In a recent project migrating Windows XP to Windows 7 using System Center Configuration Manager 2012 (ConfigMgr) integrated with the Microsoft Deployment Toolkit 2012 Update 1 (MDT), BitLocker encryption was started at the end of the Task Sequence (TS). Right after the deployment of Windows 7, applications were installed on the systems using ConfigMgr's software distribution. However, the installation of the applications took a few hours longer than normal due to disk encryption taking place at the same time.
I put together a solution where the following takes place:
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
I put together a solution where the following takes place:
- Pause BitLocker encryption (if disk is encrypting) at the end of the TS
- While still in the TS, create a Windows Scheduled Task that will resume encryption X hours/minutes after the TS ends
This is the order of the relevant steps:
- BitLocker is enabled and disk encryption starts close to the end of the TS
- Validate the disk is being encrypted and if so, pause encryption
- Create a Windows Scheduled Task that will resume BitLocker X hours/days after the TS ends
In this solution, ConfigMgr software distribution is used to install applications during the time period between pausing and resuming BitLocker. Also, the drive being encrypted is C:.
Next I provide details on the solution (note that you can use this solution to schedule any other task within the task sequence).
Determining Encryption State
I wrote this simple script that looks at the status of Bitlocker encryption. If the disk is being encrypted, a custom TS variable IsEncrypting is set to TRUE; it is set to FALSE if the disk is not being encrypted. Download the ZTI_IsBitLocker_Encrypting.wsf script, remove the .txt extension, and copy it to the Scripts folder of your MDT package (then update the distribution points). Use a "Run Command Line" step to run the script. This script has to run before the step that pauses encryption.
Pausing Encryption
Here you just use a "Run Command Line" TS step that runs this command:
manage-bde -pause c:
The Pause Bitlocker step is part of a TS group that has a condition to be processed only if the disk is being encrypted. Add a Task Sequence Variable condition to this Bitlocker Pause group where the variable IsEncrypting has to equal TRUE.
Windows Scheduled Task
Although you can use schtasks.exe to create a Windows Scheduled Task, not all possible configurable settings can be set by this tool (such as to run the task even if the system is not plugged-in to a power outlet). This is why I used Task Scheduler to configure all the options I needed. The trigger start and expiration time need to be configured, but later during deployment the task sequence will change these times to X hours/days into the future. The goal is to resume BitLocker not at a fixed time in the future (the task sequence may be used for years and that fixed time some day may be in the past) but at a calculated time after the time sequence ends.
These are the settings for my scheduled task.
Create Scheduled Task Package
Create a ConfigMgr package that has the following files: The resumeBitlockerSchedTask.xml obtained in the previous step, createBLST.bat and createSchedTask.vbs. Remove the .txt extensions after you download the files. Create a program in the package that runs createBLST.bat. This batch file will call the createSchedTask.vbs script, which will modify the XML file. The batch file will then use the modified XML file to create the scheduled task. Note that the batch file is set to use the following XML file but you can change it if needed: c:\windows\temp\logs\resumeBitlockerSchedTask.xml. The task sequence will have copied the XML file to this location prior to the script modifying it.
createSchedTask.vbs
This script will modify the resumeBitlockerSchedTask.xml file by adding the configured time period to the trigger start and end time. The following variables need to be configured at the beginning of the script.
intPlusHours = 5
intPlusDays = 0
intPlusDaysForEndTime = 2
sLogFile = "c:\windows\temp\logs\createSchedTask.log"
sXML2Modify = "c:\windows\temp\logs\resumeBitlockerSchedTask.xml"
intPlusHours indicates how many hours into the future the trigger start time should be set to (5 hours in this example).
intPlusDays indicates how many days into the future the trigger start time should be set to (0 days in this example).
intPlusDaysForEndTime indicates how many days into the future the trigger end time should be set to (2 days in this example).
sLogFile indicates the full path to where you want the log file to be created (include the name). The c:\windows\temp\logs directory gets created at the beginning of the TS and all custom logs are created there.
sXML2Modify indicates the full path and name of the exported scheduled task XML file to have the trigger start and end times modified. In this case, it is in the same logs location (the task sequence copies it there from the package you created before it is modified).
This is the TS step that will run the program in this package.
Copy XML file to Logs folder
A Run Command Line TS step is used to copy the XML file from your package to the Logs folder. Configure the step to use the package and use the xcopy command as illustrated below. This step will be placed in the TS prior to the step that creates the scheduled task.
Steps in Task Sequence
Putting it all together, this is how the relevant steps look in the TS.
The Wait one minute step just runs a script that pauses for one minute. You can get details on this at the end of this blog post. You don't really need the "Dump Variables" step unless you want to look at their values from a text file.
SCCM