Enabling Full Disk Encryption in Microsoft Endpoint Configuration Manager 1910 in a task sequence

Introduction

Microsoft Endpoint Configuration Manager 1910 came with BitLocker management capabilities (the MBAM features), and these fit together nicely with the BitLocker-related task sequence steps.

The option to enable Full Disk Encryption actually arrived with Configuration Manager 1806, but MBAM integration (BitLocker management) came with Configuration Manager 1910, and MBAM itself uses Full Disk Encryption rather than the Used Space Encryption more commonly found in typical task sequences.

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps – Enable BitLocker.

The Full Disk Encryption options can be found in two steps:

  • Pre-Provision BitLocker
  • Enable BitLocker

Note: The Full Disk Encryption method will not work on virtual machines with ADK 1709; in particular, the Pre-provision BitLocker step will fail if you enable FDE on virtual machines. Below is how the failure manifests itself.

Solution: Use ADK 1903.

Enabling FDE

To enable Full Disk Encryption in a task sequence using Configuration Manager 1910, right-click a task sequence and choose Edit. Locate the Pre-provision BitLocker step and place a check mark in the Use full disk encryption check box.

Once done, locate the Enable BitLocker step and place a check mark in the Use full disk encryption check box. You can also optionally check Wait for BitLocker to complete the drive encryption process before Configuration Manager continues to run the task sequence; however, this adds significant time to the deployment.

Once done, click Apply and your changes are made. At this point you can kick off a new deployment on real hardware and you should see Full Disk Encryption taking place.

Below you can see the Enable BitLocker step using the new switches, as recorded in smsts.log:

OSDBitLocker.exe /enable /wait:True /mode: TPM /pwd:AD /full:True with options (0,4)
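The smsts.log line above is the only place during the build where the /full:True switch is visible, so the following added PowerShell example (not from the original post) parses that command line out of CMTrace-style log lines and confirms the switch, and, on a finished client, confirms via the Win32_EncryptableVolume class that the OS volume was not converted in Used Space Only mode. The log lines are constructed samples; the command text itself matches the line shown above.

```powershell
# Constructed sample of two CMTrace-style smsts.log entries (not real log output).
# The OSDBitLocker command text matches the line shown in the post.
$SampleLog = @'
<![LOG[Pre-provision BitLocker step completed]LOG]!><time="10:01:01.000+000" date="01-01-2020" component="OSDBitLocker" context="" type="1" thread="1234" file="">
<![LOG[OSDBitLocker.exe /enable /wait:True /mode: TPM /pwd:AD /full:True with options (0,4)]LOG]!><time="10:01:02.000+000" date="01-01-2020" component="OSDBitLocker" context="" type="1" thread="1234" file="">
'@

function Get-OSDBitLockerSwitches {
    # Returns a hashtable of switch name -> value for the first OSDBitLocker.exe /enable call found.
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match 'OSDBitLocker\.exe\s+(?<args>/enable.*?)(?:\s+with options|\]LOG\]|$)') {
            # The real log has a space after "/mode:", so normalise "name: value" to "name:value".
            $argText = $Matches['args'] -replace ':\s+', ':'
            $switches = @{}
            foreach ($tok in ($argText -split '\s+')) {
                if ($tok -match '^/(?<name>[^:]+)(?::(?<value>.*))?$') {
                    $value = $Matches['value']
                    if (-not $value) { $value = 'True' }   # bare switch such as /enable
                    $switches[$Matches['name'].ToLower()] = $value
                }
            }
            return $switches
        }
    }
    return $null
}

function Test-FullDiskEncryptionRequested {
    param([string[]]$LogLines)
    $sw = Get-OSDBitLockerSwitches -LogLines $LogLines
    return ($null -ne $sw -and $sw['full'] -eq 'True')
}

function Test-VolumeFullyEncrypted {
    # Live check for the deployed client (not WinPE). GetConversionStatus returns
    # ConversionStatus (1 = FullyEncrypted) and EncryptionFlags, whose 0x1 bit
    # means the volume was encrypted in data-only (Used Space Only) mode.
    param([string]$DriveLetter = 'C:')
    $vol = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftVolumeEncryption `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    $status = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    return ($status.ConversionStatus -eq 1 -and ($status.EncryptionFlags -band 1) -eq 0)
}

$lines = $SampleLog -split "`r?`n"
"Full disk encryption requested in smsts.log: $(Test-FullDiskEncryptionRequested -LogLines $lines)"
```

Point the parser at the real smsts.log (C:\Windows\CCM\Logs\smsts.log after the build) with Get-Content, and run Test-VolumeFullyEncrypted as an administrator on the finished machine.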

Note: I’m away from my ConfigMgr lab at the moment, so I cannot post logs proving that this actually succeeds on real hardware, but I will add that info next week once I can gain access to real hardware.

Update: Here’s the blog post on real hardware.

What’s missing from this? Well, a few things: forcing the encryption algorithm and provisioning the key to the MBAM integrated into ConfigMgr. I’ll cover those in a separate blog post.


5 Responses to Enabling Full Disk Encryption in Microsoft Endpoint Configuration Manager 1910 in a task sequence

  1. Pingback: Want to learn about MBAM & the new Bitlocker Management feature in Microsoft Endpoint Manager Configuration Manager ? | just another windows noob ?

  2. Kevin says:

    Niall, thank you for the great blog and videos. After reading your blog about FDE in Task Sequence I am left wondering if the BitLocker Management in SCCM is ready for prime-time? Here are the challenges:
    1. New machine builds – We can use FDE but cannot specify encryption strength or managing server. Also we have to still install MBAM Client. We would have to extend AD schema to store BL keys.
    2. New machine builds – Would it be better to just re-use old methods of installing MBAM Client, Initialize TPM, and Invoke BitLocker encryption pointing to SCCM server instead of MBAM? Run Manage-BDE C: -On?
    3. New machine builds – Would it be better to just place the machine into SCCM BitLocker Management collection at end of build? Why use Initialize and Enable built-in methods when they are not sufficient?
    4. Existing Encrypted machines reporting to MBAM – Disable GPOs, place in SCCM collection to receive BitLocker Mgmt Policy and Config Baseline. Force gpupdate? Setting the OsEnforcePolicyPeriod and UsOsEnforcePolicy keys still does not force immediate encryption. If we ran as a phased migration we would need to be sure that machine is successfully managed by SCCM. Reporting is lackluster. How do we ensure? Checks of manage-bde and registry?
    5. GPOs – Once fully migrated to SCCM for BitLocker Management we would need to create a new set of GPOs for any items not covered by BL policy.

  3. Pingback: Full disk encryption – a closer look on real hardware | just another windows noob ?

  4. Pingback: Bitlocker on Hyper-V Virtual Machine – GARYTOWN ConfigMgr Blog
