BitLocker is one of the features included with the Ultimate and Enterprise editions of Windows 7 for full disk encryption of the hard disks. This additional feature helped me during a migration project to Windows 7 to get rid of the additional third-party application (Safeboot) for disk encryption. Enabling BitLocker on a single system is no problem, but the challenges I had for an enterprise deployment were:
- Prepare the Active Directory schema for the BitLocker and TPM attributes
- Additional configuration of the Group Policy Objects linked to Computer Configuration
- Activating and/or enabling the TPM security chip during the installation of Windows 7
- Automation during the post-configuration of Windows 7 to back up the recovery keys and start the encryption of the system drive
The first two bullets were a matter of proper project management and of executing those changes on the Active Directory forest and linking the Group Policy. Activating and enabling the TPM security chip I solved by having the system BIOS changed during the first boot, before the installation.
The most challenging part of my enterprise deployment was to create some kind of script to enable BitLocker after Windows 7 was installed. For Windows 7 we used only one thick image, and the same image was used for the notebook and desktop models. After doing research I found a sample script that can be used to automate the deployment of BitLocker using the BitLocker WMI interfaces.
Even with the EnableBitLocker.vbs script I still needed to run some additional steps to finalize the process for encrypting the drive.
How to enable BitLocker during an enterprise deployment of Windows 7?
Some objectives I had before creating the script:
- The script should only run on notebook models
- The script should write log files for troubleshooting and analysis
- The script should work with all installed MUI languages on the thick image
- Integrate script with a Sysprep answer file
The thick image was installed with several MUI packs, and during the pilot I ran into some kind of bug: the EnableBitLocker.vbs script failed when the de-DE German MUI language was used. I fixed that by setting the preferred language to English for the local Administrator account.
Please create a new text file and save it as Enable-notebook-bitlocker.vbs in the C:\Deployment folder. Please also copy EnableBitLocker.vbs to C:\Deployment.
' Enable-notebook-bitlocker.vbs: runs EnableBitLocker.vbs only on notebook chassis types.
' Usage: cscript Enable-notebook-bitlocker.vbs /log:<logfile>
Dim Manufacturer, ModelType, ChassisType, LogFile, Model, q1, reg
'on error resume next

Set colNamedArgs = WScript.Arguments.Named
argLog = LCase(colNamedArgs.Item("log"))

Get_ChassisTypes

If colNamedArgs.Exists("log") Then
    LogFile = argLog
    'MsgBox LogFile
Else
    ' A MsgBox blocks an unattended run until someone clicks it, so always pass /log.
    MsgBox "No log file has been provided", vbError
    WScript.Quit
End If

' Workaround for the de-DE MUI failure: set the current user's pending UI language
' to en-US before EnableBitLocker.vbs runs.
q1 = """"
reg = "reg add " & q1 & "HKCU\Control Panel\Desktop" & q1 & " /v PreferredUILanguagesPending /t REG_MULTI_SZ /d en-US /f"

If (ChassisType = "Notebook") Then
    'MsgBox "Notebook", vbInformation
    Run_Command(reg)
    ' /on:tpm requests a TPM-only key protector; /l: is the log file of EnableBitLocker.vbs
    Run_Command("cscript c:\Deployment\EnableBitLocker.vbs /on:tpm /l:" & LogFile)
End If

' Classifies the machine by SMBIOS chassis type: 8 = Portable, 9 = Laptop, 10 = Notebook.
Sub Get_ChassisTypes
    Dim strComputer, objWMIService, objItem, colItems
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
    Set colItems = objWMIService.ExecQuery("select * from Win32_SystemEnclosure",,48)
    For Each objItem In colItems
        ChassisType = Join(objItem.ChassisTypes, ",")
        Model = objItem.Model
    Next
    If (ChassisType = "10") Or (ChassisType = "9") Or (ChassisType = "8") Then
        'Msgbox "ChassisType: " & "Notebook" & "(" & ChassisType & ")"
        ChassisType = "Notebook"
    Else
        'Msgbox "ChassisType: " & "Desktop" & "(" & ChassisType & ")"
        ChassisType = "Desktop"
    End If
End Sub

' Runs a command line in a visible window and waits for it to finish.
Sub Run_Command(Command)
    Dim shell
    Set shell = CreateObject("WScript.Shell")
    shell.Run Command, 1, True
    Set shell = Nothing
End Sub
I am not going into VBScript details, but there are a couple of things to note.
The EnableBitLocker.vbs script needs to run twice:
- First run: enable and activate the TPM in Windows.
- Second run: take ownership of the TPM and reset its password; create the recovery password, save it to Active Directory and initiate BitLocker drive encryption.
After the first run of EnableBitLocker.vbs the system reboots. In my oobeSystem Sysprep phase I enabled Autologon for Administrator to log on twice. During the first logon I ran Enable-notebook-bitlocker.vbs for the first time, executed from another PowerShell script that ran through a FirstLogonCommands SynchronousCommand. After the reboot I had RunOnce configured to run the second part of the PowerShell script, and there I configured the second run of Enable-notebook-bitlocker.vbs.
I am using Sysprep and an answer file after the Windows 7 image has been applied. These steps can easily be integrated with any software deployment solution, such as an SCCM server.
Just make sure the following command is run twice, once per boot:
cscript c:\Deployment\enable-notebook-bitlocker.vbs /log:c:\Deployment\1st-boot-EnableBitLocker.log
cscript c:\Deployment\enable-notebook-bitlocker.vbs /log:c:\Deployment\2nd-boot-EnableBitLocker.log
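One way to wire the two runs together and to check the outcome afterwards, as an added example that is not part of the original post and not Microsoft's EnableBitLocker.vbs: a PowerShell 2.0 script with a -Phase parameter. Phase 1 is what the FirstLogonCommands SynchronousCommand starts; it registers phase 2 under RunOnce and then runs the first pass. Phase 2 runs the second pass and then queries the same BitLocker WMI interfaces the sample script is built on (Win32_Tpm and Win32_EncryptableVolume) and the computer's own Active Directory object, to confirm that the TPM is owned, that the system drive has a TPM protector and a recovery password, that encryption has started, and that msFVE-RecoveryInformation objects exist under the computer account. The file name Invoke-BitLockerDeployment.ps1, the RunOnce value name and the verification log name are assumptions.

```powershell
# Invoke-BitLockerDeployment.ps1 (added example; file name, RunOnce value name and log names are assumptions)
# Drives the two passes of Enable-notebook-bitlocker.vbs and verifies the result.
#   -Phase 1  started by the FirstLogonCommands SynchronousCommand: registers phase 2 in RunOnce,
#             then runs the first pass (TPM enable/activate), which reboots the machine.
#   -Phase 2  started by RunOnce after the reboot: runs the second pass (TPM ownership, recovery
#             password, AD backup, start of encryption), then writes a verification report.
# Written for Windows 7 / PowerShell 2.0; must run elevated in the autologon Administrator session.
param([int]$Phase = 1)

$Deploy = 'C:\Deployment'
$Vbs    = "$Deploy\enable-notebook-bitlocker.vbs"
$Self   = "$Deploy\Invoke-BitLockerDeployment.ps1"
$FveNs  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'   # Win32_EncryptableVolume
$TpmNs  = 'root\CIMV2\Security\MicrosoftTpm'                # Win32_Tpm

function Invoke-EnablePass([string]$LogName) {
    # Same command line as in the post; //nologo keeps the cscript banner out of the log.
    $p = Start-Process -FilePath 'cscript.exe' -Wait -PassThru `
         -ArgumentList "//nologo `"$Vbs`" /log:$Deploy\$LogName"
    return $p.ExitCode
}

function Get-ArrayCount($Items) {
    # @($null).Count is 1 in PowerShell, so a null [out] array must be counted as 0.
    if ($Items -eq $null) { return 0 } else { return @($Items).Count }
}

function Test-Notebook {
    # Same SMBIOS chassis codes as the VBScript: 8 Portable, 9 Laptop, 10 Notebook.
    $enc = Get-WmiObject -Class Win32_SystemEnclosure
    return (@('8', '9', '10') -contains ($enc.ChassisTypes -join ','))
}

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
    if ($tpm -eq $null) { return $null }      # no TPM, or still hidden/disabled in the BIOS
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-SystemVolumeState {
    $vol  = Get-WmiObject -Namespace $FveNs -Class Win32_EncryptableVolume `
            -Filter "DriveLetter='$env:SystemDrive'"
    $conv = $vol.GetConversionStatus()
    New-Object PSObject -Property @{
        ProtectionStatus  = $vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
        ConversionStatus  = $conv.ConversionStatus                        # 1 fully encrypted, 2 encrypting
        PercentEncrypted  = $conv.EncryptionPercentage
        # Key protector types: 1 = TPM (the /on:tpm protector), 3 = numerical (recovery) password.
        TpmProtectors     = Get-ArrayCount ($vol.GetKeyProtectors(1).VolumeKeyProtectorID)
        RecoveryPasswords = Get-ArrayCount ($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    }
}

function Get-AdRecoveryObjectCount {
    # Counts the msFVE-RecoveryInformation objects under this computer account (the class
    # the AD schema preparation adds). Returns -1 when the computer object cannot be read.
    try {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        $computer = $s.FindOne()
        if ($computer -eq $null) { return -1 }
        $s.SearchRoot  = $computer.GetDirectoryEntry()
        $s.SearchScope = 'OneLevel'
        $s.Filter      = '(objectClass=msFVE-RecoveryInformation)'
        return $s.FindAll().Count
    } catch { return -1 }
}

function Test-BitLockerDeployment {
    $tpm = Get-TpmState
    $vol = Get-SystemVolumeState
    $ok  = ($tpm -ne $null) -and $tpm.Enabled -and $tpm.Activated -and $tpm.Owned -and
           ($vol.TpmProtectors -ge 1) -and ($vol.RecoveryPasswords -ge 1) -and
           ($vol.ConversionStatus -eq 1 -or $vol.ConversionStatus -eq 2)
    New-Object PSObject -Property @{
        Notebook = (Test-Notebook); Tpm = $tpm; Volume = $vol
        AdRecoveryObjects = (Get-AdRecoveryObjectCount); Ok = $ok
    }
}

switch ($Phase) {
    1 {
        # Register phase 2 BEFORE the first pass: EnableBitLocker.vbs reboots the machine itself
        # at the end of its first run, so nothing placed after Invoke-EnablePass is guaranteed to run.
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
            -Name 'BitLockerPhase2' `
            -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$Self`" -Phase 2"
        Invoke-EnablePass '1st-boot-EnableBitLocker.log' | Out-Null
    }
    2 {
        Invoke-EnablePass '2nd-boot-EnableBitLocker.log' | Out-Null
        $r   = Test-BitLockerDeployment
        $log = "$Deploy\BitLocker-verify.log"
        "Notebook: $($r.Notebook)  AD recovery objects: $($r.AdRecoveryObjects)  OK: $($r.Ok)" | Out-File $log
        $r.Tpm, $r.Volume | Format-List | Out-File $log -Append
        if ($r.Notebook -and -not $r.Ok) { exit 1 }   # lets the deployment tool flag the machine
    }
}
```

The FirstLogonCommands entry then only needs `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Deployment\Invoke-BitLockerDeployment.ps1 -Phase 1`; the script registers the second logon itself. Two caveats: the AD count is taken in the security context of the autologon session (a local account talks to the domain as the computer account), so 0 or -1 can mean the objects are simply not visible to that context rather than absent; confirm from an administrator workstation with the BitLocker Recovery Password Viewer. And the dependable safeguard against a notebook encrypting without an escrowed key is the Group Policy option "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives", which belongs in the GPO mentioned in the first list above.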
After one week of research, creating and testing the script, I was able to automate the BitLocker encryption process. The encryption of a notebook took between 2 and 5 hours, depending on the hard disk size and the age of the hardware.