Pre-Provisioning BitLocker in MDT 2012 SP1 while using MBAM 2.5 - No PIN Required

  • Question

  • Does anyone have step-by-step instructions for pre-provisioning BitLocker? Through task sequences, we are currently able to BitLocker the computers, but it's the last set of tasks. I would like to BitLocker the computer while no data is on the disk so it's faster, and then as it's imaging, the files are already encrypted.

    Currently:

    • Creates BIOS Password
    • TPM turned on and enabled (using CCTK)
    • Remove Password
    • Registry changes
    • Installing MBAM 2.5
    • Removing Registry Entries

      Any help would be appreciated!

    Thanks

    Rick

    Tuesday, December 9, 2014 7:03 PM

Answers

  • BitLocker pre-provisioning is available by default in MDT LiteTouch...

    If you just want to pre-provision the drive without letting MDT LiteTouch enable any protectors (let MBAM do that), then just run the following command after the "Format and Partition" step in the task sequence:

    x:\windows\system32\Manage-BDE.exe c: -used

    (or whatever drive letter the OS exists on in WinPE)

    As an alternative, I would add a step just before the "Enable BitLocker (Offline)" step in the task sequence:

        BDEInstallSuppress=NO
        isBDE=YES

    then after the "Enable BitLocker (Offline)" step in the task sequence, I would set the following:

        isBDE=NO


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, December 11, 2014 7:34 PM
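
    The following is an added example, not code from the thread or from MDT itself: a script for a "Run PowerShell Script" step placed right after "Format and Partition Disk" in the LiteTouch task sequence, running inside WinPE. It does what the one-liner above does (pre-provision the OS volume with used-space-only encryption and no protectors, leaving MBAM to add the TPM protector and escrow the recovery key in the full OS), but it discovers the OS drive letter instead of hard-coding C:, refuses to touch a volume that already has BitLocker state, and verifies the result from `manage-bde -status`. It assumes the boot image contains the WinPE-WMI, WinPE-PowerShell and WinPE-SecureStartup components, that the target OS partition is the largest fixed NTFS volume visible in WinPE, and that the `-UsedSpaceOnly` switch is spelled out rather than abbreviated (`-used` is the documented short form).

```powershell
# Added example: pre-provision the OS volume with BitLocker inside WinPE (MDT LiteTouch).
# Assumptions: WinPE-WMI, WinPE-PowerShell and WinPE-SecureStartup are in the boot image;
# the OS partition is the largest fixed NTFS volume other than the WinPE RAM drive (X:).
$ErrorActionPreference = 'Stop'

# Locate the OS volume instead of hard-coding C:, since WinPE may hand the
# target partition a different letter.
$osDisk = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' -and $_.DeviceID -ne 'X:' } |
    Sort-Object Size -Descending |
    Select-Object -First 1

if (-not $osDisk) { throw 'No fixed NTFS volume found to pre-provision.' }
$drive = $osDisk.DeviceID   # e.g. "C:"

function Get-BdeStatus {
    param([string]$Volume)
    # manage-bde writes its report to stdout; join it into one string for matching.
    $out = (& manage-bde.exe -status $Volume 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Volume failed:`n$out" }
    return $out
}

# Guard: only pre-provision a volume that is still fully decrypted.
$before = Get-BdeStatus -Volume $drive
if ($before -notmatch 'Conversion Status:\s+Fully Decrypted') {
    throw "Volume $drive already has BitLocker state, refusing to re-encrypt:`n$before"
}

# Pre-provision: turn BitLocker on with used-space-only encryption. No protector
# is specified, so the volume is encrypted under a clear key; it is not
# protected until MBAM adds the TPM protector and escrows the recovery key.
& manage-bde.exe -on $drive -UsedSpaceOnly
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $drive failed with exit code $LASTEXITCODE" }

# Verify the result: expect "Used Space Only Encrypted" and no key protectors yet.
$after = Get-BdeStatus -Volume $drive
Write-Output $after
if ($after -notmatch 'Conversion Status:\s+Used Space Only Encrypted') {
    throw "Pre-provisioning of $drive did not complete."
}
if ($after -match 'Key Protectors:\s+None Found') {
    Write-Output "Pre-provisioned $drive with a clear key; MBAM will add protectors in the full OS."
}
```

    Because the encrypted-but-clear-key state is exactly what a later step must close, keep the MBAM client install and its policy application in the same task sequence; a machine that leaves deployment in this state is encrypted on disk but not protected.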

All replies

  • Hi Rick, have you seen this post?

    http://technet.microsoft.com/en-us/library/dn744301.aspx

    Tuesday, December 9, 2014 7:36 PM
  • See also - http://technet.microsoft.com/en-us/library/6b116f87-a1df-4194-ad57-f01d797b7d13#BKMK_EnableBitLocker - Ideally you want to configure your task sequence with an additional step, Pre-provision BitLocker, in the WinPE stage, and then engage BitLocker when the OS is up and the system is domain joined. That engage step should set the recovery key info and send it back up to the directory.
    Wednesday, December 10, 2014 4:20 PM
  • Actually, the syntax is incorrect. It should be:

    X:\Windows\System32\Manage-BDE.exe C: -on -used

    Thursday, June 2, 2016 6:22 PM
  • How do you put the

        BDEInstallSuppress=NO
        isBDE=YES

    step in a TS? Is it a command line step?

    Monday, July 25, 2016 4:53 PM
  • Correct. You can add those lines in your customsettings.ini file!
    Monday, July 25, 2016 4:56 PM