MDT 2010 supports encrypting disks with BitLocker during deployment. This is configured in the Task Sequence using the following:
This works for the Operating System Drive. If BitLocker configuration is attempted on additional drives, the deployment fails. When the logs are examined, it appears that encryption of the operating system drive using the TPM has been attempted a second time. This is because some of the Task Sequence variables that the ZTIBDE.WSF script uses still contain values left over from encrypting the first drive.
Here are the steps to work around the issue:
With these additions to the task sequence, the C: drive is protected by the TPM and the D: drive is protected by a key and is auto-unlocked when the system boots.
There is one additional issue with encrypting additional drives. ZTIBDE.WSF does not wait for BitLocker to finish encrypting a drive before the task sequence continues on to the additional drives. Working around this issue requires editing the ZTIBDE.WSF script. The relevant block in ZTIBDE.WSF is:

If sOSDBitLockerWaitForEncryption = "TRUE" Then
    oLogging.CreateEntry "Begining the wait for drive encryption to complete. This can take a signifigant amount of time.", LogTypeInfo
    WaitForEncryptionCompletion
End If
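The following is an added example, not code from the original post and not part of MDT's ZTIBDE.WSF. It shows the wait that the script is missing, written as a stand-alone PowerShell step that polls the Win32_EncryptableVolume WMI class (the same class ZTIBDE.WSF uses) until each drive reports FullyEncrypted, and fails the step if a drive was never started, is paused, or the timeout expires. It assumes it runs elevated on a Windows host with the BitLocker WMI provider present; the drive letters C: and D:, the poll interval and the timeout are assumed values.

```powershell
# Added example, not part of the original post or of MDT's ZTIBDE.wsf.
# Waits for BitLocker to finish on each listed drive before the task
# sequence moves on, using Win32_EncryptableVolume (the WMI class the
# MDT script itself uses). Assumes it runs elevated on a Windows host
# with the BitLocker WMI provider; run it before the step that encrypts
# the next drive.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# ConversionStatus values returned by Win32_EncryptableVolume.GetConversionStatus
$ConversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Get-VolumeConversion {
    # Returns drive letter, conversion state name, percent encrypted and
    # protection status (0 = protectors off, 1 = on, 2 = unknown) for one drive.
    param([Parameter(Mandatory = $true)][string]$DriveLetter)   # e.g. 'D:'

    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
    if ($null -eq $vol) { throw "No encryptable volume found for $DriveLetter" }

    $r = $vol.GetConversionStatus()
    if ($r.ReturnValue -ne 0) {
        throw ('GetConversionStatus failed for {0}: 0x{1:X8}' -f $DriveLetter, $r.ReturnValue)
    }
    New-Object PSObject -Property @{
        Drive      = $DriveLetter
        Status     = $ConversionNames[[int]$r.ConversionStatus]
        Percent    = [int]$r.EncryptionPercentage
        Protection = [int]$vol.ProtectionStatus
    }
}

function Wait-ForEncryption {
    # Blocks until every drive in $Drives reports FullyEncrypted. Fails fast
    # (non-zero exit for the task sequence) if a drive was never started,
    # is paused, or the overall timeout is exceeded.
    param(
        [string[]]$Drives = @('C:', 'D:'),   # assumed drive letters, as in the post
        [int]$PollSeconds = 30,              # assumed poll interval
        [int]$TimeoutMinutes = 240           # assumed upper bound for a full-disk encrypt
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    foreach ($d in $Drives) {
        while ($true) {
            $s = Get-VolumeConversion -DriveLetter $d
            Write-Host ('{0} {1} {2}% (protection={3})' -f $s.Drive, $s.Status, $s.Percent, $s.Protection)
            if ($s.Status -eq 'FullyEncrypted') { break }
            if ($s.Status -ne 'EncryptionInProgress') {
                # FullyDecrypted here means encryption was never started on this drive;
                # EncryptionPaused means it will never reach 100% on its own.
                throw "Drive $d is in state '$($s.Status)', not encrypting; aborting"
            }
            if ((Get-Date) -gt $deadline) {
                throw "Timed out after $TimeoutMinutes minutes waiting for $d"
            }
            Start-Sleep -Seconds $PollSeconds
        }
    }
}

try {
    # Wait for the OS drive only, so this step sits between the C: and D: encryption steps.
    Wait-ForEncryption -Drives @('C:')
    exit 0
} catch {
    Write-Host "ERROR: $_"
    exit 1
}
```

Used as a Run Command Line step (for example `powershell.exe -ExecutionPolicy Bypass -File Wait-ForEncryption.ps1`), the non-zero exit code stops the task sequence at this point rather than letting the next drive's encryption start while the first is still running, which is the symptom the post and the comment below describe.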
This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.
MDT is still not waiting for encryption of c:\ drive.
MDT immediately wants to start the encryption of my d:\ drive.
FAILURE (6720): --2144272277 0x8031006B: Encrypt the drive.
Where's the problem?