  1. #1
    clareq

    Bitlocker within OSD

    I'm attempting to get bitlocker to work within a task sequence. I've tested that the machine will bitlocker manually, and then hit my first issue - once a machine is "bitlockered" how do you rebuild it? I'm getting an error at the beginning of the task sequence, as there is no room for any files to write to the c drive. It's not even hitting my "disable bitlocker" task. I've used diskpart to wipe the drive for my testing, but we can't do that in production. Is there a way of automatically running a diskpart script before the task sequence is started?

  2. #2
    clareq
    OK, I'm putting that aside for the minute. I can bitlocker manually but running it within the task sequence doesn't seem to work. I'm going round in circles now. Does anyone know of a working guide to enabling bitlocker during OSD for any model of laptop? (I can see guides which point to a Dell utility for Dell laptops, but we have a mixture of models.)

  3. #3

    SYNACK
    Last edited by SYNACK; 25th June 2014 at 03:19 PM.

  4. Thanks to SYNACK from:

    TheScarfedOne (3rd July 2014)

  5. #4
    clareq
    I've looked at that, but it appears to be for SCCM 2007 - I'm using 2012, and so can't get the task sequence to import, so I can see exactly how he's done it.

  6. #5

    SYNACK
    You can read the XML in the zip from the second blog raw and get a good idea; the sequence does all the formatting, then installs the OS and only enables bitlocker just before the first restart.

  7. Thanks to SYNACK from:

    TheScarfedOne (10th July 2014)

  8. #6
    clareq
    That's how I set it up the first time. Bitlocker enabled itself, but suspended. When I tried to manually enable I got an error message about not being able to delete all keys. I don't remember it exactly, I'm afraid.

  9. #7


    @clareq What make / model are your PCs?

    I have Bitlocker working in SCCM 2012 with some E-Series Dell Latitudes. Most of the steps use the CCTK to modify the TPM though, so it probably won't be of much help if you do not have Dells.

  10. #8
    clareq
    We have Dell, Samsung, Lenovo, Ergo and Toshiba!

  11. #9
    Sam_Brown
    I've set our Stone Laptops to bitlocker through SCCM 2012 at build time.

    I have a "Set Reg for BitLocker" step in our Task Sequence which runs the command:

    reg.exe ADD HKLM\Software\Policies\Microsoft\TPM /v RequireActiveDirectoryBackup /t REG_DWORD /d "1" /f

    Then the next step is the standard "Enable BitLocker" step which we've set to "TPM and PIN" and store the key in "ADDS".

    We also have it set to wait for it to complete the encryption before finishing.

    I seem to remember some of our SSDs having issues encrypting and needing to alter the partitioning of the disks slightly to get it working and another case where it wasn't keeping the correct drive letter with some laptops that was causing an issue as well.
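
    A post-build check for the sequence described in the post above, written as an added example (it is not part of the original post or anyone's task sequence). It assumes Windows 8 / Server 2012 or later for the BitLocker PowerShell module and that the OS volume is C:; it could run as a final "Run Command Line" step so the build fails if BitLocker ended up unencrypted or suspended.

```powershell
# Added example: verify the result of the "Set Reg for BitLocker" and
# "Enable BitLocker" steps. Assumptions: BitLocker PowerShell module is
# available (Windows 8 / Server 2012+), OS volume is C:.
$mount    = 'C:'
$problems = @()

# 1. The policy value written by the reg.exe step.
$policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\TPM' `
                           -Name RequireActiveDirectoryBackup `
                           -ErrorAction SilentlyContinue
if (-not $policy -or $policy.RequireActiveDirectoryBackup -ne 1) {
    $problems += 'RequireActiveDirectoryBackup is not set to 1'
}

# 2. Volume state after the "Enable BitLocker" step.
$vol = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $problems += "Volume status is $($vol.VolumeStatus) " +
                 "($($vol.EncryptionPercentage)% encrypted)"
}

# An encrypted volume with protection off is the "enabled but suspended"
# state: the data is encrypted but the key is not being protected.
if ($vol.ProtectionStatus -ne 'On') {
    $problems += 'Protection is off or suspended'
}

# 3. Key protectors: "TPM and PIN" plus a recovery password that can be
#    escrowed. This only checks the protector exists locally; it does not
#    query the directory for the backed-up copy.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($types -notcontains 'TpmPin') {
    $problems += "No TpmPin protector (found: $($types -join ', '))"
}
if ($types -notcontains 'RecoveryPassword') {
    $problems += 'No RecoveryPassword protector to back up'
}

# Non-zero exit code makes the task sequence step fail visibly.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "BitLocker on $mount is fully encrypted and protected."
exit 0
```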

  12. #10
    clareq
    Thank you @Sam_Brown. I've shelved bitlocker for the moment - we can run bitlocker manually at deployment if necessary. Once I've finished the rest of my list of jobs I'll revisit it, and certainly take a look at your suggestion. I've also looked at MDOP and MBAM (I'm sure they're on the Flintstones!) and we might try using that to manage bitlocker. I have a little time to sort this out.

  13. #11


    Originally posted by clareq: "We have Dell, Samsung, Lenovo, Ergo and Toshiba!"

    I can post the task sequence steps I use for encrypting our Dells at some point if you'd find that helpful?

  14. #12
    clareq
    Thank you @Arthur. That would be appreciated.

  15. #13
    TheScarfedOne
    Hi all, sorry, late to this thread. I'm now using SCCM 2012 R2 and still using the same. I will export the ts again tomorrow so that you will be able to use it. Have you got the supporting files...

  16. #14
    clareq
    I believe so.

  17. #15

    Sorry for the bump.

    Just to let you know, I've ended up not bothering with the BitLocker pre-provisioning in SCCM, rather I deployed MBAM today to a couple of test devices (W8.1, one with TPM and one without) and it seems to have been successful. I'll be looking at rolling this out to our staff soon... a bit overkill for the amount of laptops we have but heyho!

  18. Thanks to Blue_Cookeh from:

    TheScarfedOne (10th July 2014)
