Friday 31 March 2017

Managing BitLocker's PIN - Refresh and Upgrade Scenario


If your organisation uses BitLocker's PIN protectors as part of its encryption strategy then you'll soon find out that they become a small obstacle when you're doing a Refresh or Upgrade deployment. The problem is that the default Disable BitLocker step is inadequate for Windows 8.1 and Windows 10 because of how those operating systems suspend BitLocker.

In Windows 7, when you suspended BitLocker, it remained in a suspended state until it was re-enabled, either using the command line or GUI. That behaviour has changed in Windows 8.1 (I didn't get to test Windows 8 much so perhaps it started there) and carries over into Windows 10. 

https://technet.microsoft.com/en-us/library/jj649830(v=wps.630).aspx 
https://technet.microsoft.com/en-us/itpro/powershell/windows/bitlocker/suspend-bitlocker

Ignoring the RebootCount parameter for the moment, when BitLocker is suspended it will automatically re-enable itself once the next restart has completed. This is the underlying issue: the inbuilt Disable BitLocker task does not specify a reboot count, so BitLocker re-enables on the next restart.

In a SCCM Refresh Scenario there will be at least two restarts. The first to restart the computer in WinPE so it can do the pre-installation tasks. The second is after it's finished applying the image. If you have used the in-built task sequence step then the deployment will halt waiting for a PIN every time the computer is restarted from the second restart on.

So what's the solution?

If you search the internet you'll see the mention of using manage-bde.exe to suspend BitLocker. That solution will do the job but you have to specify the drive letter of the volume. Then the question becomes "will that drive letter always stay the same"? The solution I prefer is this little PowerShell script below.

# Find the operating system volume rather than assuming a drive letter
$OSDrive = Get-BitLockerVolume | Where-Object {$_.VolumeType -eq "OperatingSystem"}
$DriveLetter = $OSDrive.MountPoint
# RebootCount 0 keeps the protectors suspended until Resume-BitLocker is run
Suspend-BitLocker -MountPoint $DriveLetter -RebootCount 0

It detects the encrypted operating system drive letter automatically and then suspends BitLocker indefinitely.

All you need to do is create a package in SCCM (or add it to an existing package that contains all your scripts). Disable or remove the inbuilt Disable BitLocker step and add the following Run PowerShell Script step before the computer restarts into WinPE. In the example below, I've placed it in the State Capture group.



I add a couple of conditions to the step just to be certain that it will only run if BitLocker is detected.


At the end of the task sequence, I re-enable BitLocker.
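As an added example (not the script from the post), here is one script that covers both task sequence steps: run it with -Action Suspend before the restart into WinPE and with -Action Resume at the end of the task sequence. It assumes the BitLocker PowerShell module is available, as in the post, and exits non-zero so the task sequence step fails if the volume does not end up in the requested state.

```powershell
# Added example: suspend (RebootCount 0) or resume BitLocker on the OS volume,
# then verify the result. Assumes the BitLocker module cmdlets used in the post.
[CmdletBinding()]
param(
    [ValidateSet('Suspend', 'Resume')]
    [string]$Action = 'Suspend'
)

$ErrorActionPreference = 'Stop'

# Locate the operating system volume without hard-coding a drive letter.
$OSDrive = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $OSDrive) {
    Write-Output 'No BitLocker-capable operating system volume found; nothing to do.'
    exit 0
}

# Skip cleanly if the OS volume is not encrypted at all.
if ($OSDrive.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$($OSDrive.MountPoint) is not encrypted; nothing to do."
    exit 0
}

switch ($Action) {
    'Suspend' {
        if ($OSDrive.ProtectionStatus -eq 'Off') {
            Write-Output "Protection on $($OSDrive.MountPoint) is already suspended."
        } else {
            # RebootCount 0 keeps the protectors suspended across every restart
            # until Resume-BitLocker is called, which a multi-reboot refresh needs.
            Suspend-BitLocker -MountPoint $OSDrive.MountPoint -RebootCount 0 | Out-Null
        }
        $expected = 'Off'
    }
    'Resume' {
        Resume-BitLocker -MountPoint $OSDrive.MountPoint | Out-Null
        $expected = 'On'
    }
}

# Verify, and fail the task sequence step if the state is not what was requested.
$state = (Get-BitLockerVolume -MountPoint $OSDrive.MountPoint).ProtectionStatus
if ($state -ne $expected) {
    Write-Error "Expected ProtectionStatus '$expected' on $($OSDrive.MountPoint) but found '$state'."
    exit 1
}
Write-Output "ProtectionStatus on $($OSDrive.MountPoint) is now '$state'."
```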


A simple yet elegant solution.
