none
EMET 5.51 Causing bitlocker recovery key prompts RRS feed

  • Question

  • Hi All,

    I'm currently working for a client who requires a secure build, we are following guidelines which require the use of EMET and Bitlocker.

    We're deploying Win 7 Enterprise Machines via SCCM, we're then installing EMET 5.51 during the TS (Intending on managing EMET via GPO's), Turning TPM on/ Enabling etc, taking ownership then enabling bitlocker with TPM and PIN.

    This all works just fine, up until the point of a GPupdate when the EMET policies are applied (We believe it is DEP that is killing bitlocker) then on next reboot we are prompted for they recovery key...obviously this is not ideal in an enterpise deployment!

    We have tried manually setting DEP via cmdline in the task sequence PRE bitlocker, but any GPO's (Even with DEP as not configured) still seems to overwrite the settings and make changes to the BCD....

    Maybe I'm missing something really obvious, I'm not sure any help would be great!

    Cheers, 
    Tuesday, October 18, 2016 8:04 AM

All replies

  • Before you use emet, use the command line to suspend bitlocker and re-enable it afterwards. If the changes are only applied at next reboot, don't re-enable it, but do a reboot. The suspended protection will be resumed (=re-enabled) after the reboot.

    Command to suspend:

    manage-bde -protectors c: -disable

    Tuesday, October 18, 2016 12:09 PM