MDT Re-Imaging and Bitlocker.

  • Question

  • I'm sure I likely asked this before.
    On a pc that is encrypted, does MDT wipe out the Bitlocker encryption during a TS by default?
    I've been on a round or two with my org where they insist that each pc be manually decrypted before reimaging. We do not use a refresh TS, only deploying a new OS onto a pc.

    I am not sure what they state the issue is, but they say that they 'run into problems' on computers that were reimaged without being decrypted first. We do not use MDT to encrypt drives, we do that manually during the desktop build.

    Can anyone point out where, in MDT, the encryption is removed during a full OS deployment? Since the encryption lies in the OS and not the BIOS, it makes complete sense to me that just recloning would wipe the whole drive, encryption and all. I somehow can't be convincing enough.

    Thanks

    Wednesday, November 15, 2017 6:48 PM

Answers

  • Oh crap, where to start...

    First off, you need to understand the difference between Decrypting a BitLocker Drive and Suspending a BitLocker drive. There will be a test later.

    You are mostly on the right track. For new computer installations, where the old OS is not needed any more, I don't see *ANY* reason to decrypt the drive; in fact, in most scenarios, that could make it WORSE! Before decrypting the drive, all the data was protected through Bitlocker, but if you decrypt the drive, the old data will now be visible to any disk forensics tools. Best to just leave it encrypted, and when you install the New OS, it will just blindly remove the old partitions (gone forever) and lay down a new partition configuration.

    Side note: Don't get me started on the stupid Department of Defense Secure Wipe apps out there. If the drive is Bitlocker Encrypted, and you have *not* suspended Bitlocker, installing a new OS is the easiest way to install a new OS and ensure the old OS is securely removed.

    Additionally, you should be using the TPM chip, which will ensure that even if you were to remove the Hard Disk, it couldn't be read by another machine. 

    I would look into setting up MDT with BitLocker Pre-Provisioning, if you are installing Windows 10 with the intention to secure it later with BitLocker. This performs all the hard work of encrypting the data on the disk, but leaves the machine in a suspended state until such time as you enable the protectors.

    As for TPM Clearing... Um, yeah... every time you clean install the OS, Windows 10 will automatically take ownership of the TPM chip if it hasn't already been taken. If you didn't clear it out previously, the ownership will be under the previous version of Windows 10, but the new OS can't take ownership because we forgot the ownership password. No problem, go through the TPM clearing process and take ownership again; this should be part of your Bitlocker Provisioning process.

    Task Sequence:

    * Reformat and partition disk

    * Enable Bitlocker Pre-provisioning

    * Install new OS

    Afterwards (in the new OS)

    * Clear the TPM chip

    * Enable Bitlocker (either via the wizard or through manage-bde.exe)


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, November 16, 2017 5:42 AM
    Moderator

All replies

    Since MDT wipes the disk, there is no need to perform BitLocker decryption. The only reason to decrypt is if you are performing user state migration. Keep in mind that you will need to clear the TPM during re-imaging so that Windows can auto-provision the TPM chip (assuming you are deploying W8/10). Check my blog for instructions on how to perform this step via an MDT TS.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Wednesday, November 15, 2017 7:19 PM
  • That's the part that stumps me...clear the TPM during re-imaging. Is that a default action in MDT? I'm guessing this is a BIOS change during MDT rather than an OS TPM clearing? I'm not aware of what AD does, but once a pc is recloned/renamed, they remove that old pc name from AD and the new pc name gets the new code.
    Wednesday, November 15, 2017 7:24 PM
    Basically you need this: http://www.vacuumbreather.com/index.php/blog/item/43-how-to-clear-the-tpm-chip-using-mdt Please be aware that on some models you do not need to clear the TPM chip (Fujitsu jumps to mind). It is all down to the TPM module vendor...

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter


    Wednesday, November 15, 2017 7:35 PM
  • Even though a new OS is completely deployed to a pc (which has no key in AD), you must clear the TPM chip? We never use a refresh scenario, only clone over a computer, which has a new pc name in AD without any Bitlocker key stored there.

    Wouldn't deploying a new OS onto a pc wipe out the data and the encryption? I see Anton's PS to clear it, but is it a must to do? We don't currently clear that now...unless it's required in a scenario we don't encounter.
    Thanks

    Thursday, November 16, 2017 5:39 PM
  • Installing a new OS *DOES* wipe the old data and old encryption.

    Clearing the TPM chip is... complicated... 

    If you *know* you were the last person to set up the PC, and the TPM was owned properly, then you installed a new OS and the TPM chip was placed into a "reduced functionality" mode... Meh... You might be able to get away with not taking ownership of the TPM chip within the NEW OS, if the procedure is time consuming, and the devices are designed for Banking/Department of Defense, or other line of work where the data must remain secure, and there is process around that. For my PC, if I had the time, I would take ownership of the TPM chip if it was my Primary Laptop. If it was just a secondary device, for occasional web browsing etc... I might not bother to take ownership.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, November 16, 2017 5:56 PM
    Moderator
  • Thanks. It's a new concept I'm trying to grasp. All along in our Public Safety org, when we get an old pc in, we decrypt the drive (which I don't understand why because we will reimage it).
    When we're ready to reuse the pc, we deploy a new custom image via MDT. The pc name we give it is new...freshly added to AD with no prior Bitlocker key. Then when MDT is completed, we sign on as Admin and start an encryption, a full HDD and New Encryption. We've never cleared the TPM and I really never knew about this until a few days ago. I'm guessing what we're doing so far is working. I just need to check with our GPO group to have them change the defaults to Full HDD and New Encryption Mode so MDT can automate encrypting the drive.
    Does this sound legit?
    Thursday, November 16, 2017 6:02 PM
  • I would never decrypt a drive if I am doing wipe and load - there is simply no reason to. Clearing TPM is not always necessary - for instance, I was working with a customer on a Windows 10 image the other day and the TPM 2.0 module on Fujitsu Lifebook was in status "ready", so there was no reason to clear the TPM chip. In fact, clearing the TPM chip resulted in the OS not being able to detect the TPM anymore, so there is that...

    To check TPM status after running BitLocker encryption, simply run tpm.msc - TPM module status will be displayed right in the middle of the console. If it shows up as "ready for use with reduced functionality", then you should consider clearing the TPM. In fact, Windows 10 1709 adds a GPO setting that checks TPM module status and performs TPM clear if TPM is detected to be not in the "ready" state.

    Now, as to performing drive encryption: if you are using BitLocker pre-provisioning (which I would recommend as it saves you tons of time in the end), then MDT will encrypt only used space (unless you modify the ZTIBDE.wsf script and comment out the -used parameter):

    oUtility.RunWithHeartbeat """" & oEnv("SystemRoot") & "\system32\Manage-bde.exe"" -on " & oUtility.GetOSTargetDriveLetter & " -used"

    To automate BitLocker encryption, you could add following lines to your CustomSettings.ini:

    IsBDE=TRUE
    BdeInstallSuppress=NO
    BDEDisablePreProvisioning=NO
    BDEInstall=TPM
    BDEWaitForEncryption=YES
    SkipBitlocker=YES


    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter


    Thursday, November 16, 2017 6:39 PM
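    As an added example (not code from Anton's or Keith's posts, nor from MDT's own ZTIBDE.wsf), the tpm.msc status check described above and the "enable the protectors afterwards" step of Keith's task sequence can be verified from an elevated PowerShell session on the freshly deployed Windows 10 machine. It assumes the TrustedPlatformModule and BitLocker PowerShell modules are present; treating TpmReady = $false on a present TPM as the "reduced functionality" state is an assumption.

    ```powershell
    # Added example, not from the thread or MDT: post-deployment check of TPM readiness
    # and BitLocker state on the OS volume. Run elevated on Windows 10.
    #Requires -RunAsAdministrator

    function Get-TpmReadiness {
        # Get-Tpm reports the state tpm.msc shows in the middle of the console.
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent) {
            return [pscustomobject]@{ State = 'NoTpm'; Detail = 'No TPM detected by the OS' }
        }
        if ($tpm.TpmReady) {
            return [pscustomobject]@{ State = 'Ready'; Detail = 'TPM owned and ready; no clear needed' }
        }
        # Assumption: present-but-not-ready matches tpm.msc's
        # "ready for use with reduced functionality" (OS could not take ownership).
        return [pscustomobject]@{
            State  = 'ReducedFunctionality'
            Detail = 'Consider clearing the TPM (tpm.msc or Clear-Tpm) and re-taking ownership'
        }
    }

    function Get-OsVolumeEncryptionState {
        # Pre-provisioned volumes show FullyEncrypted with ProtectionStatus Off
        # until the TPM protector is added and protection is enabled.
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            ProtectionStatus = $vol.ProtectionStatus   # Off = protectors suspended or not yet added
            EncryptionMethod = $vol.EncryptionMethod   # XtsAes128 / XtsAes256 = "New Encryption Mode"
            HasTpmProtector  = [bool]$tpmProtector
        }
    }

    $tpmState = Get-TpmReadiness
    $bde      = Get-OsVolumeEncryptionState
    $tpmState | Format-List
    $bde      | Format-List

    if ($tpmState.State -ne 'Ready') {
        Write-Warning "TPM not ready: $($tpmState.Detail). A TPM protector may not be usable until this is fixed."
    }
    if ($bde.VolumeStatus -ne 'FullyDecrypted' -and $bde.ProtectionStatus -eq 'Off') {
        Write-Warning "Volume is encrypted but unprotected (pre-provisioned/suspended): add a TPM protector and run Resume-BitLocker or 'manage-bde -protectors -enable'."
    }
    ```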
  • You are mostly on the right track. For new computer installations, where the old OS is not needed any more, I don't see *ANY* reason to decrypt the drive, in fact in most scenarios, that could make is WORSE! Before decrypting the drive, all the data was protected through Bitlocker, but if you decrypt the drive, the old data will now be visible to any disk forensics tools. Best to just leave it encrypted, and when you install the New OS, it will just blindly remove the old partitions (gone forever), and lay down a new partition configuration.

    Keith's right. Since the new install is going over the old OS, you are in effect wiping out the old install. Watch during a task sequence, it's suspending the protection, dropping a new os, and locking it back down. This is what makes MDT+Bitlocker such a winning combo, they play nice together. You can't say that about third party encryption systems, those are a nightmare with MDT.
    Thursday, November 16, 2017 7:45 PM
  • Thanks you guys. My final piece of this was whether or not I really need to clear the TPM. As I stated, we decrypt (I know...), then drop a new image on the same pc but with a completely unique computer name that has no Bitlocker key in AD. We never have and so far never have had an issue. If it's not necessary, I'd like to ask our AD group to configure the GPO so that by default the entire drive and New Encryption Mode are always selected. :)
    Thursday, November 16, 2017 7:52 PM
  • Thanks you guys. My final piece of this was whether or not I really need to clear the TPM. As I stated, we decrypt (I know...), then drop a new image on the same pc but with a completely unique computer name that has no Bitlocker key in AD. We never have and so far never have had an issue. If it's not necessary, I'd like to ask our AD group to configure the GPO so that by default the entire drive and New Encryption Mode are always selected. :)

    Just because you do not see any issues at first, does not mean that your TPM is in the "right" state. :) Check the tpm.msc console as outlined above and either configure the 1709 GPO to deal with the TPM or use a script / manually clear the TPM.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter


    Thursday, November 16, 2017 7:56 PM
  • I keep hitting walls. We have one OU, policy-free, which is the only OU that the administrator will auto-logon during MDT. Any other OU, you must type out administrator and enter the p/w.
    Of course, this OU is NOT the Bitlocker OU. I tested this just now. It shows Bitlocker can be suspended or decrypted, but no key in AD. In Win7 we could auto-logon with administrator during MDT. Now in 1703 we cannot, in the same OU. It doesn't seem that AD will give much assistance to finding out why the ONLY OU we can auto-logon to is the policy-free OU. That's fine but you don't get Bitlocker that way.

    Thursday, November 16, 2017 8:04 PM