CM - WinPE and bitlocker

David Zemdegs 1,586 Reputation points
2021-07-04T23:26:20.93+00:00

Greetings,
We'd like to run the Dell Command | Configure utility to do stuff in the BIOS, but this can only be done under WinPE.
So we'd like to set up a task sequence.
It appears that the task sequence's first step will have to be to disable BitLocker, as BitLocker is used for most of our computers.
However, at the end of the task sequence I need to re-enable it again, but I have a problem. The Enable BitLocker step asks whether it's TPM only or TPM and PIN.
We have some computers that are TPM only and some that are TPM and PIN. Is there any way I can just re-enable BitLocker and say "Just use the configuration you had before the disable"?
And how do I handle computers that don't have BitLocker enabled at all? I could do a WMI query on the disable step, or simply continue on error.
But how then do I make sure the enable step doesn't run on computers that never had BitLocker enabled in the first place?

Thanks
David Z

Microsoft Configuration Manager

Accepted answer
  1. Jason Sandys 31,196 Reputation points Microsoft Employee
    2021-07-07T14:40:08.273+00:00

    Yes. Disable doesn't remove the protector, just disables it temporarily.

    Also, as noted, you don't need to use the -enable option to re-enable it if you use -rc (or -rebootcount) option, it will automatically get re-enabled after the specified number of reboots.

    From the command-line help on -disable:

    "Suspends protection. Allows anyone to access encrypted data by making the encryption key available unsecured on disk. No keyprotectors are removed. If the optional RebootCount parameter is not specified, BitLocker protection of the OS volume automatically resumes after Windows is restarted. If a RebootCount parameter is specified, BitLocker protection of the OS volume will resume after Windows has been restarted the number of times specified in the RebootCount parameter."


4 additional answers

  1. Jason Sandys 31,196 Reputation points Microsoft Employee
    2021-07-06T19:53:07.057+00:00

    Use manage-bde from a Run Command Line task, as alluded to by @HanyunZhu-MSFT. There's even a -rc option so that it will automatically re-enable after a certain number of reboots, so there's no need for any additional tasks.

    1 person found this answer helpful.

  2. HanyunZhu-MSFT 1,846 Reputation points
    2021-07-05T08:50:29.607+00:00

    Hi,

    Thanks for posting in Microsoft Q&A forum.

    I did do a lot of research, but still cannot find out an accurate method.

    Here is a thought that can be provided as a reference; this might work:

    1. Before disabling BitLocker, we could add a "Run PowerShell Script" or "Run Command Line" step to back up the BitLocker configuration of each device.
    2. After the steps in WinPE are completed, restart the computer and run commands to recover the BitLocker configuration.
      The task sequence may resemble the screenshot below:
      [screenshot: 111745-ts.png]

    Hope it is helpful to you.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

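An added example (not code from this thread or from the answerers) that ties the three ideas above together: the question's wish to skip machines that never had BitLocker, the accepted answer's point that suspending with a reboot count needs no separate enable step, and HanyunZhu's suggestion of recording the configuration before WinPE and checking it afterwards. It is one script used in two "Run PowerShell Script" steps of the task sequence, one before the WinPE phase (`-Mode Suspend`) and one after it (`-Mode Verify`). It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`, `Suspend-BitLocker`, `Resume-BitLocker`) is available in the full OS and that `C:` is the OS volume; the state file path and the task sequence variable name `BitLockerWasOn` are my own choices, not anything from the thread.

```powershell
# Added example, not code from the thread. Used twice in the task sequence:
#   -Mode Suspend : record the OS volume's BitLocker state, set a task sequence
#                   variable, and suspend protection for N reboots (no decryption).
#   -Mode Verify  : after the WinPE work, confirm protection resumed with the same
#                   key protector types (Tpm, TpmPin, RecoveryPassword, ...) as before.
# Assumptions: BitLocker PowerShell module present in the full OS; C: is the OS volume.
# Microsoft.SMS.TSEnvironment only exists inside a running task sequence (optional here).
# $StateFile and the variable name BitLockerWasOn are hypothetical choices.
param(
    [ValidateSet('Suspend', 'Verify')]
    [string]$Mode = 'Suspend',
    [string]$OsDrive = 'C:',
    [ValidateRange(0, 15)]
    [int]$RebootCount = 1,
    [string]$StateFile = "$env:ProgramData\BitLockerState.json"
)

function Get-OsVolumeState {
    # Snapshot of what a before/after comparison needs: protection on or off,
    # and which key protector types are configured on the volume.
    param([string]$Drive)
    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus     # 'On' | 'Off' | 'Unknown'
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectorTypes   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType } | Sort-Object)
    }
}

function Set-TsVariable {
    # Best effort: outside a task sequence the COM object does not exist, so just skip.
    param([string]$Name, [string]$Value)
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $tsenv.Value($Name) = $Value
    } catch {
        Write-Verbose "Not running inside a task sequence; variable $Name not set."
    }
}

switch ($Mode) {
    'Suspend' {
        $state = Get-OsVolumeState -Drive $OsDrive
        $state | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8

        if ($state.ProtectionStatus -ne 'On') {
            # Never encrypted, or already suspended: nothing to do. The Verify step
            # later skips its checks because BitLockerWasOn is not 'True'.
            Set-TsVariable -Name 'BitLockerWasOn' -Value 'False'
            Write-Output "BitLocker protection is not on for $OsDrive; skipping suspend."
            exit 0
        }

        Set-TsVariable -Name 'BitLockerWasOn' -Value 'True'
        # Suspend, not decrypt: the key protectors stay in place and protection resumes
        # by itself after $RebootCount restarts, so no separate "enable" step is needed.
        # The manage-bde form from the accepted answer is equivalent:
        #   manage-bde -protectors -disable C: -RebootCount 1
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount $RebootCount -ErrorAction Stop | Out-Null
        Write-Output "Suspended BitLocker on $OsDrive for $RebootCount reboot(s); protectors: $($state.ProtectorTypes -join ', ')"
    }
    'Verify' {
        if (-not (Test-Path -Path $StateFile)) { Write-Output "No saved state; nothing to verify."; exit 0 }
        $before = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        if ($before.ProtectionStatus -ne 'On') { Write-Output "BitLocker was off before; nothing to verify."; exit 0 }

        $after = Get-OsVolumeState -Drive $OsDrive
        if ($after.ProtectionStatus -ne 'On') {
            # Reboot count not yet reached (e.g. the WinPE phase restarted fewer times
            # than expected): resume explicitly rather than leave the key in the clear.
            Write-Warning "Protection has not resumed on $OsDrive; resuming now."
            Resume-BitLocker -MountPoint $OsDrive -ErrorAction Stop | Out-Null
        }
        $diff = Compare-Object -ReferenceObject @($before.ProtectorTypes) -DifferenceObject @($after.ProtectorTypes)
        if ($diff) {
            Write-Error "Protector types changed: before=[$($before.ProtectorTypes -join ',')] after=[$($after.ProtectorTypes -join ',')]"
            exit 1   # fail the step so the drift shows up in the task sequence report
        }
        Write-Output "BitLocker protection is on for $OsDrive with unchanged protectors."
    }
}
```

Two ways to gate the steps follow from this. The Verify step can carry the condition "Task Sequence Variable BitLockerWasOn equals True", so it never runs on machines that were not protected. Alternatively, the WMI query condition the question mentions works on the Suspend step without any script: namespace `root\cimv2\Security\MicrosoftVolumeEncryption`, query `SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter = 'C:' AND ProtectionStatus = 1` (1 means protection is on). Either way, because the suspend keeps every key protector, the TPM-only and TPM+PIN machines come back with exactly the protector set they had, which is why no enable step has to ask which type to use.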

  3. David Zemdegs 1,586 Reputation points
    2021-07-06T22:06:14.703+00:00

    So if you do manage-bde protectors disable and enable it will remember the type of protectors it has?


  4. David Zemdegs 1,586 Reputation points
    2021-07-07T21:35:34.55+00:00

    Thanks
    It's the constant misnaming that is frustrating and can lead to confusion.
    -disable = 'suspends protection'
    why isn't it -suspend?
