How to Enable BitLocker on Existing Devices Using SCCM

All businesses want to protect their data and keep it safe from unauthorized users. A big part of this is encrypting the disks of their devices using BitLocker. This is easily done during OS installation for all new computers, but it can be troublesome to enable BitLocker on existing devices.

BitLocker can use several key protector methods, but in this case I will focus on TPM. TPM is a hardware component installed by the manufacturer that can be used to ensure the computer has not been tampered with while it was powered off.

In this case I will use SCCM and a Task Sequence to enable BitLocker. First we need to find out which computers require BitLocker and whether they are ready to have it enabled. I will use a Configuration Baseline (CB) to determine this, and also to find the computers that are not ready to encrypt their disks.

During this How-to there might be some changes you need to perform in your SCCM environment but they are minor and shouldn’t be an issue for you.

Please note that you need to make sure that your environment is prepared for BitLocker before taking these steps!


These are the steps we need to perform to enable BitLocker on existing devices.

  • Allow unsigned scripts to be run from SCCM
  • Create two Configuration Items (CI). One to verify that TPM is activated and one to check if BitLocker is already enabled.
  • Create the Configuration Baseline using our new CIs and deploy it to clients
  • Create a collection with compliant devices
  • Create a Task Sequence to set encryption level and enable BitLocker

Allow unsigned scripts to be run from SCCM

This is a requirement for one of the Configuration Items that we will create later. If this is left at the default you will get an error message that reads Script is not signed. You can read more about this setting here.

Go to Administration > Client Settings
Open Properties on Default Client Settings
Go to Computer Agent and find the setting PowerShell execution policy
Select Bypass from the dropdown and click OK

Bypass Powershell execution policy

You can create a new Client Settings instead if you want to test this on a few clients first. The part you want is under Hardware Inventory.

Create the Configuration Item that will evaluate if TPM is activated on the client

The first step of enabling BitLocker is to find out which of your clients have a TPM chip. This is a required part of this solution. There are other ways to do it, such as USB or TPM and USB, but they add a level of complexity and aren’t what we are looking for here.

The reason I use a CI to check whether TPM is activated is because of how SCCM and Hardware Inventory work. You could add the TPM and BitLocker classes to hardware inventory and use a collection with a query to determine which clients are supported, but this is not recommended for two reasons.

Reason one is that hardware inventory is collected data, which means it might be stale depending on when the client last ran the Hardware Inventory cycle. The default setting is to run every 7 days, and during that time the status might change without being reflected in SCCM.

Reason two is that you can’t query the current status of TPM to see whether it is active or not. A WQL query can find IsActivated_InitialValue, which could be True, but since this value isn’t updated, the TPM could be disabled later without that being reflected here. Because of this I use a CI with a PowerShell script that executes a method to read the current state in real time.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – TPM Activated, and click Next >
Uncheck all versions and check Windows 10 (64-bit), then click Next >
In the Settings view click New… and give it the following settings

Setting type: Script
Data type: Boolean
Create Configuration Item setting

Click Add Script…
Select Windows PowerShell from the Script language dropdown
Copy and paste the following code and click OK

(Get-WmiObject -Class win32_tpm -Namespace root\cimv2\Security\MicrosoftTpm).IsActivated().IsActivated
Add discovery script

In the Create Setting window, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as IsActivated -eq True
Check the box for Report noncompliance if this setting instance is not found

Create rule for compliance

Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that verifies whether the TPM chip is activated and ready to be used with BitLocker. It will also report noncompliance if the setting cannot be found on the client, which could be because TPM is not enabled in the BIOS or because the client doesn’t have a TPM.
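A discovery script you could use in place of the one-liner above, added here as an example that is not from the post: when no Win32_Tpm instance is visible, the one-liner calls a method on a null object and the CI fails with a script error, whereas this version always emits a single Boolean so such clients are simply reported noncompliant. It additionally checks IsEnabled alongside IsActivated (an assumption on my part; drop it if you want the post's exact rule).

```powershell
# Added example, not the post's one-liner: discovery script for the
# "BitLocker - TPM Activated" CI that always emits exactly one Boolean.
$ErrorActionPreference = 'Stop'
try {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class 'Win32_Tpm'
    if ($null -eq $tpm) {
        # No Win32_Tpm instance: TPM absent, or disabled in firmware
        $ready = $false
    }
    else {
        # Each Win32_Tpm method returns an object with a property of the same name
        $enabled   = [bool]$tpm.IsEnabled().IsEnabled
        $activated = [bool]$tpm.IsActivated().IsActivated
        # Ready for TPM-based BitLocker only when both hold
        $ready = $enabled -and $activated
    }
}
catch {
    # Namespace or class missing (e.g. no TPM driver) or access denied: not ready
    $ready = $false
}
# The CI's compliance rule compares this single value against True
Write-Output $ready
```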

Create the Configuration Item that will evaluate if BitLocker is active

The second step is to check whether BitLocker is active on the client. This WQL query checks the ProtectionStatus property of the drive and returns 1 or 0 depending on the status. In this case we are looking for clients that don’t have a status of 1, and evaluate them as compliant so they can be used later.

Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – C: Not Protected, and click Next >
Uncheck all versions and check Windows 10 (64-bit), then click Next >
In the Settings view click New… and give it the following settings

Name: BitLocker – C: Not Protected
Setting type: WQL query
Data type: Integer
BitLocker protection status

In the Create Setting window, switch to the Compliance Rules tab
Click New…
Give the rule a name, such as ProtectionStatus -ne 1
Select Not equal to from the dropdown and set the value to 1
Check the box for Report noncompliance if this setting instance is not found

Bitlocker Protection Status Value

Click OK twice
Click Summary and verify the details before you click Next > to create the CI

You will now have a Configuration Item that checks whether the disk is already encrypted or not. In this case we want to look for devices that don’t have encryption enabled, which is why we chose Not equal to. If you want a similar CI to find clients that are already protected, just change the condition to Equals instead.

Create the Configuration Baseline using our new CIs and deploy it

Go to Assets and Compliance > Compliance Settings
Click Configuration Baselines and Create Configuration Baseline
Give it a name, such as Windows 10 – Enable BitLocker

Create a Configuration Baseline

Click Add and select Configuration Items
Select the two CIs that we created from the list that appears and click OK.
In my example they are called BitLocker – C: Not Protected and BitLocker – TPM Activated

Add Configuration Items to the Baseline

Verify your settings and click OK if everything looks good.

Create a collection with compliant devices

Now that we have prepared SCCM and created the Configuration Baseline with our Configuration Items we are ready to create a collection with computers that are compliant.
Compliance in our case means that the TPM chip is Activated and ready to be used but BitLocker hasn’t been enabled in Windows.

This is a very easy step which I have explained in another blog post. It can be found here.
When you have created a collection with the compliant computers you can move on with the next steps.

For the purposes of this post I will call my collection Windows 10 – BitLocker Ready.

Create a Task Sequence to set encryption level and enable BitLocker

In this step we will create a new Task Sequence that will be used to configure and enable BitLocker on the clients. I will use the encryption algorithm called XTS_AES_256. In the following image you can see the available options. The one I want has the number 7, which is what I will specify in the Task Sequence.

NOTE: Microsoft has issued a statement in the Security Baseline mentioning that XTS_AES_256 is unnecessary and can cause older hardware to perform slowly.
You should instead use the default value of XTS_AES_128.

Encryption algorithm alternatives

Go to Software Library > Operating Systems
Click Task Sequence and Create Task Sequence
Click Create a new custom task sequence
Give it a name, such as BitLocker – Enable on existing devices

Create a Task Sequence

Click Next > and then Close
Right-click the new Task Sequence and click Edit
Click Add and then New Group

Create a New Group

Rename the Group to Enable BitLocker
Click Add and then General > Run Command Line

Add the Run Command Line step

Rename the step to Set BitLocker Encryption Method XTS-AES 256
Open the step and paste the following into the Command line box

reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f
Configure the Run Command Line step

Click Add and then Disk > Enable BitLocker

Add Enable BitLocker step

I suggest using the default settings, unless you want to encrypt the whole drive immediately or if you are using MBAM to store your keys instead of Active Directory.

Configure the Enable BitLocker step

Deploy the Task Sequence to the ready computers

Now we are ready to deploy the Task Sequence to the collection that we created with the clients that are ready to have BitLocker enabled. As I mentioned above, my collection is called Windows 10 – BitLocker Ready and contains my compliant clients.

Right-click the Task Sequence and click Deploy

Deploy the task sequence

Click Browse… and select the collection Windows 10 – BitLocker Ready and click Next

Select target collection

Change the Purpose to Required and click Next

Set the purpose to required

Click New… and select Assign immediately after this event: As soon as possible and click Next

As soon as possible

Uncheck Show Task Sequence Progress and leave the rest as default. Click Summary, Next and Close

Remember to uncheck Show Task Sequence progress

That was the last step of this process. Now all compliant devices should receive this Task Sequence and try to enable BitLocker. You can go to Monitoring > Deployments to monitor your progress.
Search for the Task Sequence name and you will see the progress of BitLocker being rolled out.

Status monitoring
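To confirm on a client what the Task Sequence actually changed, the following added example (not part of the post) reads the policy value written by the Run Command Line step and the volume state that the WQL-based CI evaluates, through the same Win32_EncryptableVolume class the CI queries. Run it in an elevated PowerShell session on a target machine; the value tables in the comments are from the Win32_EncryptableVolume documentation.

```powershell
# Added example, not from the post: post-deployment check of C: on one client.
$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Query "SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:'"
if ($null -eq $vol) { throw 'C: is not a BitLocker-capable volume on this client' }

# Policy value written by the Task Sequence's reg add step (7 = XTS-AES 256)
$policy = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
               -Name EncryptionMethod -ErrorAction SilentlyContinue).EncryptionMethod

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown (the value the WQL CI compares to 1)
$protection = $vol.GetProtectionStatus().ProtectionStatus
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encrypting, 3 = decrypting
$conversion = $vol.GetConversionStatus()
# EncryptionMethod: 6 = XTS-AES 128, 7 = XTS-AES 256 (same numbering as the registry value)
$method = $vol.GetEncryptionMethod().EncryptionMethod

# KeyProtectorType: 1 = TPM, 3 = numerical (recovery) password, 4 = TPM and PIN
$protectorTypes = foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $vol.GetKeyProtectorType($id).KeyProtectorType
}

[pscustomobject]@{
    PolicyEncryptionMethod = $policy
    ProtectionStatus       = $protection
    ConversionStatus       = $conversion.ConversionStatus
    PercentEncrypted       = $conversion.EncryptionPercentage
    VolumeEncryptionMethod = $method
    HasTpmProtector        = ($protectorTypes -contains 1)
    HasRecoveryPassword    = ($protectorTypes -contains 3)
}
```

A client that went through the Task Sequence correctly shows PolicyEncryptionMethod 7, ProtectionStatus 1 once conversion has finished, VolumeEncryptionMethod 7 and HasTpmProtector True; a drive encrypted before the policy was set keeps whatever method it was created with.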


Phew, all done! There are quite a few steps to take, even though they are quite easy once you know what you are looking for.

This is just one way of doing this, but I feel that it is very dynamic and it’s possible to customize it as you wish. Using this method I’ve been able to enable BitLocker on existing devices at multiple customers and it has worked almost perfectly every time.

The most common issues I’ve encountered are that the clients don’t have a TPM or that TPM isn’t enabled in the BIOS of the clients. Resolving the second issue is much more complicated than actually encrypting them, and deserves a whole post of its own in the future.

A few things you might want to do differently: use another encryption algorithm, check whether the TPM is already owned, add other checks to your Configuration Baseline, or use a standard query-based collection instead of the CB (just note what I wrote about that earlier).

If you have any feedback or want to know more about preparing your environment for BitLocker then go ahead and leave a comment below and I’ll get back to you.

21 Responses

  1. Sanj

    Hi Nian,

    This was really helpful, as I was able to encrypt all the system drives in the network. What is the easiest way to encrypt other drives (e.g. D drive / E drive), because each workstation differs from one to another when it comes to drive letters? Appreciate any feedback.


      • S.K

        Hi Niclas
        Your post here was a blessing; it’s doing exactly what it’s supposed to do, but where there is an additional partition D or a 2nd disk as D drive it will not encrypt it since it’s not a system drive. I will highly appreciate it if you could give an additional pointer to a remedy … didn’t find any reference on the link you gave Sanj.

  2. Hisham

    I am getting this error (error 2147942487: The parameter is incorrect.) Any idea?

  3. Sal R.

    my options do not look like this… which version of System Center is this one?

  4. stefano


    Is there some way to also set a corporate admin PIN?

  5. JP

    Hi Niclas Andersson;

    I have a report requirement to validate the preboot by means of a PIN, by means of BitLocker. How can I identify the preboot registration key by PIN?

  6. Itsarapong

    Hi Nicolas,

    I’ve tried your method.

    Then I got error (0x80070057) for Enable BitLocker on my client machine. Its OS is Windows 10 1903 and the SCCM version is 1902.

    This client machine has TPM 2.0 and is connected to the domain. It had been auto-encrypted first after joining the domain (there’s a GPO about BitLocker to store the key in AD), then I turned BitLocker off to test your method.

    I’m still able to turn it on manually though.

    Any idea on this issue?

    Thank you.

  7. Andrei

    Hi Niclas,

    Thanks for the post! Very useful! I’m encountering an error with the CI created based on the PowerShell script. The SCCM Monitoring says that all the computers are failing on this CI with the error “script execution failed with error code -1”. Any idea what that might be?


  8. Avanish

    Hi Nicolas,

    Thanks for the nice blog!

    Have you posted any blog on how to handle devices if “TPM isn’t enabled in the BIOS of the clients”?



  9. Venky

    I followed the steps mentioned in your blog; a list shows Enable BitLocker.
    How do I enable BitLocker from SCCM, as the machines already have Windows 10 Ent.?
    Please show steps to enable BitLocker on laptops which already have Windows 10.

  10. Chris

    I set up and deployed only the baseline that checks if the computer has a TPM as well as if it is bitlocked to a collection of 10,000 laptops/tablets. I copied and pasted directly from the website.

    It has run on a total of 4,451 clients and an error has occurred on 1,761 clients. 1,707 of those clients show the error ID: 0XFFFFFFFF “Script execution failed with error code -1”

    I’ve checked CIAgent.log, CITaskmgr.log and DCMAgent.log and they mention the configuration item, but I don’t see any major errors.

    What exactly does that mean? What’s the best way to troubleshoot issues with Configuration Baselines?

    • aron

      I know this doesn’t help, but I’m seeing the same thing. I’m guessing it’s an error returned for the TPM Check because Windows doesn’t see the TPM for whatever reason, so it fails when that Class is queried.

      This whole thing is pretty frustrating and the numbers just don’t add up. No fault of the blog, but SCCM itself.

  11. Joel


    Thanks for these steps, I’m about to attempt them on a few test machines. I had a question though, by following your methods, will I have to enable any group policies first?

    Also, we use SCCM to image over PXE, and we select from predefined task sequences. If I was to add in the bitlocker steps, where would I put those into the list? Currently we have:
    1. Start in Windows PE
    2. Partition the Disk
    3. Assign C:\ to Boot Drive
    4. Apply Operating System
    5. Apply Windows Settings
    6. Apply Network Settings
    7. Apply Device Drivers.

    Where would it make the most sense to insert the BitLocker steps? Thanks in advance for your consideration on this.
