SCCM, OSD and BitLocker PIN

I’ve been having some fun this week sorting out a task sequence in SCCM that deploys everything and enables BitLocker with a PIN. I want users to be prompted for a PIN when they boot their PC. I have the tasks correct: I used HP’s BIOS configuration tool to turn on the TPM, and I then take ownership of it with the following command (the last argument is the TPM owner password):

%systemroot%\System32\manage-bde.exe -tpm -o information

The PC is then rebooted just to be sure. The problem came when I ran the command to enable the PIN. The task sequence failed with “The task sequence execution engine failed executing the action xxx in the group yyy with the error code 2150695008” (0x80310060 in hex) and the BitLocker message “Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.” I double-checked and all my Group Policy options were correct. What gives?

Well, it turns out that OSD doesn’t pick up any Group Policy that I could find: the task sequence runs before the newly built machine has applied domain policy, so the BitLocker policy values aren’t in the registry yet, and without the “Require additional authentication at startup” policy enabled, manage-bde will not add a TPM+PIN protector. Running a gpupdate after using the F8 debug just hung and eventually errored. My solution was to export the registry settings from a working PC on the domain and then import them as part of the task sequence. The settings are located under HKLM\SOFTWARE\Policies\Microsoft\FVE. These are exported to a .reg file in a package whose program just calls “regedit /s bitlocker.reg” (the import only has to hold until the protector is added; real Group Policy overwrites the same values later). After the import, I run the command

%SYSTEMROOT%\system32\manage-bde.exe -protectors -add %SystemDrive% -tp 1234567890

This sets the PIN and everything is now working well. Obviously, swap 1234567890 for something a bit less obvious 😉 Bear in mind that a PIN baked into a task sequence is the same on every PC it builds, so have users change it with “manage-bde -changepin” once they get their machine; the PIN is digits only unless enhanced PINs are allowed by policy.
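The whole sequence (policy values, TPM check, protector add, verification) as one task sequence step, written as an added example rather than code from the original post. It replaces the “regedit /s bitlocker.reg” import with direct writes of the same FVE policy values, and it assumes things the post does not state: the PIN arrives either as a -Pin parameter or in a task sequence variable named OSDBitLockerPIN (a hypothetical name), and manage-bde’s protector listing contains the text “TPM And PIN” for a TPM+PIN protector.

```powershell
# Added example, not code from the original post: one PowerShell step that does the
# post's policy import and protector add in a task sequence, then verifies the result.
# Instead of "regedit /s bitlocker.reg" it writes the same FVE policy values directly.
# Assumptions (not in the post): the PIN is supplied either as -Pin or through a task
# sequence variable named OSDBitLockerPIN (hypothetical name), and manage-bde's
# protector listing contains the text "TPM And PIN" for a TPM+PIN protector.
param(
    [string]$Pin
)

$ErrorActionPreference = 'Stop'
$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Read the PIN from the task sequence environment if it was not passed in,
#    so the value lives in a TS variable rather than in the package source.
if (-not $Pin) {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $Pin = $tsenv.Value('OSDBitLockerPIN')   # hypothetical variable name
}
# Sanity check only: digits, at most 20. The real minimum comes from policy, and
# letters need the "enhanced PIN" policy, so a plain -tpmandpin PIN is kept numeric.
if ($Pin -notmatch '^\d{4,20}$') {
    throw 'PIN must be 4 to 20 digits.'
}

# 2. Policy values behind "Require additional authentication at startup".
#    0 = do not allow, 1 = require, 2 = allow. Without UseAdvancedStartup=1 and a
#    permissive UseTPMPIN, manage-bde refuses a PIN with the error from the post.
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0   # no BitLocker without a TPM
    UseTPM             = 2   # TPM only: allow
    UseTPMPIN          = 2   # TPM + PIN: allow
    UseTPMKey          = 2   # TPM + startup key: allow
    UseTPMKeyPIN       = 2   # TPM + startup key + PIN: allow
}
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
        -Value $policy[$name] -Force | Out-Null
}

# 3. Refuse to continue unless the TPM is enabled and owned (the BIOS tool and
#    "manage-bde -tpm -o" steps from the post must already have run).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM found; turn it on in the BIOS first.'
}
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsOwned().IsOwned) {
    throw 'TPM is not enabled and owned; take ownership before adding a TPM+PIN protector.'
}

# 4. Add the TPM+PIN protector (same manage-bde call as the post, -tp spelled out).
& $ManageBde -protectors -add $env:SystemDrive -tpmandpin $Pin | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw ('manage-bde failed, exit code {0} (0x{0:X8})' -f $LASTEXITCODE)
}

# 5. Verify rather than assume: the protector list must now show a TPM And PIN entry.
$protectors = & $ManageBde -protectors -get $env:SystemDrive
if (-not ($protectors -match 'TPM And PIN')) {
    throw 'No TPM+PIN protector present after the add; check the FVE policy values.'
}
Write-Output 'TPM+PIN protector configured.'
exit 0
```

Run it as a script step in the full OS, after the Setup Windows and ConfigMgr step and the TPM ownership reboot, not in WinPE. The policy values it writes are the same ones the exported .reg file carries, so they are harmlessly overwritten when the domain’s Group Policy applies later.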
