Bitlocker deployment
Hello! I'm trying to understand the different solutions available to deploy BitLocker on multiple clients running Windows 7 using a central server running Windows Server 2008 in an enterprise scenario. I have read a lot of material that covers this for deployment on clients using Windows Vista, but I haven't found any specific information regarding Windows 7. When deploying in Vista you start with deploying a BitLocker-enabled OS image to clients (correct?), which means a fresh install of the OS and loss of previous information (correct?), and then you configure TPM along with BitLocker through either WMI scripts or the use of the manage-bde interface, which can be centralized through scripts.

Now that I've told some background, let's get back to Windows 7. As BitLocker now configures the extra boot partition automatically, and I'm guessing that the partition problem was solved by the OS image(?), I am wondering: when deploying BitLocker (without desktop user involvement) in a large environment, do you have to deploy the BitLocker-enabled OS image (with SMS or some other management tool), or is it possible to just use WMI scripts or the manage-bde interface to activate BitLocker on clients (with, for example, a startup script)?

As you may have noticed I have a lot of questions about this. I'm hoping that someone could spare a minute to shed some light on how deployment in Windows 7 differs from Windows Vista. Thanks in advance!
March 27th, 2009 1:24pm

It can just be turned on (the same goes for Vista SP1 or SP2, by the way - by using the BitLocker Drive Preparation Tool you can take an already-installed Vista computer and partition/configure it for BitLocker after the fact). There is no GP to just turn on BitLocker (although there are 2 dozen policies to control its behavior for removable drives, BitLocker To Go, where to store recovery passwords, etc.). There's no way to automatically enable and fully configure BL to my knowledge, because the user will need to provide passwords and password backup devices, as well as keystroke through the BIOS TPM being enabled. In order to ensure BitLocker is configured correctly and safely, your IT staff is going to have to be involved - either at OS installation/upgrade, or after the fact.

Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
March 29th, 2009 4:47am

Thanks for your answer! Just a follow-up question. Would it be possible to use a startup script with manage-bde (or a WMI script) to enable BL on clients? You mentioned that the user always needs to be involved to some degree (enter the PIN code and confirm TPM activation), but does the user also need to be involved during the rest of the installation when using script methods? When I did a test run with BL on Windows 7 I activated it through the control panel, but I'm interested in how the activation works when using manage-bde or a WMI script. I'm getting the feeling that deploying BL isn't very transparent to the client user and needs some/a lot of attention, but I would like to get this confirmed. Thanks!
March 30th, 2009 11:54am

Seems like manage-bde would definitely be an option to try, but I've never done so as part of a startup script. Would be worth trying out in a test environment to see how that pans out. You could use -tpm and -on. But since the user is going to have to turn on stuff in the BIOS and decide where to save recovery keys (USB or network drives) and etc... well... they are going to have a lot of trouble there, and frankly shouldn't necessarily be trusted with this any more than they should be trusted with installing their own OS in a corporate environment or picking the complexity level of their password.

Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
March 31st, 2009 5:49am
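The reply above suggests manage-bde with -tpm and -on from a startup script, with the caveat that the TPM must already be enabled in the BIOS and the recovery key needs a safe home. The script below is an added example written for this thread, not code from the thread's participants or from Microsoft. It assumes a Windows 7 client where it runs as SYSTEM from a computer startup script, that the domain GPO for storing BitLocker recovery information in AD DS is already applied, and that the drive letter and log path are placeholders; it uses the Win32_Tpm and Win32_EncryptableVolume WMI classes together with manage-bde, which all ship with Windows 7. The point it illustrates is the defensive ordering: check the TPM, check current protection, escrow the recovery password to AD, and only then start encryption, so a failure never leaves a drive encrypting with an unescrowed key.

```powershell
# Added example (not from this thread): a startup-script skeleton for Windows 7
# that enables BitLocker on the OS drive with manage-bde only when the
# preconditions discussed in the thread are met.
# Assumptions: runs as SYSTEM from a computer startup script; the GPO that stores
# BitLocker recovery information in AD DS is applied; $Drive and $LogFile are placeholders.

$Drive   = "C:"
$LogFile = "$env:SystemRoot\Temp\BitLocker-Startup.log"   # assumed log location

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# 1. The TPM must already be enabled and activated in the BIOS. A script cannot do
#    that part, so check and exit rather than half-configure the machine.
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($null -eq $tpm) { Write-Log "No TPM found; leaving BitLocker untouched."; exit 1 }
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    Write-Log "TPM present but not enabled/activated in BIOS; IT action required."
    exit 1
}

# 2. Skip machines that are already protected (ProtectionStatus 1 = protection on).
$vol = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if ($null -eq $vol) { Write-Log "Volume $Drive not found."; exit 1 }
if ($vol.GetProtectionStatus().ProtectionStatus -eq 1) {
    Write-Log "BitLocker already on for $Drive; nothing to do."
    exit 0
}

# 3. Add a TPM protector plus a recovery password, then escrow the recovery
#    password in AD before any encryption starts.
& manage-bde -protectors -add $Drive -tpm -recoverypassword | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log "Adding protectors failed ($LASTEXITCODE)."; exit 1 }

# Key protector type 3 = numerical (recovery) password.
$rp = $vol.GetKeyProtectors(3)
foreach ($id in $rp.VolumeKeyProtectorID) {
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Log "AD backup of protector $id failed ($LASTEXITCODE); aborting before encryption."
        exit 1
    }
}

# 4. Only now turn BitLocker on. -skiphardwaretest avoids the reboot-and-verify
#    step, which a startup script cannot interact with.
& manage-bde -on $Drive -skiphardwaretest | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Log "manage-bde -on failed ($LASTEXITCODE)."; exit 1 }
Write-Log "BitLocker encryption started on $Drive; recovery password escrowed to AD."
```

In a test environment, the log file plus the recovery password visible on the computer object in AD are the two things to verify before rolling this out; a machine that logs the TPM message is exactly the case the thread describes where a person still has to touch the BIOS.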

