BitLocker Support

Two builtin steps for managing BitLocker Drive Encryption during a task sequence are provided: Disable BitLocker and Enable BitLockerThis content is preliminary and may be subject to correction.

Disable BitLocker

As the name implies, the "Disable BitLocker" step disables BitLocker Drive Encryption.  This step does not decrypt the volume; it disables the BitLocker key protection for that volume.  This means the drive, while still encrypted, is accessible by any BitLocker-aware operating system (e.g., Vista and Windows PE 2.0).  It also means that the key protectors are temporarily stored unencrypted on the hard drive.

This step is required if you plan to access a BitLocker protected volume in Windows PE but don't plan to re-format the volume first.  In addition, if you are using the boot integrity verification feature of your TPM, you should use this step before any Reboot to Windows PE step, since replacing the bootloaders will trigger the boot integrity verification unless BitLocker Drive Encryption is temporarily disabled.

Enable BitLocker

The "Enable BitLocker" step provides a convenient way to enable BitLocker in a task sequence, but only exposes a subset of the available BitLocker options.  For more advanced options, consider using the manage-bde.wsf script (which ships with Vista) in a Run Command Line step.

BitLocker cannot be enabled in Windows PE.  It is recommended that you enable BitLocker as the first step in the new operating system (e.g., immediately after the "Setup Windows and ConfigMgr" step).

TPM Requirements

If you choose to use the Trusted Platform Module (TPM) for key protection, and the TPM has never been initialized, then it may be necessary to perform a manual one-time initialization.  See "Step 1: Turn on the TPM" at  It may also be necessary to first enable the TPM in the BIOS. 

Once the TPM is enabled, activated, and ownership is allowed, "Enable BitLocker" can complete any remaining initialization, since the remaining steps do not require physical presence or reboots.  The remaining steps which may be completed transparently by "Enable BitLocker" (if necessary) include:

  • Create endorsement key pair
  • Create owner authorization value and escrow to Active Directory (see Active Directory Requirements, below)
  • Take ownership
  • Reset the storage root key

Active Directory Requirements

If you are using the TPM for key protection, and the Enable BitLocker step determines that it is necessary to create an owner authorization value, then you must have Active Directory extended to allow ConfigMgr to escrow the owner authorization value to Active Directory (see for details on how to do this).

In addition, if you choose to create a recovery password, the Enable BitLocker step requires that Active Directory be extended so that the recovery password can be escrowed.  The Enable BitLocker step does not expose the option to save the recovery password to a removable USB drive.

Specifying a Recovery Password

If you would like to specify a recovery password instead of having one randomly generated, you can set the value of the Task Sequence environment variable OSDBitLockerRecoveryPassword to be any valid BitLocker numerical password (see

Specifying a Startup Key

Similarly, if you are using either of the "Startup key on USB" key protection options, you can specify a startup key instead of having one randomly generated by setting OSDBitLockerStartupKey in the Task Sequence environment.  The specified value should be the Base64 encoding of the 256 bit external key.

Comments (2)

  1. thomas says:

    Hi Victor

    Great initiative writing this blog.

    I have a newbie question (like so many others).

    I am using SCCM 2007R2 to deploy Vista. I would like to implement BitLocker during the installation.

    What is the best way to go about?

    Should I use a task sequence to partition the disks or should I use BdeHdCfg.exe? If BdeHdCfg, how do I use it? I have copied the tool to the image. Can I run it from a task sequence (Run a command) or will that not work?

    If I get past this step, is the only remaining step to enable BitLocker in a task?



  2. scott barnard says:

    Great idea on the blog

    I’m coming from a different angle though. I have vista and bitlocker deployed with TPM and pin codes.

    That’s ok but I want to be able to remotely rebuild these units in case of serious failure.

    However as soon as you start the rebuild process the pin code kicks in and the job is no longer a remote one.

    I have a great capability from SCCM but it seems strangled by bitlocker?

    Is there a way around this?

Skip to main content