Showing posts with label BitLocker. Show all posts

Sunday, 3 June 2012

SCCM - Enable BitLocker with TPM and PIN

In our environment we are using BitLocker with the TPM and a PIN. SCCM has the option to enable BitLocker as part of a Task Sequence.

However, the built-in step cannot set a PIN. If you rely on Group Policy to require a PIN, the policy registry settings will not be written until AFTER the Task Sequence has completed. Not very useful.

The solution:
Use the built-in SCCM task "Enable BitLocker". Choose "TPM only" and save the recovery information to AD:

This will enable BitLocker and start encrypting the disk. I have not tested it yet, but I can't see why you couldn't have this straight after the step "Setup Windows and ConfigMgr". In theory this would leave you much further in the encryption process by the time the TS ends.

From an already encrypted PC, export the registry key that holds your BitLocker policy settings. Remember to re-export it whenever you change your BitLocker policy. The key is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

With all of this at the end of the TS, I add a reboot after the above step. I have had some odd results with the first login without doing this reboot. However, if this is at the beginning, you will most likely have a reboot somewhere anyway.

Apply the registry file you exported above, using a "Command Line" step, or create a package for it:
regedit /s <filename.reg>

OK, so we have encryption enabled and our registry settings added. Now we can set a PIN. Add another "Command Line" step:
manage-bde.exe -protectors -add C: -tp %EnPass%
%EnPass% is a task sequence variable. How you set it is up to you; you can set it manually here if you want. I have an HTA with some options, one of which asks for this password and sets this variable.


Monday, 12 December 2011

DEP and BitLocker

Enabling DEP (Data Execution Prevention), or changing its configuration, is done in one of two ways:
Through the System Properties of Computer
Or using the command line "bcdedit /set nx <AlwaysOn|AlwaysOff|OptIn|OptOut>"

Either method will work and do what you want it to (in my case it was OptOut, which allows you to specify applications to be exempt from DEP).

The issue comes in when you are running OS disk encryption with BitLocker. Changing DEP settings changes boot.ini, and as such will lock the user out of BitLocker, requiring them to enter the recovery key until the PIN is changed. Even this may not stop them getting the prompt.

Obviously this isn’t ideal for a mass deployment, where having to manually change the BitLocker PIN for every user means you may as well manually set DEP.

The solution: stop and start BitLocker.
manage-bde -protectors -disable C:
bcdedit /set nx OptOut
manage-bde -protectors -enable C:
The above, added to a batch script or an SCCM step, will pause BitLocker (without prompting for a PIN), change the DEP setting in boot.ini, and then restart BitLocker.

When you stop BitLocker is irrelevant, as long as it is restarted AFTER you have made the changes to boot.ini. The same stop and start will be needed for some changes to the BIOS or hardware.
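As an added example that is not part of the original posts, here are the two manage-bde procedures above (adding the TPM+PIN protector only once the FVE policy keys are in place, and suspending the protectors around a bcdedit change) as a PowerShell script for an SCCM "Command Line" step. The drive letter, the registry value names checked, the Get-ProtectionStatus parsing of manage-bde output and the hypothetical function names are my assumptions; it assumes manage-bde, bcdedit and regedit are on PATH and the step runs elevated.

```powershell
# Added example, not from the original posts. Assumes an elevated SCCM step on a
# machine where manage-bde, bcdedit and regedit are on PATH.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'   # assumed OS volume

function Get-ProtectionStatus {
    # Parses the "Protection Status: Protection On/Off" line of manage-bde -status
    $line = (& manage-bde -status $Drive) | Where-Object { $_ -match 'Protection Status' }
    if ($line -match 'Protection On')  { return 'On' }
    if ($line -match 'Protection Off') { return 'Off' }
    throw "Could not read BitLocker protection status for $Drive"
}

function Add-TpmPinProtector {
    param([Parameter(Mandatory=$true)][string]$RegFile,   # the exported FVE .reg
          [Parameter(Mandatory=$true)][string]$Pin)       # e.g. the %EnPass% TS variable
    & regedit /s $RegFile
    # A TPM+PIN protector is only accepted when policy allows it, which is why the
    # first post imports the FVE key before this step; verify rather than assume.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if ($pol.UseAdvancedStartup -ne 1 -or ((1,2) -notcontains $pol.UseTPMPIN)) {
        throw "FVE policy does not allow a TPM+PIN protector; check $RegFile"
    }
    & manage-bde -protectors -add $Drive -tp $Pin
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -add failed (exit $LASTEXITCODE)" }
}

function Set-DepWithBitLockerSuspended {
    param([ValidateSet('AlwaysOn','AlwaysOff','OptIn','OptOut')][string]$Nx = 'OptOut')
    if ((Get-ProtectionStatus) -ne 'On') {
        throw "BitLocker protection is not on for $Drive; nothing to suspend"
    }
    & manage-bde -protectors -disable $Drive     # suspend: no PIN/recovery prompt later
    try {
        # Make the boot-configuration change while the protectors are suspended.
        & bcdedit /set nx $Nx
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (exit $LASTEXITCODE)" }
    } finally {
        # Always re-arm, even if bcdedit failed: while suspended the volume key is
        # stored in the clear on disk and the drive is effectively unprotected.
        & manage-bde -protectors -enable $Drive
    }
    if ((Get-ProtectionStatus) -ne 'On') { throw "Protection did not resume on $Drive" }
}

# Usage from the task sequence (order matches the posts):
# Add-TpmPinProtector -RegFile 'C:\Temp\fve.reg' -Pin $env:EnPass
# Set-DepWithBitLockerSuspended -Nx OptOut
```

The try/finally is the part the batch version lacks: if bcdedit errors out mid-step, the batch file still runs the -enable line only by luck of sequencing, whereas here the resume is guaranteed and the final status check fails the SCCM step loudly if protection did not come back.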