SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops

I’ve recently been looking at using SCCM Windows Upgrade Task Sequences to migrate from Windows 10 1511 to Windows 10 1607 for a customer.

On desktop devices this process ran through as expected and didn’t cause any real problems (i.e. nothing that I wasn’t expecting or that couldn’t be easily resolved).

Laptops with PIN protectors enabled did present a problem however…

It seems that while the upgrade process disables BitLocker automatically, PIN protectors become active again too early (i.e. before the end of the Task Sequence) meaning that end users would need to enter their PIN at least twice (possibly more depending on any additional Restart Computer actions in the Task Sequence) before the Task Sequence completes successfully.

Obviously this might be a pain in the arse for end users so it would be nice to find a way to avoid them having to enter their PIN repeatedly.

My solution for this is shown in the image and text below (steps highlighted in red are the ones required to resolve this specific issue):


The commands for each of the highlighted tasks are:

# Disable BitLocker Protectors Indefinitely
cmd.exe /c "manage-bde -protectors -disable C: -RC 0"

# Re-enable BitLocker Protectors
cmd.exe /c "manage-bde -protectors -enable C:"

# Disable BitLocker Protectors for Single Reboot
cmd.exe /c "manage-bde -protectors -disable C:"

The first highlighted command disables BitLocker protectors indefinitely (Reboot Count = “0” turns off protectors until you issue an “-enable” command), which means you can reboot the device as many times as you like without BitLocker rearing its ugly head at all.

The second highlighted command re-enables all BitLocker protectors, which reverses the “Disable BitLocker Protectors Indefinitely” command.

The final highlighted command (“Disable BitLocker Protectors for Single Reboot”) disables BitLocker protectors on the C: drive again, but using the default Reboot Count (when “-RC” isn’t specified the default value of “1” is used), which only disables the protectors for a single reboot.

This means that after the final “Restart Computer” task the OS has been upgraded, all custom actions in the TS have completed, and all protectors for the C: drive are switched back on.
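As an added example (not the post’s own code, and not an SCCM-provided script), the three manage-bde steps above can be wrapped in a single “Run PowerShell Script” step that takes the action as a parameter, skips devices where C: isn’t BitLocker-encrypted (the question raised in the comments), and verifies the protector state afterwards using the Win32_EncryptableVolume class. The function name and the $Action values are my own choices.

```powershell
# Added example: one script covering all three manage-bde steps from the post.
# Run it as a Task Sequence "Run PowerShell Script" step with -Action set to
# DisableIndefinitely, Enable or DisableOnce. Function/parameter names are assumed.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DisableIndefinitely', 'Enable', 'DisableOnce')]
    [string]$Action,
    [string]$Drive = 'C:'
)

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-EncryptableVolume([string]$Letter) {
    # ProtectionStatus: 0 = protectors off/suspended, 1 = on, 2 = unknown.
    # ConversionStatus: 0 = fully decrypted (volume is not BitLocker-encrypted).
    Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
        -Filter "DriveLetter='$Letter'" -ErrorAction SilentlyContinue
}

$vol = Get-EncryptableVolume $Drive
if (-not $vol -or $vol.ConversionStatus -eq 0) {
    # Unencrypted desktop: nothing to suspend or resume, so exit 0 rather than
    # failing the Task Sequence step on machines that never had BitLocker.
    Write-Output "$Drive is not BitLocker-encrypted; skipping '$Action'."
    exit 0
}

switch ($Action) {
    'DisableIndefinitely' { $bdeArgs = @('-protectors', '-disable', $Drive, '-RC', '0'); $want = 0 }
    'DisableOnce'         { $bdeArgs = @('-protectors', '-disable', $Drive);             $want = 0 }
    'Enable'              { $bdeArgs = @('-protectors', '-enable',  $Drive);             $want = 1 }
}

& manage-bde.exe @bdeArgs | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Confirm the protector state actually changed; a mismatch fails the TS step
# instead of silently continuing with PIN prompts (or with protection off).
$after = (Get-EncryptableVolume $Drive).ProtectionStatus
if ($after -ne $want) {
    Write-Error "Expected ProtectionStatus $want after '$Action' but found $after"
    exit 1
}
Write-Output "$Action applied to $Drive; ProtectionStatus is now $after."
exit 0
```

Because “-RC 0” leaves protectors off until something re-enables them, it is worth pairing the indefinite disable with an Enable step in the Task Sequence’s error-handling path, so a failed upgrade doesn’t leave a laptop with BitLocker protection suspended.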

Bloody marvellous.

/ JC

This entry was posted in OSD, SCCM Current Branch.

12 Responses to SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops

  1. Jason Ross says:

    I have one question, do you have the 2nd and 3rd commands only run on your laptops or do they run on all computers? I want it to enable BitLocker only on computer that had BitLocker before, not all computers. Trying to figure out how to use logic to make that happen.

    • jonconwayuk says:

      I have them running on all computers. You’d be able to filter this using WMI queries – there are a number of WMI classes that refer to laptop specific items (think battery, chassis type etc.) or you can query for BitLocker-specific WMI classes as well. Should be straightforward if you choose your criteria using something like wbemtest.exe or wmiexplorer.exe (see a previous post on this blog for more details on these tools).

    • Neil Bourne-Harris says:

      To filter only for devices that have BitLocker enabled, use this:
      WMI Namespace: root\cimv2\Security\MicrosoftVolumeEncryption
      WMI Query: SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:' AND ProtectionStatus = '1'

  2. Pingback: How to detect, suspend, and re-enable BitLocker during a Task Sequence | Mike's Tech Blog

  3. awesome info, thanks very much!

  4. Me says:

    Exactly what I was looking for. Cheers!

  5. Pingback: BitLocker during a Task Sequence – IT Stuff

  6. Amnon Feiner says:

    How about computers or laptops with MBAM? any special steps for those?

    • jonconwayuk says:

      All the machines for this customer use MBAM so no, you don’t need any special treatment for machines with the MBAM client.

      • Jepetto says:

        OK, thanks. What about windows 10 refresh? Should I make any special consideration when re-imaging MBAM protected machines deploying to clients from a running OS since the MBAM agent re-installs?

  7. mattski says:

    or task sequence variable: IsLaptop = “True”

  8. MaryMary says:

    Hi, I’m upgrading Win1709 to Win1803 using the exact method described above. BitLocker is not prompting after restarts for the software download and installations. However, I am getting BitLocker prompts after installation is complete and the computer restarts, and after both setupcomplete.exe commands run. What am I missing?
