Microsoft Endpoint Configuration Manager 1910 came with BitLocker management capabilities (MBAM features), and this fits together nicely with task sequence steps regarding BitLocker.
The option to enable Full Disk Encryption actually arrived in Configuration Manager 1806, but MBAM integration (BitLocker management) came with Configuration Manager 1910. MBAM itself uses Full Disk Encryption rather than the Used Space Only encryption commonly used in task sequences.
By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps – Enable BitLocker.
The Full Disk Encryption option can be found in two steps:
- Pre-Provision BitLocker
- Enable BitLocker
Note: The Full Disk Encryption method will not work on virtual machines; in particular, the Pre-provision BitLocker step will fail if you enable FDE on a virtual machine. Below is how the failure manifests itself.
Manually running manage-bde -on c: reveals why it fails: BitLocker Drive Encryption only supports Used Space Only encryption on thin-provisioned storage (virtual machines).
To enable Full Disk Encryption in a task sequence using Configuration Manager 1910, right click on a task sequence and choose Edit. Locate the Pre-provision BitLocker step, and place a check mark in the Use full disk encryption check box.
Once done, locate the Enable BitLocker step and place a check in the Use full disk encryption check box. You can also optionally place a check mark in the Wait for BitLocker to complete the drive encryption process before Configuration Manager continues to run the task sequence check box; however, this adds significant time to the deployment.
Once done, click Apply and your changes are saved. At this point you can kick off a new deployment on real hardware and you should see Full Disk Encryption taking place.
Below you can see the Enable BitLocker step using the new switches, as recorded in smsts.log:
OSDBitLocker.exe /enable /wait:True /mode: TPM /pwd:AD /full:True with options (0,4)
Note: I’m away from my ConfigMgr lab at the moment so cannot post logs proving that this actually succeeds on real hardware, but I will add that info next week once I can gain access to real hardware.
What’s missing from this? Well, a few things: forcing the encryption algorithm and provisioning the key to the MBAM integrated into ConfigMgr. I’ll cover those in a separate blog post.
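The two practical checks above (FDE fails on virtual machines, and confirming that a deployed machine really used full disk rather than Used Space Only encryption) can be scripted. The following is an added example written for this post, not code from the original article or from Microsoft; the task sequence variable name IsVirtualMachine is my own choice, and the VM detection by manufacturer/model string is a heuristic rather than an exhaustive list.

```powershell
# Added example (not from the original post). Two uses:
#  1. Run as a "Run PowerShell Script" step before Pre-provision BitLocker to flag a VM,
#     so a conditioned step pair can use Used Space Only instead of FDE on virtual hardware.
#  2. Run on a deployed machine to confirm FDE was used (EncryptionFlags bit 0x1 set
#     means Used Space Only / data-only encryption).
# Assumptions: variable name 'IsVirtualMachine' is our own; VM detection is heuristic.

function Test-IsVirtualMachine {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $text = "$($cs.Manufacturer) $($cs.Model)"
    # Strings reported by Hyper-V, VMware, VirtualBox, KVM/QEMU guests (heuristic)
    return [bool]($text -match 'Virtual Machine|VMware|VirtualBox|KVM|QEMU')
}

function Get-BitLockerConversionInfo {
    param([string]$DriveLetter = 'C:')
    $vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }
    # GetConversionStatus has only [out] parameters, so no -Arguments are needed
    $r = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    [pscustomobject]@{
        DriveLetter       = $DriveLetter
        ConversionStatus  = $r.ConversionStatus     # 1 = fully encrypted, 2 = in progress
        EncryptionPercent = $r.EncryptionPercentage
        UsedSpaceOnly     = [bool]($r.EncryptionFlags -band 1)
        FullDisk          = -not [bool]($r.EncryptionFlags -band 1)
    }
}

try {
    # Inside a task sequence: publish the VM result as a custom variable
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $isVm = Test-IsVirtualMachine
    $tsenv.Value('IsVirtualMachine') = [string]$isVm
    if ($isVm) {
        Write-Output 'Virtual machine detected: Pre-provision BitLocker with FDE would fail; use Used Space Only.'
    }
} catch {
    # Not running under a task sequence: report what the deployed OS actually got
    Get-BitLockerConversionInfo -DriveLetter 'C:' | Format-List
}
```

Add a condition of IsVirtualMachine equals True to a second Pre-provision/Enable BitLocker pair without the Use full disk encryption check box, and the opposite condition to the FDE pair, so the same task sequence works on both lab VMs and real hardware.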
- Pre-provision Bitlocker https://docs.microsoft.com/en-us/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker
- Enable Bitlocker https://docs.microsoft.com/en-us/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker
- Plan for Bitlocker Management https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management