How do I configure MDT to deploy BitLocker?

Applies to: Microsoft Deployment Toolkit (MDT) 8456 and later
Last updated: May 2025


Problem

You want to automatically enable and configure BitLocker Drive Encryption during deployment so that systems are secured by default as part of your MDT Task Sequence.


Solution

MDT includes built-in support for enabling BitLocker. You can configure it within the Task Sequence and customize settings such as encryption method, recovery key storage, and whether to prompt the user.


Step-by-Step Guide

1. Requirements

  • The target system must have:
    • A TPM 1.2 or 2.0 chip (enabled in BIOS/UEFI)
    • UEFI boot mode (recommended)
    • Windows 10/11 Pro, Enterprise, or Education
  • BitLocker must be supported and enabled in Windows Features (enabled by default on supported editions)

2. Open the Task Sequence

  • In Deployment Workbench > Task Sequences
  • Right-click your Task Sequence > Properties
  • Go to the Task Sequence tab

3. Add the Enable BitLocker Step

  • In the State Restore phase (after “Install Applications” and “Apply Local GPO Package”), do the following:
  1. Click Add > Disks > Enable BitLocker
  2. Move the step toward the end of the Task Sequence
  3. Configure as follows:
    • Current operating system drive only: ✅ Checked
    • Wait for BitLocker to complete: Optional (uncheck for faster deployment)
    • Skip this step if BitLocker is already enabled: ✅ Checked
    • Choose key storage method:
      • TPM only
      • TPM + PIN
      • TPM + Startup Key
      • Save recovery key to Active Directory or a folder

4. Configure BitLocker Options (Optional)

In CustomSettings.ini, you can pre-define BitLocker settings:

BDEInstall=TPM
BDEWaitForEncryption=False
BDEDriveLetter=C:
BDERecoveryKey=AD

These properties control how and when BitLocker is applied, so the Enable BitLocker step runs without prompting. Instead of Active Directory, the recovery key can also be written to a network share or handed to a key management system.


5. Use a GPO to Configure Recovery Key Storage (Optional)

In enterprise environments, use Group Policy to store recovery keys in Active Directory:

  • Enable: Store BitLocker recovery information in Active Directory Domain Services
  • Under that policy, configure:
    • Require backup of recovery password
    • Require backup of TPM information

Verification

  • After deployment, verify BitLocker status: manage-bde -status
  • Check for recovery key storage in:
    • Active Directory (under the computer object)
    • Local file (if configured)
    • Event logs (BitLocker operational log)
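The verification above can be scripted so that every deployed machine is checked the same way. The following PowerShell script is an added example, not code from the original article or from MDT: it reads the same data manage-bde -status reports, confirms a recovery password protector exists (without ever printing the password), pulls the Active Directory backup events from the BitLocker operational log, and optionally counts the msFVE-RecoveryInformation objects under the computer account. It assumes an elevated session on the deployed machine, that event IDs 845 and 846 are the AD DS backup success and failure events, and that the RSAT ActiveDirectory module is installed when the AD check is requested (the check is skipped with a warning otherwise).

```powershell
# Added example (not from the original article or MDT): post-deployment BitLocker check.
# Run in an elevated PowerShell session on the deployed machine.
function Test-BitLockerDeployment {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # normally C:
        [switch]$CheckActiveDirectory            # needs the RSAT ActiveDirectory module (assumed)
    )

    $result = [ordered]@{
        MountPoint          = $MountPoint
        TpmPresent          = $null
        TpmReady            = $null
        VolumeStatus        = $null
        ProtectionStatus    = $null
        EncryptionMethod    = $null
        EncryptionPercent   = $null
        KeyProtectors       = @()
        HasRecoveryPassword = $false
        AdRecoveryObjects   = $null
        AdBackupEvents      = @()
        Pass                = $false
    }

    # 1. TPM: TPM-based protectors require a present and ready TPM.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    }

    # 2. Volume state: the same information manage-bde -status prints, as objects.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $result.VolumeStatus      = [string]$vol.VolumeStatus      # e.g. FullyEncrypted, EncryptionInProgress
    $result.ProtectionStatus  = [string]$vol.ProtectionStatus  # On / Off
    $result.EncryptionMethod  = [string]$vol.EncryptionMethod
    $result.EncryptionPercent = $vol.EncryptionPercentage
    $result.KeyProtectors     = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # Record only whether a recovery password protector exists; the password itself is never output.
    $result.HasRecoveryPassword = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 3. Operational log: AD DS backup success (845) / failure (846) events (IDs assumed).
    $result.AdBackupEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Id      = 845, 846
        } -MaxEvents 10 -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} EventId={1}' -f $_.TimeCreated, $_.Id })

    # 4. Optional: count msFVE-RecoveryInformation objects under this computer's AD object.
    if ($CheckActiveDirectory) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $computer = Get-ADComputer -Identity $env:COMPUTERNAME -ErrorAction Stop
            $objs = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                                 -SearchBase $computer.DistinguishedName -ErrorAction Stop
            $result.AdRecoveryObjects = @($objs).Count
        } catch {
            Write-Warning "Active Directory check skipped: $($_.Exception.Message)"
        }
    }

    # Pass criteria: protection is on (or encryption is still running, which is expected
    # when "Wait for BitLocker to complete" was unchecked) and a recovery password exists.
    $result.Pass = ($result.ProtectionStatus -eq 'On' -or
                    $result.VolumeStatus -eq 'EncryptionInProgress') -and
                   $result.HasRecoveryPassword
    [pscustomobject]$result
}

# Usage: print the report and return a non-zero exit code for monitoring or a post-deployment task.
$report = Test-BitLockerDeployment -CheckActiveDirectory
$report | Format-List
if (-not $report.Pass) { exit 1 }
```

A deployment that used BDEWaitForEncryption=False will typically show VolumeStatus as EncryptionInProgress on first boot; the script treats that as acceptable as long as a recovery password protector is present, because the key escrow, not the percentage encrypted, is what cannot be fixed later without intervention.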

Notes

  • Place the Enable BitLocker step after the OS is installed, applications are installed, and before final cleanup steps.
  • BitLocker logs can be found at:
    • C:\Windows\System32\LogFiles\BitLocker
