MDT 2010 supports encrypting disks with BitLocker during deployment. This is configured in the Task Sequence using the following:
This works for the Operating System Drive. If configuration of Bitlocker is tried on additional drives, the deployment fails. When the logs are examined it appears that the encryption of the operating system using the TPM has been tried a second time. This is because some of the Task Sequence variables that the ZTIBDE.WSF script contain values from encrypting the first drive.
Here are the steps to work around the issue:
- Add a Set Task Sequence variable step to set BDEINSTALL=KEY.
Add a Set Task Sequence variable step to set OSDBitlockerTargetDrive to the drive letter to be encrypted (D: in this case).
- Finally, add an Enable BitLocker step for the second partition. Configure this for the second partition (D: in this case)
With theses additions to the task sequence, the C: drive is protected by the TPM and the D: drive will be protected by a key and will be autounlocked when the system boots.
There is one additional issue with encrypting additional drives. ZTIBDE.WSF does not implement the wait for BitLocker to complete on all drives before continuing the task sequence execution for additional drives. Working around this issue requires editing the ZTIBDE.WSF Script.
- Move line 68 (Dim sOSDBitLockerWaitForEncryption ) to line 47 and change Dim to Public. (Public sOSDBitLockerWaitForEncryption)
- Copy the following lines starting at line 439 and past it at line 506:
If sOSDBitLockerWaitForEncryption = "TRUE" Then
oLogging.CreateEntry "Begining the wait for drive encryption to complete. This can take a signifigant amount of time.", LogTypeInfo
This post was contributed by David Hornbaker a Senior Consultant with Microsoft Services - U.S. East Region.