Enable BitLocker Task Sequence Step

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

BitLocker drive encryption provides low-level encryption of the contents of a disk volume. BitLocker requires at least two partitions on the hard drive: the first, active partition contains the Windows bootstrap code and must remain unencrypted; another partition contains the operating system.

For more information about managing BitLocker without using task sequences, see BitLocker Drive Encryption Overview.

The Enable BitLocker task sequence action runs only in a standard operating system and will not run in Windows PE. For information about task sequence variables for this task sequence action, see Enable BitLocker Task Sequence Action Variables.

BitLocker is used with computers running Windows Vista and Windows Server 2008 or later.

If you specified TPM Only or TPM and Startup Key on USB, before you can run the Enable BitLocker task sequence step, the Trusted Platform Module (TPM) must be in the following state:

  1. Enabled

  2. Activated

  3. Ownership Allowed

The task sequence step can complete any remaining TPM initialization, because the remaining steps do not require physical presence or reboots. The remaining TPM initialization steps that can be completed transparently by Enable BitLocker (if necessary) include:

  • Create endorsement key pair

  • Create owner authorization value and escrow to Active Directory, which must have been extended to support this value

  • Take ownership

  • Create the storage root key, or reset if already present but incompatible

If you want the Enable BitLocker action to wait until the drive encryption process has been completed before continuing with the next step in the task sequence, select the Wait check box. If you do not select the Wait check box, the drive encryption process will be performed in the background and task sequence execution will proceed immediately to the next step.

BitLocker can be used to encrypt multiple drives on a computer system (both operating system and data drives). To encrypt a data drive, the operating system must already be encrypted and the encryption process must be completed, because the key protectors for the data drives are stored on the operating system drive. As a result, if you encrypt the operating system drive and the data drive in the same process, the wait option must be selected for the step that enables BitLocker for the operating system drive.
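The two prerequisites above (the TPM state required before a TPM-based Enable BitLocker step, and a fully encrypted operating system drive before a data-drive step) can be verified from a Run Command Line step placed before Enable BitLocker. The following script is an added example, not Configuration Manager's own code; it assumes Windows Vista / Windows Server 2008 or later with the BitLocker and TPM WMI providers present, and that a non-zero exit code is what you want to fail the task sequence on.

```powershell
# Added pre-flight check for the Enable BitLocker step (example code, not part of
# Configuration Manager). Exit code 0 = prerequisites met; any other code = not ready.
param(
    [string]$OsDrive = $env:SystemDrive,   # e.g. "C:"
    [switch]$RequireOsDriveEncrypted       # set this for the step that encrypts a data drive
)

$tpmNs = 'root\cimv2\Security\MicrosoftTpm'
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# --- TPM must be Enabled, Activated and Ownership Allowed (needs BIOS / physical presence) ---
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Host 'No TPM found: TPM Only and TPM and Startup Key on USB cannot be used.'
    exit 1
}
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$ownAllow  = $tpm.IsOwnershipAllowed().IsOwnershipAllowed
$owned     = $tpm.IsOwned().IsOwned
Write-Host ("TPM enabled={0} activated={1} ownershipAllowed={2} owned={3}" -f $enabled, $activated, $ownAllow, $owned)
# Taking ownership is one of the steps Enable BitLocker completes itself, so an
# already-owned TPM also satisfies the "Ownership Allowed" requirement.
if (-not ($enabled -and $activated -and ($ownAllow -or $owned))) {
    Write-Host 'TPM is not Enabled, Activated and Ownership Allowed; fix in BIOS before this step.'
    exit 2
}

# --- The OS drive must be fully encrypted before a data drive can be encrypted,
#     because the data drive's key protectors are stored on the OS drive ---
if ($RequireOsDriveEncrypted) {
    $vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
    if (-not $vol) { Write-Host "Volume $OsDrive not found."; exit 3 }
    $conv = $vol.GetConversionStatus()
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    # 2 = encryption in progress, 3 = decryption in progress, 4/5 = paused
    Write-Host ("{0}: ConversionStatus={1} EncryptionPercentage={2}%" -f $OsDrive, $conv.ConversionStatus, $conv.EncryptionPercentage)
    if ($conv.ConversionStatus -ne 1) {
        Write-Host 'OS drive is not fully encrypted yet; select Wait on the OS-drive Enable BitLocker step.'
        exit 4
    }
}
exit 0
```

Run it with -RequireOsDriveEncrypted only before the step that encrypts a data drive; for the OS-drive step the TPM check alone applies.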

If the hard drive is already encrypted but BitLocker is disabled, then Enable BitLocker re-enables the key protector or protectors and will be completed almost instantly. Re-encryption of the hard drive is not necessary in this case. For more information about disabling BitLocker, see Disable BitLocker Task Sequence Step.

You can configure the following settings:

  • Name
    Specifies a descriptive name for this task sequence step.
  • Description
    Allows you to optionally enter a description for this task sequence step.
  • Choose the drive to encrypt
    Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure the key management. To specify that the Trusted Platform Module (TPM) should be used for key management, select TPM only. To specify that the startup key should be on USB only, select Startup key on USB only. To specify key management using both the TPM and USB, select TPM and startup key on USB only. To encrypt a specific drive (a non-operating system data drive), select Specific drive.

    If you select USB, you must have a USB drive attached to the computer when the operating system deployment is performed. The startup key is written to the USB drive.

  • Choose where to create the recovery key
    To specify where the recovery password should be created, select In Active Directory to escrow the password in Active Directory. If you select this option, you must extend Active Directory for the site so that the associated BitLocker recovery information is saved. To create no recovery password at all, select Do not create recovery key; this is not recommended.
  • Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution
    Select this option to allow the BitLocker drive encryption to be completed prior to running the next step in the task sequence. If this option is selected the entire disk volume will be encrypted before the user is able to log in to the computer.

    The encryption process can take hours to be completed when a large hard drive is being encrypted. Not selecting this option will allow the task sequence to proceed immediately.

See Also

Disable BitLocker Task Sequence Step

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.