Hi Everyone,
Working in a customer environment where they have a TS that is working fine and deploys the OS, apps, enables Bitlocker and backs up the keys to Active Directory. All deployment scenarios work fine whether we are using PXE boot, USB boot media or Offline Media as long as the computer is plugged into the LAN during imaging.
The problem we are running into is with systems that have an Internet Only connection during Offline Media installs. In this case we are using the Offline Media to deploy the new OS and it backs up and restores the user data and even does an Offline Domain Join to join the system to the Domain even though we don't have a connection to a DC available during imaging. The only piece that's missing is Enabling Bitlocker during the Offline Media with Internet Only connection.
From my testing and research, it appears that we can't Enable Bitlocker with the option to store keys in AD if we don't have an active connection to AD at the time we enable it. As we're Internet Only during the Offline Deployment, this seems to be the cause of failure. Is there any possible way around this?
Some other ideas are:
1. Skip the Enable Bitlocker task during Offline Media builds and enable Bitlocker after the fact when the user VPNs in. The only question here is what script/command line we can run to Enable Bitlocker and tell it to back up the keys to AD. I've found the EnableBitlocker.vbs and manage-bde.exe but I'm still unsure of what command line option(s) would tell them to back up the keys to AD rather than a local path.
2. Enable Bitlocker and set the keys to back up locally. Then when the user logs in via VPN we move the keys to AD. Again, not sure how to do this one. Can anyone point me in the right direction here on how we might move the keys?
Thanks,
-Jeff
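Added example, not part of Jeff's post or the customer's task sequence: a PowerShell script covering both options above, enabling BitLocker (TPM plus a recovery password) if the drive is not yet encrypted, then escrowing every recovery-password protector to AD DS once a domain controller is reachable (e.g. over VPN). It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), the AD BitLocker schema extensions, and the default permission for a computer to write its own msFVE-RecoveryInformation objects; `manage-bde -protectors -adbackup` is the equivalent legacy command.

```powershell
# Escrow BitLocker recovery passwords to AD DS after the fact.
# Assumptions: run elevated on a domain-joined machine; AD schema already
# extended for BitLocker; computer account may write its own recovery info.

# 1. Make sure a domain controller is actually reachable before trying.
#    Backup-BitLockerKeyProtector cannot succeed from an Internet-only session.
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    Write-Host "Domain '$($domain.Name)' reachable (PDC: $($domain.PdcRoleOwner.Name))"
} catch {
    Write-Warning "No domain controller reachable; re-run once the VPN is up."
    exit 1
}

$osDrive = $env:SystemDrive   # e.g. "C:"

# 2. Option 1 from the post: drive never encrypted during the offline build.
#    Enable BitLocker with a recovery password, then add the TPM protector.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
}

# 3. Option 2 from the post: drive already encrypted, keys only held locally.
#    Ensure a recovery-password protector exists, then back each one up to AD.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $recovery) {
    # Writes the recovery password to the computer object in AD DS.
    # Legacy equivalent: manage-bde -protectors -adbackup $osDrive -id $p.KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Escrowed recovery protector $($p.KeyProtectorId) for $osDrive to AD DS"
}
```

Verify afterwards by reading the msFVE-RecoveryInformation child objects of the computer account in AD (for example with the BitLocker Recovery Password Viewer) rather than trusting the cmdlet's silent success.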