Enabling BitLocker by Using a WMI Script

Applies To: Windows 7

The Windows Management Instrumentation (WMI) deployment method should be used for large enterprise deployments. The WMI providers that are associated with BitLocker Drive Encryption can also be used to develop a custom solution for your organization. This may be especially important when you are integrating the support of BitLocker computers into your help desk environment, or if you decide to let users choose if they want to install BitLocker.

EnableBitLocker.vbs is a fully functional sample deployment script that uses the publicly available BitLocker and Trusted Platform Module (TPM) WMI providers that can be used as is or customized to meet the needs of your organization.

To deploy BitLocker with a WMI script, such as EnableBitLocker.vbs, after the operating system has been installed, you must have:

To enable BitLocker by using a WMI script, complete the following tasks in order:

  • Configuring the hard disk for BitLocker

  • Using a WMI script to deploy BitLocker after installing Windows 7

  • Verifying that BitLocker is enabled

Configuring the hard disk for BitLocker

To function correctly on operating system drives, BitLocker requires a separate, active, unencrypted NTFS partition that contains the files needed to start the operating system. This partition is referred to as the system partition. The system partition should be at least 100 MB for BitLocker, Windows 7 recovery, and Windows 7 servicing. The operating system partition must meet the Windows 7 installation requirements. When installed on an unformatted hard disk, Windows 7 will install the proper partitions for BitLocker. The system partition will be hidden and will not have a drive letter.

If you are installing Windows 7 on a previously partitioned hard drive, BitLocker will inspect the hard disk configuration and attempt to repartition the disk drive if necessary to support BitLocker. You will need to approve the repartitioning recommendation as part of the BitLocker setup wizard before BitLocker can successfully be enabled. This will require the computer to be restarted to complete the repartitioning process. This procedure can also be accomplished by using the BitLocker Drive Preparation command-line tool as an alternative to the BitLocker setup wizard. For more information, see Using the BitLocker Drive Preparation Tool for Windows 7.

Using a WMI script to deploy BitLocker after installing Windows 7

You can customize the sample WMI script provided, EnableBitLocker.vbs, to deploy BitLocker on computers in your organization after Windows 7 is installed.

Warning

This topic uses the EnableBitLocker.vbs sample script to perform multiple changes to configuration settings to enable BitLocker as part of a standardized deployment. It is very likely that your environment will differ from the default settings in the sample script. You must ensure that you have a thorough understanding of how WMI works, what your environment's current settings are regarding disk encryption, and how your design team has planned BitLocker configuration for the organization.

The EnableBitLocker.vbs script automates the BitLocker configuration settings to:

  • Enable and activate the TPM.

  • Take ownership of the TPM and generate a random owner password.

  • Enable BitLocker protection by using any of the following authentication modes:

    • TPM

    • TPM + PIN

    • TPM + startup key

    • Startup key

  • Create an additional recovery key.

  • Create a recovery password.

  • Specify an encryption method.

  • Reset the TPM owner information.

See BitLocker Deployment Sample Resources (https://go.microsoft.com/fwlink/?LinkID=151997) for specific information about the EnableBitLocker.vbs sample script.

You can use any of the following methods to run the WMI script:

  • Startup script applied with Group Policy

  • Microsoft Systems Management Server (SMS) 2003 software distribution

  • Microsoft System Center Configuration Manager 2007

  • Business Desktop Deployment 2007 automation

  • Other software distribution tools

These methods are not detailed in this guide.

Note

You can also run the WMI script at the command line on a single computer. However, we recommend that you use one of the deployment methods above. If you choose to run the script in a Command Prompt window, we strongly recommend that you review the EnableBitLocker.vbs Parameter Reference, which is available in BitLocker Deployment Sample Documentation (https://go.microsoft.com/fwlink/?LinkID=167127).

When you review the log file that the script creates, you may see hexadecimal error codes that occur with BitLocker-specific WMI methods. For detailed error code information, see BitLocker Drive Encryption Provider (https://go.microsoft.com/fwlink/?LinkID=80600).

Verifying that BitLocker is enabled

To ensure that all of the steps completed as intended, you should verify that BitLocker was successfully enabled as part of your deployment.

To verify that BitLocker is enabled

  1. Verify that BitLocker encryption is occurring by using fvenotify.exe. You can run this command at the command prompt.

  2. If a notification message does not appear in the notification area, do one of the following:

    1. Open an administrative Command Prompt window, and run %systemdrive%\Windows\System32\manage-bde.exe -status DriveLetter:, replacing DriveLetter with the appropriate drive letter for the drive on which you enabled BitLocker. Verify that encryption has completed.

    2. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes. Verify that BitLocker is turned on.
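The following PowerShell script is an added example and is not part of this topic or of the EnableBitLocker.vbs sample script. It performs the verification described above in a scriptable way, using the same BitLocker (Win32_EncryptableVolume) and TPM (Win32_Tpm) WMI providers that the sample script drives, and it makes no configuration changes. It also reports the TPM enabled/activated/owned state that the sample script's first steps depend on, and prints any WMI return code in hexadecimal so it can be matched against the BitLocker Drive Encryption Provider error-code reference mentioned earlier. It assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt, and that the operating system drive is C: (change the -DriveLetter parameter otherwise); the status-code name tables are the provider's documented values.

```powershell
# Added example: read-only BitLocker/TPM status check (not the EnableBitLocker.vbs sample).
# Assumes Windows 7, PowerShell 2.0+, elevated prompt. Usage: .\Test-BitLockerStatus.ps1 -DriveLetter 'C:'
param(
    [string]$DriveLetter = 'C:'   # assumption: the operating system drive is C:
)

# WMI return values are HRESULTs; show them in hex to match the provider error-code reference.
function Format-Hresult([uint32]$Code) { '0x{0:X8}' -f $Code }

# Documented status values of the BitLocker WMI provider.
$conversionNames = @{ 0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                      3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused' }
$protectionNames = @{ 0='Unprotected'; 1='Protected'; 2='Unknown' }
$protectorNames  = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPMAndPIN';
                      5='TPMAndStartupKey'; 6='TPMAndPINAndStartupKey'; 7='PublicKey'; 8='Passphrase' }

# --- TPM state (Win32_Tpm): the sample script enables, activates and takes ownership of this ---
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Warning 'No TPM found; TPM-based key protectors cannot have been created.'
} else {
    $enabled   = $tpm.IsEnabled()
    $activated = $tpm.IsActivated()
    $owned     = $tpm.IsOwned()
    foreach ($r in $enabled, $activated, $owned) {
        if ($r.ReturnValue -ne 0) { Write-Warning ('TPM query failed: ' + (Format-Hresult $r.ReturnValue)) }
    }
    'TPM enabled={0} activated={1} owned={2}' -f $enabled.IsEnabled, $activated.IsActivated, $owned.IsOwned
}

# --- Volume state (Win32_EncryptableVolume) ---
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"
if ($vol -eq $null) { throw "No encryptable volume found for $DriveLetter" }

# Conversion status: has encryption actually finished? (equivalent to manage-bde -status)
$conv = $vol.GetConversionStatus()
if ($conv.ReturnValue -ne 0) { throw ('GetConversionStatus failed: ' + (Format-Hresult $conv.ReturnValue)) }
'{0} conversion={1} ({2}% encrypted)' -f $DriveLetter, $conversionNames[[int]$conv.ConversionStatus], $conv.EncryptionPercentage

# Protection status: are the key protectors enforced (BitLocker "turned on")?
$prot = $vol.GetProtectionStatus()
if ($prot.ReturnValue -ne 0) { throw ('GetProtectionStatus failed: ' + (Format-Hresult $prot.ReturnValue)) }
'{0} protection={1}' -f $DriveLetter, $protectionNames[[int]$prot.ProtectionStatus]

# Key protectors: confirm the authentication mode and recovery protectors the script was meant to create.
$kp = $vol.GetKeyProtectors(0)   # 0 = all key protector types
if ($kp.ReturnValue -eq 0 -and $kp.VolumeKeyProtectorID) {
    foreach ($id in $kp.VolumeKeyProtectorID) {
        $t = $vol.GetKeyProtectorType($id)
        '  protector {0}: {1}' -f $id, $protectorNames[[int]$t.KeyProtectorType]
    }
} else {
    Write-Warning 'No key protectors present on this volume.'
}

# Verdict: the deployment succeeded only if encryption completed AND protection is on.
if (($conv.ConversionStatus -eq 1) -and ($prot.ProtectionStatus -eq 1)) {
    'BitLocker is enabled and encryption has completed.'
} else {
    'BitLocker is NOT fully enabled on this volume.'
    exit 1
}
```

The non-zero exit code lets a software distribution tool or startup script treat an incomplete deployment as a failure, and the protector listing catches the case where encryption finished but no recovery password or key was created, which the notification-area check alone does not reveal.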