1 Reply Latest reply on Aug 3, 2017 10:46 PM by Peter Massa

    Deploying BitLocker

    ecoidan Specialist

      Endpoint Manager 2017.1

      Windows 10 Pro Clients


      Looking for some ways that folks have deployed BitLocker using Endpoint Manager (LDMS). I have an upcoming project to deploy BitLocker to 800 systems and I keep being told that it can only be deployed with SCCM. I truly hope that is not true. Anyone have any experience with this? Just thought to ask before spending a few hours researching and testing.

        • 1. Re: Deploying BitLocker
          Peter Massa Expert

          Hi ecoidan,


          We have ~8000 Windows systems that are all running bitlocker.


          We have HP and Lenovo systems that we use the vendor provided scripts for enabling secure boot and their TPM chips while provisioning.  We just wrap them with a script that detects vendor/model and runs the proper commands to enable them.


          Then we also include the manage-bde functions in our WinPE environments. See: "How to: Update your boot.wim and boot_x64.wim to newer versions of Windows 10". On this page I include a script that contains the commands to add the "secure-startup" modules required to manage BitLocker in WinPE.


          We also configure the boot order and then reboot from 32bit winpe to 64bit winpe if needed.


          As a pre-req if you want to automate this during provisioning regardless of using SCCM or IEM, you will need MBAM setup otherwise it takes a few manual clicks (from my understanding).


          So general order of operations:

          1. Enable secure boot / tpm

          2. Set boot order to boot to nic first

          3. Reboot into 64bit winpe if not already in it

          4. Run: x:\windows\system32\manage-bde.exe -protectors -add C: -rp -used   (encrypts the disk in about 2 seconds)

          5. Lay down image using imagex / dism (file based) and they will be encrypted while it gets imaged instead of encrypting after the fact, you cannot use imagew (sector based) or it removes the encryption

          6. Boot to OS

          7. Install MBAM agent

          8. Run MBAM PowerShell (or legacy VBScript) script to "complete" the encryption process (takes 2-3 seconds and just finishes enabling it and escrowing the recovery key)


          For systems that are already provisioned but joined to the domain - you should be able to set up a GPO to configure the BitLocker settings to escrow to AD/MBAM. This will automatically trigger BitLocker encryption prompts for users and force the encryption. Again, it doesn't matter if you are using SCCM or IEM since it's all done in GPO.


          Either tool can use the manage-bde commands to manage BitLocker as well. See: Manage-bde


          This is not an easy undertaking and will take effort to get set up - so be sure to do lots and lots of testing. Once set up properly, you never think about it again though, since it just works in the background. We also upgraded all of our systems in-place from 7 to 10 already using IEM and had no issues with BitLocker, since the Windows 10 upgrades seamlessly support it.


          Hope this helps,


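One way to script the post-image check and completion step (steps 6-8 in the reply above) with the built-in BitLocker PowerShell module instead of the MBAM script, as an added example that is not the poster's script or Ivanti's: it assumes a GPO already requires recovery keys to be escrowed to AD (an assumption), verifies TPM and Secure Boot, escrows a recovery password before protection is turned on, and returns a non-zero exit code for the deployment tool if protection is not On.

```powershell
# Added example (not the poster's MBAM script): post-image BitLocker check and
# completion for C:, run in the installed OS with admin rights.
# Assumption: a GPO already requires recovery keys to be escrowed to AD, so
# Backup-BitLockerKeyProtector stores the key on the computer object.
$Mount = 'C:'

# 1. Pre-flight: TPM present and ready, UEFI firmware with Secure Boot on.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; run the vendor enablement script first.'
}
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled.' }
} catch {
    Write-Warning 'Legacy BIOS boot detected; Secure Boot is unavailable.'
}

# 2. Current state of the OS volume. After a file-based image is laid onto a
#    pre-encrypted disk the volume is typically encrypted but protection is Off.
$vol = Get-BitLockerVolume -MountPoint $Mount
Write-Host "Before: $($vol.VolumeStatus), Protection: $($vol.ProtectionStatus)"

# 3. Make sure a recovery password exists and is escrowed BEFORE protection is
#    turned on; a protected volume with no escrowed key is unrecoverable.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Bind the volume to the TPM and start or resume encryption as needed.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} elseif (-not ($vol.KeyProtector.KeyProtectorType -contains 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $Mount -TpmProtector | Out-Null
}
if ((Get-BitLockerVolume -MountPoint $Mount).ProtectionStatus -eq 'Off') {
    Resume-BitLocker -MountPoint $Mount | Out-Null
}

# 5. Audit line for the deployment tool; exit 0 only when protection is On.
$final = Get-BitLockerVolume -MountPoint $Mount
Write-Host "After: $($final.VolumeStatus), Protection: $($final.ProtectionStatus), Protectors: $($final.KeyProtector.KeyProtectorType -join ',')"
exit ([int]($final.ProtectionStatus -ne 'On'))
```

Run it as a post-OS task in the provisioning template, or as a scheduled package against already-provisioned domain systems once the escrow GPO has applied.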