Bitlocker Drive Encryption using SCCM Baremetal TS

Hi Folks,

Writing after a long time. Recently I was at a client site doing the Windows 10 deployments using SCCM & I faced some issues during the deployments which made me write this post.

Infra -

Deployment Tool - Configuration Manager 2012 R2
Client OS - Windows 10 Build version 1511
Hardware devices - Lenovo Thinkpad 540
Deployment scenario - Baremetal deployment

We created the SCCM infra and had a baremetal task sequence which does the OS install then application install & then encrypts the drive using Bitlocker manage-bde command.

We wanted to save the key in AD. So, somebody from the Team asked to apply the GPO on the client machines which saves the key in AD.

So, we ran the TS on the machine & the first error we saw in the log file was this :-

The problem here was TPM was enabled in the BIOS but when we checked the TPM status in TPM.msc console it says "TPM is not ready for use" and because of which the bitlocker encryption was failing.

resolution of this was to include a VBSscript in the task sequence which checks for TPM status & enables the TPM.

I will include the link to the TPM script that's a very cool script.

After putting this script in the task sequence, The encryption started but we face one more issue. The recovery key were not written to AD.

The task sequence execution was designed in a way that after the OS install it was installing applications which in the process reboots the machine for couple of times and the design team thought the GPO's will be applied when the machines reboots in the application install phase.

But the GPO's are not applied when the SCCM Task Sequence is running.

So, to fix this we exported the reg key which was created on a Windows 10 machine after the bitlocker GPO is applied, The bitlocker reg key location is :-


So, I exported the reg key present in the above location & applied it with the SCCM Baremetal task sequence & now while knowing the manage-bde command SCCM checks for this registry & knows that it has to write the key to AD & now the deployment is working fine with bitlocker recovery key in AD.

Task Sequence Steps :-

No comments:

Post a Comment