
BitLocker/MBAM–Endorsement Keys and TPM Ownership

At my company we are in the process of evaluating the use of BitLocker/MBAM in place of another competing product (which will remain nameless) as we migrate our clients over to Windows 7. As such, we've had to deal with the headaches of utilizing TPM, shrinking partitions to create the boot partition, etc. Needless to say, it's been an experience.

Credit goes to my colleague Joel Cook for discovering this issue and writing the script below to resolve it. One problem that we ran into was the absence of the TPM Endorsement Key pair on some of our Dell Latitude systems (specifically the Latitude E6400 and E6410). With this public/private key pair missing, BitLocker was unable to take ownership of the TPM and thus wasn't actually able to encrypt the system (unless you do it manually and use a local PIN).

Save the script (attached to this post) to your MDT Toolkit Package.  To use this script, insert a new "Run Command Line" step in your Task Sequence after enabling TPM (using CCTK or another method) but before actually installing the BitLocker/MBAM client.  This should ensure that BitLocker is able to take ownership of the TPM chip on your client system during any TS (and should work regardless of manufacturer).
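As an added example (this is not the script attached to the post, which is not reproduced here), the same check-and-create step written in PowerShell against the Win32_Tpm WMI class, suitable for a "Run Command Line" step that calls `powershell.exe -ExecutionPolicy Bypass -File <path>`. It assumes the TPM has already been enabled and activated by the preceding step.

```powershell
# Added example, not the post's attached script: make sure a TPM endorsement
# key pair exists before BitLocker/MBAM tries to take TPM ownership.
# Uses the Win32_Tpm WMI class via Get-WmiObject so it runs on Windows 7 /
# PowerShell 2.0. Exit codes: 0 = EK present, 1 = no TPM, 2 = TPM not
# enabled/activated, 3 = EK creation failed. A non-zero exit fails the TS step
# instead of letting the client install proceed on a TPM that cannot be owned.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Host 'No TPM device found (or the TPM WMI provider is unavailable).'
    exit 1
}

# The EK can only be generated on an enabled and activated TPM, which is why
# this step must run after CCTK (or equivalent) has turned the TPM on.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
if (-not ($enabled -and $activated)) {
    Write-Host "TPM not ready: Enabled=$enabled Activated=$activated"
    exit 2
}

if ($tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    Write-Host 'Endorsement key pair already present; nothing to do.'
    exit 0
}

Write-Host 'Endorsement key pair missing; asking the TPM to generate one.'
$result = $tpm.CreateEndorsementKeyPair()
if ($result.ReturnValue -ne 0) {
    Write-Host ('CreateEndorsementKeyPair failed: 0x{0:X8}' -f $result.ReturnValue)
    exit 3
}

# Re-query the TPM rather than trusting the return code alone.
if ($tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    Write-Host 'Endorsement key pair created; BitLocker can now take ownership.'
    exit 0
}
Write-Host 'TPM reported success but the key pair is still absent.'
exit 3
```

Because the step exits non-zero when the TPM is not ready or the key pair cannot be created, the task sequence log shows exactly which client failed and why, instead of a silent "BitLocker not encrypting" result later.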

Here is a standalone TS sample showing you the steps we took for existing clients.  This can be easily adapted to your MDT/SCCM TS:

Enable BitLocker


1 Comment

  1. Nice job!
