1) Allow AD to store TPM information
   a. Download Add-TPMSelfWriteACE.vbs from http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205
   b. Using an account that is a domain admin, open an elevated command prompt and navigate to the file you just downloaded.
   c. Type in "cscript Add-TPMSelfWriteACE.vbs" and press Enter.
2) Add the BitLocker feature to all domain controllers
   a. Go to all domain controllers and open Features.
   b. Click Add Features.
   c. Navigate to Remote Server Administration Tools\Feature Administration Tools\BitLocker Drive Encryption Administration Tools.
   d. Check the box next to it and click Next.
   e. Install the feature.
3) Set up group policy
   a. Open the Group Policy Editor (GPMC) and navigate to: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
   b. Open "Store BitLocker information in AD DS".
      i. Check the box for "Require BitLocker to back up to AD DS".
   c. Open "Provide the unique identifiers for your organization".
      i. Enable it and type in TLG for the identifiers.
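A quick way to confirm that the step 3 settings actually reached a client is to read the policy registry key that Group Policy writes for the BitLocker ADMX settings. The script below is an added example and is not part of the original post; the key path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names ActiveDirectoryBackup, RequireActiveDirectoryBackup, IdentificationField and IdentificationFieldString are the ones I know those ADMX settings use, so treat them as assumptions and confirm against your own ADMX files if a check reports a value as missing.

```powershell
# Added example (not from the original post): verify on a domain-joined client
# that the Group Policy settings from step 3 arrived. Group Policy writes the
# BitLocker ADMX settings under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value
# names below are assumptions (confirm against your ADMX if one reports "missing").
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected settings: value name -> expected value. "TLG" is the identifier from step 3c.
$Expected = [ordered]@{
    ActiveDirectoryBackup        = 1      # "Store BitLocker information in AD DS" enabled (3b)
    RequireActiveDirectoryBackup = 1      # the "Require BitLocker to back up to AD DS" check box (3b.i)
    IdentificationField          = 1      # "Provide the unique identifiers for your organization" enabled (3c)
    IdentificationFieldString    = 'TLG'  # the identifier typed in step 3c.i
}

function Test-BitLockerAdBackupPolicy {
    # Returns $true when every expected value is present and matches, $false otherwise.
    if (-not (Test-Path $FvePolicy)) {
        Write-Warning "No BitLocker policy key at $FvePolicy; run 'gpupdate /force' and check the GPO link."
        return $false
    }
    $actual = Get-ItemProperty -Path $FvePolicy
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            Write-Warning "$name is missing"
            $ok = $false
        } elseif ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'"
            $ok = $false
        } else {
            Write-Output "$name = $value (ok)"
        }
    }
    return $ok
}

# Usage: run on a client after 'gpupdate /force'; a $false result means BitLocker
# would either not back up to AD or would not be blocked from enabling without it.
Test-BitLockerAdBackupPolicy
```

Running this before the EnableBitLocker.vbs package goes out catches the common failure where the GPO is linked to the wrong OU, so a client encrypts without its recovery password ever reaching AD DS.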
4) Install the MBAM client
   a. Find the MBAM client .msi file on the MBAM server.
   b. Package the .msi file.
   c. Distribute it to all Windows 7 computers.
5) Install the MBAM Server
6) Install the MBAM Group Policy Template
   a. Start the MBAM installation wizard on a server with Group Policy Management (GPMC) on it.
   b. Click Install.
   c. Accept the license terms and click Next.
   d. Clear all features except for Policy Template, and click Next.
   e. Click Finish.
7) Configure MBAM group policy
   a. Open GPMC and go to Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)
   b. Open "Provide the unique identifiers…" and type in TLG in both fields.
   c. Open the Client Management folder.
   d. Open "Configure MBAM Services".
      i. Recovery and Hardware Service Endpoint: http://sccm01:8540/MBAMRecoveryAndHardwareService/CoreService.svc
      ii. Status Reporting Service Endpoint: http://sccm01:8540/MBAMComplianceStatusService/StatusReportingService.svc
   e. Allow hardware compatibility checking: Allow
   f. Click on the Operating System Drive folder.
   g. Operating system drive encryption options:
      i. Enable
      ii. TPM only
      iii. Check the box
      iv. Minimum PIN length: 4
8) Prepare client computers for BitLocker
   a. Turn on the TPM chip:
      i. manage-bde -tpm -TurnOn
   b. Take ownership of the TPM chip:
      i. manage-bde -tpm -TakeOwnership TLTPMp@ss
   c. Make sure there is a BitLocker partition on the drive:
      i. %windir%\sysnative\BdeHdCfg.exe -target c: shrink -newdriveletter x: -size 300 -quiet
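The three commands in step 8 are usually pushed to clients as one package, so it helps to wrap them in a script that checks the current state first and can be re-run on a machine that is already partly prepared. The script below is an added example, not code from the original post: it assumes it runs elevated on a Windows 7 client that has manage-bde.exe and BdeHdCfg.exe, reads the TPM state through the Win32_Tpm WMI class, detects an existing system partition through Win32_Volume, and takes the TPM owner password as a parameter instead of embedding it in the script.

```powershell
# Added example (not from the original post): run the client-preparation commands
# from step 8 with state checks so the script is safe to re-run. Assumes an
# elevated session on Windows 7 with manage-bde.exe and BdeHdCfg.exe present.
param(
    [Parameter(Mandatory = $true)] [string] $TpmOwnerPassword,  # the owner password from step 8b
    [string] $OsDrive = 'c:',
    [string] $NewDriveLetter = 'x:',
    [int]    $SystemPartitionMB = 300
)

function Invoke-Native([string] $Exe, [string[]] $Arguments) {
    # Run a native tool, echo its output, and turn a non-zero exit code into an error.
    $output = & $Exe @Arguments 2>&1
    $output | ForEach-Object { Write-Output "  $_" }
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# A 32-bit process (e.g. the ConfigMgr client) must use the sysnative alias to reach the 64-bit tools.
$sys = if ([IntPtr]::Size -eq 8) { "$env:windir\System32" } else { "$env:windir\sysnative" }
$manageBde = Join-Path $sys 'manage-bde.exe'
$bdeHdCfg  = Join-Path $sys 'BdeHdCfg.exe'

# Win32_Tpm (root\CIMV2\Security\MicrosoftTpm) tells us whether 8a and 8b were already done.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM found; this machine cannot use the TPM-only setting from step 7g.' }

# 8a: turn on the TPM (the firmware may ask for physical presence at the next boot).
if ($tpm.IsEnabled().IsEnabled) {
    Write-Output 'TPM already enabled (8a done)'
} else {
    Write-Output 'Enabling TPM'
    Invoke-Native $manageBde @('-tpm', '-TurnOn')
}

# 8b: take ownership only if nobody owns the TPM yet; re-running would otherwise fail.
if ($tpm.IsOwned().IsOwned) {
    Write-Output 'TPM already owned (8b done)'
} else {
    Write-Output 'Taking TPM ownership'
    Invoke-Native $manageBde @('-tpm', '-TakeOwnership', $TpmOwnerPassword)
}

# 8c: BitLocker needs the boot files on a partition separate from the OS volume.
# Win32_Volume.BootVolume marks the OS volume, SystemVolume marks the one holding the boot files;
# when they are the same volume there is no system partition yet and we shrink the OS drive.
$volumes = Get-WmiObject -Class Win32_Volume
$bootVol = $volumes | Where-Object { $_.BootVolume }  | Select-Object -First 1
$sysVol  = $volumes | Where-Object { $_.SystemVolume } | Select-Object -First 1
if ($sysVol -and $bootVol -and $sysVol.DeviceID -ne $bootVol.DeviceID) {
    Write-Output "Separate system partition already present ($($sysVol.Name)); 8c done"
} else {
    Write-Output "Creating a $SystemPartitionMB MB system partition by shrinking $OsDrive"
    Invoke-Native $bdeHdCfg @('-target', $OsDrive, 'shrink', '-newdriveletter', $NewDriveLetter,
                              '-size', "$SystemPartitionMB", '-quiet')
}
```

Usage from the package command line: `powershell.exe -ExecutionPolicy Bypass -File Prepare-BitLockerClient.ps1 -TpmOwnerPassword <owner password>`. BdeHdCfg requires a reboot before the new partition is usable, so the EnableBitLocker.vbs package from step 9 should be deployed with a restart in between.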
9) Package EnableBitLocker.vbs
   a. Download EnableBitLocker.vbs from http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205
   b. Package it in SCCM using the command: cscript EnableBitLocker.vbs /on:tpm /l:C:\SWsetup\Bitlocker.log
   c. Distribute to DPs and deploy to whomever you want to encrypt.
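Once the step 9 package has run, the question on each client is whether the OS drive is really protected or only partly encrypted. The function below is an added example, not part of the original post or of the Microsoft script; it uses the Win32_EncryptableVolume WMI class (namespace root\CIMV2\Security\MicrosoftVolumeEncryption), whose GetProtectionStatus() reports 0 for off, 1 for on and 2 for unknown, and GetConversionStatus() reports the encryption percentage, so it can be run as a ConfigMgr script or compliance item to find machines where the deployment did not complete.

```powershell
# Added example (not from the original post): report the BitLocker state of the OS drive
# after the EnableBitLocker.vbs package has run. Uses Win32_EncryptableVolume; the
# status codes are the ones documented for GetProtectionStatus and GetConversionStatus.
function Get-BitLockerOsDriveStatus {
    param([string] $DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) {
        return New-Object PSObject -Property @{ Drive = $DriveLetter; Protection = 'NoVolume'; PercentEncrypted = 0; Compliant = $false }
    }

    $protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $conversion = $vol.GetConversionStatus()                    # ConversionStatus + EncryptionPercentage
    $protText = switch ($protection) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }

    # "Compliant" for this deployment means protection is on AND encryption has finished;
    # a drive that is still converting is not yet protected against an offline read.
    $compliant = ($protection -eq 1) -and ($conversion.EncryptionPercentage -eq 100)

    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        Protection       = $protText
        PercentEncrypted = [int]$conversion.EncryptionPercentage
        Compliant        = $compliant
    }
}

# Usage: print the status and exit non-zero when not compliant, so ConfigMgr records a failure.
$status = Get-BitLockerOsDriveStatus
$status | Format-List Drive, Protection, PercentEncrypted, Compliant
if (-not $status.Compliant) { exit 1 }
```

Pairing this check with the log written by `/l:C:\SWsetup\Bitlocker.log` gives both the outcome (is the drive protected) and, when it is not, the reason the script recorded.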
Resources:
Recommended BitLocker Settings