Automatically enable BitLocker and set a PIN during an SCCM Task Sequence

Getting your operating system deployment one step closer to being zero touch is always a good goal, so with that in mind here is how to automatically enable BitLocker during OSD using a PIN that you define in a variable at the beginning of the Task Sequence.

The first thing to do is add the OSDBitlockerPIN variable to the collection you advertise your OSD Task Sequences to. This is very likely the All Unknown Computers collection. Right click on it and select Properties. Navigate to the Collection Variable tab and click New. The name is OSDBitlockerPIN and you should untick “Do not display this value in the Configuration Manager console”.


Next up open your Task Sequence and add the Enable BitLocker step. This can be placed anywhere after the Setup Windows and ConfigMgr step.[1] Make sure Current operating system drive is selected and then select TPM and PIN. You can then enter anything into this field as it will be overwritten by what you enter into the OSDBitlockerPIN variable when you start the Task Sequence.


Finally, go ahead and boot your client into the WinPE environment. Select your Task Sequence and click Next and you will be presented with the Edit Task Sequence Variables step. You may already use the OSDComputerName variable, in which case you will already be familiar with this! Double click on OSDBitlockerPIN and enter the PIN you wish to use for this machine.


Click Next and the Task Sequence will run and complete. BitLocker will be enabled and the PIN will be set. Now you don’t have to configure BitLocker after the operating system has been deployed!

[1] I would add the Enable BitLocker step at the very end of your Task Sequence, otherwise you will have to enter the PIN each time the machine reboots after applications or updates are installed. You could suspend BitLocker before each reboot, but why go to the extra effort.

8 thoughts on “Automatically enable BitLocker and set a PIN during an SCCM Task Sequence”

  1. Many thanks for this!

    We’ve built on it because we set the PIN to be different for each user. We’ve got a step in the task sequence before this which looks up the machine owner in a database and then gets the number to use as their PIN and stores it in the OSDBitlockerPIN variable.

    We often want to build shared use laptops which are encrypted but don’t need a PIN (otherwise the PIN just gets stuck on the machine!) This is done by setting the variable to NO_PIN and the encryption step has a condition – if the value is NO_PIN then the encryption process configures TPM only otherwise a second step encrypts with TPM and PIN by checking to see that the value is not NO_PIN.

    1. Is there a way to set a default value for OSDBitlockerPIN so that you encrypt TPM only when the desktop tech deploying the image enters a PIN in the window? They would like to default encrypt “TPM only” if they don’t enter anything in the collection variable. I can’t seem to find a way to make the logic work unless they either enter an actual PIN or the string “NO_PIN”.

  2. I would love to know how you do the AD lookup from your task sequence, and where you’re storing the pin in AD. That sounds like something we’d really like to implement.

  3. We don’t store the PIN in AD.
    We have a database which lists every MAC address allowed to connect to our network, its hostname, owner’s username and a few other fields.
    At the start of the task sequence there’s a step which queries that database to get the user ID of the owner and its hostname.
    Another step queries a separate database to find the ID number for that person (we’re a university – everyone has an ID number which is used by HR, student registry etc) and that number will be used as the PIN. That number is stored in the registry. This PowerShell script is run as a user with permission to query the SQL database.
    The next step uses this code:
    # Connect to the running task sequence and write the looked-up PIN into OSDBitlockerPIN
    $tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
    $tsenv.Value("OSDBitlockerPIN") = $PIN
    and from then on the process is as Kevin describes at the start of this blog post.
    We’ve added a bit more complexity; if the device is a slate (eg Microsoft Surface) we don’t set a PIN at all because you can’t put in the PIN at bootup on a Surface and our host database has an option to flag that the machine shouldn’t have a PIN; if that is found then we use the encrypt with TPM only option instead of TPM and PIN.
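    As an added example that is not part of the post or of any comment, here is how the NO_PIN / blank fallback described in the first comment and the TSEnvironment variable write from the third could be combined into one Run PowerShell Script step that two conditional Enable BitLocker steps then key off. Microsoft.SMS.TSEnvironment and OSDBitlockerPIN are real; the BitlockerMode and NoBitlockerPin variable names and the Get-BitlockerMode function are assumptions.

```powershell
# Added example, not from the blog post or its commenters.
# Decides between TPM-only and TPM+PIN from the OSDBitlockerPIN collection
# variable: a blank value or the NO_PIN marker means TPM only. The result is
# written to a hypothetical variable, BitlockerMode, and each of two
# "Enable BitLocker" steps carries the condition BitlockerMode equals
# TPM or TPMandPIN respectively.

function Get-BitlockerMode {
    param(
        [string]$Pin,            # raw value of OSDBitlockerPIN (may be empty)
        [int]$MinLength = 6,     # BitLocker's default minimum PIN length
        [int]$MaxLength = 20     # BitLocker's maximum PIN length
    )
    $Pin = $Pin.Trim()
    # Blank or the explicit NO_PIN marker both mean "encrypt with TPM only".
    if ([string]::IsNullOrEmpty($Pin) -or $Pin -eq 'NO_PIN') {
        return 'TPM'
    }
    # A standard (non-enhanced) startup PIN is 6-20 digits; fail here rather
    # than late in the deployment when the Enable BitLocker step rejects it.
    # The PIN itself is deliberately not echoed, so it never lands in smsts.log.
    if ($Pin -notmatch "^\d{$MinLength,$MaxLength}$") {
        throw "OSDBitlockerPIN is not $MinLength-$MaxLength digits"
    }
    return 'TPMandPIN'
}

# Microsoft.SMS.TSEnvironment is the real task-sequence COM object.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$mode  = Get-BitlockerMode -Pin $tsenv.Value('OSDBitlockerPIN')

# Devices with no keyboard at boot (e.g. a Surface): force TPM only. The
# NoBitlockerPin flag is assumed to be set earlier from the host database.
if ($tsenv.Value('NoBitlockerPin') -eq 'TRUE') { $mode = 'TPM' }

if ($mode -eq 'TPM') {
    # Clear the PIN so nothing sensitive lingers in the TS environment.
    $tsenv.Value('OSDBitlockerPIN') = ''
}
$tsenv.Value('BitlockerMode') = $mode
Write-Output "BitLocker protector mode: $mode"
```

    Place this step after any database lookup that populates OSDBitlockerPIN and before the Enable BitLocker steps; a non-zero exit from the throw fails the step so a mistyped PIN is caught before encryption starts.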

  4. Thanks a lot but I have a problem. I did everything like you said but after enabling BitLocker and installing Win10 I see a blue screen and a “One Moment Please” on it with no action after that. I have a Dell Precision 7530 with TPM 2.0. Can you help to solve this problem?

  5. Customisation of BitLocker Pins.

    If you set a second variable on the all unknown computers, you could use an asset number as part of the BitLocker pin. I set a variable “ASSET” and left it blank. In the variable “OSDBitlockerPIN”, I input the following: (your required stuff)%ASSET%.
    Example “OSDBitlockerPIN” text: KyZ%ASSET%

    At the same time of inputting the “OSDComputerName” when building, I also input “ASSET”. Example text: 9705

    When the machine restarts after BitLocker is applied the example Pin would be: KyZ9705

    This method has been tried and tested.
