SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops

I’ve recently been looking at using SCCM Windows Upgrade Task Sequences to migrate from Windows 10 1511 to Windows 10 1607 for a customer.

On desktop devices this process ran through as expected and didn’t cause any real problems (i.e. nothing that I wasn’t expecting or that couldn’t be easily resolved).

Laptops with PIN protectors enabled did present a problem however…

It seems that while the upgrade process suspends BitLocker automatically, the PIN protectors become active again too early (i.e. before the end of the Task Sequence), meaning that end users have to enter their PIN at least twice (possibly more, depending on any additional Restart Computer steps in the Task Sequence) before the Task Sequence completes successfully.

Obviously this might be a pain in the arse for end users so it would be nice to find a way to avoid them having to enter their PIN repeatedly.

My solution for this is shown in the image and text below (steps highlighted in red are the ones required to resolve this specific issue):

[Image: upgradets, the upgrade Task Sequence with the three BitLocker steps highlighted in red]

The commands for each of the highlighted tasks are:

# Disable BitLocker Protectors Indefinitely
cmd.exe /c "manage-bde -protectors -disable C: -RC 0"

# Re-enable BitLocker Protectors
cmd.exe /c "manage-bde -protectors -enable C:"

# Disable BitLocker Protectors for Single Reboot
cmd.exe /c "manage-bde -protectors -disable C:"

The first highlighted command disables (suspends) the BitLocker protectors indefinitely: a Reboot Count of 0 keeps the protectors off until you issue an "-enable" command, which means you can reboot the device as many times as you like without BitLocker rearing its ugly head at all.

The second highlighted command re-enables all BitLocker protectors which therefore reverses the “Disable BitLocker Protectors Indefinitely” command.

The final highlighted command ("Disable BitLocker Protectors for Single Reboot") disables the protectors on the C: drive again, but with the default Reboot Count (when "-RC" isn't specified, Windows 8 and later default it to 1), which only disables the protectors for a single reboot.

This means that after the final "Restart Computer" step the OS has been upgraded, all custom actions in the TS have completed and every protector on the C: drive is switched back on. One caveat worth keeping in mind: while the protectors are suspended the volume master key sits on the disk protected only by a clear key, so the laptop is effectively unencrypted for anyone with physical access. If the Task Sequence fails between the first and second highlighted steps, the machine is left in that state indefinitely, so it is worth running the "Re-enable BitLocker Protectors" step on your error-handling path as well (or checking ProtectionStatus afterwards with a compliance item).
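The three highlighted steps wrapped as a single script, as an added example that is not code from the original post. It is meant for a "Run PowerShell Script" step called with -Step SuspendIndefinitely, -Step Resume or -Step SuspendOnce, it only touches BitLocker when C: actually has active protectors (the filtering question raised in the comments below), and it verifies after each manage-bde call that the protection status really changed. Assumptions not stated on the page: the OS volume is C:, the script runs elevated in the full OS (not WinPE), and manage-bde.exe is present, which it is on every Windows 10 client.

```powershell
<#
  Added example (not the original post's code). Wraps the three highlighted
  Task Sequence steps and skips them on volumes without active protectors.
  Assumptions: OS volume is C:, runs elevated in the full OS, manage-bde.exe
  is available.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('SuspendIndefinitely', 'Resume', 'SuspendOnce')]
    [string]$Step,

    [string]$OsVolume = 'C:'
)

$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-OsVolumeProtectionStatus {
    # Win32_EncryptableVolume.ProtectionStatus: 0 = off (no protectors, or
    # protectors suspended), 1 = on, 2 = unknown. $null = no such volume.
    $vol = Get-CimInstance -Namespace $BdeNamespace -ClassName Win32_EncryptableVolume `
                           -Filter "DriveLetter='$OsVolume'" -ErrorAction Stop
    if ($null -eq $vol) { return $null }
    return [int]$vol.ProtectionStatus
}

function Invoke-ManageBde {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    $output
}

function Suspend-OsVolumeProtectors {
    # RebootCount 0 keeps protectors off until Resume-OsVolumeProtectors runs;
    # 1..15 re-arms them automatically after that many restarts.
    param([ValidateRange(0, 15)][int]$RebootCount = 1)

    if ((Get-OsVolumeProtectionStatus) -ne 1) {
        Write-Verbose "No active protectors on $OsVolume; nothing to suspend."
        return $false
    }
    Invoke-ManageBde -Arguments @('-protectors', '-disable', $OsVolume, '-RebootCount', "$RebootCount") | Out-Null
    # A suspended volume must now report ProtectionStatus 0.
    if ((Get-OsVolumeProtectionStatus) -ne 0) {
        throw "Protectors on $OsVolume are still reported as active after -disable."
    }
    return $true
}

function Resume-OsVolumeProtectors {
    $status = Get-OsVolumeProtectionStatus
    if ($null -eq $status) {
        Write-Verbose "$OsVolume is not a BitLocker volume; nothing to resume."
        return $false
    }
    if ($status -eq 1) { return $true }   # already protected; safe to call twice
    Invoke-ManageBde -Arguments @('-protectors', '-enable', $OsVolume) | Out-Null
    if ((Get-OsVolumeProtectionStatus) -ne 1) {
        throw "Protectors on $OsVolume did not come back after -enable."
    }
    return $true
}

switch ($Step) {
    'SuspendIndefinitely' { $changed = Suspend-OsVolumeProtectors -RebootCount 0 }
    'Resume'              { $changed = Resume-OsVolumeProtectors }
    'SuspendOnce'         { $changed = Suspend-OsVolumeProtectors -RebootCount 1 }
}
Write-Output ("{0}: {1} (ProtectionStatus now {2})" -f $Step,
    $(if ($changed) { 'changed' } else { 'skipped' }), (Get-OsVolumeProtectionStatus))
```

If you would rather skip the step in the TS than have the script no-op, the first step can carry a WMI condition on the same class (namespace root\cimv2\Security\MicrosoftVolumeEncryption, query SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:' AND ProtectionStatus = 1). That condition does not work for the re-enable step, because a suspended volume reports ProtectionStatus 0, which is why the script decides at run time instead of relying on a TS condition; a Task Sequence variable set by the first step is the other option.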

Bloody marvellous.

/ JC

This entry was posted in OSD, SCCM Current Branch.

4 Responses to SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops

  1. Jason Ross says:

    I have one question, do you have the 2nd and 3rd commands only run on your laptops or do they run on all computers? I want it to enable BitLocker only on computer that had BitLocker before, not all computers. Trying to figure out how to use logic to make that happen.

    • jonconwayuk says:

      I have them running on all computers. You'd be able to filter this using WMI queries – there are a number of WMI classes that refer to laptop-specific items (think battery, chassis type etc.) or you can query for BitLocker-specific WMI classes as well. Should be straightforward if you choose your criteria using something like wbemtest.exe or wmiexplorer.exe (see a previous post on this blog for more details on these tools).

  2. Pingback: How to detect, suspend, and re-enable BitLocker during a Task Sequence | Mike's Tech Blog

  3. awesome info, thanks very much!
