Bitlocker - How to implement for Field Laptop Users


  • I am looking to implement MBAM and Bitlocker into my company during our Windows XP to Windows 7 migration.  We will be standing up an MBAM infrastructure very shortly.


    1. I was wondering how I would be able to implement Bitlocker onto remote/field laptop users and then register it into MBAM or SCCM 2007 R2?
    2. For these Field Users, if there system board gets replaced (and therefore gets a different TPM Chip) while the local hard drive is encrypted with Bitlocker, what happens when the hard drive is rebooted against the new system board?

    Thank you in advance for any thoughts or suggestions.

    Wednesday, April 24, 2013 3:45 PM


All replies

  • You need to deploy a Group Policy Object to control the Bitlocker settings. There's also a small MSI which installs an MBAM Client service.

    You will also obviously need to ensure their laptops have their TPM switched on and Initialized.

    Finally you when you get to the point in which the machines are ready to be encrypted. The first task which will be carried out, is that Bitlocker creates a small reserved partition and then if you selected with your Bitlocker Group Policy, the drives recovery key will be stored in Active Directory and the drive will start to encrypt which will take some time, depending on the type of drive and size.

    Once the encryption has started the laptop can be taken offline, the user can shutdown the laptop and the encryption should begin again once they start the laptop up. It's really just prepping for encryption that you need to consider connectivity and possible manual intervention (TPM may require enabling through the BIOS)


    Wednesday, April 24, 2013 5:52 PM
  • Hi Rorymon,

    Thank you for the quick reply.  I am planning on using MBAM, therefore wont the recovery key be stored in the MBAM SQL database and not in AD?

    If I don't plan on having the Field Users connect via VPN and using the GPO (offline), can I initiate the encryption process by running a command?  After the drive is encrypted offline, can I have the user connect via VPN and sync their encryption key to MBAM?

    For these Field Users, if there hard drive is encrypted with Bitlocker and their system board gets replaced (and therefore gets a different TPM Chip) what happens when the hard drive is rebooted against the new system board?  What is the process when a system board/new TPM chip is replaced with a current Bitlocker encryption?

    Wednesday, April 24, 2013 6:01 PM
  • Hi,

    I'm trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.

    Appreciate your patience.

    Niki Han
    TechNet Community Support

    Thursday, April 25, 2013 6:44 AM
  • Hi,

    Microsoft BitLocker MBAM provides enterprise management capabilities for BitLocker and BitLocker to Go. MBAM simplifies deployment and key recovery, provides centralized compliance monitoring and reporting, the recovery key can be stored in SQL. For more information about MBAM requirements, please refer to the following articles:

    We can use BdeHdCfg and Manage-bde commands to initiate the encryption process, please refer to below articles about these commands:



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, April 26, 2013 9:20 AM