Enable BitLocker with pre-set PIN during ConfigMgr OSD

If you’ve tried enabling a BitLocker PIN during an OSD task sequence, you’ve found that it does not work with the native Task Sequence steps. In the post below, I will detail how I worked around this issue at a client.

The Environment:
ConfigMgr 2012R2 CU1
MDT 2013 (integrated)
Client OSes: Win7 (x86/x64) and Win8 (x64)
Pre-boot authentication (TPM+PIN) is required on laptops/tablets, not on desktops/VMs

Set the Task Sequence variable “OSDBitLockerMode” to the value “TPM”. Do this near the top of the Task Sequence, right after the Gather step, so the built-in Enable BitLocker step later uses a TPM protector.

(Optional Step)
This client requires 256-bit encryption (as opposed to the default 128-bit).
Only a registry value is needed, but it has to be set while still inside WinPE, because the pre-provisioning step reads the cipher from WinPE’s own FVE policy key. I set it just prior to the “Enable BitLocker Offline” (pre-provision) step.
Task Step Name: Add 256-bit Encryption Cipher
Execute: “REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f”
(EncryptionMethod 4 is AES-256; 3 is the AES-128 default. The /f switch overwrites the value without prompting if it already exists, which matters in an unattended step.)

This client uses MBAM to escrow the recovery keys.
A custom Task Sequence group carries out the rest of the steps.

Install the MBAM Client on the device.

Restart

Set the Task Sequence variable “isBDEPreProvisioned” to “TRUE”

We have two steps in the TS: one imports the MBAM registry keys required for a desktop/VM, the other imports the registry keys required for a laptop/tablet. Conditions on the steps ensure only the correct one runs.
(Both .reg files are exports of the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE key from a machine to which the corresponding group policy has been applied.)

Task Step Name: Enable BitLocker (this is the built-in step; with OSDBitLockerMode=TPM it adds the TPM protector)

Restart Computer

Task Step Name: Encryption - WithPIN
Execute: cscript.exe StartMBAMEncryption.wsf /addRegFile:AddMBAMRegEntries.reg /removeRegFile:RemoveMBAMRegEntries.reg
Condition: IsLaptop = TRUE

Task Step Name: Enable TPM-Pin
Execute: “manage-bde -protectors -add c: -TPMAndPIN <PIN>” (-tp is the short form of -TPMAndPIN; the pre-set PIN must follow it as the argument, otherwise manage-bde exits with an error and no protector is added)
Condition: IsLaptop = TRUE
Caveat: a PIN baked into a task sequence is only as secret as the task sequence. Anyone who can read the TS, or the smsts.log that records the Run Command Line step, knows it, so treat it as a build-time PIN and make the user change it after first logon (manage-bde -changepin c:). On Win7 the PIN must be numeric unless the “Allow enhanced PINs for startup” policy is set, and it must meet the configured minimum length (4 by default).

Task Step Name: Resume BitLocker (Built-In Step)
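The laptop branch of the group above, as an added PowerShell example that is not part of the original post and does not come from the ConfigMgr or MBAM scripts it mentions. It performs the same manage-bde call as the “Enable TPM-Pin” step, but with the checks a practitioner wants around it: it derives IsLaptop from the chassis type the way MDT’s Gather step does, reads the pre-set PIN from a hypothetical task sequence variable named OSDBitLockerPIN instead of hard-coding it in the step, confirms the cipher set by the optional 256-bit step actually took effect, and verifies the protector through the Win32_EncryptableVolume WMI class. Whether the TPM-only protector added by the built-in Enable BitLocker step is still present when this step runs is not stated on the page; the example removes one if it is, because a volume carries only one TPM-based protector. The OS volume is assumed to be C:.

```powershell
# Added example, not the post's own task sequence step.
# Assumptions: OS volume is C:; the pre-set PIN is in a hypothetical TS
# variable OSDBitLockerPIN; IsLaptop follows MDT's chassis-type rule.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'

# Chassis types MDT's Gather step treats as laptops (Win32_SystemEnclosure.ChassisTypes).
$LaptopChassis = 8, 9, 10, 11, 12, 14, 18, 21

function Test-IsLaptop {
    $types = (Get-WmiObject -Class Win32_SystemEnclosure).ChassisTypes
    foreach ($t in $types) { if ($LaptopChassis -contains $t) { return $true } }
    return $false
}

function Get-TSVariable([string]$Name) {
    # The TS environment COM object only exists while the task sequence engine runs.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return $tsenv.Value($Name)
    } catch { return $null }
}

function Get-OSVolume {
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
}

function Get-ProtectorTypes($Volume) {
    # KeyProtectorType values: 1 = TPM, 3 = Numerical Password, 4 = TPM And PIN
    $ids = $Volume.GetKeyProtectors(0).VolumeKeyProtectorID
    foreach ($id in $ids) { $Volume.GetKeyProtectorType($id).KeyProtectorType }
}

if (-not (Test-IsLaptop)) {
    Write-Host 'Not a laptop/tablet: leaving TPM-only protection in place.'
    exit 0
}

$pin = Get-TSVariable 'OSDBitLockerPIN'
# Win7 accepts only digits unless "Allow enhanced PINs" is set; 4 is the default minimum length.
if (-not $pin -or $pin -notmatch '^\d{4,20}$') {
    throw 'OSDBitLockerPIN is missing or is not a 4-20 digit numeric PIN.'
}

$vol = Get-OSVolume
if (-not $vol) { throw "$Drive is not a BitLocker-capable volume." }

# Cipher chosen by the WinPE step: GetEncryptionMethod returns 3 = AES-128, 4 = AES-256.
$method = $vol.GetEncryptionMethod().EncryptionMethod
if ($method -ne 4) {
    Write-Warning "Encryption method on ${Drive} is $method, not 4 (AES-256); the WinPE registry step did not apply."
}

$before = @(Get-ProtectorTypes $vol)
if ($before -contains 4) {
    Write-Host 'TPM And PIN protector already present; nothing to do.'
    exit 0
}
if ($before -contains 1) {
    # Only one TPM-based protector per volume, so drop the TPM-only one first.
    & manage-bde -protectors -delete $Drive -type TPM | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove the TPM-only protector (exit $LASTEXITCODE)." }
}

# Same command as the "Enable TPM-Pin" step; -tp is shorthand for -TPMAndPIN.
& manage-bde -protectors -add $Drive -TPMAndPIN $pin | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE." }

$after = @(Get-ProtectorTypes $vol)
if ($after -notcontains 4) { throw 'TPM And PIN protector was not added.' }
if ($after -notcontains 3) { Write-Warning 'No Numerical Password protector found; MBAM has nothing to escrow.' }
Write-Host "Protector types on ${Drive}: $($after -join ', ')"
```

Run it as a Run Command Line step with the same IsLaptop = TRUE condition as the original step, before the built-in Resume BitLocker step, which re-enables the protectors. Passing the PIN through a task sequence variable keeps it out of the step’s command line, but the variable is still visible to anyone who can edit the task sequence, so the first-logon PIN change still applies.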
