Enabling Bitlocker and saving to AD on Workgroup System

  • Question

  • We're deploying some tablets that have to be installed as workgroup systems first before joining our domain. What happens if I enable Bitlocker and specify it to save recovery information to AD? Will we need to manually run Bitlocker on the systems and then script the saving to AD?

    Orange County District Attorney

    Friday, August 12, 2016 4:17 PM

All replies

  • I don't know if you can save it to AD before the domain join, because the AD object doesn't exist, and if it does, there is no trust.

    You could create a post-install task sequence that joins the domain and then enables BitLocker.

    You would use a Recover From Domain step and an Enable BitLocker step.


    Many questions such as where do I find logs and what logs are interesting are found in: MDT TechNet Forum - FAQ & Getting Started Guide Please take the time to read it. Also if you don't post logs your problem won't be easily solved.

    Friday, August 12, 2016 5:56 PM
  • I'm trying to come up with a script to enable Bitlocker after the domain join. I don't want to have to print or save the key like starting it from Control Panel.

    Friday, August 12, 2016 6:27 PM
  • The 'Enable BitLocker' task sequence step should do what you need with a post-OS-install TS. So no scripting should be required :)

    • Edited by Ty Glander Friday, August 12, 2016 6:29 PM
    Friday, August 12, 2016 6:28 PM
  • I just ran a test deployment with Bitlocker included and after the last reboot, I got a lovely blue screen asking me to put my recovery key in.

    Friday, August 12, 2016 6:40 PM
  • That is strange. Anything interesting in the bdd.log?

    Friday, August 12, 2016 6:47 PM
  • If I remember correctly, it will either save the Recovery key to a flash drive (if you left one connected) or it will save it to the root of the system drive if it can't save to AD.

    You could set BDEKeyLocation= in customsettings.ini as a fallback; it will also store the key there even if the system is successfully joined to a domain and the key is backed up to AD.

    I would think if you pre-provision BitLocker and disable the Enable BitLocker task in your initial deployment, you should be able to use the same Enable BitLocker task in a Post OS sequence as Ty suggested.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    • Proposed as answer by Ty Glander Monday, August 15, 2016 6:32 PM
    • Marked as answer by Sandy Wood Monday, August 15, 2016 6:38 PM
    Monday, August 15, 2016 6:12 PM
  • I noticed that the key was saved in the root of the USB drive I used to deploy the image with. I've decided to go with an alternate method, we'll wait until we join our domain and then script the encryption and save to AD at that time. The toughest part is waiting 4-5 hours for the encryption to finish.

    Monday, August 15, 2016 6:38 PM
  • Yeah, that's why I pre-provision BitLocker; it's so much faster that way.

    Monday, August 15, 2016 6:55 PM
  • I don't see a Pre-Provision Task Sequence in MDT 2013 - is it hidden somewhere or do I need SCCM2012 integration?

    Monday, August 15, 2016 8:17 PM
  • It's in Preinstall. But you have to have your TPM enabled and activated prior to Enable BitLocker offline.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Monday, August 15, 2016 8:35 PM
  • OK, I have that. Is this what I should have in customsettings.ini?

    BDEInstallSuppress=YES
    SkipBitLocker=YES
    BDEInstall=TPM
    BDERecoveryKey=AD
    Monday, August 15, 2016 8:44 PM
  • BDEInstallSuppress=YES

    means you want it to suppress, or rather not use, encryption. Change it to NO.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Monday, August 15, 2016 8:48 PM
  • Thanks for the clarification. I'll give it a try right now!

    So afterwards, I'll need to run this, correct?

    manage-bde -on C: -SkipHardwareTest -RecoveryPassword


    Orange County District Attorney

    Monday, August 15, 2016 8:50 PM
  • Using that you'll probably need to run

    manage-bde -on C: -RecoveryPassword

    then

    manage-bde -protectors -adbackup C: -id { recoveryGUID }

    At least from what I found here - https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx


    If this post is helpful please vote it as Helpful or click Mark for answer.

    • Marked as answer by Sandy Wood Monday, August 15, 2016 10:43 PM
    Monday, August 15, 2016 9:11 PM
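    The two manage-bde steps above, written up as a post-domain-join script with the BitLocker PowerShell module (Windows 8.1 / Server 2012 R2 and later). This is an added example, not code from the thread or from MDT; it assumes the TPM is already enabled and activated, the machine is already domain joined, and the domain has the BitLocker recovery schema so the AD backup can succeed.

```powershell
# Added example: enable BitLocker on C: after the domain join and escrow the
# recovery password to AD. Assumptions: TPM ready, machine domain joined, and
# the domain's BitLocker recovery schema in place (see lead-in).
$Drive = 'C:'

# A workgroup box has no AD computer object to escrow to, so stop early.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'Not domain joined; AD backup of the recovery key would fail.'
}

# Same prerequisite the thread calls out: TPM enabled and activated.
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not enabled/activated; enable it in firmware first.'
}

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Equivalent of: manage-bde -on C: -SkipHardwareTest -RecoveryPassword
    Enable-BitLocker -MountPoint $Drive -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    # Add a TPM protector so the OS drive unlocks without a recovery prompt
    # at every boot (the blue recovery screen the thread's author hit).
    Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
}

# Equivalent of: manage-bde -protectors -adbackup C: -id {recoveryGUID}
# Back up every recovery-password protector, not just the first one found.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) { throw "No recovery password protector on $Drive." }
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Escrowed recovery protector $($p.KeyProtectorId) to AD."
}

# Optional check from a management host with RSAT: list the escrowed objects
# under this computer's account (assumes the ActiveDirectory module).
#   $dn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
#   Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
#       -SearchBase $dn -Properties msFVE-RecoveryPassword
```

    Encryption still takes the hours the thread mentions on a full disk; the escrow step only needs the protector to exist, so it completes as soon as the protectors are created.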
  • Thanks Dan. This helps.

    Monday, August 15, 2016 10:43 PM
  • You could even just add that as a group policy when you domain join them.

    Tuesday, August 16, 2016 12:23 AM