With the new 1803 feature update for Windows 10 we got some new and exciting commands for Windows Setup that we can use in an upgrade task sequence in SCCM to upgrade without suspending BitLocker. For more information about the 1803 feature update, please see this blog post.
With these new Setup commands you can set a specific value in your task sequence that will try to keep BitLocker active, or force it to stay active, during the upgrade. You can also use the AlwaysSuspend option, but as the name implies this will actually suspend BitLocker, and that's not what we want in this post. The different commands are as follows:
- /BitLocker TryKeepActive
- /BitLocker ForceKeepActive
- /BitLocker AlwaysSuspend
In your upgrade task sequence you need to set the variable OSDSetupAdditionalUpgradeOptions to one of the options above depending on how you want the upgrade to handle BitLocker. In this scenario we are using the /BitLocker TryKeepActive value that will attempt to do the upgrade without suspending BitLocker, but if the upgrade fails, Windows Setup will suspend BitLocker and complete the upgrade.
Please note that there are some requirements to get this setup to work.
- The device being upgraded should be Windows 10 1709 or higher.
- The Windows device needs to be using Secure Boot and have a TPM.
- BitLocker needs to be using a TPM protector only.
- The user profile folder can’t be on a separate volume that is also BitLocker protected.
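The requirements above can be checked on the device before the upgrade step runs. The following PowerShell is an added example, not part of the original post: the function name is hypothetical, and it assumes that a RecoveryPassword protector alongside the TPM protector still counts as "TPM protector only". It sets OSDSetupAdditionalUpgradeOptions only when every check passes.

```powershell
# Added example (not from the original post). Run elevated, e.g. in a task sequence step.
# Test-BitLockerKeepActiveReady is a hypothetical name; it returns a list of failed checks.
function Test-BitLockerKeepActiveReady {
    $reasons = @()

    # Requirement: Windows 10 1709 (build 16299) or higher.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -lt 16299) { $reasons += "Build $build is older than 1709 (16299)" }

    # Requirement: Secure Boot. The cmdlet throws on legacy BIOS systems.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }
    if (-not $secureBoot) { $reasons += 'Secure Boot is not enabled' }

    # Requirement: a TPM that is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $reasons += 'TPM missing or not ready' }

    # Requirement: TPM-only protector on the OS volume.
    # Assumption: a RecoveryPassword protector next to Tpm is acceptable.
    $types = @((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        ForEach-Object { [string]$_.KeyProtectorType })
    $other = @($types | Where-Object { $_ -notin 'Tpm', 'RecoveryPassword' })
    if (('Tpm' -notin $types) -or $other.Count -gt 0) {
        $reasons += "OS volume protectors are not TPM-only: $($types -join ', ')"
    }

    # Requirement: profile folder not on a separate BitLocker-protected volume.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profileRoot = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $key).ProfilesDirectory)
    $profileDrive = Split-Path $profileRoot -Qualifier
    if ($profileDrive -ne $env:SystemDrive) {
        $vol = Get-BitLockerVolume -MountPoint $profileDrive -ErrorAction SilentlyContinue
        if ($vol -and $vol.ProtectionStatus -eq 'On') {
            $reasons += "Profiles are on BitLocker-protected volume $profileDrive"
        }
    }
    return ,$reasons
}

$reasons = Test-BitLockerKeepActiveReady
if ($reasons.Count -eq 0) {
    # Works inside a running task sequence only: set the variable described above.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('OSDSetupAdditionalUpgradeOptions') = '/BitLocker TryKeepActive'
} else {
    $reasons | ForEach-Object { Write-Warning $_ }
}
```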
If set up correctly, the command line for the Windows Setup upgrade will include /BitLocker TryKeepActive, as shown below. You can view this in smsts.log.
Command line of Windows Setup upgrade: '"C:\WINDOWS\ccmcache\8\SETUP.EXE" /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe "C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback "C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd" /DynamicUpdate Disable /BitLocker TryKeepActive'
If you have any questions, feel free to email me at email@example.com.