
Enable Windows BitLocker remotely using K1000 and HP BIOS Configuration Utility

I was tasked with a project to enable BitLocker on Windows 7 computers we had deployed to remote sites. I wanted to do this without requiring a user to press F1 for the TPM chip and to automate the BitLocker wizard. There may be better ways to do this and I welcome any ideas or improvements. Here is how I accomplished this.

First, we are an HP shop, so I use the HP BIOS Configuration Utility to make the BIOS changes. I'm sure Dell and others have their own tools. To make changes remotely to the TPM settings you have to apply a BIOS password. We don't use a BIOS password, so I set one with script 1 and then remove it at the end with script 4. Here are the settings I change in our HP BIOS (an asterisk marks the value to be applied):


English
Embedded Security Device
    Device hidden
    *Device available
Embedded Security Activation Policy
    F1 to Boot
    Allow user to reject
    *No prompts
OS management of Embedded Security Device
    *Enable
    Disable
Reset of Embedded Security Device through OS
    Disable
    *Enable
Activate Embedded Security On Next Boot
    Disable
    *Enable
Bypass F1 Prompt on Configuration Changes
    Disable
    *Enable
Embedded Security Device Availability
    *Available
    Hidden
Reset of TPM from OS
    Disable
    *Enable
OS Management of TPM
    Disable
    *Enable

Zip up the above as a text file together with BiosConfigUtility.exe and a startup.bat. (The startup.bat is a dependency: I could not get the BitLocker drive tool to run via cmd with KACE. I read many 64- vs 32-bit articles, K-Agent issues, and so on, and could not get KACE to fire off a simple batch file with the command below, so I use KACE to place a .bat file in the Startup folder to fire it off when the machine reboots, and then remove the .bat with the next script.) Here is the drive command in the bat file:

c:\windows\system32\bdehdcfg.exe -target C: shrink -size 300 -quiet

I'M OPEN TO IDEAS TO FIX THIS. When I pushed it with KACE, the cmd window popped up with "bdehdcfg.exe is not a valid command".
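The "not a valid command" error is what you get when a 32-bit process on 64-bit Windows asks for %SystemRoot%\System32\bdehdcfg.exe: the WOW64 file system redirector silently sends it to SysWOW64, where the tool does not exist. The following PowerShell is an added example (not part of the original post, and not a KACE or HP script): it builds the path through the Sysnative alias when the caller is running under WOW64, runs bdehdcfg.exe with the same flags as the startup.bat above, and returns the exit code so a deployment job can branch on it. The function name, parameters and the assumption that the deployment agent is a 32-bit process are mine.

```powershell
# Added example, not from the original post: create the BitLocker system partition with
# bdehdcfg.exe from a deployment agent that may be running as a 32-bit process on 64-bit
# Windows. A 32-bit process has %SystemRoot%\System32 redirected to SysWOW64, where
# bdehdcfg.exe does not exist; the Sysnative alias reaches the real System32.
# Flags (-target C: shrink -size 300 -quiet) are the ones used in the post.
function Invoke-BdeHdCfg {
    param(
        [string]$Target = 'C:',   # volume to shrink for the system partition
        [int]$SizeMB   = 300      # size of the new partition, as in the post
    )

    $sys32 = Join-Path $env:SystemRoot 'System32'
    # PROCESSOR_ARCHITEW6432 is defined only for a 32-bit process under WOW64 (assumed agent case)
    if ($env:PROCESSOR_ARCHITEW6432) {
        $sys32 = Join-Path $env:SystemRoot 'Sysnative'
    }
    $exe = Join-Path $sys32 'bdehdcfg.exe'

    if (-not (Test-Path $exe)) {
        throw "bdehdcfg.exe not found at $exe (BitLocker requires Windows 7 Enterprise/Ultimate)"
    }

    # Run synchronously and hand the exit code back to the caller instead of relying on a console
    $p = Start-Process -FilePath $exe `
        -ArgumentList @('-target', $Target, 'shrink', '-size', "$SizeMB", '-quiet') `
        -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

$rc = Invoke-BdeHdCfg
if ($rc -ne 0) {
    Write-Warning "bdehdcfg.exe returned exit code $rc; the partition was not created"
} else {
    Write-Host "Partition created; a reboot is required before turning BitLocker on"
}
```

If this runs from a 64-bit host the Sysnative branch is skipped and the normal System32 path is used, so the same script works whichever agent bitness ends up launching it.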

I have 4 scripts in K1000.

Script 1:

Sets a BIOS password, enables the TPM settings, exports the new settings to a txt file in c:/enabletpm, sets autologin, and copies the BitLocker partition bat to Startup. Reboot.

I've omitted the user name and password I used for autologin. I used a service account I created in AD.

After it reboots, the bat file that was copied to Startup will fire off and create the BitLocker partition. This takes about a minute. After it's done I run script 2.

Script 2: sets the second wave of TPM settings, removes the Startup bat file, reboots.

The reason behind the "second wave" was that I noticed sometimes the first time only half the settings would take effect in the HP BIOS, and also that after a reboot it resets the F1 prompt setting, so I give it a second coat of BIOS settings just to be sure; I might as well, since I need to remove the Startup bat file anyway. The BitLocker tool requires a reboot after creating the partition in any case.

Script 3: takes ownership of the TPM, turns on BitLocker, removes autologin.

I used the default VBS that you can find on TechNet. It syncs the key with Active Directory so you don't have to worry about saving a key. It will show up in a BitLocker Recovery tab on the computer account. (If you are not at Server 2008 R2 domain functional level, I believe you have to extend the schema to get this feature on Server 2003. Double-check the BitLocker info on Microsoft's site for your environment.)

Script 4: removes the BIOS password. Run it after encryption has started: if you remove the BIOS password first, it will prevent the VBS from kicking off the encryption, hence the "run after it has started" warning.


Here is the sample VBS I used in script 3, straight from Microsoft. I didn't make a single change.

http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205


Comments

  • First, great post. This might sound like a dumb question as I don't have experience with BitLocker, but how can you confirm this is enabled on the stations you have run this on? For us a big part of encryption is not only doing it but also confirming we have done what we said we did from a compliance perspective. I was curious if there was a way to confirm encryption. - Jbr32 10 years ago
    • Agreed, fantastic post. It would be a great follow up to show how this relates to a compliance audit. - jknox 10 years ago
    • Compliance and enforcement can be done through Microsoft's BitLocker management tool called MBAM. It can do reporting and compliance. Say a user or IT staff suspends the encryption to perform some sort of work; MBAM will see that it is suspended and force it back on. Many other features. It can simplify deployment, but I don't believe it can bypass the F1 security prompt for TPM ownership. That is why we used KACE to deploy and will use MBAM to monitor/report/enforce compliance.

      Here is the link for MBAM info:
      http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx - joe_nismo 10 years ago
  • One solution to the 32bit/64bit discrepancy is to use a 64bit BAT to EXE converter like the one here.
    http://www.f2ko.de/programs.php?pid=b2e

    You can then call whatever you need within that batch on a 64bit OS without worrying about the OS redirecting to %Windir%/syswow64. - adaml 9 years ago
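Jbr32's question above (how to confirm the stations are actually encrypted) can also be answered without MBAM, using the WMI classes Windows 7 exposes for the TPM and for encryptable volumes. The script below is an added example and is not part of the original post, the MBAM product, or any KACE script: it reads TPM enabled/activated/owned state, volume protection status, encryption percentage and whether a numerical recovery password protector (the kind escrowed to Active Directory by the Microsoft VBS) exists, and folds them into a single compliance flag. The function name, the output fields and the compliance rule are mine; the WMI namespaces, classes and method names are the documented Windows ones. It needs local admin rights to query the TPM.

```powershell
# Added example, not from the original post: report TPM and BitLocker state for the OS
# volume so the result of the four KACE scripts can be verified per machine (or collected
# centrally by running this remotely). Uses the Win32_Tpm and Win32_EncryptableVolume WMI
# providers available on Windows 7; the compliance rule at the bottom is an assumption.
function Get-BitLockerCompliance {
    param([string]$DriveLetter = 'C:')

    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'" `
        -ErrorAction SilentlyContinue

    $result = New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        TpmPresent           = ($tpm -ne $null)
        TpmEnabled           = $false
        TpmActivated         = $false
        TpmOwned             = $false
        ProtectionOn         = $false
        EncryptionPercent    = 0
        RecoveryPwdProtector = $false
        Compliant            = $false
    }

    if ($tpm) {
        # Each method returns an object carrying ReturnValue plus the named boolean
        $result.TpmEnabled   = [bool]$tpm.IsEnabled().IsEnabled
        $result.TpmActivated = [bool]$tpm.IsActivated().IsActivated
        $result.TpmOwned     = [bool]$tpm.IsOwned().IsOwned
    }

    if ($vol) {
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        $result.ProtectionOn = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        # ConversionStatus/EncryptionPercentage show whether encryption has finished
        $conv = $vol.GetConversionStatus()
        $result.EncryptionPercent = [int]$conv.EncryptionPercentage
        # KeyProtectorType 3 = numerical password, i.e. the recovery password backed up to AD
        $kp = $vol.GetKeyProtectors(3)
        $result.RecoveryPwdProtector = (@($kp.VolumeKeyProtectorID).Count -gt 0)
    }

    # Compliance rule (assumption): TPM owned, protection on, fully encrypted, recovery password present
    $result.Compliant = $result.TpmOwned -and $result.ProtectionOn -and
        ($result.EncryptionPercent -eq 100) -and $result.RecoveryPwdProtector
    return $result
}

Get-BitLockerCompliance | Format-List Computer, TpmPresent, TpmEnabled, TpmActivated, `
    TpmOwned, ProtectionOn, EncryptionPercent, RecoveryPwdProtector, Compliant
```

A machine on which script 4 was run too early shows TpmOwned true but ProtectionOn false and EncryptionPercent 0, which is exactly the failure the post warns about; a suspended volume shows ProtectionOn false with EncryptionPercent 100, the case joe_nismo describes MBAM catching. Exporting the object with Export-Csv from each station gives the compliance evidence Jbr32 asked for without any additional product.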