main office unless it's encrypted. This means my offline stick can't contain domain, OU, admin accounts, product keys etc. Obviously I can't just use BitLocker To Go like I do on my other external disks and USBs.

    So my question is, is it possible to secure or encrypt the data on an offline media USB?

    Thanks in advance


    • Edited by RDunkley Thursday, June 16, 2016 12:18 PM
    Thursday, June 16, 2016 12:13 PM

All replies

  • Hi.

    You write "obviously you can't use BL2Go" - why is that? BL2Go can be read anywhere if win7 or higher is installed.

    And if you carry bootable usb drives to install from around - these have nothing confidential on them and no need to encrypt.

    Please explain your worries.

    Thursday, June 16, 2016 12:35 PM
  • And if you carry bootable usb drives to install from around - these have nothing confidential on them and no need to encrypt.

    Please explain your worries.


    I think you're confusing two different possible USB drive configurations:

    1) Where USB drives containing just WinPE boot environment where you boot to the USB drive. The USB media would likely require less than a gigabyte and closer to 500 MB. The actual MDT deployment share is accessible on a network share. After booting to the USB drive, the Lite-Touch wizard opens, presumably after you've entered a domain user account credential to access the network share, and then you can deploy task sequences where the files are copied from the network share\deployment share. This USB drive configuration can be arranged so there's no confidential information on the USB drive - it's present on the network share which cannot be accessed without a domain account. This is fine where you have a fast network link to a deployment share, such as at company headquarters.

    2) Where USB drives contain a whole MDT 'deployment media' folder (not a whole 'deployment share') as well as the WinPE boot environment. This is probably minimum 5 GB on the USB drive, depending on if you have a custom Sysprep'd image stored within a custom .WIM container file, and if you have many large sized application installers like Adobe Acrobat and Microsoft Office. In this case, the computer boots to the USB drive, opens the Lite-Touch deployment wizard and finds the deployment media on the USB drive. There is probably confidential information on the USB drive, such as product keys. No need for a network connection. This works for computers at locations where there is a slow link or no link.


    It's possible that if you're using the USB drive like in my scenario 2, and your target computer is on the domain's network, you can script pulling down the confidential information rather than saving it on the USB drive. For instance, at startup, if you're there in person, you can have the Lite-Touch deployment wizard prompt (via customsettings.ini presets) for domain-joining details. You can have a script make use of this entered information by referencing MDT variables. An example in PowerShell is creating a credential object to be used for copying files from network shares or running executables, e.g. with Start-Process -Credential:

    # Attach to the running MDT task sequence environment
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

    # Read the join account (DOMAIN\user) entered in the Lite-Touch wizard
    $OSDJoinAccount = $tsenv.Value("OSDJoinAccount")

    # The wizard stores the password in plain text; wrap it in a SecureString
    $OSDJoinPassword = ConvertTo-SecureString $tsenv.Value("OSDJoinPassword") -AsPlainText -Force

    # Build the credential object used for Copy-Item / New-PSDrive / Start-Process -Credential
    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $OSDJoinAccount, $OSDJoinPassword

    Of course if you can manage to encrypt your bootable USB drive, that would be a much more straightforward option.


    Thursday, June 16, 2016 2:57 PM
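The pattern in the reply above (keep nothing confidential on the stick, pull it from a domain share at deployment time with the credential the wizard collected) carried through to a working script. This is an added example, not code from the original post or from MDT itself; the share path, file names, staging directory and the `Get-DeploymentSecrets`/`Clear-DeploymentSecrets` function names are assumptions, while `Microsoft.SMS.TSEnvironment`, `OSDJoinAccount` and `OSDJoinPassword` are the MDT objects the reply already uses.

```powershell
# Added example (not from the original post). Fetches confidential deployment
# data from a domain share at run time so the offline USB stick carries none of it.
# Assumed values: the share path, the file names and the local staging directory.

function Get-DeploymentCredential {
    # Attach to the task sequence environment populated by the Lite-Touch wizard
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

    $account  = $tsenv.Value('OSDJoinAccount')          # e.g. CONTOSO\svc-deploy
    $password = ConvertTo-SecureString $tsenv.Value('OSDJoinPassword') -AsPlainText -Force

    if ([string]::IsNullOrWhiteSpace($account)) {
        throw 'OSDJoinAccount is empty; the wizard did not collect domain-join details.'
    }

    return New-Object System.Management.Automation.PSCredential ($account, $password)
}

function Get-DeploymentSecrets {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Hypothetical share holding product keys and similar data (assumption)
        [string] $SecretsShare = '\\deploy01.contoso.example\Secrets$',
        # Hypothetical staging directory on the machine being built (assumption)
        [string] $LocalStaging = (Join-Path $env:TEMP 'DeploySecrets'),
        # Files this deployment actually needs; pull only these, nothing more
        [string[]] $Files = @('ProductKeys.ini', 'OUMap.csv')
    )

    try {
        # Map the share under the supplied credential; stop immediately if
        # authentication or the network link fails rather than continuing half-done
        New-PSDrive -Name 'S' -PSProvider FileSystem -Root $SecretsShare `
                    -Credential $Credential -ErrorAction Stop | Out-Null

        New-Item -ItemType Directory -Path $LocalStaging -Force | Out-Null

        foreach ($f in $Files) {
            Copy-Item -Path (Join-Path 'S:\' $f) -Destination $LocalStaging -ErrorAction Stop
        }

        return $LocalStaging
    }
    finally {
        # The mapping is only needed for the copy; tear it down regardless of outcome
        if (Get-PSDrive -Name 'S' -ErrorAction SilentlyContinue) {
            Remove-PSDrive -Name 'S' -Force
        }
    }
}

function Clear-DeploymentSecrets {
    param([Parameter(Mandatory)] [string] $LocalStaging)

    # Remove the staged copies once the task sequence has consumed them so the
    # built PC does not keep the secrets on disk either
    if (Test-Path $LocalStaging) {
        Remove-Item -Path $LocalStaging -Recurse -Force
    }
}

# Usage inside a task sequence step (Run PowerShell Script):
$cred    = Get-DeploymentCredential
$staging = Get-DeploymentSecrets -Credential $cred

# ... later steps read e.g. "$staging\ProductKeys.ini" ...

Clear-DeploymentSecrets -LocalStaging $staging
```

The share access is wrapped in `try`/`finally` so the drive mapping is released even when a copy fails, and the staged files are removed in a separate step so that later task sequence steps can still read them; the wizard-entered password exists in plain text only inside the task sequence environment, which is the reply's point about not persisting it on the stick.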