Enabling BitLocker during deployment
Hi,
New to KACE and have just learnt how to deploy an image via PXE to workstations.
I created and install that installed Windows 7 and some Apps. I need to know how to enable BitLocker as part of the deployment?
Would really appreciate the help!
Thanks
B
New to KACE and have just learnt how to deploy an image via PXE to workstations.
I created and install that installed Windows 7 and some Apps. I need to know how to enable BitLocker as part of the deployment?
Would really appreciate the help!
Thanks
B
0 Comments
[ + ] Show comments
Answers (2)
Please log in to answer
Posted by:
pjgeutjens
13 years ago
Bandon,
seems like you can enable BitLocker using WMI scripting. For more info on this have a look here.
Rgds,
PJ
seems like you can enable BitLocker using WMI scripting. For more info on this have a look here.
Rgds,
PJ
Comments:
-
We are now able to deploy Bitlocker using a K2000 post installation task to Windows 7 x64 machines. However it only works for us if we run the post install command before installing the K1000 agent.
Also at the moment we currently manually configure the BIOS so that TPM is enabled before kicking off the build process however you should be able to install Dell's CCTK and configure it using a post install command.
The commands which we run in order to enable Bitlocker are (note - I'm not using our production password in this example and you will need to change it to something else):
%windir%\system32\manage-bde.exe -tpm -takeownership 12312312
%windir%\system32\manage-bde.exe -on C: -recoverypassword
Important:
We have already configured a GPO in AD so that the keys auto save to AD. - White Belt 11 years ago-
I am new to Kace as well and have been tasked to do the same. How did you get your keys to save to AD? - tmac0701 7 years ago
-
Create a file called keys.vbs with the following content:
' DESCRIPTION:
' This script will backup bitlocker recovery information to active directory for drives which are already encrypted.
' DEVELOPED BY:
' Himanshu Singh (himanshu.singh@microsoft.com)
' Microsoft Corporation
' DATE: 20/08/2013
' VERSION: 1.0
' DISCLAIMER:
' This script is provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided.
' The script is not supported under any Microsoft standard support program or service.
Option Explicit
' Define global constants
Private Const wmiSec = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!//./root/cimv2"
Private Const VolEnc = "/Security/MicrosoftVolumeEncryption"
' Define global variables
Dim EncryptedVols, objFSO, objFile
' Initialize Logging
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("C:\WINDOWS\TEMP\BDEAdBackup.log", True)
objFile.WriteLine "Starting Script" & vbNewLine
' Get all the encrypted volumes and then attempt to backup recovery information to AD-DS
Set EncryptedVols = GetEncryptedVolumes
BackupADDS EncryptedVols
objFile.WriteLine vbNewLine & "Script Ended."
'This function gets a list of all the volumes encrypted using bitlocker
Private Function GetEncryptedVolumes()
Set GetEncryptedVolumes = GetObject(wmiSec & VolEnc & ":Win32_EncryptableVolume").Instances_
If Err <> 0 Then
objFile.WriteLine "Unable to connect to Win32_VolumeEncryption WMI Class" & vbNewLine & _
"Bitlocker may not be enabled on this machine." & VbCrLf & _
"Error Returned:" & vbNewLine & err.number & vbTab & err.description
wscript.quit
End If
Err.clear
End Function
Private Function BackupADDS(ByVal EncryptedVols)
Dim evol, vLockStat, vProtectID
objFile.WriteLine "Starting To backup recovery infromation to AD-DS for bitlocker enabled volume(s)"
For Each evol In EncryptedVols
objFile.WriteLine "Processing Volume: " & evol.DriveLetter
'See if the volume is locked or not. If the Volume is Locked, we cannot backup information to AD-DS.
objFile.WriteLine "Checking if the volume is unlocked."
Dim VolLockStat : VolLockStat = evol.GetLockStatus(vLockStat)
Select Case vLockStat
Case 0
objFile.WriteLine "Volume is unlocked, getting the protector ID for numerical password."
Dim GetProtect: GetProtect = evol.GetKeyProtectors(3, vProtectID)
If GetProtect <> 0 Then
objFile.WriteLine "Error getting ID for numerical password protector of volume " & evol.DriveLetter & ", " & GetProtect
objFile.WriteLine "Error Returned: " & Err.Number & ", " & Err.Description
Else
objFile.WriteLine "Backing up information to AD-DS."
Dim BkpStat : BkpStat = evol.BackupRecoveryInformationToActiveDirectory(vProtectID(0))
If BkpStat <> 0 Then
objFile.WriteLine "Backup to AD-DS failed for volume " & evol.DriveLetter
objFile.WriteLine "Error Returned: " & Err.Number & ", " & Err.Description
Else
objFile.WriteLine "Backup to AD-DS successful for volume " & evol.DriveLetter
End If
End If
Case 1 'try to disable the key protectors so that we can access the drive
objFile.WriteLine "Volume is locked, cannot backup recovery information to AD-DS."
End Select
Next
Err.clear
End Function
Then call it like so: cscript.exe $(KACE_DEPENDENCY_DIR)\keys.vbs
That should write the key to AD. - JonnyBarr 7 years ago
Posted by:
JonnyBarr
7 years ago
Hi,
ShellCommandTextReturn(%windir%\sysnative\manage-bde.exe -protectors c: -get)
I find it handier to write the key to the Custom Inventory field.
Create a custom Software item with a shell command:
ShellCommandTextReturn(%windir%\sysnative\manage-bde.exe -protectors c: -get)
J.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.
