Client Automation - How to temporary disable bitlocker during SD Job execution
search cancel

Client Automation - How to temporary disable bitlocker during SD Job execution


Article ID: 200381


Updated On:


CA Client Automation - IT Client Manager CA Client Automation CA Client Automation - Software Delivery


Sometimes SD Jobs execution need a reboot of computer and continue after the reboot.

If a drive is encrypted with Bitlocker (Microsoft Drive Bitlocker), the reboot may ask for a PIN or password at boot time.

(User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN or password.)


This stops the SD jobs installation process and is waiting manual action from end user.

How to disable temporary Bitlocker on the drive to disable the ask of PIN or password during reboot of machine ?



Client Automation - All Versions.



One solution is to configure the parameter "CAF: Custom reboot command" to this value in configuration policy applied on the agents :

DSM/Common Components/CAF/General/CAF: Custom reboot command = cmd /c "c:\windows\sysnative\manage-bde -protectors -disable c: -RebootCount 1 & shutdown /r /t 0"


"Custom reboot command. When caf is asked to reboot the computer, caf can use this command instead of the usual OS method. This is normally used for specialised hardware that needs custom actions to be performed before the reboot takes place."


When caf is requested to do a reboot (by SD jobs for example), it executes this command line :

cmd /c "c:\windows\sysnative\manage-bde -protectors -disable c: -RebootCount 1 & shutdown /r /t 0"

manage-bde -protectors -disable c: -RebootCount 1
disables bitlocker protection on drive C and enable it again automatically after 1 reboot.
So at next reboot no password or PIN code are asked and reboot could be done without manual action.

shutdown /r /t 0
does the reboot of the machine.