Your browser (Internet Explorer 6) is out of date. It has known security flaws and may not display all features of this and other websites. Learn how to update your browser.

Using MBAM to start BitLocker Encryption in a Task Sequence

The Deployment Guys have a nice new post on using the Microsoft Bitlocker Administration and Monitoring tool.

Read the full post here.

Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise.  More information on MBAM can be found here.

BitLocker creates recovery information at the time of encryption and MBAM stores that information in the recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process.  MBAM Encryption is controlled by Group Policy.  Group Policy is not applied during a SCCM Task Sequence.  It is possible to have MBAM start encryption during the task sequence, the techniques are described in the following whitepaper Using MBAM Data Encryption With MDT


USMT 4.0, Hardlink and Bitlocker in SCCM OSD

Michael Petersen has a really nice post on USMT 4, Hardlink and Bitlocker over on his blog. 

Read his full post here.

I’m often asked if its possible to use the USMT 4.0 hardlinking (keep backup file on the OS Disk), in combination with bitlocker..

I guess the reason for the question is, that one might think!

  • How can I do a backup of a machine, and keep the files on the encrypted drive, and then be able to reinstall that same drive with a new OS, ginning access to the backup that was on the encrypted drive?
  • How do I stage WinPE on the Bitlocked disk, and then gain access to that same disk for the OS installation part when inside WinPE.Or at least something like that?

The thing is, that not only is it possible, it will also save you the time it takes to encrypt the drive again, because, even though a new OS is applied to the disk, the encryption is still in effect…


Check to see if the TPM is enabled

Great post over on The Deployment Guys by Tim Mintner. 

Hey Everyone!

I recently worked on a project where we were enabling the TPM chip prior to enabling Bitlocker through the task sequence.  One thing that we wanted to do was to check to see if the TPM was already enabled and activated prior to running the BIOS configuration tool to enable the TPM.  The built in MDT script (ztibde.wsf) does this check however it will fail the script and generate an error and exit the task sequence if the TPM is not already enabled so I decided to modify that script slightly and use the new script to set two variables TPMEnabled and TPMActivated so I could use those as conditions on other steps in the task sequence.

Read the full post here.