Introduction

All businesses want to protect their data to make sure it is safe from unauthorized users. A big part of this is to encrypt the disks of their devices using BitLocker. This can easily be done during OS installation for all new computers but it might be troublesome to enable BitLocker on existing devices.

BitLocker can use several key protector methods, but in this case I will focus on TPM. TPM is a hardware component installed by the manufacturer that can be used to ensure that a computer has not been tampered with while it was powered off.

In this case, I will use SCCM and a Task Sequence to enable BitLocker. First off we need to find out which computers require BitLocker and if they are ready to be enabled. I will use a Configuration Baseline (CB) to determine this and also to find the computers that are not ready to encrypt the disks.

During this How-to there might be some changes you need to perform in your SCCM environment but they are minor and shouldn’t be an issue for you.

Please note that you need to make sure that your environment is prepared for BitLocker before taking these steps!

Instructions

These are the steps we need to perform to enable BitLocker on existing devices.

  • Allow unsigned scripts to be run from SCCM
  • Create two Configuration Items (CI). One to verify that TPM is activated and one to check if BitLocker is already enabled.
  • Create the Configuration Baseline using our new CIs and deploy it to clients
  • Create a collection with compliant devices
  • Create a Task Sequence to set encryption level and enable BitLocker

Allow unsigned scripts to be run from SCCM

This is a requirement for one of the Configuration Items that we will create later. If this is left at the default you will get an error message that reads Script is not signed. You can read more about this setting here.

Go to Administration > Client Settings
Open Properties on Default Client Settings
Go to Computer Agent and find the setting PowerShell execution policy
Select Bypass from the dropdown and click OK

Bypass Powershell execution policy

You can create a new Client Settings instead if you want to test this on a few clients first. The part you want is under Hardware Inventory.

Create the Configuration Item that will evaluate if TPM is activated on the client

The first step of enabling BitLocker is to find out which of your clients have a TPM chip. This is a required part of this solution. There are other ways to do it, such as a USB startup key or TPM plus USB, but they add a level of complexity and aren’t what we are looking for here.

The reason I use a CI to check whether TPM is activated is because of how SCCM and Hardware Inventory work. You could add the TPM and BitLocker classes to hardware inventory and use a collection with a query to determine which clients are supported, but this is not recommended for two reasons.

Reason one is that hardware inventory is collected data, which means it might be old depending on when the client last ran the Hardware Inventory cycle. The default settings are configured to run every 7 days and during that time the status might change without being represented within SCCM.

Reason two is that you can’t query the status of TPM to see if it is active or not. A WQL query can be used to find IsActivated_InitialValue, which could be True, but since this value isn’t updated the TPM could be disabled later and this would not be represented here. Because of this I use a CI with a PowerShell script that executes a method to see the current state in real time.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – TPM Activated, and click Next >
Uncheck all versions and check Windows 10 (64-bit). Click Next >
In the Settings view click New… and give it the following settings

Name: IsActivated
Setting type: Script
Data type: Boolean
Create Configuration Item setting

Click Add Script…
Select Windows PowerShell from the Script language dropdown
Copy and paste the following code and click OK

(Get-WmiObject -Class win32_tpm -Namespace root\cimv2\Security\MicrosoftTpm).IsActivated().IsActivated
Add discovery script

In the Create Setting dialog, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as IsActivated -eq True
Check the box for Report noncompliance if this setting instance is not found

Create rule for compliance


Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that verifies if the TPM chip is activated and ready to be used with BitLocker. It will also report noncompliance if the setting cannot be found on the client, which could be because the TPM is not enabled in the BIOS or because the client doesn’t have a TPM at all.
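As an added example (not code from the original post), the same real-time check written as a full discovery script: it queries the TPM through the WMI methods rather than the stale *_InitialValue properties, and returns $false when no Win32_Tpm instance exists, which is the case the CI covers with "Report noncompliance if this setting instance is not found". The function name and the optional ownership check are my additions.

```powershell
# Added example: real-time TPM readiness check in the same style as the CI
# discovery script. Outputs a single Boolean, which is what the Boolean CI expects.
function Test-TpmReady {
    param([switch]$RequireOwned)   # hypothetical option: also require the TPM to be owned

    # Win32_Tpm lives in its own namespace. Get-WmiObject returns $null when the
    # class has no instance (no TPM, or TPM disabled in BIOS/UEFI).
    $tpm = Get-WmiObject -Class Win32_Tpm `
        -Namespace 'root\cimv2\Security\MicrosoftTpm' -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        Write-Verbose 'No Win32_Tpm instance found: no TPM, or TPM disabled in firmware'
        return $false
    }

    # Method calls ask the chip now. The *_InitialValue properties are snapshots
    # taken when the TPM driver initialized and can be out of date.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    Write-Verbose ('Enabled={0} Activated={1} Owned={2} (IsActivated_InitialValue={3})' -f `
        $enabled, $activated, $owned, $tpm.IsActivated_InitialValue)

    $ready = $enabled -and $activated
    if ($RequireOwned) { $ready = $ready -and $owned }
    return $ready
}

# Last statement is the script output that the CI evaluates (True/False).
Test-TpmReady
```

Run it with -Verbose on a test client to see all three method results side by side with the InitialValue property the post warns about.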

Create the Configuration Item that will evaluate if BitLocker is active

The second step is to check whether BitLocker is active or not on the client. This WQL query checks the ProtectionStatus property of the drive and returns 1 or 0 depending on the status. In this case we are looking for clients that don’t have a status of 1, and evaluate them as compliant to be used later.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – C: Not Protected, and click Next >
Uncheck all versions and check Windows 10 (64-bit). Click Next >
In the Settings view click New… and give it the following settings

Name: BitLocker – C: Not Protected
Setting type: WQL query
Data type: Integer
Namespace: ROOT\CIMV2\Security\MicrosoftVolumeEncryption
Class: Win32_EncryptableVolume
Property: ProtectionStatus
Where clause: driveletter = 'C:'

Make sure that you use the correct quotation marks in the where clause. Depending on your region settings and how the text was copied they may end up as curly ‘ ’ marks, but WQL only accepts straight ' quotes, so retype them if in doubt.

In the Create Setting dialog, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as ProtectionStatus -ne 1
Select Not equal to from the dropdown and set the value to 1
Check the box for Report noncompliance if this setting instance is not found

Bitlocker Protection Status Value


Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that checks whether the disk is already encrypted or not. In this case we want to look for devices that don’t have encryption enabled, which is why we chose Not equal to. If you want to use a similar CI to find clients that are already protected, just change the condition to Equals instead.
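As an added example (not code from the original post), the CI's WQL query run locally with the "Not equal to 1" rule applied, so you can see on a test client what the baseline will evaluate before deploying it. It also checks the where clause for the curly-quote problem described above and, going beyond the C:-only CI, lists the status of every volume on the machine. Function names are my additions.

```powershell
# Added example: evaluate the "BitLocker - C: Not Protected" CI logic on a client.

# WQL string literals must use straight quotes; curly ones make the query invalid.
function Test-WqlWhereClause {
    param([string]$WhereClause)
    return -not ($WhereClause -match '[\u2018\u2019\u201C\u201D]')
}

function Get-VolumeProtectionStatus {
    param([string]$DriveLetter = 'C:')
    $where = "DriveLetter = '$DriveLetter'"            # same filter as the CI
    if (-not (Test-WqlWhereClause $where)) { throw "Curly quotes in where clause: $where" }

    # Same namespace, class and property as the CI setting.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Query "SELECT ProtectionStatus FROM Win32_EncryptableVolume WHERE $where"
    if ($null -eq $vol) { return $null }   # instance not found -> CI reports noncompliance
    return [int]$vol.ProtectionStatus      # 0 = unprotected, 1 = protected, 2 = unknown
}

# Mirrors the compliance rule "ProtectionStatus -ne 1" with
# "Report noncompliance if this setting instance is not found".
function Test-NotProtected {
    param([string]$DriveLetter = 'C:')
    $status = Get-VolumeProtectionStatus -DriveLetter $DriveLetter
    if ($null -eq $status) { return $false }
    return ($status -ne 1)                 # $true = BitLocker not yet on, ready to encrypt
}

# Beyond the CI: without a where clause the class returns one instance per volume,
# which is why a second data drive changes the result (see the comments below).
function Get-AllVolumeProtectionStatus {
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume |
        Select-Object DriveLetter, ProtectionStatus, VolumeType
}

# Constructed where clause with curly quotes, showing the check catches it:
Test-WqlWhereClause "DriveLetter = ‘C:’"   # -> False
Test-NotProtected -DriveLetter 'C:'
Get-AllVolumeProtectionStatus
```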

Create the Configuration Baseline using our new CIs and deploy it

Go to Assets and Compliance > Compliance Settings
Click Configuration Baselines and Create Configuration Baseline
Give it a name, such as Windows 10 – Enable BitLocker

Create a Configuration Baseline


Click Add and select Configuration Items
Select the two CIs that we created from the list that appears and click OK.
In my example they are called BitLocker – C: Not Protected and BitLocker – TPM Activated

Add Configuration Items to the Baseline

Verify your settings and click OK if everything looks good.

Create a collection with compliant devices

Now that we have prepared SCCM and created the Configuration Baseline with our Configuration Items we are ready to create a collection with computers that are compliant.
Compliance in our case means that the TPM chip is Activated and ready to be used but BitLocker hasn’t been enabled in Windows.

This is a very easy step which I have explained in another blog post. It can be found here.
When you have created a collection with the compliant computers you can move on with the next steps.

For the purposes of this post I will call my collection Windows 10 – BitLocker Ready.

Create a Task Sequence to set encryption level and enable BitLocker

In this step we will create a new Task Sequence that will be used to configure and enable BitLocker on the clients. I will use the encryption algorithm called XTS_AES_256. In the following image you can see the available options. The one I want has the number 7, which is what I will specify in the Task Sequence.

NOTE: Microsoft has issued a statement in the Security Baseline mentioning that XTS_AES_256 is unnecessary and can cause older hardware to perform slowly.
You should instead use the default value of XTS_AES_128.
SOURCE: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084

Encryption algorithm alternatives

Go to Software Library > Operating Systems
Click Task Sequence and Create Task Sequence
Click Create a new custom task sequence
Give it a name, BitLocker – Enable on existing devices

Create a Task Sequence

Click Next > and then Close
Right-click the new Task Sequence and click Edit
Click Add and then New Group

Create a New Group

Rename the Group to Enable BitLocker
Click Add and then General > Run Command Line

Add the Run Command Line step

Rename the step to Set BitLocker Encryption Method XTS-AES 256
Open the step and paste the following into the Command line box

reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f
Configure the Run Command Line step

Click Add and then Disk > Enable BitLocker

Add Enable BitLocker step

I suggest using the default settings, unless you want to encrypt the whole drive immediately or if you are using MBAM to store your keys instead of Active Directory.

Configure the Enable BitLocker step
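As an added example (not code from the original post), a verification script to run on a client after the Task Sequence has finished: it reads back the EncryptionMethod policy value written by the reg add step and compares it with the method BitLocker actually applied to C:, so a client that encrypted with a different algorithm (or has not finished) is flagged. The value-to-name table is the Win32_EncryptableVolume encryption method list; function names are my additions.

```powershell
# Added example: confirm the policy value from the Task Sequence matches what
# BitLocker actually used on the OS drive.
$MethodNames = @{ 0 = 'NONE'; 1 = 'AES_128_WITH_DIFFUSER'; 2 = 'AES_256_WITH_DIFFUSER'
                  3 = 'AES_128'; 4 = 'AES_256'; 5 = 'HARDWARE_ENCRYPTION'
                  6 = 'XTS_AES_128'; 7 = 'XTS_AES_256' }

function Get-BitLockerPolicyMethod {
    # Written by the "reg add ... /v EncryptionMethod /d 7" step (6 would be XTS_AES_128).
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
        -Name EncryptionMethod -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EncryptionMethod
}

function Get-BitLockerVolumeState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"
    if ($null -eq $vol) { return $null }
    $conv = $vol.GetConversionStatus()
    [pscustomobject]@{
        DriveLetter       = $DriveLetter
        ProtectionStatus  = [int]$vol.GetProtectionStatus().ProtectionStatus   # 1 = protectors on
        EncryptionMethod  = [int]$vol.GetEncryptionMethod().EncryptionMethod
        ConversionStatus  = [int]$conv.ConversionStatus   # 1 = fully encrypted, 2 = in progress
        EncryptionPercent = [int]$conv.EncryptionPercentage
    }
}

function Test-BitLockerMatchesPolicy {
    param([string]$DriveLetter = 'C:')
    $policy = Get-BitLockerPolicyMethod
    $state  = Get-BitLockerVolumeState -DriveLetter $DriveLetter
    if ($null -eq $policy -or $null -eq $state) { return $false }
    Write-Verbose ('Policy={0} Volume={1} Protection={2} Conversion={3} ({4}%)' -f `
        $MethodNames[$policy], $MethodNames[$state.EncryptionMethod],
        $state.ProtectionStatus, $state.ConversionStatus, $state.EncryptionPercent)
    # Protected with the policy's algorithm; conversion may still be running.
    return ($state.ProtectionStatus -eq 1) -and ($state.EncryptionMethod -eq $policy)
}

Test-BitLockerMatchesPolicy -Verbose
```

A client that encrypted before the policy value was set, or whose Enable BitLocker step failed, returns False here and shows up in the verbose line with the method and conversion percentage.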

Deploy the Task Sequence to the ready computers

Now we are ready to deploy the Task Sequence to the collection that we created with the clients that are ready to have BitLocker enabled. As I mentioned above, my collection is called Windows 10 – BitLocker Ready and contains my compliant clients.

Right-click the Task Sequence and click Deploy

Deploy the task sequence

Click Browse… and select the collection Windows 10 – BitLocker Ready and click Next

Select target collection

Change the Purpose to Required and click Next

Set the purpose to required

Click New… and select Assign immediately after this event: As soon as possible and click Next

As soon as possible

Uncheck Show Task Sequence Progress and leave the rest as default. Click Summary, Next and Close

Remember to uncheck Show Task Sequence progress

That was the last step of this process. Now all compliant devices should receive this Task Sequence and try to enable BitLocker. You can now go to Monitoring > Deployments to follow the rollout.
Search for the Task Sequence name and you will see the progress of BitLocker being rolled out.

Status monitoring

Summary

Phew, all done! There are quite a few steps to be made even though they are quite easy when you know what you are looking for.

This is just one way of doing this, but I feel that it is very dynamic and it’s possible to customize it as you wish. Using this method I’ve been able to enable BitLocker on existing devices at multiple customers and it has worked almost perfectly every time.

The most common issues I’ve encountered are that the clients don’t have a TPM or that the TPM isn’t enabled in the BIOS of the clients. Resolving the second issue is much more complicated than actually encrypting them, and deserves a whole post of its own in the future.

A few things you might want to do differently could be to use another encryption algorithm, check whether TPM is already owned, add other checks to your Configuration Baseline or use a standard query-based collection instead of the CB. (Just note what I wrote about that earlier)

If you have any feedback or want to know more about preparing your environment for BitLocker then go ahead and leave a comment below and I’ll get back to you.

This Post Has 17 Comments

  1. Russell Johnson

    Thanks for putting this all together and sharing! I’m having problems where a PC has more than one drive. Although the system drive (always C:) is encrypted, the CI sees the other drive as not encrypted so the client is compliant (in this case). Is there a way to just check the C:\ drive?

    1. Niclas Andersson

      Hi!

      Thanks for reading my post!

      You should be able to add a WHERE clause to the CI that detects ProtectionStatus.
      Add driveletter = 'C:' to the field and it should filter by that property.

      I’ve updated the post with this information.

      Regard, Niclas

  2. Rodolfo Pena Cedeno

    Hi Niclas,

    I trust this finds you very well.

    I am following ur instructions and I have learned a lot thanks to you bro!!!

    Thank you very much for all ur help and support!

    I wish u and ur family a wonderful and healthy year!

    Sincerely,

    Rodolfo.

  3. Roman

    Hi Niclas,
    It works very well! Thank you very much!
    Can you tell me please how can I configure the TS to encrypt ALL local drives if I don’t know which letters they use, D, E, F … (including the OS drive)?
    Best Regards,
    Roman

  4. Mark Corry

    The copy code for the isActivated script leaves out the slashes \
    This caused some confusion until I saw what was missing

  5. Vipin Venugopalan

    Hi Niclas,

    First of all your document is very simple and easy to understand.
    It works very well! Thank you very much! and really appreciate your effort in giving us such a wonderful document.
    Now I have one question. How can we enable BitLocker for fixed drives? (if we have more than 1 partition, D: E: etc)

    Sincerely,

    Vipin Venugopalan

  6. Sneha

    Hello Niclas,

    Please also add a step to add a default PIN on devices.

    Thanks
    Sneha

  7. Jacob E

    Hey Niclas!

    The UI has changed significantly (in current branch at least) so that you create a Configuration Item, and then change the Settings and Compliance Rules within that Item. Does that mean we should put both Settings and Compliance Rules in one Item, or do we need to create two separate Configuration Items for this? Thanks!!!

  8. Jacob E

    Also, people first applying this, be wary, there are two things you’ll need to change/check:

    1) Copying the script from the code above is missing the slashes, as commenter Mark Corry pointed out.
    2) driveletter = ‘C:’ had the wrong quotation marks for me. I had to delete the quotation marks and type them in again, and it recognized the quotation marks.

    So far I’m getting failures but will report back if I start to see Complaint/Non-Compliant with this setup.

  9. Kostas

    Great article but unfortunately I fail big time. I check the smsts.log and I see failure messages like

    ‘Encrypt’ failed (2147942487) OSDBitLocker 7/13/2021 4:17:26 PM 13764 (0x35C4)
    Failed to encrypt volume ‘C:’ (0x80070057) OSDBitLocker 7/13/2021 4:17:26 PM 13764 (0x35C4)
    Failed to run the action: Enable BitLocker. Error -2147024809 TSManager 7/13/2021 4:17:26 PM 3248 (0x0CB0)
    The execution of the group (Enable Bitlocker) has failed and the execution has been aborted. An action failed. Error 0x80004004 TSManager 7/13/2021 4:17:26 PM 3248 (0x0CB0)
    Failed to run the last action: Enable BitLocker. Result -2147024809. Execution of task sequence failed. TSManager 7/13/2021 4:17:26 PM 3248 (0x0CB0)
    Task Sequence Engine failed! Code: enExecutionFail TSManager 7/13/2021 4:17:26 PM 3248 (0x0CB0)
    Task sequence execution failed with error code 80004005 TSManager 7/13/2021 4:17:26 PM 3248 (0x0CB0)

    I am trying to enable Bitlocker for a new batch of laptops with TPM 2.0 and if I run the appropriate command in PowerShell it succeeds, but the SCCM method fails

    What i run on Powershell: Enable-BitLocker -MountPoint “C:” -UsedSpaceOnly -EncryptionMethod Aes256 -TPMProtector -SkipHardwareTest

  10. ITgeek

    Thanks a lot for the great work above.

    I just wanted to ask if you have already configured a group policy?

  11. Karl

    yes it should be driveletter = ‘C:’

  12. Mohak

    Is there a way I can also store the Encryption Keys in SCCM Database using this approach?

    1. Niclas Andersson

      Hi,

      It depends on what you mean.
      This post was written before MBAM features were implemented into SCCM.
      However, if you have Bitlocker Management set up in SCCM and a policy assigned to the device, SCCM will escrow the recovery key to the database.
      I also believe that you can choose to save the recovery key to the SCCM database in the Task Sequence step Enable Bitlocker.
      See this link for more information.
