A few months ago I was requested to implement Bitlocker Encryption for Windows 7 Clients.

At the time, Mbam 2.5 had been available since a few weeks only, and the documentation and implementation details were mostly linked to Windows 8 / 8.1 scenarios. Furthermore, most Bitlocker implementation details that I found on internet implied the use of Bitlocker GPOs and Active Directory as storage location, not Mbam.

However, after reading  the documentation, blog posts and support forums, I ended up being pretty confident that most new features made available for Windows 8 could also be used for Windows 7, so I ended up with the following goals:

1. Pre-provision Bitlocker: this allows you to enable bitlocker encryption before the OS is deployed. The resulting encryption targets used space only and is thus very quick. This task sequence step is part of SCCM 2012 and requires WinPe 4.

2. Allow MBAM to take ownership of the TPM so that both TPM and drive recovery information are stored and accessible through Mbam web console.

Basically this ensures that all the computers are encrypted during the Task Sequence, not after.

Here are the firsts steps I use in my Task Sequence:


Bitlocker must find the TPM in a specific state in order to be able to use it, ie. Enabled in the Bios,  Active but not Owned.

A VbScript takes care of this through WMI with the function SetPhysicalPresenceRequest(6) in order to enable and activate the TPM. (see  http://msdn.microsoft.com/en-us/library/windows/desktop/aa376478(v=vs.85).aspx)

As you can see this runs within WinPE

A reboot is needed if the state of TPM has changed, then standard preparation steps are used. I define the OS partition as %System% so that I can use it in the Pre Provisining Bitlocker  step as this

manage-bde -on %system% -Used

If you enable it for your TS and press F8 durning the Task sequence you can use manage-bde -status to control the state of encryption. You will see that the drive is encrypted before data is written to it, so it takes only a few seconds.

Further in the TS, we install the Mbam Client for all clients, TPM or NOT, which allows to get effective reporting for the enterprise.


The encryption itself uses Alex Semi’s Script slightly modified as well as the reg entries from Mbam 2.5 documentation.

see http://blogs.msdn.com/b/alex_semi/archive/2013/08/12/start-mbam-encryption-on-bitlocker-pre-provisioned-and-windows-to-go-drives.aspx

Since he uses AD to store TPM, the script would work, but this is not what we want. We need Mbam to take care and store the information for both disks and TPM.  I just made the comments in the scripts as seen below.

Function SetTpmOwner (sTpmOwnerPassword)
Dim iRetVal, oExec, sOwnerAuthDigest, sErrCode
‘ iRetVal = Failure

On Error Resume Next
‘// Convert password to Digest

‘  iRetVal = oTpm.ConvertToOwnerAuth(sTpmOwnerPassword, sOwnerAuthDigest)
‘  TestAndFail iRetVal, 6749, “Convert owner p@ssword to owner authorization”

‘// Set owner

‘  If not bEndorsementKeyPairPresent then
‘   iRetVal = oTpm.CreateEndorsementKeyPair
‘   TestAndFail iRetVal, 6750, “Create endorsement key pair”

‘  End if

‘  iRetVal = oTpm.TakeOwnership(sOwnerAuthDigest)
‘  oLogging.CreateEntry “Starting owner authorization process on the TPM”, LogTypeInfo
‘  TestAndFail iRetVal, 6751, “Change owner authorization”

SetTpmOwner = Success

End Function

We run Net stop mbamagent, Add registry keys created for our environment

see http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx for details.

Then we restart the agent, Net start mbamagent

We then run the script :

Cscript.exe StartMbamencryption.wsf /MbamServiceEndpoint:http://yourmbamserverfqdn/MbamRecoveryandHardwareService/CoreService.svc

That’s it.

Some remarks:

First of course, use this in a test environment. Make sure you don’t loose/delete the TPM key as you might loose data.

Hardware differences might force you to check for missing endorsement keys (http://support.microsoft.com/kb/2640178). I did not have this problem.

Use manage-bde to get the different states of the encryption.

Do not forget the ztiutility.vbs script. it is being used by StartMbamencryption.wsf

Make sure the correct SPN for Mbam is published to AD. There was a mistake in the Setspn command in the documentation.

Update: Note that Windows 7’s manage-bde command does not support Used Space Encryption, so the Manage-bde -status command when run in Windows 7 OS will report “Fully Encrypted” while it would report “Used Space Only Encrypted” when in Windows 8 or Winpe 5.

Hope it helps.

Here are the scripts: http://1drv.ms/1tmdZkA