BitLocker Info – a list of resources

Looking for BitLocker info ?
the following should help, the list below is Bit Locker info compiled from
several sources.

BitLocker Support

1. –


Two builtin steps for managing BitLocker Drive Encryption during a task
sequence are provided: Disable BitLocker and Enable BitLocker
This content is preliminary and may be subject to correction.

Disable BitLocker

As the name implies, the “Disable BitLocker” step disables
BitLocker Drive Encryption.  This step does not decrypt the volume; it
disables the BitLocker key protection for that volume.  This means the
drive, while still encrypted, is accessible by any BitLocker-aware operating
system (e.g., Vista and Windows PE 2.0).  It also means that the key
protectors are temporarily stored unencrypted on the hard drive.

This step is required if you plan to access a BitLocker protected volume
in Windows PE but don’t plan to re-format the volume first.  In addition,
if you are using the boot integrity verification feature of your TPM, you
should use this step before any Reboot to Windows PE step, since
replacing the bootloaders will trigger the boot integrity verification unless
BitLocker Drive Encryption is temporarily disabled.

Enable BitLocker

The “Enable BitLocker” step provides a convenient way to
enable BitLocker in a task sequence, but only exposes a subset of the available
BitLocker options.  For more advanced options, consider using the
manage-bde.wsf script (which ships with Vista) in a Run Command Line step.

BitLocker cannot be enabled in Windows PE.  It is recommended that
you enable BitLocker as the first step in the new operating system (e.g.,
immediately after the “Setup Windows and ConfigMgr” step).

TPM Requirements

If you choose to use the Trusted Platform Module (TPM) for key
protection, and the TPM has never been initialized, then it may be necessary to
perform a manual one-time initialization.  See “Step 1: Turn on the
TPM” at
It may also be necessary to first enable the TPM in the BIOS. 

Once the TPM is enabled, activated, and ownership is allowed,
“Enable BitLocker” can complete any remaining initialization, since
the remaining steps do not require physical presence or reboots.  The
remaining steps which may be completed transparently by “Enable
BitLocker” (if necessary) include:

  • Create
    endorsement key pair
  • Create
    owner authorization value and escrow to Active Directory (see Active
    Directory Requirements, below)
  • Take
  • Reset
    the storage root key

Active Directory Requirements

If you are using the TPM for key protection, and the Enable BitLocker
step determines that it is necessary to create an owner authorization value,
then you must have Active Directory extended to allow ConfigMgr to escrow the
owner authorization value to Active Directory (see for
details on how to do this).

In addition, if you choose to create a recovery password, the Enable
BitLocker step requires that Active Directory be extended so that the recovery
password can be escrowed.  The Enable BitLocker step does not expose the
option to save the recovery password to a removable USB drive.

Specifying a Recovery Password

If you would like to specify a recovery password instead of having one
randomly generated, you can set the value of the Task Sequence environment
variable OSDBitLockerRecoveryPassword to be any valid BitLocker
numerical password (see

Specifying a Startup Key

Similarly, if you are using either of the “Startup key on USB”
key protection options, you can specify a startup key instead of having one
randomly generated by setting OSDBitLockerStartupKey in the Task
Sequence environment.  The specified value should be the Base64 encoding
of the 256 bit external key.


2. Enabling BitLocker by Using a WMI Script

3. Official deployment guide from Technet.

BitLocker Drive Encryption Deployment Guide for Windows 7


4. Enabling bit locker from Group policy
after applying the image.

5. Create multiple partitions for Bit

The below lists the steps taken within the
task sequence to deploy a multipled partition of Windows 7.

1.     In the Configuration Manager Console, select
the Task Sequence and the from Actions pane select Edit.

2.     The Task Sequence Editor will open. In the
left pane select Partition Disk

3.     Double click on the first item under Volume
to bring up the Partition Properties. Under Formatting options, select Quick
Format and under the Advance Options in the Variable field, type BOOTPART.
Click OK.

4.     Double click on the second item under Volume
to bring up the Partition Properties. In the Partition options, select Use a
percentage of remaining free space. The Size(%) should be set to 100. 
Under Formatting options, select Quick Format and under the Advance Options in
the Variable field, type OSPART. Click OK.

5.     Select Apply Operating System.  Change
the Image drop down menu from 1-1 to 2-2.  Select from the Destination
drop-down menu Logical drive letter stored in variable. In the Variable name
field, type OSPART. Click OK.

6.     Click on the Apply Data Image 1. Click on the
Options tab and select Disable this step. Click Ok.



6. Enable Bitlocker


7. Enable BitLocker Task Sequence Action
Variables –

These task sequence variables govern the operation of the task sequence
action. Variables marked as input variables are read or used by the task
sequence action. In most cases, input variables correspond to task sequence
action fields in the task sequence editor and can be set via that user
interface. Alternatively, input variables can be set at runtime from
per-collection or per-computer variables, via the Set Task Sequence Variable
action or via the TSEnvironment COM object. Variables marked as output
variables are written or set by the task sequence action to be read by later
actions in the task sequence.

BitLocker Task Sequence Action


Variable Name




Instead of generating a random recovery password, the Enable
task sequence action will use the specified value
as the recovery password. The value must be a valid numerical BitLocker
recovery password.





Instead of generating a random startup key for the key management option “Startup
Key on USB only,
” the Enable BitLocker
task sequence action will use the Trusted Platform Module (TPM) as the
startup key. The value must be a valid, 256-bit Base64-encoded BitLocker
startup key.







8. Enable Bitlocker Task, where is it

BitLocker must be enabled in the full operating system, not in Windows
PE.  It’s not possible to enable BitLocker on the operating system volume
while there is no data on it.  So the short answer to your question is
that you should put the Enable BitLocker step right after the Setup Windows and
ConfigMgr step so that it is the first action in the new operating system.

9. Using manage-bde.exe within OSD.

First off, to get the command line to run properly you have to check the
“disable 64-bit file system redirection” otherwise system32 could be
getting redirected in the Run Command
task sequence step .

The string you need is:

%SYSTEMROOT%\system32\manage-bde.exe -protectors -add c: -tp somepin

The other step is importing registry configuration for bitlocker.  We
currently have a group policy that configures things like encryption strength
(the default of AES 128 is used if you dont do this, we wanted
256) and allowing the use of complex pin’s and startup pin’s.  The
only problem is group policy doesnt process during task sequence builds so that
will error saying “change your startup options for bitlocker” when it
tries to set a pin.  What I did was export the registry from a built win7
machine with the bitlocker policy applied.  The location is HKLM\software\policies\microsoft\fve. 
I create a package and program regedit.exe /s regfile.reg and added that to the
task sequence as a software install.

The order is Setup bitlocker which is a software install step that runs the
program to run the reg file import that sets the polices.  Then an enable
bitlocker task.  Then the set temporary bitlocker pin task command line. I
do all of this very last in the seqeunce.


10. How to properly set up a Task Sequence
to deploy Windows 7 images captured via an SCCM 2007 Capture CD

If the 100MB partition for BitLocker is desired, Method 1 is preferred
because it is cleaner and less complex. If no 100MB partition is desired for
BitLocker, use Method 3.

Method 1

1. Right click the affected Task Sequence and choose “Edit”.

2. In the left pane of the Task Sequence select “Partition Disk”.

3. Double click on the first item under “Volume” to bring up the “Partition

4. Under “Formatting options”, select “Quick Format”. Make
sure that the option “Make this the boot partition” is set.
Click on the “OK” button.

5. Double click on the second item under “Volume:” to bring up the
Partition Properties”.

6. Under “Partition options”, select “Use a percentage of
remaining free space
”. Set the “Size(%)” field to “100”. 
Under “Formatting options”, select “Quick Format”.

7. Select the “Apply Operating System” task.

8. Under the “Apply operating system from a captured image” option,
make sure that the “Image:” drop down menu is set to “2-2”.

9. Select the “Apply Data Image 1” task.

10. Under the “Select the image from this package that you want to
apply. This image can not contain any operating system.
” option, make
sure the “Image:” drop down menu is set  to “1-1”.

11. Move the “Apply Data Image 1” task immediately BEFORE
the “Apply Operating System” task, but AFTER
the “Partition Disk” task.

In Method 1, we apply the Data Image first via the “Apply Data
Image 1
” task, although the data image really doesn’t contain
anything we need. The reason we take this step is so that the “Apply
Operating System
” task that follows it moves on to the second
partition via the option “Next available formatted partition“.
If we did not include the “Apply Data Image 1” task, the
Task Sequence would try to apply the OS image on the first partition instead of
the second partition.

11. 80070070 Error on a machine with
BitLocker enabled


No, the problem, I have discovered, is that the 100mb partition is too
small to carry the modified boot image. This is the source of the 80070070
error. So when you PXE boot a non-booting windows installation, and the OS you
want to install is a different architecture than the WinPE it has booted to, it
downloads into an available partition the new WinPE image.

Now if the OS drive was encrypted by bitlocker, that partition is
unavailable until formated. Which leaves the boot partition, which is too
small, hence the task sequence fails for lack of disk space.

Anyway, I have got round this now by creating a script that scans the hard
drives and determines if any are unavailable. If they are, the script prompts
the user to format the disk, freeing it for use by WinPE to download the new
image and solving my problem. The last pice of the puzzle was how to get this
to hook into the boot sequence before that Task Sequence executed and that was
answered here:


12. Bitlocker Task Sequence Procedure
without TPM?

Bitlocker can use a USB key to store this information when you start
Bitlocker manually, but through the OSD task sequence it is not possible. I am
sure this is just the way the OSD calls the Bitlocker installer. However, it
still remains that if you want to use OSD to image a machine without a TPM
chip, you can not use the “Enable Bitlocker” task to do so.


13. Partition the disk for Bitlocker

Use the following command using “Run Command Line” in the task sequence to partition the
disk for Bitlocker.

“bdehdcfg.exe -target default -quiet” with a restart afterwards.
then use the built-in functions in SCCM to enable bitlocker.

There is a lot of additional information regarding Bitlocker here:


14. BitLocker and Trusted Platform Module
(TPM) mof edit

Panu Saukko, a configMgr MVP, forwarded this mof edit to share:

// BitLocker related information
// Panu Saukko, 17.11.2010

[ SMS_Report     (TRUE),
  SMS_Group_Name (“BitLocker Volume Encryption”),
  SMS_Namespace  (FALSE),

class Win32_EncryptableVolume : SMS_Class_Template
    [SMS_Report (TRUE), key
]        string    
    [SMS_Report (TRUE)     
]        string    
    [SMS_Report (FALSE)    
]        string    
    [SMS_Report (TRUE)     
]        uint32    

[ SMS_Report     (TRUE),
  SMS_Group_Name (“Trusted Platform Module”),
  SMS_Namespace  (FALSE),
(“\\\\\\\\localhost\\\\root\\\\cimv2\\\\security\\\\MicrosoftTPM”) ]

class Win32_TPM : SMS_Class_Template
    [SMS_Report (TRUE)     
]        boolean   
    [SMS_Report (TRUE)     
]        boolean   
    [SMS_Report (TRUE)     
]        boolean   
    [SMS_Report (FALSE),
key]        uint32    
    [SMS_Report (TRUE)     
]        string    
    [SMS_Report (FALSE)    
]        string    
    [SMS_Report (FALSE)    
]        string    
    [SMS_Report (TRUE)     
]        string    



15. Enable TPM in task sequence with SCCM and CCTK

During work me and a colleague have tested some utilities for handling
hardware settings on both servers and clients. One of the more useful utilites
we found was CCTK, Client Configuration ToolKit. This utility lets you change
settings in BIOS, both during OSD and otherwise. The main usage we found for it
was to enable and activate the TPM-chip on Dell client computers.

So how is it done?

You’ll need to download CCTK from Dells site.

And then run the script in the CCTK-folder to include it in your WinPE
image. There’s one script for WinPE 2.1 and one for 3.0. This is due to the
fact that the hardware driver needs to be local, it can’t be run from UNC.

Once it’s included you can run CCTK from command line in your task sequence.

The commands available can be found here or you can enable CMD-support in
your WinPE and run it manually. It’ll then query BIOS for available switches
and you can try it out before putting it in a task sequence.

Our TS looks like this:

All those reboots are because the computer needs to power cycle to both turn
on and activate TPM. Once that’s done we apply our OS as usual and finish off
with running the bdehdcfg.exe-utility which creates the necessary disk layout
for Bitlocker and then we run the standard SCCM task “Enable Bitlocker”. If you
don’t apply patches or anything else that’ll make the computer reboot you’ll
need to have a “Restart Computer”-action after the disk has been configured.

16. MDT/SCCM: BitLocker and Windows 7 OSD

The Deployment Guys have published a script that will check if the TPM chip is
enabled and activated. Cool stuff, but now what? Set a condition that
checks for the Task Sequence variables TPMEnabled = FALSE and TPMActivated =
FALSE and create a step that enables the TPM chip.

Need help enabling the TPM chip? If you are working with DELL hardware
then take a look
here – if you are working with HP hardware then take a look here


17. USMT 4.0, Hardlink and Bitlocker in SCCM OSD

  • How
    can I do a backup of a machine, and keep the files on the encrypted drive,
    and then be able to reinstall that same drive with a new OS, ginning
    access to the backup that was on the encrypted drive?
  • How
    do I stage WinPE on the Bitlocked disk, and then gain access to that same
    disk for the OS installation part when inside WinPE.Or at least something
    like that?

The thing is, that not only is it possible, it will also save you the
time it takes to encrypt the drive again, because, even though a new OS is applied
to the disk, the encryption is still in effect…

So lets look at the scenarios….

If we have a machine, where bitlocker is enabled, and we choose to do a
bare metal installation, where the disk is formatted, we will have to make sure
to create the 300+ bitlocker partition, and then start encrypting the entire
drive once again…

We could also do a refresh scenario, where the TS is advertised to the
running XP/vista/win7 client, and executed from there. In that case, running a
standard wizard build TS (unless its a MDT Task Sequence, and I’ll get back to
that), the TS is either going to backup to the SMP (state migration point), or
boot directly to WinPE depending on whether or not the USMT part is enabled.
either way, the TS I going to fail, because we cannot stage WinPE on a locked
drive, and therefore, not boot into WinPE!

This small bump in the road, is easily fixed though, by adding an extra
step to the TS, that temporarily disables Bitlocker


By adding this step, bitlocker is temporarily disabled, and access to
the locked drive will become available, enabling the TS to put WinPE on to the

Be aware though, that by default SCCM cannot stage WinPE on a bitlocked
harddisk if it is in the process of being either encrypted or decrypted. There
is however no problem, if the disk is fully de-or encrypted. For testing
scenarios where you might be I the proses of doing exactly that, WinPE can be
stage on the Bitlocker Boot partition if it has a drive letter assigned, 
and  has at least 500 MB free space.

Once WinPE is on the disk, the computer will reboot, pick up the TS, and
format the drive. You then have to create the Bitlocker boot partition again,
enable bitlocker on the OS drive, and do the encryption all over again!

With Hardlink!

Now, lets say that we choose to use hardlinking. In that case all the
backup data is stored locally on the disk, which means, we cannot format it, or
the data will be lost.. The standard Wizard build TS already has taken this
into account, like you se in the picture beneath.


As you can see, The partition step will only run if _SMSTSClientChache,
does not exist. When doing hardlink USMT, this variable will be set, and
the TS will skip the partitioning step. The “Apply Operating system Image” step
will by default clean the disk, but not format (basically leaving the USMT data
intact). The Clean/wipe of the disk also keeps the disk bitlocked, so all you
will have to do is enable bitlocker again at the end of the task sequence, and
the disk will be locked, and fully encrypted straight away.


Note: If you, like me, have a step that creates the Bitlocker boot partition,
just put a “continue on error” on it, as it will fail if the boot partition is
already there!

So, what can be concluded from this! Well the most important thing is
that Hardlink and Bitlocker works perfect together, but also that it actually
gives you the benefit of not having to run the entire process of locking down
the disk again, as it is already locked… So if you are reinstalling machines
with bitlocker enabled, and you do not do and USMT or use the SMP to store the
data, make sure to do refresh, and set options on your partition step so that
the disk is not formatted… If you use a MDT build TS, this is default, and so
is hardlinking if you have the step “Determine Local or Remote UserState”


18. How to use Hash of TPM from AD to reset
your TPM password

1. Open notepad and copy the below information.

<?xml version=”1.0″ encoding=”UTF-8″?>


2. Get the hash information from ms-TPMOwnerInformation attribute and
replace the hash information between the <ownerAuth>……</ownerAuth>


3. Save the file as whatevername.tpm.

4. Open TPM Administration Console (tpm.msc) and Click on Change Owner


5. Select “I have the Owner Password File” and point it to .tpm file which
you got in Step 2.

6. Now you can successfully change the TPM password.

For more information on Group Policies for Bitlocker, see my blog below.

Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server

19. BitLocker Resources I’ve done !

Customising Windows 7 deployments – part 5.
Enabling Bitlocker in WinPE on Dell computers [Jul 2011]

How can I determine if theres a TPM chip on my Dell system for BitLocker ?
Using the following script [Aug 2011]

Is the TPM Chip Enabled or Disabled in the Bios on my system ?
Use this WMI query to find out [Aug 2011]

How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ?
Using the GetProtectionStatus Method [Aug 2011]?

How can I determine if there’s a TPM chip on my Lenovo system for BitLocker ?
Easy when you know how [Sep 2011]

How can I retrieve my BitLocker Recovery Key from MBAM in WinPE
Connecting to MBAM from WinPE [Sep 2011]

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.