Enabling BitLocker in SCCM Task Sequence
With the continued onslaught of news about companies being hacked, security is at an all-time high in terms of importance. Part of this effort is to encrypt computers, especially laptops that leave the building. SCCM comes with the ability to use BitLocker to encrypt during imaging. It, however, is not as simple as just adding the step.
Here is what the BitLocker step looks like:
You can change these options as your organizational policy dictates. Some things to pay attention to are the key assignment and whether or not to store the recovery key in AD. The “TPM only” option is standard BitLocker – users will only be prompted for the password if a BIOS or hardware change is detected, or if the drive is removed from the computer. The second option, “Startup Key on USB only”, will build a USB key that must be in the machine for the computer to boot into the operating system. The third option, “TPM and Startup Key on USB” requires the TPM chip and the startup key. Finally, you can select “TPM and PIN”. This option requires the TPM chip, and the user to type in a PIN to boot the machine.
Next, you have the option to store the recovery key in AD. I always recommend this. In order to view the keys, you must be a domain admin (or have the attribute delegated to you). This is an extra level of recovery in case the key is lost.
The main hurdle to enabling BitLocker is the TPM chip. Some computers, especially on the consumer line, do not have one. Most business-class machines come with the TPM module, but ship with it disabled. If the chip is disabled, the BitLocker step will fail in your task sequence. Another issue here is that to enable the chip, there also has to be a BIOS password. Luckily, you can set up the chip in the task sequence if you know how. I will go through the steps for Dell models. These steps work as of the time of this posting, but are not guaranteed for future models. Instructions for other vendors can be found online.
In order to set the BIOS password and enable the TPM module, you will need to download the Dell Command | Configure software (formerly known as the Dell Client Configuration Toolkit, or CCTK), located here: https://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure. Create a package for both the 32-bit and 64-bit versions of the downloaded software. You need individual packages per architecture. You do not need to create any programs; we just need to be able to reference the package in a “Run Command Line” task sequence step.
Once the package is created, open your task sequence. I would create a folder that contains all of these steps. Because these steps are manufacturer-specific, you will want to add a condition to the folder so that it will only execute on Dell computers. This WMI query will do the trick:
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"
I suggest doing LIKE instead of equals because some Dell models say “Dell”, some say “Dell, Inc”, and some say “Dell Inc.”. Again, creating a folder and adding this condition there works best because you only have to add it once. Be sure to include the “Enable BitLocker” step in this folder as well.
Now add a “Run Command Line” step. Give it a name, such as “Set BIOS Password”. For the command line, enter this:
Enter whatever you want to be your BIOS password. This will make the BIOS password the same on every computer. If you do not want this, set this to a variable of some kind. Doing that is out of scope of this article. Next, check the “Package” box and select the package that you created of the Dell Command | Configure software. Be sure to select the correct architecture.
Next, add another “Run Command Line” step and name it “Enable TPM”. Configure it exactly like the previous step and enter this as the command (be sure to insert your BIOS password after the equals sign):
cctk --tpm=on --valsetuppwd=
Next, add another “Run Command Line” step and name it “Activate TPM”. Configure it exactly like the previous two steps and make this the command (be sure to insert your BIOS password after the equals sign):
cctk --tpmactivation=activate --valsetuppwd=
On some models you have to restart the computer between turning TPM on and activating it. You will just have to test which models these are. Another option is to just stick a restart in there for everything.
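Rather than restarting every model blindly, you can read the TPM's actual state into task sequence variables and put conditions on the “Enable TPM”, “Activate TPM” and restart steps. The script below is an added example, not part of the original post or of Dell's tooling; it assumes it runs from a “Run PowerShell Script” step in the full OS before those steps, and the variable names TPMPresent, TPMEnabled and TPMActivated are this example's own.

```powershell
# Added example (not from the original article): record the TPM state so the
# Dell TPM/BitLocker steps can be conditioned on it instead of always restarting.
# Variable names TPMPresent / TPMEnabled / TPMActivated are assumptions of this example.

$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Same manufacturer test as the folder's WQL condition, so this is a no-op elsewhere.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -notlike '*Dell*') {
    Write-Output "Not a Dell system ($($cs.Manufacturer)); skipping TPM checks."
    exit 0
}

# Win32_Tpm lives in its own namespace. When the chip is off in BIOS it is
# typically not visible to Windows at all, so an empty result is expected then.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue

if ($null -eq $tpm) {
    # No TPM, or still hidden/disabled in BIOS: the Enable BitLocker step would fail here.
    $tsenv.Value('TPMPresent')   = 'False'
    $tsenv.Value('TPMEnabled')   = 'False'
    $tsenv.Value('TPMActivated') = 'False'
    Write-Output "No TPM visible to Windows; Enable TPM and Activate TPM steps should run."
    exit 0
}

# IsEnabled()/IsActivated() return their result as an output parameter of the same name.
$enabled   = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
$activated = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated

# PowerShell booleans stringify as True/False, which is what a TS variable condition compares against.
$tsenv.Value('TPMPresent')   = 'True'
$tsenv.Value('TPMEnabled')   = "$enabled"
$tsenv.Value('TPMActivated') = "$activated"

Write-Output "TPM present. Enabled=$enabled Activated=$activated"
```

With these variables set, condition “Enable TPM” and the restart on TPMEnabled equals False, and “Activate TPM” on TPMActivated equals False, so machines whose TPM is already on and activated skip the BIOS steps and the extra reboot entirely.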