Looking into using Bitlocker during Deployment and have a few questions.

  • Question

  • I see that Bitlocker is enabled by default in the Deploy TS. I have a question initially about Bitlocker in MDT:

    I am wondering if it is possible to modify the Bitlocker pane to contain settings we prefer. I already have the MDT Wizard program to create menus. What I would like is to pre-populate fields on that screen with fixed info.
    Mainly, I'd like AD to always be selected if encryption is chosen.

    Thanks



    Wednesday, June 26, 2019 6:57 PM

All replies

  • It seems I have everything set up so far. I just don't know how to make a radio button be checked by default.
    The scenario is, if Enable Bitlocker, then I want "In Active Directory" to be auto selected and not "Do not create a key".

    I even removed the option of "Do Not Create A Key" but someone still has to check AD. I'd rather have that permanently selected.

    Wednesday, June 26, 2019 8:49 PM
  • Edit customsettings.ini

    SkipBitLocker=YES
    OSDBitLockerMode=TPM
    OSDBitLockerCreateRecoveryPassword=AD
    OSDBitLockerWaitForEncryption=FALSE
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDERecoveryKey=AD
    BDEKeyLocation=\\SERVER\SHARE\BitLockerKeys
    TPMOwnerPassword=YOURPASSWORDGOESHERE

    I like to backup the BitLocker keys as well as them going to AD, but that's because we securely share the key with our laptop users in case they are out of state/country and need to unlock their system if BitLocker was tripped. You can leave that out if you don't want a text file backup of the key.

    The above will force BitLocker to be enabled, use TPM and add the recovery key to AD. You can change the skip to NO so the wizard will come up, but everything will be preselected with your settings.


    Daniel Vega

    Thursday, June 27, 2019 2:49 PM
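    An added post-deployment check, not part of the thread or of MDT itself: this PowerShell script confirms that every BitLocker-protected volume on the deployed machine has a recovery password protector and that a copy of it actually reached AD (the msFVE-RecoveryInformation objects under the computer account), which is the part that silently fails when the computer object is not yet in the right OU. It assumes the RSAT ActiveDirectory module is installed on the client, the AD schema has the BitLocker recovery extensions, and the script runs elevated; the -ReEscrow switch is my own name for the optional re-backup step.

```powershell
# Added example (not from the thread or from MDT): verify that each BitLocker
# volume's recovery password has been escrowed to AD, and optionally re-escrow.
# Assumptions: elevated session on the deployed client, BitLocker and RSAT
# ActiveDirectory modules available, AD schema has the BitLocker extensions.
#Requires -RunAsAdministrator
param([switch]$ReEscrow)   # constructed switch name, not an MDT property

Import-Module BitLocker
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $env:COMPUTERNAME

# Each escrowed recovery password is a child object of the computer account;
# msFVE-RecoveryGuid (a byte[]) holds the protector GUID shown by manage-bde.
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'msFVE-RecoveryGuid'
$escrowedGuids = @($escrowed | ForEach-Object { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') })

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint): protection is $($vol.ProtectionStatus); BDEInstall may not have applied"
        continue
    }
    $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector exists, so nothing can be escrowed"
        continue
    }
    foreach ($p in $recoveryProtectors) {
        $id = [guid]$p.KeyProtectorId        # KeyProtectorId is "{GUID}", which [guid] parses
        if ($escrowedGuids -contains $id) {
            Write-Output "$($vol.MountPoint): protector $($p.KeyProtectorId) is backed up in AD"
        }
        elseif ($ReEscrow) {
            # Equivalent to 'manage-bde -protectors -adbackup'; writes the recovery
            # password under the computer object now that it sits in the right OU.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
            Write-Output "$($vol.MountPoint): re-escrowed protector $($p.KeyProtectorId) to AD"
        }
        else {
            Write-Warning "$($vol.MountPoint): protector $($p.KeyProtectorId) NOT found in AD (re-run with -ReEscrow)"
        }
    }
}
```

    Running it once at the end of the task sequence, after the domain join and OU move, turns "the key gets written to AD" from an assumption into a checked result.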
  • I think my issue is that the pc name must be in the Bitlocker OU for the key to be written to AD.
    I'm looking to move the Domain Join step to near the end so that I can clone into that OU without the security banner preventing me from going to the desktop.

    If I clone to the Bitlocker OU (and click OK on the security banner) the key gets written to AD. 

    Thursday, June 27, 2019 3:11 PM