Solved Re-imaging Bitlocker Enabled Computer SCCM

---

Hello!
After the help that I had from previous questions, I have another one that someone might have the experience to give an opinion.
We are implementing Bitlocker on a new AD so we are starting fresh and more secure. I'm ending the tests on this environment and until now I have all green (saving keys to AD, etc. etc.)

Now the question is: this encryption was made manually on Windows. We use SCCM and on another test I successfully encrypted the disk as the last step of my Task Sequence. Now I'm thinking the next step - what is the correct step to re-imagine the computer? I now that if I decrypt the disk prior to WinPE boot (we enter there by Network boot) I can do the task without any issue. But with that I would:

• Reset the computer account prior to re-join to the domain

• The last recovery key will be there

• Upon encryption I will have a new set of keys

I can also wipe the disk without decrypt, avoiding data recovery from the decryption. But I wanted to know if it's possible to re-imagine the disk maintaining the encryption and the same recovery key.
I have no PINs, just TPM as the authentication method during boot.

I searched on the Internet, MS forums, saw all the possibilities but missing what the correct step to do for this re-image mainting encripted. Thank you in advance!

Fabio,

I hope all is well. Take a look at the following, as it outlines the general steps needed, and provides good background and context around the solution as well:

https://www.windows-noob.com/forums/topic/11766-how-can-i-reinstall-bitlockered-uefi-computers-using-network-boot-and-system-center-2012-r2-configuration-manager/

Good Luck !!

Cheers,

Adam

Hello Adam,

Thank you for the link. Yesterday found this link: https://miketerrill.net/2017/04/19/how-to-detect-suspend-and-re-enable-bitlocker-during-a-task-sequence/ and tried it. In fact it worked. Never started a deployment from Windows (normally, as we talking about dozens of computers on a LAB in an University we just wipe them down, so never tried really to re-image from the OS.

But created a new collection, added the computer, made the task available for that collection on Config Manager Client, updated the policy and then from software center installed all again. I used the CMD line disable described in the link because on the OSD I would have at least 2 restarts. In the end enable it again with TPM only.

Bottom line, I have a new recover password. the idea was retrying to use the same but I think that is the way Windows work, new Bitlocker enabling, new recovery password, for security measures I'm sure. I just wanted to avoid to many recovery keys on AD and I'm not going to MBAM because it's going to be discontinued by MS. But I think like this is still great because, in fact, it's working.

Regards.

Fabio,

Thank you for sharing the additional information that you found for this. You are correct, MBAM is going away and so your approach will be better over time.

I was not sure what version of SCCM you were using and what infrastructure you had in place, so I tried to provide a resource that would work across different possible situations.

Adam

Thank you Adam for the feedback. We are using the Current Version. In fact I was trying to re-use the Recovery Password for re-image, but after some test on the Task Sequences I realized if I suspend the protection and then clean the disk I need a new encryption. Well when I'm re-imaging a computer in reality I want a clean base so on a new encrypt, the AD will have the new key. If there is only one key there (no USB recovery password for example) I just delete the account and start fresh.

Thank you again