Manage-bde command equivalent to Enable bitlocker TS step

  • Question

  • Greetings,

      Ever since we upgraded to SCCM 2012 R2, the Enable bitlocker step in our TS fails with:

    Failed to run the action: Enable BitLocker on C:\. 

    The extended attributes are inconsistent. (Error: 000000FF; Source: Windows)

      It had worked fine before the upgrade.

      I am looking to replace this step with the equivalent manage-bde commands.

     In the step I use TPM only and create the recovery key in AD.

      We use the Pre-provision step which works fine - the drives are encrypted (this is doing the manage-bde -on bit)

      I figured out that manage-bde -protectors -add c: -tpm turns on the TPM bit for the C drive.

      What I cannot work out is how to do the AD recovery for both C and D drives using manage-bde and whether there is anything else we need to do to "enable" BitLocker.

    Thanks

    David Z

    Friday, October 25, 2013 4:52 AM

Answers

  • Most of the solution is now in place.

    During the WinPE phase we don't run the built-in pre-provision step any more as it defaults to 128-bit encryption. So we replaced it with the following commands:

    manage-bde -on C: -UsedSpaceOnly -encryptionmethod aes256

    manage-bde -on D: -UsedSpaceOnly -encryptionmethod aes256

    This works great on our Windows 7 machines (but the -UsedSpaceOnly switch only works if you are running WinPE V4 or higher).

    Once the OS is loaded, we replaced the built-in Enable BitLocker steps with the following commands:

    manage-bde -protectors -add c: -tpm

    manage-bde -autounlock -enable d:

    manage-bde -protectors -enable c:

    manage-bde -protectors -enable d:

    And all is working fine.

    The only thing we cannot get to work is the saving of recovery keys to AD. However, we are going to use MBAM so I will just have to wait as the current MBAM is not supported in CM2012 R2.

    Cheers

    David Z

    • Marked as answer by David Zemdegs Monday, October 28, 2013 11:34 PM
    Monday, October 28, 2013 11:33 PM
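
For the recovery-key part of the question, the following is an added example, not code from the thread or its author: one way to escrow recovery passwords for C: and D: with manage-bde's `-protectors -adbackup` parameter. It assumes an elevated session in the full OS, a domain-joined machine, and Group Policy that permits storing BitLocker recovery information in AD DS; the helper function names are hypothetical.

```powershell
# Added example, not from the thread. Assumes an elevated session in the full OS,
# a domain-joined machine, and Group Policy that allows BitLocker recovery
# information to be stored in AD DS. Written to run on PowerShell 2.0 (Windows 7).

function Invoke-ManageBde {
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & manage-bde.exe $Arguments | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit ${LASTEXITCODE}):`n$output"
    }
    $output
}

function Get-RecoveryPasswordId {
    param([Parameter(Mandatory=$true)][string]$Volume)
    # manage-bde may report an error when the volume has no protector of this
    # type, so the exit code is not checked here; no GUIDs means none present.
    $listing = & manage-bde.exe -protectors -get $Volume -type RecoveryPassword | Out-String
    # Match on the GUID itself rather than the "ID:" label, which is localized.
    $pattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    [regex]::Matches($listing, $pattern) | ForEach-Object { $_.Value }
}

foreach ($volume in 'C:', 'D:') {
    $ids = @(Get-RecoveryPasswordId -Volume $volume)

    if ($ids.Count -eq 0) {
        # Add a numerical recovery password protector; manage-bde generates the
        # value. The output contains the password, so it is discarded instead
        # of being written to the task sequence log.
        Invoke-ManageBde -Arguments '-protectors', '-add', $volume, '-RecoveryPassword' | Out-Null
        $ids = @(Get-RecoveryPasswordId -Volume $volume)
    }
    if ($ids.Count -eq 0) {
        throw "No recovery password protector found on $volume"
    }

    foreach ($id in $ids) {
        # Escrow this protector to the computer object in AD DS.
        Invoke-ManageBde -Arguments '-protectors', '-adbackup', $volume, '-id', $id | Out-Null
        Write-Output "Backed up recovery password $id for $volume to AD DS"
    }
}
```

A non-zero exit from `-adbackup` makes the script throw, so the task sequence step fails visibly instead of leaving a volume without an escrowed key.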