How to use SCCM Task Sequence to enable, configure and monitor Bitlocker

MBAM goes out of support soon (09/07/2019), and right now there are two options to manage BitLocker: in the cloud with Azure, or on premises with SCCM, AD and PowerShell.

In this article I will cover the second scenario: pre-provision BitLocker with SCCM, store the recovery key in AD, use BitLocker Group Policy for the remaining settings, PowerShell for status checks and reports, and SCCM for reports.

Microsoft links with details for each step:

More details about the Task Sequence Pre-provision BitLocker step:

https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh846237(v=technet.10)#BKMK_PreProvisionBitLocker

More details about the Task Sequence Enable BitLocker step:

https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh846237(v=technet.10)#BKMK_EnableBitLocker

More details about managing BitLocker with Group Policy Objects:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)

More details about managing BitLocker with PowerShell:

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises#powershell-examples


First let's review the disk partitioning; it needs to be done in the UEFI schema. [Image: SCCM-enable-bitlocker-disk]

Add a Pre-provision BitLocker step in the Task Sequence right after the disk partitioning step. [Image: SCCM-enable-bitlocker-pre-provision]

At the end of your TS add the Enable BitLocker step. In my example I chose to store the key only in the TPM chip. It is also very important to store the recovery key in Active Directory Domain Services. A big disadvantage of storing the key in AD is that each time the recovery key is renewed it is stored in AD without the old one being removed, so you end up with a lot of keys for each computer; you can still sort them to see which is the newest one to use to unlock the computer. I have also chosen to encrypt only the used space, which is much faster. [Image: SCCM-enable-bitlocker]
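For reference, here is the same configuration as the Enable BitLocker step (TPM-only key protector, recovery password escrowed to AD DS, used-space-only encryption) expressed in PowerShell. This is an added example, not code from the original post or from SCCM; it assumes an elevated session on a domain-joined client with a ready TPM, that C: is the OS volume, and that the BitLocker GPO allows backing up recovery information to AD DS.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Enable BitLocker task-sequence step. Assumptions: elevated session,
# domain-joined client, ready TPM, C: is the OS volume, GPO allows AD DS backup.
$MountPoint = 'C:'

# Refuse to continue on a device whose TPM cannot hold the key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; fix that before enabling BitLocker.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# A TPM protector alone cannot recover the volume, so make sure a recovery
# password (the "Numerical Password" in manage-bde -status) exists first.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow each recovery password to AD DS. Every backup creates a new
# msFVE-RecoveryInformation object under the computer account; old ones stay.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Start encryption only if the volume is still clear text: used space only
# (faster on a fresh deployment), key sealed by the TPM without a PIN.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}

# Final state summary, comparable to manage-bde -status.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Adding and backing up the recovery password before Enable-BitLocker means the escrow happens even if encryption later fails or is interrupted, which is the property you want when the key in AD is the only recovery path.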

After the computer is joined to the domain you can check the logs and AD to ensure that everything is OK and the key is stored in AD.

A very easy way to test the recovery key is to change a BIOS setting, for example disable Secure Boot: this triggers recovery mode immediately and you can test the BitLocker recovery key.

1. Check the status with the command manage-bde -status:

PS C:\WINDOWS\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 471.56 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password
        TPM

2. Check the logs on the client in Event Viewer -> Applications and Services -> Microsoft -> Windows -> BitLocker-API -> Management. [Image: bitlocker-event-viewer-log]

3. Check the key in AD. You have two options: in the computer object properties, or right-click on the domain tree and select Find BitLocker Key from the menu.

[Images: bitlocker-recovery-key-AD-Object-properties, ad-bitlocker-search-key-menu, ad-bitlocker-search-recovey-key]
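Steps 1 to 3 can also be scripted, which is useful when you have many freshly deployed machines to verify. The following is an added example, not from the original post: it reads the volume status, pulls the BitLocker-API Management log, and lists the recovery passwords stored in AD for the local computer newest first, then checks that the newest AD entry matches the recovery protector currently on the disk. It assumes the ActiveDirectory RSAT module is installed, the caller can read the msFVE-RecoveryInformation objects under the computer account, and C: is the OS volume.

```powershell
# Added example (not from the original post): scripted version of the three
# checks above. Assumptions: ActiveDirectory module present, read access to the
# computer's msFVE-RecoveryInformation objects, C: is the OS volume.
$MountPoint = 'C:'

# Step 1: volume status as objects (same data as manage-bde -status).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }

# Step 2: BitLocker-API -> Management log, last 24 hours, first line of each message.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Step 3: recovery passwords escrowed in AD for this computer, newest first.
# Every backup adds a new msFVE-RecoveryInformation object and none are removed,
# so whenCreated is what tells the current key apart from stale ones.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$adKeys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    Sort-Object whenCreated -Descending)

$adKeys | Select-Object whenCreated,
    @{ n = 'RecoveryGuid';     e = { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').Guid } },
    @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }

# Cross-check: the newest AD object's GUID should equal the KeyProtectorId of a
# RecoveryPassword protector on the disk. If it does not, the last backup never
# reached AD and Backup-BitLockerKeyProtector should be re-run.
$localIds = @($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { $_.KeyProtectorId -replace '[{}]', '' })

if ($adKeys.Count -eq 0) {
    Write-Warning "No recovery password found in AD for $($computer.Name)."
} else {
    $newestGuid = [guid]::new([byte[]]$adKeys[0].'msFVE-RecoveryGuid').Guid
    if ($localIds -contains $newestGuid) {
        "Newest AD recovery key $newestGuid matches the local recovery protector."
    } else {
        Write-Warning "Local recovery protector(s) [$($localIds -join ', ')] do not match newest AD key $newestGuid; re-run Backup-BitLockerKeyProtector."
    }
}
```

The GUID comparison is the part worth keeping even if you drop the rest: a computer can show "Protection On" locally while AD only holds a key from an earlier encryption, and that is exactly the machine you cannot recover later.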

4. Reports: you can still use SCCM with the MBAM integration for reports, or you can use PowerShell commands.

A few examples of reports using the MBAM integration. You don't need an MBAM server, just the MBAM integration with the modified .mof file; see the Microsoft link https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology [Images: SCCM-bitlocker-computer-compliant2, SCCM-bitlocker-computer-non-compliant]

These are two examples of reporting using PowerShell scripts from Microsoft:

https://gallery.technet.microsoft.com/scriptcenter/How-to-get-BitLocker-193ef058

https://gallery.technet.microsoft.com/scriptcenter/Query-BitLocker-status-on-f44e443c
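If you would rather not depend on the gallery scripts, a fleet report can be built directly on Get-BitLockerVolume over PowerShell remoting. The block below is an added example, not one of the Microsoft scripts linked above: it enumerates workstations from an OU, probes the OS volume on each, classifies every machine as compliant or not with a simple rule (fully encrypted, protection on, recovery password present), counts unreachable hosts as non-compliant, and writes a CSV. The OU path and output file are placeholders, and it assumes WinRM is enabled on the clients, the caller is a local administrator on them, and the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post or the linked scripts): fleet-wide
# BitLocker compliance report over PowerShell remoting. Assumptions: WinRM open
# on clients, caller is local admin there, ActiveDirectory module installed.
$SearchBase = 'OU=Workstations,DC=example,DC=com'     # placeholder OU
$OutFile    = Join-Path $env:TEMP 'bitlocker-report.csv'  # placeholder path

Import-Module ActiveDirectory
$computers = @(Get-ADComputer -SearchBase $SearchBase `
    -Filter "Enabled -eq 'True' -and OperatingSystem -like 'Windows 10*'" |
    Select-Object -ExpandProperty Name)

# Runs on each client: return only the fields the report needs, as plain
# strings so they survive remoting serialization unchanged.
$probe = {
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus         = [string]$v.VolumeStatus
        EncryptionPercentage = $v.EncryptionPercentage
        EncryptionMethod     = [string]$v.EncryptionMethod
        ProtectionStatus     = [string]$v.ProtectionStatus
        Protectors           = @($v.KeyProtector.KeyProtectorType | ForEach-Object { [string]$_ }) -join ','
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe -ErrorAction SilentlyContinue

# Compliance rule used by this example (an assumption, simpler than MBAM's):
# volume fully encrypted, protection on, and a RecoveryPassword protector present.
$report = @(foreach ($r in $results) {
    $compliant = ($r.VolumeStatus -eq 'FullyEncrypted') -and
                 ($r.ProtectionStatus -eq 'On') -and
                 ($r.Protectors -match 'RecoveryPassword')
    [pscustomobject]@{
        Computer             = $r.PSComputerName
        Reachable            = $true
        Compliant            = $compliant
        VolumeStatus         = $r.VolumeStatus
        EncryptionPercentage = $r.EncryptionPercentage
        EncryptionMethod     = $r.EncryptionMethod
        ProtectionStatus     = $r.ProtectionStatus
        Protectors           = $r.Protectors
    }
})

# Hosts that did not answer are listed too: "unknown" is not "compliant".
$reached = @($report.Computer)
$report += @($computers | Where-Object { $_ -notin $reached } | ForEach-Object {
    [pscustomobject]@{
        Computer = $_; Reachable = $false; Compliant = $false
        VolumeStatus = 'Unknown'; EncryptionPercentage = $null
        EncryptionMethod = 'Unknown'; ProtectionStatus = 'Unknown'; Protectors = ''
    }
})

$report | Sort-Object Compliant, Computer | Export-Csv -Path $OutFile -NoTypeInformation
$report | Group-Object Compliant | Select-Object @{ n = 'Compliant'; e = { $_.Name } }, Count
"Report written to $OutFile"
```

The two screenshots above from the MBAM integration show the same split (compliant versus non-compliant computers); this script produces that split as a CSV you can feed to whatever reporting you already have, and the Reachable column keeps machines you could not query from silently disappearing from the numbers.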

Was easy, no? Happy SCCM-ing :)