Enabling Bitlocker with an SCCM Task Sequence

The hardware and software requirements for BitLocker are:
  • A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
  • A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.
  • A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.
  • A BIOS setting to start up first from the hard drive, not the USB or CD drives.
  • BitLocker requires at least 2 disk partitions: one unencrypted partition and one or more encrypted partitions.
  • The unencrypted partition must be 150MB or larger.


Now, if you already have an existing task sequence, and in this scenario we will assume you do, there are a few steps that need to be edited. The first step to edit is the “Format and Partition Disk” task. In my case this step is called “Partition Disk 0”, which is also the default name if you created it using the task sequence wizard. You can choose to remove all volumes and recreate them or edit the existing ones. Whichever you choose, your task sequence step should look like the below.

1. Partition 1
  • Partition name: This can be anything you choose. In my case I just named it BootDrive.
  • Partition options: Use a specific size of at least 150MB. I used 300MB because it is a common standard.
  • Make this the boot partition: Checked.
  • Formatting options: File system = NTFS. Quick format = checked (You can choose not to check this option, but without it your format process can be incredibly slow depending on your hard drive size).
  • Variable: BDEPART (This can also be whatever you want).

Once you are finished with this part, your partition screen should look like this:


2. Partition 2
  • Partition name: This can be anything you choose. In my case I just named it OSDrive.
  • Partition options: Use a percentage of remaining free space; size(%) = 100. Again, you can change this depending on how many partitions you want to end up with.
  • Make this the boot partition: Greyed out.
  • Formatting options: File system = NTFS. Quick format = checked (You can choose not to check this option, but without it your format process can be incredibly slow depending on your hard drive size).
  • Variable: OSPART (This can also be whatever you want; however, it is incredibly important to remember it because you are going to reference it later).

Once you are finished with this part, your partition screen should look like this:


Figure 2: OS Drive

Once you are finished with both of these sections, your final product for this section should look like this:


Figure 3: Partition Final

The next step requires you to move to the “Apply Operating System” step in your task sequence. This is the step where you need to reference the variable name that you entered for Partition 2 (Figure 2). What you need to do is change the destination location where the operating system image will be applied.
All fields in this step can remain at their defaults with the exception of the 2 fields underneath “Select the location where you want to apply the operating system”. Edit those 2 fields to match:
  • Destination:     Logical drive letter stored in a variable.
  • Variable name: OSPART (This is the part where you will enter the variable from the above figure).
Once you are finished with this part, your screen should look like this:
Figure 4: Apply OS
The last question I get asked many times is where to place the final step of enabling BitLocker. The logical location is at the very end of the task sequence, as seen in the above figure. I recommend that inside that final step you leave the check box “Wait for the Bitlocker drive encryption process to complete on all drives before continuing task sequence execution” unchecked, especially when the step is placed at the very end. This allows the task sequence to complete while the machine continues the encryption process in the background.
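Because the encryption is left running after the task sequence finishes, it is worth verifying on the deployed machine that the requirements listed at the top of this post are actually met and that the OS volume is encrypting with a TPM protector. The following script is an added example, not part of the original post or of SCCM itself; it uses only the WMI classes that exist on Windows 7 / Server 2008 R2 and assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): post-deployment BitLocker check.
# Uses WMI classes available on Windows 7 / Server 2008 R2. Run elevated.

$MinSystemPartitionMB = 150   # minimum unencrypted partition size from the post

function Test-TpmReady {
    # Win32_Tpm exists only when a TPM is present; both flags must be true.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

function Get-SystemPartitionMB {
    # The boot (system) partition stays unencrypted; confirm it meets the minimum.
    $part = Get-WmiObject Win32_DiskPartition |
            Where-Object { $_.BootPartition } | Select-Object -First 1
    if (-not $part) { return 0 }
    return [math]::Floor($part.Size / 1MB)
}

function Get-OsVolumeBitLockerState {
    # Win32_EncryptableVolume exposes protection, conversion and protector info.
    $sysDrive = $env:SystemDrive
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $sysDrive }
    if (-not $vol) { return $null }
    $conv  = $vol.GetConversionStatus()   # ConversionStatus 2 = encryption in progress
    $types = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $types += $vol.GetKeyProtectorType($id).KeyProtectorType
    }
    New-Object PSObject -Property @{
        Drive            = $sysDrive
        ProtectionOn     = ($vol.ProtectionStatus -eq 1)
        ConversionStatus = $conv.ConversionStatus
        PercentDone      = $conv.EncryptionPercentage
        HasTpmProtector  = ($types -contains 1)   # 1 = TPM protector
        HasRecoveryPwd   = ($types -contains 3)   # 3 = numerical (recovery) password
    }
}

"TPM enabled and activated: $(Test-TpmReady)"
"System partition (MB):     $(Get-SystemPartitionMB) (minimum $MinSystemPartitionMB)"
Get-OsVolumeBitLockerState | Format-List
```

A ConversionStatus of 2 with PercentDone climbing on successive runs is the expected state shortly after the task sequence completes; a missing recovery password protector is worth flagging before the machine leaves the build area.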
I do want you all to keep in mind that this is just a basic configuration of Bitlocker. There are some other action variables that can be included. Some of those variables can be found at the below link:
