BitLocker is one of the features included with the Ultimate and Enterprise editions of Windows 7 for a full disk encryption of the hard disks. This additional feature helped me during a migration project to Windows 7 to get rid of the additional third party application (Safeboot) for disk encryption. Enabling Bitlocker on a single system is no problem but the challenges I had for enterprise deployment were:

• Prepare Active Directory schema for Bitlocker and TPM attributes
• Additional configuration for Group Policy Objects linked to Computer Configuration
• Activating and/or enabling the TPM security chip during the installation of Windows 7
• Automation during the post configuration of Windows 7 to backup the recovery keys and start the encryption of the System drive.

The first two bullets were matter of proper project management, and execution of those changes on the Active Directory forest and linking Group Policy. Activating and enabling TPM security chip I solved by having system BIOS changed during the first boot before the installation.

Most challenging part of my enterprise deployment was to create some kind of script to enable Bitlocker after Windows 7 was installed. For Windows 7 we used only one thick image and same image was used for notebooks and desktop models. After doing research I found a sample script that can be used to automate the deployment of BitLocker using the BitLocker WMI interfaces.

By having the EnableBitLocker.vbs script I still needed to run some additional steps to finalize process for encrypting the drive.

How to enable Bitlocker during a enterprise deployment of Windows 7?

Some objectives I had before creating the script:

• The script should only run on notebook models
• The script should write log files for troubleshooting and analysis
• The script should work with all installed MUI languages on the thick image
• Integrate script with a Sysprep answer file

The thick image was installed with several MUI packs and during the pilot I run into some kind of bug. The EnableBitLocker.vbs script failed when de-DE German MUI language was used. I needed to fix that with setting the preferred language to English for local  Administrator account.

Enable-notebook-bitlocker.vbs

Please create a new text file and save this file as Enable-notebook-bitlocker.vbs in C:\Deployment folder. Please also copy EnableBitLocker.vbs to C:\Deployment.

Dim Manufacturer, ModelType, ChassisType,LogFile, q1, reg
'on error resume next
Set colNamedArgs = WScript.Arguments.Named
argLog = LCase(colNamedArgs.Item("log"))
Get_ChassisTypes

If colNamedArgs.Exists("log") Then
    LogFile = argLog 
    'MsgBox LogFile
    Else
    MsgBox "No log file has been provided", vbError
    WScript.Quit
End If

q1=""""
reg = "reg add " & q1 & "HKCU\Control Panel\Desktop" & q1 & " /v PreferredUILanguagesPending /t REG_MULTI_SZ /d en-US /f"
If (ChassisType="Notebook") then
    'MsgBox "Notebook", vbInformation
    Run_Command(reg)
    Run_Command("cscript c:\Deployment\EnableBitLocker.vbs /on:tpm /l:" & LogFile )
End if

Sub Get_ChassisTypes
    Dim strComputer, objWMIService, objItem, colItems
    strComputer = "." 
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") 
    Set colItems = objWMIService.ExecQuery( "select * from Win32_SystemEnclosure",,48) 
    For Each objItem in colItems 
        ChassisType =  Join(objItem.ChassisTypes, ",")
        Model = objItem.Model
    Next

    If (ChassisType  = "10") or (ChassisType  = "9") or (ChassisType  = "8") then
        'Msgbox "ChassisType: " & "Notebook" & "(" & ChassisType &")" 
        ChassisType = "Notebook"
    Else
        'Msgbox "ChassisType: " & "Desktop" & "(" & ChassisType &")"  
        ChassisType = "Desktop"
    End if
End Sub

Sub Run_Command(Command)
    Dim shell
    Set shell = CreateObject("WScript.Shell")
    shell.Run Command, 1, true
    Set shell = Nothing
End Sub

I am not going into VBScript details but couple things to note.

EnableBitLocker.vbs script needs to run two times:

• Enable and activate the TPM in Windows.
• Taking ownership and resetting password for TPM. Creating recovery password, saving to Active Directory and initiating BitLocker drive encryption

After the EnableBitLocker.vbs run for the first time it will reboot the system. In my oobeSystem Sysprep phase I enabled Autologon for Administrator to log on two times. During my first log on I run the first time Enable-notebook-bitlocker.vbs script which was executed from another PowerShell script which run due to the FirstLogonCommands SynchronousCommand. After the reboot I had RunOnce configured to run the second part of the PowerShell script and here I configured the second run time of Enable-notebook-bitlocker.vbs.

I am using Sysprep and an answer file after Windows 7 image has loaded. These steps can easily be integrated with any software deployment solution like SCCM server.

Just make sure the following command is run two times:

cscript c:\Deployment\enable-notebook-bitlocker.vbs /log:c:\Deployment\1st-boot-EnableBitLocker.log
cscript c:\Deployment\enable-notebook-bitlocker.vbs /log:c:\Deployment\2nd-boot-EnableBitLocker.log

After one week of research, creating and testing the script I was able to automate the Bitlocker encryption process. The encryption on the notebook took between 2-5 hours. Depending on the hard disk size and the age of the hardware.

References

• Technet – Enabling BitLocker by Using a WMI Script
• BitLocker Deployment Sample Resources
• Technet – Backing Up BitLocker and TPM Recovery Information to AD DS
• Technet – Enabling BitLocker by Using the Command Line