How to Enable BitLocker on Existing Devices Using SCCM

Background

All businesses want to protect their data to make sure it is safe from unauthorized users. A big part of this is to encrypt the disks of their devices using BitLocker. This can easily be done during OS installation for all new computers, but it might be troublesome to enable BitLocker on existing devices.

BitLocker can use multiple key protector methods, but in this case I will focus on TPM. TPM is a hardware component installed by the manufacturer that can be used to ensure the computer has not been tampered with while it was powered off.

In this case I will use SCCM and a Task Sequence to enable BitLocker. First off we need to find out which computers require BitLocker and if they are ready to be enabled. I will use a Configuration Baseline (CB) to determine this and also to find the computers that are not ready to encrypt the disks.

During this How-to there might be some changes you need to perform in your SCCM environment but they are minor and shouldn’t be an issue for you.

Please note that you need to make sure that your environment is prepared for BitLocker before taking these steps!

Solution

These are the steps we need to perform to enable BitLocker on existing devices.

  • Allow unsigned scripts to be run from SCCM
  • Create two Configuration Items (CI). One to verify that TPM is activated and one to check if BitLocker is already enabled.
  • Create the Configuration Baseline using our new CIs and deploy it to clients
  • Create a collection with compliant devices
  • Create a Task Sequence to set encryption level and enable BitLocker

Allow unsigned scripts to be run from SCCM

This is a requirement for one of the Configuration Items that we will create later. If this is left at the default you will get an error message that reads Script is not signed. You can read more about this setting here.

Go to Administration > Client Settings
Open Properties on Default Client Settings
Go to Computer Agent and find the setting PowerShell execution policy
Select Bypass from the dropdown and click OK

Bypass Powershell execution policy

You can create a new Client Settings instead if you want to test this on a few clients first. The part you want is under Hardware Inventory.

Create the Configuration Item that will evaluate if TPM is activated on the client

The first step of enabling BitLocker is to find out which of your clients have a TPM chip. This is a required part of this solution. There are other ways to do it, such as USB or TPM and USB, but they add a level of complexity and aren’t what we are looking for here.

The reason I use a CI to check whether TPM is activated is because of how SCCM and Hardware Inventory work. You could add the TPM and BitLocker classes to hardware inventory and use a collection with a query to determine which clients are supported, but this is not recommended for two reasons.

Reason one is that hardware inventory is collected data, which means it might be old depending on when the client last ran the Hardware Inventory cycle. The default settings are configured to run every 7 days and during that time the status might change without being represented within SCCM.

Reason two is that hardware inventory can’t tell you whether the TPM is currently active. A WQL query can read IsActivated_InitialValue, which may be True, but since this value isn’t updated a TPM that is disabled later would still appear active. Because of this I use a CI with a PowerShell script that calls a method to read the current state in real time.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – TPM Activated, and click Next >
Uncheck all versions and check Windows 10 (64-bit). click Next >
In the Settings view click New… and give it the following settings

Name: IsActivated
Setting type: Script
Data type: Boolean
Create Configuration Item setting

Click Add Script…
Select Windows PowerShell from the Script language dropdown
Copy and paste the following code and click OK

(Get-WmiObject -Class win32_tpm -Namespace root\cimv2\Security\MicrosoftTpm).IsActivated().IsActivated
Add discovery script

In the Create Setting window, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as IsActivated -eq True
Check the box for Report noncompliance if this setting instance is not found

Create rule for compliance


Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that verifies whether the TPM chip is activated and ready to be used with BitLocker. It will also report noncompliance if the setting cannot be found on the client, which could be because the TPM is not enabled in the BIOS or because the client doesn’t have a TPM at all.

Create the Configuration Item that will evaluate if BitLocker is active

The second step is to check whether BitLocker is active or not on the client. This WQL query checks the ProtectionStatus property of the drive and returns a 1 or 0 depending on the status. In this case we are looking for clients that don’t have a status of 1, and evaluate them as compliant so they can be targeted later.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – C: Not Protected, and click Next >
Uncheck all versions and check Windows 10 (64-bit). click Next >
In the Settings view click New… and give it the following settings

Name: BitLocker – C: Not Protected
Setting type: WQL query
Data type: Integer
Namespace: ROOT\CIMV2\Security\Microsoftvolumeencryption
Class: Win32_encryptablevolume
Property: ProtectionStatus
BitLocker protection status

In the Create Setting window, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as ProtectionStatus -ne 1
Select Not equal to from the dropdown and set the value to 1
Check the box for Report noncompliance if this setting instance is not found

Bitlocker Protection Status Value


Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that checks whether the disk is already encrypted or not. In this case we want to look for devices that don’t have encryption enabled, which is why we chose Not equal to. If you want to use a similar CI to find clients that are already protected, just change the condition to Equals instead.
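To see what the two CIs evaluate without waiting for a baseline cycle, the following script runs the same two checks locally on a client: the live TPM method call from the first CI and the ProtectionStatus property from the second. This is an added example, not code from the original post or from SCCM; it assumes Windows PowerShell 5.1 running elevated (the CI itself runs as SYSTEM, which is why the same calls work there).

```powershell
# Added example: local readiness check mirroring the two Configuration Items.
# Assumes Windows PowerShell 5.1, run elevated, on a Windows 10 client.

function Test-TpmActivated {
    # Same method call the CI uses. The method reflects the live state, unlike the
    # IsActivated_InitialValue property that hardware inventory records.
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # no TPM, or disabled in BIOS: the CI reports "not found"
    return [bool]$tpm.IsActivated().IsActivated
}

function Get-VolumeProtectionStatus {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. 'C:'
    # Same class and property the WQL-query CI reads: 0 = off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Class Win32_EncryptableVolume `
                         -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Filter "DriveLetter='$DriveLetter'" -ErrorAction SilentlyContinue
    if (-not $vol) { return $null }
    return [int]$vol.ProtectionStatus
}

function Test-BitLockerReady {
    # "Ready" matches the baseline: TPM activated AND the OS volume not yet protected.
    $tpmActive = Test-TpmActivated
    $status    = Get-VolumeProtectionStatus
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmActivated     = $tpmActive
        ProtectionStatus = $status
        Ready            = ($tpmActive -eq $true) -and ($null -ne $status) -and ($status -ne 1)
    }
}

Test-BitLockerReady | Format-List
```

A client where TpmActivated comes back empty is exactly the case the "Report noncompliance if this setting instance is not found" checkbox covers, so it is useful to run this by hand on a machine that unexpectedly shows as noncompliant before assuming the TPM is faulty.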

Create the Configuration Baseline using our new CIs and deploy it

Go to Assets and Compliance > Compliance Settings
Click Configuration Baselines and Create Configuration Baseline
Give it a name, such as Windows 10 – Enable BitLocker

Create a Configuration Baseline


Click Add and select Configuration Items
Select the two CIs that we created from the list that appears and click OK.
In my example they are called BitLocker – C: Not Protected and BitLocker – TPM Activated

Add Configuration Items to the Baseline

Verify your settings and click OK if everything looks good.

Create a collection with compliant devices

Now that we have prepared SCCM and created the Configuration Baseline with our Configuration Items we are ready to create a collection with computers that are compliant.
Compliance in our case means that the TPM chip is Activated and ready to be used but BitLocker hasn’t been enabled in Windows.

This is a very easy step which I have explained in another blog post. It can be found here.
When you have created a collection with the compliant computers you can move on with the next steps.

For the purposes of this post I will call my collection Windows 10 – BitLocker Ready.

Create a Task Sequence to set encryption level and enable BitLocker

In this step we will create a new Task Sequence that will be used to configure and enable BitLocker on the clients. I will use the encryption algorithm called XTS_AES_256. In the following image you can see the available options. The one I want has the number 7, which is what I will specify in the Task Sequence.

Encryption algorithm alternatives

Go to Software Library > Operating Systems
Click Task Sequence and Create Task Sequence
Click Create a new custom task sequence
Give it a name, BitLocker – Enable on existing devices

Create a Task Sequence

Click Next > and then Close
Right-click the new Task Sequence and click Edit
Click Add and then New Group

Create a New Group

Rename the Group to Enable BitLocker
Click Add and then General > Run Command Line

Add the Run Command Line step

Rename the step to Set BitLocker Encryption Method XTS-AES 256
Open the step and paste the following into the Command line box

reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f
Configure the Run Command Line step

Click Add and then Disk > Enable BitLocker

Add Enable BitLocker step

I suggest using the default settings, unless you want to encrypt the whole drive immediately or if you are using MBAM to store your keys instead of Active Directory.

Configure the Enable BitLocker step

Deploy the Task Sequence to the ready computers

Now we are ready to deploy the Task Sequence to the collection that we created with the clients that are ready to have BitLocker enabled. As I mentioned above, my collection is called Windows 10 – BitLocker Ready and contains my compliant clients.

Right-click the Task Sequence and click Deploy

Deploy the task sequence

Click Browse… and select the collection Windows 10 – BitLocker Ready and click Next

Select target collection

Change the Purpose to Required and click Next

Set the purpose to required

Click New… and select Assign immediately after this event: As soon as possible and click Next

As soon as possible

Uncheck Show Task Sequence Progress and leave the rest as default. Click Summary, Next and Close

Remember to uncheck Show Task Sequence progress

That was the last step of this process. Now all compliant devices should receive this Task Sequence and try to enable BitLocker. You can now go to Monitoring and Deployments to monitor your progress.
Search for the Task Sequence name and you will see the progress of BitLocker being rolled out.
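Deployment status in the console tells you the Task Sequence ran, not that the result is what you intended. The following script, added here as an example and not part of the original post, verifies on a client that the policy value written by the Run Command Line step (EncryptionMethod = 7) is still in place, and that the OS volume is encrypted with the matching algorithm and guarded by a TPM key protector. It assumes Windows PowerShell 5.1 running elevated with the built-in BitLocker module; the mapping of the other EncryptionMethod values is from the BitLocker policy and is not on the page.

```powershell
# Added example: post-deployment verification on a client.
# Assumes Windows PowerShell 5.1, run elevated, BitLocker module present (Windows 10).

# EncryptionMethod policy values; 7 (XTS_AES_256) is the one the Task Sequence sets.
$EncryptionMethodNames = @{ 3 = 'AES_128'; 4 = 'AES_256'; 6 = 'XTS_AES_128'; 7 = 'XTS_AES_256' }

function Get-FvePolicyEncryptionMethod {
    # Reads the value written by: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod ...
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                             -Name EncryptionMethod -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    return [int]$item.EncryptionMethod
}

function Test-BitLockerEnabled {
    param([string]$MountPoint = $env:SystemDrive)
    $policy = Get-FvePolicyEncryptionMethod
    $policyName = if ($null -ne $policy -and $EncryptionMethodNames.ContainsKey($policy)) {
        $EncryptionMethodNames[$policy]
    } else { 'not set' }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Tpm, TpmAndPin, TpmAndStartupKey ... all start with "Tpm"; a RecoveryPassword alone is not enough.
    $hasTpmProtector = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    [pscustomobject]@{
        MountPoint        = $MountPoint
        PolicyMethod      = $policyName               # expected: XTS_AES_256
        ActualMethod      = $vol.EncryptionMethod     # expected: XtsAes256
        VolumeStatus      = $vol.VolumeStatus         # FullyEncrypted / EncryptionInProgress / ...
        ProtectionStatus  = $vol.ProtectionStatus     # On / Off
        EncryptionPercent = $vol.EncryptionPercentage
        TpmProtector      = $hasTpmProtector
        Ok                = ($vol.ProtectionStatus -eq 'On') -and $hasTpmProtector -and
                            ($vol.EncryptionMethod -eq 'XtsAes256')
    }
}

Test-BitLockerEnabled | Format-List
```

Two things this check tends to surface: ProtectionStatus can stay Off while encryption is still in progress on a large disk, which is normal, and the HKLM\SOFTWARE\Policies hive is owned by Group Policy, so if a GPO already sets a different "Choose drive encryption method" value the reg add from the Task Sequence will be overwritten at the next policy refresh, and ActualMethod will not match what you intended.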

Status monitoring

Summary

Phew, all done! There are quite a few steps to be made even though they are quite easy when you know what you are looking for.

This is just one way of doing this, but I feel that it is very dynamic and it’s possible to customize it as you wish. Using this method I’ve been able to enable BitLocker on existing devices at multiple customers and it has worked almost perfectly every time.

The most common issues I’ve encountered are that the clients don’t have a TPM or that the TPM isn’t enabled in the BIOS of the clients. Resolving the second issue is much more complicated than actually encrypting the drives, and deserves a whole post of its own in the future.

A few things you might want to do differently could be to use another encryption algorithm, check whether TPM is already owned, add other checks to your Configuration Baseline or use a standard query-based collection instead of the CB. (Just note what I wrote about that earlier)

If you have any feedback or want to know more about preparing your environment for BitLocker then go ahead and leave a comment below and I’ll get back to you.
