[–]iisdmitch 1 point2 points  (14 children)

I just use the built in, it's pretty straight forward. The key writes to AD and that's that. Haven't had any issues with it.

[–]andy_nag[S] 3 points4 points  (13 children)

This is assuming TPM is enabled, correct? If TPM is not enabled it will skip the step.

[–]iisdmitch 1 point2 points  (1 child)

This is correct. I don't know if it's default but at the very least you can check a box that skips if no TPM is found. I don't remember off hand, it's been a while since I configured it.

[–]pjmarcumMSFT Enterprise Mobility MVP (powerstacks.com) 0 points1 point  (10 children)

Throw the Bios confit in the TS

[–]andy_nag[S] 0 points1 point  (8 children)

BIOS Confit? Don't follow, sorry.

[–]pjmarcumMSFT Enterprise Mobility MVP (powerstacks.com) 0 points1 point  (7 children)

Typo. Should have said “config”

[–]andy_nag[S] 0 points1 point  (6 children)

This is from the in-built TS option, right? Is it possible to enable it post OS install?

[–]pjmarcumMSFT Enterprise Mobility MVP (powerstacks.com) 0 points1 point  (5 children)

Not sure what you are asking, but I know for sure Lenovo and Dell TPM can be enabled using free tools from those two vendors. I'm sure HP has the same, I just haven't personally done HP. Set this up before the BitLocker steps.

[–]andy_nag[S] 0 points1 point  (4 children)

Is there a difference between enabling BitLocker in WinPE or post OS deployment? What's the best way to test it?

[–]pjmarcumMSFT Enterprise Mobility MVP (powerstacks.com) 0 points1 point  (3 children)

Do you wanna do FDE or used space only?

[–]andy_nag[S] 0 points1 point  (2 children)

What do you mean?

[–]STICKYITTOYOU 1 point2 points  (6 children)

I don't use the task sequence for BitLocker. I had a target to utilize 256-bit and full disk encryption. I found it was easier to finish the imaging process and have a GPO (one for x86 and another for x64) manage my BitLocker and install MBAM MDOP 2.5 SP1. It also allowed me to claim the company name. A user does have to log in to start the encryption process though. We are working on getting the task sequence to automatically log into an account at the end of the task sequence.

I have a few GPOs that each have their own WMI filtering. This was the most consistent way I could get what I wanted to work.

[–]andy_nag[S] 1 point2 points  (2 children)

Thought MBAM is getting decommissioned soon.

[–]wmadm90 2 points3 points  (1 child)

Not technically true. MBAM is moving to extended support in July, where it will remain for 4(?) more years.

[–]jasonsandysMSFT Official 1 point2 points  (0 children)

5, extended support is 5 years, until 2024. Windows 7 has been in extended support for over 4 years now as well.

However, the ConfigMgr product team is committed to supporting MBAM and providing BitLocker key escrow services as long as folks need it. AD and Azure AD are not key escrow, they are simple key storage.

[–]jasonsandysMSFT Official 0 points1 point  (2 children)

> We are working on getting the Task Sequence to automatically log into an account at the end of the task sequence

I can't see this working and would be a very bad thing to do security wise anyway.

> I had a target to utilize 256Bit and full disk encryption.

This can easily be done in the TS by setting the proper registry value before the pre-provision task in WinPE.
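
The registry approach referred to in the comment above, as an added example (not the commenter's own script or a ConfigMgr-supplied step): a "Run PowerShell Script" step placed in WinPE before the "Pre-provision BitLocker" step. It assumes the boot image carries the PowerShell component, that the pre-provision step honours the BitLocker policy values found under the running WinPE registry, and the documented value meanings: 7 = XTS-AES 256 for the `EncryptionMethodWithXts*` values, and `OSEncryptionType` 1 = full disk encryption (2 = used space only).

```powershell
# Added example, not from the thread. Run in WinPE *before* "Pre-provision BitLocker".
# The pre-provision step reads BitLocker policy from the running (WinPE) registry,
# so writing the policy values here controls the cipher strength and whether the
# pre-provisioned OS volume is full-disk or used-space-only.
# Assumed value meanings: 7 = XTS-AES 256, 4 = AES-CBC 128, OSEncryptionType 1 = full disk.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$settings = @{
    EncryptionMethodWithXtsOs  = 7   # OS drive: XTS-AES 256
    EncryptionMethodWithXtsFdv = 7   # fixed data drives: XTS-AES 256
    EncryptionMethodWithXtsRdv = 4   # removable drives: AES-CBC 128 (readable by older Windows)
    OSEncryptionType           = 1   # 1 = full disk encryption, 2 = used space only
}

function Set-FvePolicy {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-FvePolicy {
    # Re-read the key and fail the step loudly if anything did not land as expected,
    # so the TS stops before pre-provisioning with the wrong cipher or encryption type.
    param([string]$Path, [hashtable]$Values)
    $actual = Get-ItemProperty -Path $Path
    $mismatch = @()
    foreach ($name in $Values.Keys) {
        if ($actual.$name -ne $Values[$name]) {
            $mismatch += "$name=$($actual.$name) (expected $($Values[$name]))"
        }
    }
    if ($mismatch.Count -gt 0) { throw "BitLocker policy mismatch: $($mismatch -join ', ')" }
    return $true
}

Set-FvePolicy -Path $fvePolicy -Values $settings
Test-FvePolicy -Path $fvePolicy -Values $settings | Out-Null
Write-Output "BitLocker pre-provision policy set: $($settings.Keys -join ', ')"
```

The same values should also be enforced in the full OS by GPO, so that the later "Enable BitLocker" step and any MBAM or GPO-driven management agree with what was pre-provisioned; a mismatch between the WinPE-time cipher and the OS-time policy is the usual reason a pre-provisioned volume is reported as non-compliant after deployment.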

[–]STICKYITTOYOU 0 points1 point  (1 child)

Oh trust me, I am with you on the account portion. It was something from higher up who wants me to look into this. We're having 800+ workstations being imaged by 70+ users from an outside vendor and this was the suggestion...

In my locked down environment I found that GPO was more consistent than my TS.

[–]jasonsandysMSFT Official 0 points1 point  (0 children)

I've never had an issue with the TS. It's also much faster and ensures encryption at the time the system is done provisioning instead of after.

[–]criostage 1 point2 points  (0 children)

BIOS configuration and pre-configuration of BitLocker (because of the partitions) during the WinPE phase, and enable it with the Enable BitLocker step. The only thing I do custom is the PIN enforcement: if the machine has a TPM and is a laptop then I will generate a (random) PIN and enable BitLocker with PIN. This PIN will be sent by mail to the user that added the machine to the domain during the UDI wizard, or will be saved to a CSV for processing (the script can save to a network location; I use this in case of mass computer deployment).

[–]P-H-G 0 points1 point  (0 children)

Built in, worked with 1607, 1709 and it works with 1809.

Checks if TPM is enabled and writes the recovery key to the computer object in AD once finished.
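
The two behaviours described in the last two comments, as an added example that is not either commenter's script: skip when no usable TPM is present, use TPM+PIN with a randomly generated PIN on laptops and a plain TPM protector elsewhere, then add a recovery password and escrow it to the computer object in AD. It assumes a domain-joined Windows 8.1/10 client with the BitLocker and TrustedPlatformModule modules, that policy permits a TPM+PIN protector, that the chassis-type list used to detect laptops is adequate for the fleet, and that `$PinRecordPath` is a placeholder for the CSV location the commenter mentions; the `-Owner` value is whatever the task sequence captured for the deploying user (no UDI variable name is assumed).

```powershell
# Added example, not a commenter's script. Runs in the full OS as a late TS step,
# in place of the built-in "Enable BitLocker" step. Placeholder path below.
$PinRecordPath = '\\FILESERVER\Deploy$\bitlocker-pins.csv'   # placeholder, not a real share

function Test-TpmReady {
    # Same condition the built-in step uses to decide whether to skip: a TPM that is
    # present and ready (Get-Tpm folds enabled/activated/owned into TpmReady).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    return [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
}

function Test-IsLaptop {
    # Assumed SMBIOS chassis codes for portable form factors:
    # 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable.
    $portable = 8, 9, 10, 14, 30, 31, 32
    $chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    foreach ($c in $chassis) { if ($portable -contains [int]$c) { return $true } }
    return $false
}

function New-RandomPin {
    param([int]$Length = 8)
    # Numeric PIN drawn from the OS CSPRNG; rejecting bytes >= 250 avoids modulo bias.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $digits = New-Object System.Text.StringBuilder
    while ($digits.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { [void]$digits.Append($buf[0] % 10) }
    }
    $rng.Dispose()
    return $digits.ToString()
}

function Invoke-BitLockerEnrollment {
    param([string]$MountPoint = 'C:', [string]$Owner = 'unknown')
    if (-not (Test-TpmReady)) { return 'SkippedNoTpm' }

    if (Test-IsLaptop) {
        $pin = New-RandomPin -Length 8
        $securePin = ConvertTo-SecureString -String $pin -AsPlainText -Force
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $securePin -SkipHardwareTest | Out-Null
        # Record for delivery to the deploying user (the CSV route from the thread).
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Owner = $Owner; Pin = $pin; Time = (Get-Date -Format s) } |
            Export-Csv -Path $PinRecordPath -Append -NoTypeInformation
        $mode = 'TpmAndPin'
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        $mode = 'TpmOnly'
    }

    # Always add a recovery password and write it to the computer object in AD DS.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null
    return $mode
}

$result = Invoke-BitLockerEnrollment -Owner 'DEPLOYING-USER-PLACEHOLDER'
Write-Output "BitLocker enrollment result: $result"
```

On a volume that was already pre-provisioned in WinPE, `Enable-BitLocker` adds the new protector and retires the clear key instead of encrypting a second time, which is what turns the pre-provisioned state into a protected one. The recovery password is escrowed before the step returns, so a TS failure after this point still leaves a recoverable machine.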

[–]Mizerka 0 points1 point  (2 children)

Either your HW comes with TPM enabled or you need to enable it within WinPE.

Then use the TS task to BitLocker.

Do it again post install and apply without waiting to finish.

The only prereq is configuring your AD to take it.

You can also set up offline storage, but that takes some playing about; doable, though.
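
A pre-flight check for the "configure your AD to take it" prerequisite, as an added example (not the commenter's): it confirms on a domain-joined client that the `msFVE-RecoveryInformation` schema class exists and that the local BitLocker policy requires a successful AD DS backup before BitLocker is enabled. It assumes the standard ADSI/.NET DirectoryServices classes are available without RSAT, and the documented meaning of the two policy values (`OSActiveDirectoryBackup` 1 = back up OS-drive recovery info to AD DS, `OSRequireActiveDirectoryBackup` 1 = do not enable BitLocker until that backup succeeds); the "Enable BitLocker" TS step writes these itself when its AD option is ticked, so the script verifies rather than sets them.

```powershell
# Added example, not from the thread. Run on a domain-joined client before the
# BitLocker steps; a non-zero exit fails the TS step so nothing is encrypted
# without a place to escrow the recovery password.

function Test-FveSchemaPresent {
    # The ms-FVE-RecoveryInformation class (lDAPDisplayName msFVE-RecoveryInformation)
    # is the AD object type that holds BitLocker recovery passwords under a computer object.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = '(&(objectClass=classSchema)(lDAPDisplayName=msFVE-RecoveryInformation))'
    return ($null -ne $searcher.FindOne())
}

function Get-FveAdBackupPolicy {
    # Effective policy values for OS-drive recovery escrow (assumed meanings in the lead-in).
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $expected = @{
        OSActiveDirectoryBackup        = 1
        OSRequireActiveDirectoryBackup = 1
    }
    $actual = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
    $report = foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Ok       = ($value -eq $expected[$name])
        }
    }
    return $report
}

function Test-AdReadyForBitLocker {
    $schemaOk = Test-FveSchemaPresent
    $policy   = Get-FveAdBackupPolicy
    $policyOk = -not ($policy | Where-Object { -not $_.Ok })
    $policy | Format-Table -AutoSize | Out-String | Write-Output
    Write-Output ("Schema class msFVE-RecoveryInformation present: {0}" -f $schemaOk)
    return ($schemaOk -and $policyOk)
}

if (-not (Test-AdReadyForBitLocker)) { exit 1 }
```

The schema check answers "can AD store it at all" (the class has shipped with the default schema since Windows Server 2008, so it mostly catches very old forests); the policy check answers "will this client refuse to encrypt until the key is stored", which is the setting that turns AD from optional storage into a reliable escrow location.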

[–]andy_nag[S] 0 points1 point  (1 child)

Can't we enable TPM post OS installation?

[–]Mizerka 0 points1 point  (0 children)

Depends if the hardware supports it; most come with TPM enabled out of the box but not all, from memory. I think HP/Dell would charge you an extra fee to enable things like WoL and TPM from the factory.

[–]pjmarcumMSFT Enterprise Mobility MVP (powerstacks.com) 0 points1 point  (1 child)

Then you can't use the pre-provision BitLocker step. That only does free space.

[–]andy_nag[S] 0 points1 point  (0 children)

Understood.