In this blog post, I am going to show some simple steps that you can add to your Task Sequences to be able to detect, disable, and enable BitLocker status. This can be useful (and necessary) when performing activities like flashing the BIOS, running the new MBR2GPT utility, or upgrading to a newer version of Windows. In Configuration Manager, there are a few Task Sequence steps that are for BitLocker configuration and management:

Disable BitLocker – this step will disable BitLocker encryption on the current operating system drive or one that you specify and runs in a full operating system (does not run in WinPE). It does not decrypt the drive, but it does leave the key protectors visible in clear text on the hard drive. This step only disables BitLocker for one reboot (if you would like to see this step updated, vote for my Configuration Manager UserVoice item "Add Reboot Count functionality to the Disable BitLocker TS Step"). This means that BitLocker will be enabled again after the restart. If you need BitLocker to be disabled for more than one restart, then you can use manage-bde with a Run Command Line step (see below).

Note: before running MBR2GPT, BitLocker should be disabled. Also, if there are encrypted data drives, they need to be disabled before disabling the operating system drive. For just a Windows 10 in-place upgrade with BitLocker (not doing MBR2GPT), it is not required to disable BitLocker; however, there have been reports of BitLocker not being suspended long enough during the upgrade (see the link to Jonathan Conway's blog below).

Enable BitLocker – this step will enable BitLocker encryption on a drive. It only runs in a full operating system (in other words, it does not run in WinPE). If selected for use, the TPM must already be enabled, activated, and allow ownership prior to running this step. This step can be used to re-enable BitLocker if the drive is already encrypted with BitLocker but in a disabled state.

Pre-provision BitLocker – this step runs under WinPE (only) and is used to enable BitLocker during the WinPE phase of the Task Sequence. It also encrypts just the used drive space, which makes encryption times faster. Once in the full operating system, use the Enable BitLocker step to apply the key management options. This step is generally used in New Computer or Wipe-and-Load Task Sequences.

Manage-bde – this is a built-in command line tool that allows for the enabling, disabling, updating and reporting on BitLocker. The Microsoft TechNet documentation on Manage-bde is a bit stale and has not been updated to reflect some of the new capabilities that have been added in the newer releases. The most important one is the ability to control the reboot count when the protectors have been suspended. There is a new parameter called -RebootCount or -rc that takes a value between 0 and 15, where 0 suspends the protection indefinitely. This can be useful if you have several reboots during a Task Sequence and you need to make sure that BitLocker stays suspended (optional method listed below). Note: Jonathan Conway has a great blog on how to use Manage-bde with the Task Sequence called SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops.
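As an added example (not code from the original post), the script below wraps manage-bde so that a single Run Command Line step can check, suspend or resume BitLocker on the operating system drive and any encrypted data drives. It suspends the data drives before the OS drive, as the note above requires, and uses -RebootCount 0 by default so the protectors stay suspended across every reboot until the Resume mode is run. The script name Set-TSBitLocker.ps1 and the parameter names are assumptions; the manage-bde switches (-status, -protectors -disable/-enable, -RebootCount) are the tool's own.

```powershell
<#
  Added example, not from the original post. Wraps manage-bde so one script
  can be called from a Run Command Line step to check, suspend or resume
  BitLocker across several Task Sequence reboots.
  Assumed (hypothetical) name: Set-TSBitLocker.ps1
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('Status', 'Suspend', 'Resume')]
    [string]$Mode,

    # Operating system drive, plus any BitLocker-encrypted data drives.
    [string]$OsDrive = $env:SystemDrive,
    [string[]]$DataDrives = @(),

    # 0 = keep protectors suspended until Resume runs; 1-15 = number of reboots.
    [ValidateRange(0, 15)]
    [int]$RebootCount = 0
)

function Get-BdeProtection {
    param([string]$Drive)
    # manage-bde -status prints a "Protection Status: Protection On|Off" line.
    $text = (& manage-bde.exe -status $Drive 2>&1) | Out-String
    if ($text -match 'Protection Status:\s*Protection\s+(On|Off)') { return $Matches[1] }
    return 'Unknown'
}

function Invoke-Bde {
    param([string[]]$Arguments)
    & manage-bde.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Mode) {
    'Status' {
        foreach ($d in @($DataDrives) + $OsDrive) {
            Write-Output ('{0} protection: {1}' -f $d, (Get-BdeProtection $d))
        }
        # Exit 1 when the OS drive is not protected, so a Task Sequence
        # condition (or the step's success codes) can branch on it.
        if ((Get-BdeProtection $OsDrive) -ne 'On') { exit 1 }
    }
    'Suspend' {
        # Data drives first, OS drive last. The drives stay encrypted; only
        # the protectors are disabled, which is why the keys sit in the clear
        # until Resume runs.
        foreach ($d in $DataDrives) {
            Invoke-Bde @('-protectors', '-disable', $d, '-RebootCount', $RebootCount)
        }
        Invoke-Bde @('-protectors', '-disable', $OsDrive, '-RebootCount', $RebootCount)
    }
    'Resume' {
        # Re-enable the protectors on every drive that was suspended.
        Invoke-Bde @('-protectors', '-enable', $OsDrive)
        foreach ($d in $DataDrives) { Invoke-Bde @('-protectors', '-enable', $d) }
    }
}
```

In a Task Sequence this would be two Run Command Line steps bracketing the reboots, for example `powershell.exe -ExecutionPolicy Bypass -File Set-TSBitLocker.ps1 -Mode Suspend -DataDrives D:` before MBR2GPT or the BIOS flash, and the same command with `-Mode Resume` as the last step, so the window in which the protectors are disabled is no longer than the Task Sequence needs. For a simple conditional step without the script, `manage-bde -status C: -ProtectionAsErrorLevel` returns a non-zero exit code whenever protection is off.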