I'm currently dealing with 3 different technologies so I apologize if this question is being presented in the wrong forum.
It is my goal to provide OSD using ConfigMgr 2012 + MDT/UDI. A core piece to the UDI configuration is allowing my help desk team to enable BitLocker at deployment time. This is where my issue lies. I've searched for several days and tried various methods for getting this process to work with little-to-no success.
My Setup:
- ConfigMgr 2012 SP1
- MDT/UDI Update 1
- Client OS - Windows 7 Enterprise x64
- BitLocker (managed via GPO - using DRA - recovery keys stored in AD)
I am doing a barebones installation of Windows using a custom WIM file that was captured using a build-and-capture TS. The deployment task sequence is right out of the box (right-click > Create MDT Task Sequence). From the UDI perspective I've simply added my join domain settings.
My Goal:
Configure my MDT task sequence to properly enable BitLocker based on the selections made via UDI.
Problem:
#1 - A barebones MDT task sequence with UDI fails. At first boot BitLocker is in a suspended state. Attempting to resume BitLocker fails indicating that no recovery keys were found. I check the protection state of the drive and sure enough there are no protectors applied.
I followed option 1 from this article, which seems to best match my use case. The drive now encrypts but the DRA that is assigned via GPO is not applied. Forcing a policy update and rebooting does nothing.
#2 - In a replacement scenario if I re-image a drive that has BitLocker I find that the "Disable BitLocker" step doesn't seem to be doing its job. The task sequence will continue to fail until I boot the current OS, suspend BL, and then boot directly into PXE.
Any advice is greatly appreciated!
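The symptoms above (suspended BitLocker, no protectors, no DRA) come down to what protectors actually exist on the volume. Added diagnostic, not from the original post: it wraps `manage-bde` (present on Windows 7, no BitLocker PowerShell module needed) and assumes an elevated session and `manage-bde.exe` on PATH; `Get-BitLockerProtectorSummary` is a hypothetical function name.

```powershell
# Summarise the BitLocker protector state of a volume by parsing manage-bde output.
# Assumption: run elevated on the deployed Windows 7 client; manage-bde.exe is on PATH.
function Get-BitLockerProtectorSummary {
    param([string]$Drive = 'C:')

    $status     = & manage-bde -status $Drive 2>&1 | Out-String
    $protectors = & manage-bde -protectors -get $Drive 2>&1 | Out-String

    # Conversion and protection state come from the "-status" text.
    $conversion = if ($status -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $protection = if ($status -match 'Protection Status:\s*(.+)')  { $Matches[1].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Drive                = $Drive
        ConversionStatus     = $conversion
        ProtectionStatus     = $protection
        HasTpm               = [bool]($protectors -match 'TPM')
        HasRecoveryPassword  = [bool]($protectors -match 'Numerical Password')
        HasDataRecoveryAgent = [bool]($protectors -match 'Data Recovery Agent')
        RawProtectors        = $protectors
    }
}

$summary = Get-BitLockerProtectorSummary -Drive 'C:'
$summary | Format-List Drive, ConversionStatus, ProtectionStatus, HasTpm, HasRecoveryPassword, HasDataRecoveryAgent

# A suspended volume with no protectors cannot be resumed and has nothing to escrow to AD.
if (-not $summary.HasRecoveryPassword) {
    Write-Warning "No numerical password protector on $($summary.Drive): resume will fail and no recovery key can be backed up to AD."
}
# Check the DRA separately: verify the DRA policy was in effect when encryption was enabled.
if (-not $summary.HasDataRecoveryAgent) {
    Write-Warning "No DRA protector on $($summary.Drive): confirm the DRA GPO applied before BitLocker was enabled."
}
```

Run it once after the task sequence finishes and again after a `gpupdate /force` to see whether the protector list changes at all.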