
Client Automation - How to temporarily disable BitLocker during SD Job execution


Article ID: 200381


Products

CA Client Automation - IT Client Manager, CA Client Automation, CA Client Automation - Software Delivery

Issue/Introduction

Sometimes the execution of an SD Job needs to reboot the computer and continue after the reboot.

If a drive is encrypted with BitLocker (Microsoft BitLocker Drive Encryption), the reboot may prompt for a PIN or password at boot time.

(User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN or password.)

 

This stops the SD job installation process, which then waits for manual action from the end user.

How can BitLocker be temporarily disabled on the drive so that no PIN or password is requested when the machine reboots?

 

Environment

Client Automation - All Versions.

 

Resolution

One solution is to set the parameter "CAF: Custom reboot command" to the following value in the configuration policy applied to the agents:

DSM/Common Components/CAF/General/CAF: Custom reboot command = cmd /c "c:\windows\sysnative\manage-bde -protectors -disable c: -RebootCount 1 & shutdown /r /t 0"

 

"Custom reboot command. When caf is asked to reboot the computer, caf can use this command instead of the usual OS method. This is normally used for specialised hardware that needs custom actions to be performed before the reboot takes place."



 

When caf is requested to reboot (by SD jobs, for example), it executes this command line:

cmd /c "c:\windows\sysnative\manage-bde -protectors -disable c: -RebootCount 1 & shutdown /r /t 0"




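The command
manage-bde -protectors -disable c: -RebootCount 1
suspends BitLocker protection on drive C: and re-enables it automatically after 1 reboot.
So at the next reboot no password or PIN is requested, and the reboot can complete without manual action.
While protection is suspended the drive contents remain encrypted, but the volume unlocks without the PIN or password, so the machine is not protected by pre-boot authentication during that reboot.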

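The command
shutdown /r /t 0
reboots the machine immediately.
Because the two commands are joined with &, the reboot runs whether or not the manage-bde command succeeded.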
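
As an added check that is not part of the original article: a PowerShell script to run elevated after the job's reboot (for example as a later job step, which is an assumption about deployment) that confirms protection on the drive is On again and resumes it if it is not. The helper function name and the exit codes are hypothetical.

```powershell
# Added example, not part of the original article: confirm that BitLocker
# protection came back after the reboot triggered by the custom reboot command.
# Exit codes (constructed convention): 0 = protected or not encrypted,
# 1 = still suspended after a resume attempt, 2 = state could not be read.
#requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:'   # drive suspended by the custom reboot command
)

function Get-ProtectionState {
    param([string]$Drive)
    # Get-BitLockerVolume comes from the BitLocker module shipped with Windows.
    $v = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop
    [pscustomobject]@{
        Volume     = [string]$v.VolumeStatus      # e.g. FullyEncrypted
        Protection = [string]$v.ProtectionStatus  # On / Off / Unknown
    }
}

try {
    $state = Get-ProtectionState -Drive $MountPoint
} catch {
    Write-Output "ERROR: cannot read BitLocker state for ${MountPoint}: $($_.Exception.Message)"
    exit 2
}

if ($state.Volume -eq 'FullyDecrypted') {
    Write-Output "$MountPoint is not BitLocker-encrypted; nothing to resume."
    exit 0
}
if ($state.Protection -eq 'On') {
    Write-Output "$MountPoint protection is On."
    exit 0
}

# Protection is still Off: the -RebootCount window did not close (for example
# the reboot never happened, or a count of 0 was used). Resume explicitly.
Write-Output "$MountPoint protection is $($state.Protection); resuming."
try {
    Resume-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    $state = Get-ProtectionState -Drive $MountPoint
} catch {
    Write-Output "ERROR: resume failed: $($_.Exception.Message)"
    exit 1
}
if ($state.Protection -eq 'On') { Write-Output 'Protection resumed.'; exit 0 }
Write-Output 'Protection is still Off after the resume attempt.'
exit 1
```

A non-zero exit code lets the calling job or monitoring flag machines whose drive stayed suspended.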