We have ~8000 Windows systems that are all running BitLocker.
We have HP and Lenovo systems, and we use the vendor-provided scripts for enabling Secure Boot and their TPM chips while provisioning. We just wrap them with a script that detects vendor/model and runs the proper commands to enable them.
Then we also include the manage-bde functions in our WinPE environments. See: How to: Update your boot.wim and boot_x64.wim to newer versions of Windows 10. On that page I include a script that contains the commands to add the "secure-startup" modules required to manage BitLocker in WinPE.
We also configure the boot order and then reboot from 32-bit WinPE to 64-bit WinPE if needed.
As a prerequisite, if you want to automate this during provisioning, regardless of whether you use SCCM or IEM, you will need MBAM set up; otherwise it takes a few manual clicks (from my understanding).
So general order of operations:
1. Enable Secure Boot / TPM
2. Set boot order to boot to NIC first
3. Reboot into 64-bit WinPE if not already in it
4. Run: x:\windows\system32\manage-bde.exe -protectors -add C: -rp -used (encrypts the disk in about 2 seconds)
5. Lay down the image using ImageX / DISM (file-based) and it will be encrypted while it gets imaged instead of encrypting after the fact; you cannot use imagew (sector-based), or it removes the encryption
6. Boot to OS
7. Install MBAM agent
8. Run the MBAM PowerShell (or legacy VBScript) script to "complete" the encryption process (takes 2-3 seconds and just finishes enabling it and escrowing the recovery key)
For systems that are already provisioned and joined to the domain, you should be able to set up a GPO to configure the BitLocker settings to escrow to AD/MBAM. This will automatically trigger BitLocker encryption prompts for users and force the encryption. Again, it doesn't matter if you are using SCCM or IEM, since it's all done in GPO.
Either tool can use the manage-bde commands to manage bitlocker as well. See: Manage-bde
This is not an easy undertaking and will take effort to get set up, so be sure to do lots and lots of testing. Once set up properly, you never think about it again, though, since it just works in the background. We also upgraded all of our systems in-place from 7 to 10 already using IEM and had no issues with BitLocker, since the Windows 10 upgrades seamlessly support it.
Hope this helps,
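The eight-step order of operations above, and the remark that either SCCM or IEM can drive it through manage-bde, as an added worked example. This is my script, not the poster's, and it stands in for whatever task-sequence wrapper they use. It splits the work into the two phases the steps imply: a WinPE phase that pre-provisions C: with manage-bde -on C: -UsedSpaceOnly (the documented "encrypt before imaging" form, which leaves a clear key so the volume is encrypted but not yet protected) and then applies the image with DISM, and a full-OS phase that installs the MBAM agent, adds the TPM and recovery-password protectors, escrows the password, and verifies that protection is actually on. Everything in the param block (the .wim path, the MBAM MSI and script paths, the recovery service URL) is a placeholder, C: is assumed to be the already-partitioned OS volume and S: the EFI system partition, and the -RecoveryServiceEndpoint parameter name of Microsoft's Invoke-MbamClientDeployment.ps1 is from memory and should be checked against your copy.

```powershell
<#
  Added example, not the poster's script. Two-phase BitLocker provisioning around a
  file-based image apply, in the order the post lists:
    -Phase WinPE  : pre-provision C: (used space only, clear key) and then apply the image
    -Phase FullOS : install the MBAM agent, add TPM + recovery-password protectors, escrow, verify
  Assumptions (mine, not from the post): C: is the already-partitioned OS volume, S: is the
  EFI system partition, and every path/URL in the param block is a placeholder.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('WinPE', 'FullOS')][string]$Phase,
    [string]$Wim          = 'Z:\Images\Win10-Ent.wim',                     # placeholder
    [string]$MbamMsi      = 'C:\Deploy\MbamClientSetup.msi',               # placeholder
    [string]$MbamScript   = 'C:\Deploy\Invoke-MbamClientDeployment.ps1',   # ships with MBAM 2.5 SP1; path is a placeholder
    [string]$MbamEndpoint = 'https://mbam.example.internal/MBAMRecoveryAndHardwareService/CoreService.svc' # placeholder
)
$ErrorActionPreference = 'Stop'

function Invoke-Checked([string]$Exe, [string[]]$ArgList) {
    # Run a native tool and fail the task sequence on a non-zero exit code.
    & $Exe @ArgList | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') exited with $LASTEXITCODE" }
}

function Get-BdeStatusField([string]$Volume, [string]$Field) {
    # Pull one "Field:   value" line (e.g. "Protection Status") out of manage-bde -status.
    $out = & manage-bde.exe -status $Volume
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Volume exited with $LASTEXITCODE" }
    $re = "^\s*$([regex]::Escape($Field)):\s*(.+?)\s*$"
    $m  = $out | ForEach-Object { [regex]::Match($_, $re) } | Where-Object Success | Select-Object -First 1
    if (-not $m) { throw "'$Field' not found in manage-bde -status $Volume output" }
    return $m.Groups[1].Value
}

switch ($Phase) {
    'WinPE' {
        # Steps 1-3 as checks: 64-bit PE, SecureStartup component present, TPM visible.
        if ($env:PROCESSOR_ARCHITECTURE -ne 'AMD64') { throw 'Reboot into 64-bit WinPE first' }
        if (-not (Test-Path "$env:SystemRoot\System32\manage-bde.exe")) {
            throw 'manage-bde.exe missing: add WinPE-WMI and WinPE-SecureStartup to boot.wim'
        }
        $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if (-not $tpm) { throw 'No TPM visible; enable it in firmware before encrypting' }

        # Step 4: pre-provision. Used-space-only encryption with a clear key is near-instant
        # on an empty volume; protection stays off until real protectors are added in FullOS.
        Invoke-Checked manage-bde.exe @('-on', 'C:', '-UsedSpaceOnly')

        # Step 5: file-based apply, so data lands on the already-encrypted volume.
        # A sector-based restore would overwrite the BitLocker metadata instead.
        Invoke-Checked dism.exe @('/Apply-Image', "/ImageFile:$Wim", '/Index:1', '/ApplyDir:C:\')
        Invoke-Checked bcdboot.exe @('C:\Windows', '/s', 'S:', '/f', 'UEFI')

        $conv = Get-BdeStatusField 'C:' 'Conversion Status'
        $prot = Get-BdeStatusField 'C:' 'Protection Status'
        if ($prot -ne 'Protection Off') { throw "Unexpected state before first boot: $prot" }
        Write-Host "C: pre-provisioned ($conv); protection stays off until the FullOS phase"
    }
    'FullOS' {
        # Step 7: MBAM agent.
        Invoke-Checked msiexec.exe @('/i', $MbamMsi, '/qn', '/norestart')

        # Step 8: finish. Prefer the MBAM deployment script (adds protectors and escrows the
        # recovery password to MBAM); otherwise do it with manage-bde and escrow to AD DS.
        if (Test-Path $MbamScript) {
            & $MbamScript -RecoveryServiceEndpoint $MbamEndpoint   # parameter name as I recall it; check your copy
        } else {
            Invoke-Checked manage-bde.exe @('-protectors', '-add', 'C:', '-tpm')
            # Capture, never log: this output contains the 48-digit recovery password.
            $rp = & manage-bde.exe -protectors -add C: -RecoveryPassword
            if ($LASTEXITCODE -ne 0) { throw 'Adding the recovery password protector failed' }
            $id = ($rp | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' | Select-Object -First 1).Matches[0].Groups[1].Value
            Invoke-Checked manage-bde.exe @('-protectors', '-adbackup', 'C:', '-id', $id)
            Invoke-Checked manage-bde.exe @('-protectors', '-enable', 'C:')
        }

        # The check that matters: the clear key is gone and protection is on.
        $prot = Get-BdeStatusField 'C:' 'Protection Status'
        if ($prot -ne 'Protection On') { throw "BitLocker protection is not on after completion: $prot" }
        Write-Host "C: protected ($prot); recovery password escrowed"
    }
}
```

Two points worth keeping from this when adapting it to SCCM or IEM: the final Protection Status check is the one that catches a pre-provisioned volume that was imaged but never had its clear key replaced (such a machine boots and looks encrypted in the UI while anyone with the disk can read it), and the manage-bde -RecoveryPassword fallback prints the recovery password to stdout, so it is captured into a variable here rather than piped to the task-sequence log.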