BitLocker Drive Encryption encrypts the contents of a disk volume at the volume level, below the file system. BitLocker requires at least two partitions on the hard drive: the first, active partition holds the Windows bootstrap code and must remain unencrypted, and a separate partition holds the operating system.
The Enable BitLocker task sequence action runs only in a standard operating system and will not run in the Windows Preinstallation Environment (WinPE). For information about task sequence variables for this task sequence action, see Enable BitLocker Task Sequence Action Variables.
Note: BitLocker is used with computers running Windows Vista and Windows Server 2008 or later.
If you specified TPM Only or TPM and Startup Key on USB, before you can run the Enable BitLocker task sequence step, the Trusted Platform Module (TPM) must be in the following state:
- Enabled
- Activated
- Ownership Allowed
The task sequence step can complete any remaining TPM initialization, because the remaining steps do not require physical presence or reboots. The remaining TPM initialization steps that Enable BitLocker can complete transparently (if necessary) are:
- Create the endorsement key pair
- Create the owner authorization value and escrow it to Active Directory, whose schema must have been extended to support this value
- Take ownership
- Create the storage root key, or reset it if one is already present but incompatible
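The following script is an added example, not code from the original page or from Configuration Manager. It checks the three TPM prerequisites listed above (Enabled, Activated, Ownership Allowed) through the Win32_Tpm WMI class and records the outcome in task sequence variables so the Enable BitLocker step can be conditioned on it. It assumes it runs inside a task sequence (the Microsoft.SMS.TSEnvironment COM object is present); the variable names TPMReadyForBitLocker and TPMStatusDetail are this example's own.

```powershell
# Added example (not from the page or ConfigMgr): verify TPM state before Enable BitLocker.
# Assumes a task sequence context; variable names below are chosen for this example.
$ErrorActionPreference = 'Stop'

# Win32_Tpm in root\cimv2\Security\MicrosoftTpm exposes the prerequisite checks.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                     -ErrorAction SilentlyContinue

$ready  = $false
$detail = ''

if ($null -eq $tpm) {
    $detail = 'No TPM visible to the operating system'
} else {
    # Each query method returns an object carrying a boolean of the same name.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $allowed   = [bool]$tpm.IsOwnershipAllowed().IsOwnershipAllowed
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # Ownership itself can be left to the step; enable/activate cannot.
    $ready  = $enabled -and $activated -and $allowed
    $detail = "Enabled=$enabled Activated=$activated OwnershipAllowed=$allowed Owned=$owned"

    # Enabling or activating the TPM needs physical presence and a reboot, so it
    # has to be done in firmware or with an OEM tool before this point.
    if (-not $enabled -or -not $activated) {
        $detail += ' (enable/activate the TPM in firmware before this step)'
    }
}

try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMReadyForBitLocker') = "$ready"     # "True" or "False"
    $tsenv.Value('TPMStatusDetail')      = $detail
} catch {
    # Outside a task sequence the COM object does not exist; just report.
    Write-Warning "Not running in a task sequence. $detail"
}

Write-Output "TPM ready for BitLocker: $ready. $detail"
if (-not $ready) { exit 1 }   # non-zero exit fails the Run PowerShell Script step
```

Run it as a Run PowerShell Script step placed before Enable BitLocker, and add the condition "Task Sequence Variable TPMReadyForBitLocker equals True" to the Enable BitLocker step so a machine whose TPM still needs firmware-side enabling fails early rather than partway through deployment.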
If you want the Enable BitLocker action to wait until the drive encryption process has completed before continuing with the next step in the task sequence, select the Wait check box. If you do not select the Wait check box, the drive encryption process runs in the background and task sequence execution proceeds immediately to the next step.
BitLocker can encrypt multiple drives on a computer (both operating system and data drives). To encrypt a data drive, the operating system drive must already be encrypted and the encryption process must have completed, because the key protectors that unlock the data drives are stored on the operating system drive. As a result, if you encrypt the operating system drive and a data drive in the same task sequence, the Wait option must be selected on the step that enables BitLocker for the operating system drive.
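The following script is an added example, not code from the original page or from Configuration Manager. It reproduces the ordering that the Wait option enforces when a data drive is encrypted after the operating system drive, and it also covers the already-encrypted-but-suspended case, in which only the protectors need re-enabling. It assumes Windows 8 / Windows Server 2012 or later (the BitLocker PowerShell module), an operating system volume on C: that already has its key protectors configured, a data volume on D:, and a six-hour timeout; the drive letters and timeout are this example's choices.

```powershell
# Added example (not from the page or ConfigMgr): wait for the OS drive, then do the data drive.
# Assumptions: BitLocker module available, OS volume C:, data volume D:, 6-hour timeout.
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

$osDrive   = 'C:'
$dataDrive = 'D:'
$deadline  = (Get-Date).AddHours(6)

$os = Get-BitLockerVolume -MountPoint $osDrive
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    throw "Encrypt $osDrive first: the data drive's auto-unlock protector is stored on the OS drive."
}

# An already-encrypted OS drive whose protection was suspended (the Disable BitLocker
# step) only needs its key protectors re-enabled; nothing is re-encrypted.
if ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'Off') {
    Resume-BitLocker -MountPoint $osDrive | Out-Null
}

# Equivalent of the Wait check box: block until the OS volume reports FullyEncrypted.
do {
    $os = Get-BitLockerVolume -MountPoint $osDrive
    if ($os.VolumeStatus -eq 'FullyEncrypted') { break }
    if ((Get-Date) -gt $deadline) {
        throw "Timed out waiting for $osDrive ($($os.EncryptionPercentage)% encrypted)"
    }
    Write-Output "$osDrive is $($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted; waiting"
    Start-Sleep -Seconds 60
} while ($true)

if ($os.ProtectionStatus -ne 'On') {
    throw "$osDrive is encrypted but protection is Off; cannot auto-unlock $dataDrive yet"
}

# Data drive: a recovery password protector, then an auto-unlock key that lives on
# the now-protected OS volume so the data drive opens without a prompt at logon.
$data = Get-BitLockerVolume -MountPoint $dataDrive
if ($data.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $dataDrive -RecoveryPasswordProtector | Out-Null
}
Enable-BitLockerAutoUnlock -MountPoint $dataDrive | Out-Null

Get-BitLockerVolume -MountPoint $dataDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
```

The check on ProtectionStatus matters: a volume can be fully encrypted while protection is still off (for example, when a hardware test reboot is pending), and Enable-BitLockerAutoUnlock for the data drive needs the operating system drive to be protected, not merely encrypted.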
If the hard drive is already encrypted but BitLocker is disabled, Enable BitLocker re-enables the key protector or protectors and completes almost instantly. Re-encryption of the hard drive is not necessary in this case. For more information about disabling BitLocker, see Disable BitLocker.
You can configure the following settings:
- Name
- Specifies a descriptive name for this task sequence step.
- Description
- Allows you to optionally enter a description for this task sequence step.
- Choose the drive to encrypt
- Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure the key management: select TPM only to use only the Trusted Platform Module (TPM), select Startup key on USB only to keep the startup key on a USB drive only, or select TPM and startup key on USB to require both. To encrypt a specific drive (a non-operating system data drive), select Specific drive.
Note If you select USB, you must have a USB drive attached to the computer when the operating system deployment is performed. The startup key is written to the USB drive.
- Choose where to create the recovery key
- Specifies where the recovery password is created. Select In Active Directory to escrow the recovery password in Active Directory; this requires that the Active Directory schema for the site has been extended so that the associated BitLocker recovery information can be saved. Select Do not create recovery key to create no recovery password at all; this is not recommended, because without a recovery password the volume cannot be unlocked if the TPM fails or the startup key is lost.
- Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution
- Select this option to let BitLocker finish encrypting the drive before the next step in the task sequence runs. When it is selected, the entire disk volume is encrypted before a user can log on to the computer; on a large hard drive, this can take hours. When it is not selected, the task sequence proceeds immediately while encryption continues in the background.
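The following script is an added example, not code from the original page or from Configuration Manager. It produces the same end state as choosing In Active Directory for the recovery key: it makes sure the encrypted volume carries a recovery password protector (adding one if the volume was set up without it) and escrows every such protector to the computer object in Active Directory. It assumes a domain-joined Windows 8 / Windows Server 2012 or later machine with the BitLocker PowerShell module, an Active Directory schema already extended with the BitLocker recovery information objects, and C: as the volume; the mount point is this example's choice.

```powershell
# Added example (not from the page or ConfigMgr): ensure a recovery password exists and escrow it to AD.
# Assumptions: domain-joined, BitLocker module present, AD schema extended for BitLocker, volume C:.
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

$mountPoint = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mountPoint

# "Do not create recovery key" leaves only the TPM/USB protector: a motherboard
# swap or a lost USB key then makes the data unrecoverable. Add one if missing.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Escrow each recovery password protector (there is normally one) to Active Directory.
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Output "Escrowed protector $($kp.KeyProtectorId) on $mountPoint to Active Directory"
    } catch {
        # Typical causes: schema not extended, computer not domain-joined, or the
        # "Store BitLocker recovery information in AD DS" policy not applied.
        throw "Escrow of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
    }
}
```

To confirm the escrow from an administrative workstation with the ActiveDirectory RSAT module, query the msFVE-RecoveryInformation child objects of the computer account, for example `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase (Get-ADComputer COMPUTERNAME).DistinguishedName -Properties msFVE-RecoveryPassword`, where COMPUTERNAME is a placeholder; an empty result means the backup did not reach the directory and the recovery password exists only on the client.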