Paul Jones - Microsoft Corporation

I am a Technology Solutions Professional for Microsoft. I have been with the company since 2004 and live in Lafayette, LA.

How to Enable BitLocker with SCCM OSD

How to Enable BitLocker with SCCM OSD

  • Comments 6
  • Likes

The hardware and software requirements for BitLocker are:

  • A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
  • A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.
  • A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.
  • A BIOS setting to start up first from the hard drive, not the USB or CD drives.

Configuration Manager Task Sequence:

1. Create 2 Partitions under Partition Disk 0 Step:

1st Partition for BitLocker

    • Partition Name: BDE
    • Partition Type: Primary
    • Use specific size: 300 MB
    • Check Make this the boot partition
    • File system: NTFS (Quick Format)
    • Variable: BDEPART

2nd Partition for Operating System

    • Partition Name: OS
    • Partition Type: Primary
    • Use a percentage of remaining free space: 100%
    • File system: NTFS (Quick Format)
    • Variable: OSPART

2. Apply Operating System Step:

Select the location where you want to apply this operating system

    • Destination: Logical drive letter stored in a variable
    • Variable Name: OSPART

3. Add Run Command Line: Script to enable TPM / BIOS Password / Etc

4. Add Restart Computer Step

5. Enable BitLocker Step

  • Hi Paul,

    I was wondering if you could provide a starting point for the script required to enable to TPM / BIOS password etc...


  • This is a great post, and beggars can't be choosers.  However, it would be helpful to have a starting point for the script to enable the TPM.

  • Look at this for DELL and HP:

  • Can we enable Bitlocker on additional drives? Please explain all require steps

  • This is the command line we are running in our SCCM Task sequence to turn on the TPM chip.

    cmd.exe /C "%SystemRoot%\System32\manage-bde -tpm -turnon"

  • I'm getting Error 50 in the last step: The request is not supported.

    The TPM chip is enabled ..