MDT 2013 - Bitlocker keys to network (Non-Domain)

  • Question

  • Hi there,

I am in the process of rolling out Bitlocker to my company via a tool which helps me run powershell with administrative privileges; the Bitlocker key is sent to a network share that I've given access restrictions. Having some problems when I try to add my custom bitlocker script in MDT. TL;DR The script seems to run, but encryption does not happen...


Dumped it into script root and tried to add it as an application with the below command

    powershell.exe -NoProfile -ExecutionPolicy unrestricted "%ScriptRoot%\TS_Enable-Bitlocker.ps1"

    Tried to add it to Task sequence as a powershell script.

    Script location: -%ScriptRoot%\TS_Enable-Bitlocker.ps1

    Parameters: -NoProfile -ExecutionPolicy unrestricted

I understand MDT has it built in but I have not been able to get it to send it to my bitlocker key store.

    Here's the part for BDE inside customsettings.ini

    ; BDE settings
    BDEInstallSuppress=NO
    BDEDriveLetter=S:
    BDEDrivesize=2000
    BDEInstall=TPMKey
    BDEWaitForEncryption=TRUE
    BDERecoveryKey=AD
    BDEKeyLocation=\\SHARE\bitlocker
    UserDomain=SERVERNAME
    UserID=bitlocker
    UserPassword=Test1234

    Thursday, June 1, 2017 4:10 AM

All replies

For BitLocker to be able to start encrypting, the TPM must first be enabled.

    My cs.ini looks pretty much the same. And I use HP's biosconfigutility as a step in my task sequence to enable tpm.

    Thursday, June 1, 2017 5:39 AM
  • Yup, TPM is enabled.

The thing that bugs me is my powershell does this flawlessly and it does not work when I placed it inside MDT. I didn't take ownership of TPM.

Is it mandatory to add a BIOS utility to enable TPM if using the built-in bitlocker scripts? When I used the built-in one, in one of my best attempts it did generate a file which only contained the key, and it didn't auto unlock.

Here's part of my powershell script:

    # Enabling Bitlocker on "C:" only
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe manage-bde -on C: -s -RecoveryPassword
    
    # Drop a text with protector details to bitlocker key repo.
    $b = hostname
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe manage-bde -protectors C: -get > "\\share\bitlocker\$b-Recoverykey.txt"


    • Edited by Felix_fx2 Thursday, June 1, 2017 7:42 AM update more info
    Thursday, June 1, 2017 7:22 AM
Well yea, you must use the vendor tools if you want TPM to be enabled automatically during deploy. Otherwise you will have to enable it manually in the BIOS prior to deploy. Without TPM enabled there will be no encryption done.

There is more info about it here: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker

    My cs.ini looks like this:

    BDEInstallSuppress=NO
    BDEWaitForEncryption=FALSE
    BDEInstall=TPMPin
    BDEPin=XXXX
    BDERecoveryKey=AD
    BDEKeyLocation=\\servername\folder
    BDEDriveLetter=S:
    BDEDriveSize=2000

And the recovery key is stored in that folder. The two BitLocker steps in the Task Sequence are untouched.


    • Edited by Balterz Friday, June 2, 2017 11:21 AM
    Thursday, June 1, 2017 12:12 PM
I'll try adding the Dell tools (my test machine is a Dell, but I've got other brands as well), give it a try again and post results.

    Friday, June 2, 2017 9:33 AM
  • Have you placed the username and password in your bootstrap.ini file?

    This is mine below

    [Settings]
    Priority=Default

    [Default]
    SkipBDDWelcome=YES 
    KeyboardLocale=en-US
    UserID=***
    UserDomain=****
    UserPassword=*****

    Tuesday, June 6, 2017 4:21 PM
  • Besides having TPM enabled, you should only need this in an AD environment:

    OSDBitLockerMode=TPM
OSDBitLockerCreateRecoveryPassword=AD
    OSDBitLockerWaitForEncryption=FALSE
    BDEInstall=TPM
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDERecoveryKey=AD
    BDEKeyLocation=\\SERVER\SHARE$
    TPMOwnerPassword=Pa$$w0rD

FYI if TPM is not enabled before pre-provisioning, then be sure to disable that task so you won't see an error. You do not need to specify a drive letter or the size; that will be done correctly on its own.

    ** Will also work just fine saving the bitlocker key if the machine doesn't join a domain. **


    If this post is helpful please vote it as Helpful or click Mark for answer.


    • Edited by Dan_Vega Tuesday, June 6, 2017 9:31 PM
    Tuesday, June 6, 2017 9:28 PM
  • Nope, the local account that's used to copy the recovery key is already in cs.ini
    Wednesday, June 7, 2017 2:19 AM
  • ; BDE settings
    BDEInstallSuppress=NO
    BDEDriveLetter=S:
    BDEDrivesize=2000
    BDEInstall=TPMKey
    BDEWaitForEncryption=FALSE
    BDERecoveryKey=AD
    BDEKeyLocation=\\SHARE\bitlocker
    UserDomain=Server
    UserID=bitlocker
    UserPassword=Test1234

Dan, here's my current BDE section. So I can safely remove drive letter and drive size without causing any problems?

I am working in a workgroup environment; my goal here is to have bitlocker enabled during deployment (we are doing it via MDT media) without my techs having to do more after MDT is complete. When I enabled bitlocker with the above in cs.ini, bitlocker is enabled with the bitlocker key copied to a network share, but it does not auto unlock and prompts for the recovery key on every reboot until auto unlock is initiated from the bitlocker menu inside Windows.

    Wednesday, June 7, 2017 2:32 AM
  • The only thing extra I did in my task sequence was create a safety net, so in case the tech didn't enable and activate TPM before imaging it would still get done. Unfortunately, our Dell computers require a reboot after enabling and activating TPM so it won't work for pre-provisioning but the machine will still end up encrypted.

In my case I added the Dell CCTK tools to the boot image and use that to enable TPM.

    MDT will partition everything correctly for BitLocker, you do not need to specify drive letter or size. Just make sure that the account used for MDT has permissions to write to the folder where you're saving the key. Just like you would for the Log folder.


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Wednesday, June 7, 2017 1:28 PM
I fixed the encryption problem by not calling powershell from sysnative (my script agent runs x86 powershell by default and I've been adding `C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe` to force an x64 instance).

    # Starting Bitlocker encryption process
    # Requires TPM to be present but not taking ownership
    # Outfile format hostname-Recoverykey.txt will be deposited in keystorage
    # This powershell is to be only used with MDT or manually invoked
    
    # Creating connection to bitlocker key storage
    net use \\share\bitlocker /PERSISTENT:YES /User:bitlocker Test1234
    
    # Test connection
if (test-path \\share\bitlocker)
{
    Write-Host "Bitlocker Share found"
}
else
{
    Write-Host "Bitlocker Share NOT FOUND exiting script..."
    Exit
}
    
    # Enabling Bitlocker on "C:" only
    manage-bde -on C: -s -RecoveryPassword
    
    # Drop a text with protector details to bitlocker key repo.
    $b = hostname
    manage-bde -protectors C: -get > "\\share\bitlocker\$b-Recoverykey.txt"
    
    # Bitlocker will start to encrypt the machine with AES-CBC 128 bit


Hope someone else benefits from this.

    1. Dump the script to %scripts%

2. Add as an application with command powershell.exe -NoProfile -ExecutionPolicy unrestricted "%ScriptRoot%\TS_Enable-Bitlocker.ps1"

3. Insert as an application

Going to work on adding CCTK and other BIOS tools to enable TPM since this is complete.

    • Edited by Felix_fx2 Friday, June 9, 2017 8:57 AM
    Friday, June 9, 2017 8:56 AM
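A hardened rewrite of the final TS_Enable-Bitlocker.ps1 above, added here as an example (it is not the thread author's script or part of MDT): it assumes the share path and a credential object are passed in as parameters (the `KeyShare` and `ShareCredential` names are mine), runs elevated from the task sequence, and uses the BitLocker and TPM PowerShell modules that ship with Windows 8 and later instead of manage-bde, checking the two failure modes the thread ran into (32-bit host, TPM not ready) before touching the disk.

```powershell
# Added example, not the thread's script. Assumptions: share path and credential are passed in
# instead of being hard-coded; Windows 8+/10 with the BitLocker and TrustedPlatformModule modules;
# run as administrator from the MDT task sequence. Parameter names are hypothetical.
param(
    [string]$KeyShare = '\\share\bitlocker',                 # placeholder path taken from the thread
    [Parameter(Mandatory)][pscredential]$ShareCredential     # the restricted 'bitlocker' share account
)
$ErrorActionPreference = 'Stop'

# Root cause found in the thread: a 32-bit host was launched and encryption silently never started.
if (-not [Environment]::Is64BitProcess) {
    throw 'Run from a 64-bit PowerShell host (powershell.exe from System32, not SysWOW64).'
}

# The TPM must be present and ready (enabled + activated) before a TPM protector can be added.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); enable it in BIOS or with the vendor tool first."
}

# Map the key store with the supplied credential instead of 'net use' with a clear-text password in the script,
# and verify it is reachable before encryption starts so a key is never created that cannot be backed up.
New-PSDrive -Name KeyStore -PSProvider FileSystem -Root $KeyShare -Credential $ShareCredential | Out-Null
if (-not (Test-Path 'KeyStore:\')) { throw "Key store $KeyShare not reachable; aborting." }

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Recovery password first, then the TPM protector: the OS drive then auto-unlocks at boot
    # (the thread's TPMKey attempt prompted for the recovery key on every reboot).
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -SkipHardwareTest -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
}

# Read the recovery password from the volume object instead of parsing 'manage-bde -protectors -get' output.
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$record = [pscustomobject]@{
    Hostname         = $env:COMPUTERNAME
    Timestamp        = (Get-Date).ToString('s')
    KeyProtectorId   = $rp.KeyProtectorId
    RecoveryPassword = $rp.RecoveryPassword
}
# One file per host; the restricted share ACL the OP set up is what protects this record.
$record | ConvertTo-Json | Set-Content -Path "KeyStore:\$($env:COMPUTERNAME)-Recoverykey.json" -Encoding UTF8
Remove-PSDrive -Name KeyStore
```

Pass the credential in from the task sequence (for example built from the UserID/UserPassword variables) rather than embedding it, so the script itself carries no secret.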