The Deployment Guys

Helping to deploy your world automagically...

How to configure BitLocker on additional drives in a MDT 2010 deployment.


MDT 2010 supports encrypting disks with BitLocker during deployment. This is configured in the Task Sequence with the Enable BitLocker step:

[screenshot in the original post: the Enable BitLocker task sequence step]

This works for the Operating System Drive. If BitLocker is configured the same way for additional drives, the deployment fails. The logs show that encryption of the operating system drive with the TPM was attempted a second time: some of the Task Sequence variables that the ZTIBDE.WSF script reads still contain the values from encrypting the first drive.

Here are the steps to work around the issue:

  • Add a Set Task Sequence Variable step that sets BDEINSTALL=KEY.

[screenshot in the original post: Set Task Sequence Variable step, BDEINSTALL=KEY]

  • Add a Set Task Sequence Variable step that sets OSDBitlockerTargetDrive to the drive letter to be encrypted (D: in this case).

[screenshot in the original post: Set Task Sequence Variable step, OSDBitlockerTargetDrive=D:]

  • Finally, add a second Enable BitLocker step, configured for the second partition (D: in this case).

[screenshot in the original post: Enable BitLocker step for the D: partition]

With these additions to the task sequence, the C: drive is protected by the TPM and the D: drive is protected by a key and is auto-unlocked when the system boots.

There is one additional issue with encrypting additional drives. ZTIBDE.WSF does not wait for BitLocker to finish encrypting before it continues the task sequence for the additional drives. Working around this requires editing the ZTIBDE.WSF script. The line numbers below refer to the ZTIBDE.WSF shipped with MDT 2010; check that the lines at those positions match before editing.

  1. Move line 68 (Dim sOSDBitLockerWaitForEncryption) to line 47 and change Dim to Public (Public sOSDBitLockerWaitForEncryption). Declared Public at script level, the variable is visible in the function where the second wait is added.
  2. Copy the following lines, starting at line 439, and paste them at line 506:

    If sOSDBitLockerWaitForEncryption = "TRUE" Then
        oLogging.CreateEntry "Beginning the wait for drive encryption to complete. This can take a significant amount of time.", LogTypeInfo
        WaitForEncryptionCompletion
    End If
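The two workarounds above (the extra task sequence variables and the ZTIBDE.WSF edit) leave no check that the deployed machine actually ends up in the state described: both drives fully encrypted, C: with a TPM protector, D: set to auto-unlock. The following PowerShell script is an added example and is not part of the original post, of MDT or of ZTIBDE.WSF. It can be run elevated on the deployed machine, for instance from a Run Command Line step placed after the last Enable BitLocker step, to perform the wait that ZTIBDE.WSF omits and then verify the protectors. It relies only on manage-bde.exe, which ships with BitLocker; the drive letters, poll interval and timeout are illustrative assumptions, and the parsing expects the English manage-bde output.

```powershell
# Added example, not from the original post or from MDT's ZTIBDE.WSF.
# Waits for BitLocker encryption to finish on the OS and data drives, then
# checks that the OS drive has a TPM protector and the data drive auto-unlocks.
# Assumptions: runs elevated, manage-bde.exe is on the PATH, English output.
param(
    [string]$OsDrive        = 'C:',   # assumption: OS drive letter
    [string]$DataDrive      = 'D:',   # assumption: second drive from the post
    [int]   $TimeoutMinutes = 120,    # assumption: how long to wait per drive
    [int]   $PollSeconds    = 30      # assumption: poll interval
)

function Get-BdeStatus {
    # Parse "manage-bde -status <drive>" into a hashtable. The output is one
    # "Name: Value" pair per line plus an indented list under "Key Protectors:".
    param([string]$Drive)
    $text = & manage-bde.exe -status $Drive 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Drive failed:`n$text" }
    $info = @{ KeyProtectors = @() }
    $inProtectors = $false
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*Key Protectors:') { $inProtectors = $true; continue }
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*?)\s*$') {
            # A new "Name: Value" pair ends the protector list.
            $inProtectors = $false
            $info[$Matches[1]] = $Matches[2]
        } elseif ($inProtectors -and $line.Trim()) {
            $info.KeyProtectors += $line.Trim()   # e.g. TPM, External Key, Numerical Password
        }
    }
    # "Percentage Encrypted" is "100%" on Windows 7 and "100.0%" on later versions;
    # only the integer part is needed to detect completion.
    $info.Percent = -1
    if ($info['Percentage Encrypted'] -match '(\d+)') { $info.Percent = [int]$Matches[1] }
    return $info
}

function Wait-BdeEncryption {
    # The wait that ZTIBDE.WSF skips for additional drives, done by polling manage-bde.
    param([string]$Drive, [int]$TimeoutMinutes, [int]$PollSeconds)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $s = Get-BdeStatus $Drive
        Write-Host ("{0} {1} ({2}%)" -f $Drive, $s['Conversion Status'], $s.Percent)
        if ($s.Percent -ge 100) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

$problems = @()

# 1. Wait for both drives to finish encrypting, in the order the task sequence encrypted them.
foreach ($d in @($OsDrive, $DataDrive)) {
    if (-not (Wait-BdeEncryption $d $TimeoutMinutes $PollSeconds)) {
        $problems += "$d did not finish encrypting within $TimeoutMinutes minutes"
    }
}

# 2. Verify the protector layout the deployment is supposed to produce.
$os   = Get-BdeStatus $OsDrive
$data = Get-BdeStatus $DataDrive

if (-not (@($os.KeyProtectors) -match '^TPM')) {
    $problems += "$OsDrive is not protected by the TPM (protectors: $($os.KeyProtectors -join ', '))"
}
if ($data['Automatic Unlock'] -ne 'Enabled') {
    $problems += "$DataDrive is not set to auto-unlock (Automatic Unlock: $($data['Automatic Unlock']))"
}
foreach ($pair in @(@($OsDrive, $os), @($DataDrive, $data))) {
    if ($pair[1]['Protection Status'] -ne 'Protection On') {
        $problems += "$($pair[0]) protection is not on (Protection Status: $($pair[1]['Protection Status']))"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # a non-zero exit code fails the task sequence step, so the problem is visible
}
Write-Host "BitLocker state verified: $OsDrive (TPM) and $DataDrive (auto-unlock) are fully encrypted."
exit 0
```

Run it as, for example, `powershell.exe -ExecutionPolicy Bypass -File Verify-BitLockerDrives.ps1 -OsDrive C: -DataDrive D:` (the file name is an assumption). Because the script exits non-zero when a drive is still encrypting after the timeout or the protectors are wrong, a Run Command Line step that calls it will fail rather than let the task sequence continue silently. On a localized Windows the manage-bde labels are translated, so the regular expressions would need the local strings.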

This post was contributed by David Hornbaker a Senior Consultant with Microsoft Services - U.S. East Region.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

  • Hi,

    MDT is still not waiting for encryption of c:\ drive.
    MDT immediately wants to start the encryption of my d:\ drive.

    Error Code:
    FAILURE (6720): --2144272277 0x8031006B: Encrypt the drive.

    Where's the problem?

    Thanks.
    Regards,
    Christian
