Monday 12 December 2011

DEP and BitLocker

Enabling DEP (Data Execution Protection), or changing its configuration, is done in one of two ways:
Through Properties on Computer
Or using the command line "bcdedit /set nx "

Either method will work and do what you want it to (in my case it was OptOut, which allows you to specify applications to be exempt from DEP).

The issue arises when the OS disk is encrypted with BitLocker. Changing the DEP setting changes boot.ini, and as such locks the user out of BitLocker: they are prompted for the recovery key until the PIN is changed, and even that may not stop the prompt.

Obviously this isn't ideal for a mass deployment, where having to change the BitLocker PIN for every user by hand means you may as well set DEP by hand too.

The solution: stop and start BitLocker.
manage-bde -protectors -disable C:
bcdedit /set nx OptOut
manage-bde -protectors -enable C:
The above, added to a batch script or deployed via SCCM, pauses BitLocker (without prompting for a PIN), changes the DEP setting in boot.ini and then restarts BitLocker.

When you stop BitLocker is irrelevant, as long as it is restarted AFTER you have made the changes to boot.ini. The same stop and start is needed for some BIOS or hardware changes.
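As an added example (not from the original post, and not Microsoft's code), here is the same sequence wrapped in PowerShell so that the protectors are re-enabled even if the bcdedit step fails, and the new setting is read back before resuming. It assumes C: is the BitLocker-protected OS volume, an elevated prompt, and English-language manage-bde output.

```powershell
# Added example, not from the original post. Assumptions: C: is the OS volume,
# the script runs elevated, and manage-bde prints English status text.
$Volume   = 'C:'
$NxPolicy = 'OptOut'

function Get-ProtectionStatus {
    # Parses "Protection Status: Protection On|Off" from manage-bde -status
    $line = (manage-bde -status $Volume) | Select-String 'Protection Status'
    if ($line -match 'Protection (On|Off)') { return $Matches[1] }
    throw "Could not read BitLocker protection status for $Volume"
}

if ((Get-ProtectionStatus) -ne 'On') {
    throw "$Volume is not BitLocker-protected; refusing to run the DEP change"
}

# Suspend (not remove) the protectors so the boot change does not trigger recovery
manage-bde -protectors -disable $Volume | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to suspend BitLocker on $Volume" }

try {
    bcdedit /set nx $NxPolicy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set nx $NxPolicy failed" }

    # Read the value back from the current boot entry instead of trusting the exit code
    $nx = (bcdedit /enum '{current}') | Select-String '^\s*nx\s+(\S+)'
    if (-not $nx -or $nx.Matches[0].Groups[1].Value -ne $NxPolicy) {
        throw "nx policy was not applied (expected $NxPolicy)"
    }
    Write-Output "DEP policy set to $NxPolicy"
}
finally {
    # Always resume protectors, and only AFTER the boot configuration change,
    # so the next boot does not land on the recovery key prompt
    manage-bde -protectors -enable $Volume | Out-Null
    if ((Get-ProtectionStatus) -ne 'On') {
        Write-Error "BitLocker protectors on $Volume are still suspended; re-enable manually"
    }
}
```

Run it once per machine from your deployment tool; the final status check is the line to alert on, since a machine left with protectors suspended is unencrypted at rest in practice.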
