How to use SCCM Task Sequence to enable, configure and monitor Bitlocker

MBAM is out of support soon (09/07/2019) and right now they are two options to manage Bitlocker with Azure on cloud or on prem with SCCM, AD and PowerShell.

In this article I will cover the second  scenario, pre Provision Bitlocker with SCCM, store the recovery key in AD, Bitlocker Group Policy for more settings, PowerShell for status and reports, SCCM for Reports.

Microsoft links with details for each step

More details about Task Sequnce pre-provision Bitlocker:

More details about Task Sequnce enable Bitlocker:

More details about manage Bitlocker with Group Policy Object:

More details about manage Bitlocker with PowerShell:


First let’s review the disk partition, ned’s to be done in UEFI schema SCCM-enable-bitlocker-disk

Add a step in Task Sequence for Pre-provision BitLocker right after disk partition. SCCM-enable-bitlocker-pre-provision

At the end of you TS add Enable Bitlocker step. In my example I have used to store the key only in TPM chipset. Also very important is to store the key in Active Directory Domain Services. A big disadvantage of store the key in AD is that each time the encryption key it will be renewed  it will be store in AD without to remove the old one. I will end with a lot of keys for each computer,  you can still sort to see which is the newest to be used for unblock the computer. I have also chose to encrypt only the used space to be more faster. SCCM-enable-bitlocker

After computer is joined in domain you can check the logs and AD to ensure that everything is ok and the key is stored in ad.

A very easy way to test the recovery key is to change the BIOS, disable Secure boot for example, it will triggered immediately the recovery mode and you can test the Bitlocker key

1. with PowerShell command check the status , manage-bde -status   

PS C:\WINDOWS\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 471.56 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password

2.  Check the logs on client going to Event Viewer à Applications and Services à Microsoft à Windows à BitLocker-API à Management bitlocker-event-viewer-log

3. Check the key in AD, you have two option, in computer object properties or right click on domain tree and from the menu select find BitLocker Key


ad-bitlocker-search-key-menu ad-bitlocker-search-recovey-key

4. Reports, you can still use SCCM with MBAM integration for reports or you can use PowerShell commands

A few examples of reports using MBAM integration. You don’t need MBAM server just MBAM integration with .mof file modified  see the Microsoft link SCCM-bitlocker-computer-compliant2 SCCM-bitlocker-computer-non-compliant

This are  two examples of reporting using PowerShell scripts from Microsoft

Was easy no, happy SSCM-ing :)