How to preprovision BitLocker during build?

Hi, I did a search for BitLocker on the forums but I didn’t see specifically what I was looking for. I am new to BigFix but not new to imaging (an SCCM guy here). I need to learn how to configure BitLocker to enable and encrypt right after the OS comes down (not as a Fixlet / Script after the admin login - I need the drive to be encrypted before anything else).

With SCCM there is a way, right after you format the drive, to “preprovision” BitLocker so it will encrypt as you lay data down. Then as a final step you enable it. Is this possible? Do I need to add the steps to the MDT bundle manually or do I need to add it to the bare metal profile? In either case, what steps do I follow?

I understand where you’re at, as we just implemented pre-provisioning with MBAM using SCCM about a year ago. It’s challenging enough with SCCM; I’m not sure BigFix can do this (I don’t know if BigFix has an OSD functionality).

Remember that pre-provisioning often occurs outside of a Windows state, like WinPE. I don’t know if there’s a BESClient for WinPE, but it would likely be easier to write a small batch file to copy the small fileload over (don’t forget your BIOS config tool if you want to prepare the TPM while you’re at it) and run the ZTIbde commands.

Unless someone knows otherwise, Windows core services have to be loaded for the BESClient to run (it’s a service itself). If using BigFix was a must, and you’re doing this to save encryption time, you could kick off the encryption right after the client registers with the BES Server. In combination with enabling Used Space Only encryption it would likely be fully encrypted, or a few minutes from being there.
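As an added illustration that is not from any poster in this thread: a PowerShell sketch of the fallback described above, starting Used Space Only encryption in the full OS once the management client can run a script. It assumes the built-in BitLocker and TrustedPlatformModule cmdlets, an elevated context, a TPM that is already prepared, and XtsAes256 as the chosen method.

```powershell
# Added example (not from the thread): start Used Space Only BitLocker
# encryption on the OS volume from inside the full OS.
# Assumptions: elevated/SYSTEM context, TPM already prepared in firmware,
# XtsAes256 is the organisation's chosen method.
$ErrorActionPreference = 'Stop'
$mp = $env:SystemDrive

# Refuse to continue without a usable TPM; a TPM protector cannot be added.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; prepare it before enabling BitLocker."
}

# Only act on a volume that has not been touched by BitLocker yet.
# A pre-provisioned or partly encrypted volume is reported, not modified.
$vol = Get-BitLockerVolume -MountPoint $mp
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$mp is $($vol.VolumeStatus) (protection $($vol.ProtectionStatus)); nothing started."
    return
}

# -UsedSpaceOnly encrypts only sectors that hold data, which is what keeps the
# run short on a freshly imaged disk. -SkipHardwareTest starts encryption now
# instead of waiting for a reboot and hardware check.
Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null

# Add a recovery password so the volume is recoverable if the TPM state changes.
# The cmdlet prints the password in a warning; suppress it so it does not end up
# in deployment logs. Where the password is escrowed is outside this example.
Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector `
    -WarningAction SilentlyContinue | Out-Null

# Report the resulting state for the deployment log.
$vol   = Get-BitLockerVolume -MountPoint $mp
$types = $vol.KeyProtector.KeyProtectorType -join ', '
Write-Output "$mp : $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted, protectors: $types"
```

Unlike pre-provisioning in WinPE, everything written before this script runs sits on the disk unencrypted until the conversion reaches it.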

We use a different encryption product, I don’t see why it wouldn’t work for you though. I capture the OS with the BigFix agent already on it, and have OSD set a client setting on imaged computers that an open-action targets when new machines come online. This kicks off the software installs and automates it smoothly, which includes our encryption agent installer and begins the encryption process.

Edit: rereading your post, I’m realizing this probably isn’t what you’re looking for, but I’m not familiar with how to accomplish that.

Were you ever able to do this?