Jump to content


Elscorpio

SCCM 2012 SP1 - Bitlocker encryption task sequence best practice

Recommended Posts

Hi

 

Im wondering if anyone in here has some experience in deploying Bitlocker encryption from a SCCM task sequence?

 

The steps in my task sequence have each been tested ok, want to make sure that it assigns the group policy that makes it required to save the Bitlocker recovery key in the AD under computer properties.

 

I want to make sure it continues from Step 5 after it completes Step 4 (see my attached screenshots).

 

The script source is this one:

http://gallery.technet.microsoft.com/780d167f-2d57-4eb7-bd18-84c5293d93e3#content

 

I have seen on test runs that this .vbs script will force a restart of the laptop, if the TPM chip is not activated outside Windows.

 

Any good advice or best practice to this is appreciated.

 

It is around 400 Lenovo laptops that needs to have Bitlocker encryption on in our enterprise, the oldest we have is the T60/T61 model and the newest is the T440 and X240 from last year.

 

PS Is there also a best practice for getting this to work in an OS Deployment TS ? So far the one Microsoft have by default in SCCM doesn't work as automatic as I want it to be

post-19256-0-39996700-1411724827_thumb.jpg

post-19256-0-90104600-1411724840_thumb.jpg

post-19256-0-02889800-1411725671_thumb.jpg

post-19256-0-94916600-1411725678_thumb.jpg

post-19256-0-94626000-1411725689_thumb.jpg

post-19256-0-91842200-1411725697_thumb.jpg

post-19256-0-20198800-1411725711_thumb.jpg

Share this post


Link to post
Share on other sites


 

have you seen the CM12 BitLocker FrontEnd HTA yet ?

 

 

 

Hi

 

I am going to try to use the script available here: http://www.niallbrady.com/2012/10/17/enabling-bitlocker-via-a-script-on-non-english-windows-7-installations-fails/

in my task sequence, it works under different language packs in Win7 if you remove "true" to true.

Share this post


Link to post
Share on other sites

In your TS you can use the Lenovo BIOS Config scripts to activate the TPM: http://support.lenovo.com/us/en/documents/ht100612

with this command line:

cscript.exe SetConfig.vbs SecurityChip Active

For Bitlocker we just use the standard step "Enable BitLocker" in our TS.

 

Note: If you want to wake up clients using WOL and in your BIOS-Config the Networkboot-order is set to LAN, the clients will ask for the Bitlocker key. We also added a step to change the order to HDD0. You can also use the Lenovo scripts to change it with the following command line:

cscript.exe SetConfig.vbs NetworkBoot HDD0

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...