If you missed the memo, BitLocker pre-provisioning allows disk encryption on the go. Once the hard drive is formatted, any data dropped on it is written and encrypted at the same time. This is a huge benefit, as you can get rid of the 2-5 hour post-install encryption phase.
In a full BitLocker process, TPM, password complexity, recovery keys and a bunch of other stuff are set during the deployment. In a pre-provisioning only scenario, the disk is encrypted with a readable password, and the rest of the configuration occurs… later (when the BitLocker project officially starts, to give you some real-world context!!)
MDT has supported this feature since Windows 8, but only if you go through the full BitLocker process. It's not very clear whether the feature has ever worked in a pre-provisioning only scenario, but there is evidence in Keith's post (link no longer working) that it was on the roadmap.
So, to make this feature work, all we need is a small modification to one of MDT's scripts! Let's do it:
Go to your deployment share's folder and edit .\Scripts\ZTIBde.wsf
Locate line 95:
and add the following condition right after it:
If UCase(oEnvironment.Item("BdeInstallSuppress")) <> "PREINSTALL" Then
Then add a closing End If right after line 99. Your code should now look like this:
Save the file, and open the MDT console to edit the deployment rules:
Right-click on your deployment share, click Properties, then select the Rules tab in the Properties window.
Under the [default] section, add the following property: BdeInstallSuppress=PreInstall
Your rules should now look like this:
Click the Save button once done. Go to your task sequence and add a condition to the execution of the final BitLocker step:
Expand the State Restore section, select the Enable BitLocker step and click on the Options tab.
There is already a condition like "Task sequence variable BdeInstallSuppress not equals YES". Two more conditions should be added (use the Add button):
- An If statement like "If all conditions are true"
- A task sequence variable condition like "Task sequence variable BdeInstallSuppress not equals PREINSTALL"
The configuration is now finished; let's see how it works during a deployment:
ZTIBDE.wsf is executed twice during a standard task sequence. The first run occurs in WinPE, after the hard drive is formatted; this step is located in the PreInstall phase of the task sequence, and it is where pre-provisioning will be enabled.
We can review ZTIBDE.log to read more details on what is going on behind the scenes:
Once the TPM is validated, the OS disk is selected for pre-encryption. After the function is activated, the variable IsBDEPreProvisioned is set to True.
Finally, after the deployment, you can check that your drive icon now shows both a warning and a padlock icon. This is the sign that pre-provisioning worked successfully.
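Checking the drive icon by hand does not scale, and a pre-provisioned volume that never receives the full BitLocker configuration is encrypted with a clear key only, so it offers no real protection until TPM and recovery protectors are added. The following PowerShell audit is an added example, not part of the original post or of MDT; it assumes the built-in BitLocker module (Get-BitLockerVolume, Windows 8 / Server 2012 and later) and is meant to run as a script, for instance as a post-deployment gate.

```powershell
# Added example (not from the original post): audit BitLocker state after an MDT
# deployment to confirm pre-provisioning happened and to flag volumes that are
# still sitting in the pre-provisioned (encrypted but unprotected) state.
# Assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012+).

function Get-BdeProvisioningState {
    [CmdletBinding()]
    param(
        # Defaults to the volume holding the running OS, e.g. "C:".
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Classify. A pre-provisioned volume is encrypted (or still encrypting) but has
    # no TPM/PIN/recovery protectors and protection is Off: the key is stored in
    # the clear, which is why Windows shows the warning badge on the padlock.
    $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
             elseif ($vol.ProtectionStatus -eq 'Off' -and $protectorTypes.Count -eq 0) { 'PreProvisionedOnly' }
             elseif ($vol.ProtectionStatus -eq 'On') { 'Protected' }
             else { 'ProtectionSuspended' }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus
        KeyProtectors        = ($protectorTypes -join ',')
        State                = $state
    }
}

# Report every volume BitLocker knows about, then fail the run if the OS drive
# is still only pre-provisioned (the full BitLocker step has not executed yet).
$report = Get-BitLockerVolume | ForEach-Object { Get-BdeProvisioningState -MountPoint $_.MountPoint }
$report | Format-Table -AutoSize

$osDrive = $report | Where-Object { $_.MountPoint -eq $env:SystemDrive }
if ($osDrive.State -eq 'PreProvisionedOnly') {
    Write-Warning "$env:SystemDrive is pre-provisioned but the full BitLocker configuration has not run yet."
    exit 1
}
```

Right after an MDT deployment with BdeInstallSuppress=PreInstall the OS drive should report State PreProvisionedOnly with ProtectionStatus Off and no key protectors; once the Enable BitLocker step (or the later BitLocker project) has run, it should move to Protected.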