

Bit Locker Multiple Drives

Question

Sunday, September 24, 2017 1:20 PM

Hi All - Looking for some help with the task sequence regarding BitLocker. Here is the scenario:

We have a few desktops with multiple hard drives. The OS will go on drive 0 and data will go on drive 1. How can I set up the task sequence to encrypt both drives?

We will be reimaging these desktops, so it will be an OS reload. During the OS reload process through the task sequence we want both drives encrypted and the keys stored in AD.

Appreciate your help.

Thanks

ram

All replies (10)

Sunday, September 24, 2017 3:41 PM

Couple of questions:

  1. Which operating system are you deploying?
  2. Are you using the pre-provision feature of BitLocker?

I'd create a PowerShell script that checks for additional drives and enables BitLocker.


Sunday, September 24, 2017 4:34 PM

1. Operating system will be Win 10

2. Yes, we are using the pre-provision feature of BitLocker. The current task sequence that we are using for single hard disk laptops (Lenovo) is working fine with BitLocker.

Any example of PS that can check for additional drives?

Ram


Monday, September 25, 2017 9:01 AM

Hi,

You can also try adding additional "Pre-provision BitLocker" and "Enable BitLocker" steps in your TS to encrypt the second HDD.

Please see this blog for reference:

https://andrewdcraig.wordpress.com/2014/01/17/bitlocker-in-sccm-with-2nd-hdd-new-and-refresh-scenarios/

Regards,

Jimmy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Monday, September 25, 2017 3:12 PM

First you'd need to figure out how many disks there are on the target machine and perhaps use a task sequence variable to store that information so that you could use it as a condition later on.

Example:

# Count the fixed (local) volumes; @() makes .Count work even when only one volume is returned
$NumberOfDrives = @(Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3").Count

# Store the count as a task sequence variable so a later step or group can use it as a condition
$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$TSEnv.Value("NumberOfDrives") = $NumberOfDrives

The example above creates a new task sequence variable, NumberOfDrives, which you could then use as a condition on the task sequence group that should be processed:

For enabling BitLocker on additional drives, you could use the following:

Of course this is just one approach. You could easily put this all into one big script that checks for additional drives and, if it does not find any, just quits; then you wouldn't need to add any complexity through task sequence variables.


Tuesday, September 26, 2017 6:01 PM

This post got my interest, so I started figuring out how to deal with it. First, you should pre-provision the additional drive during the WinPE phase. By the way, is the additional drive formatted and partitioned during the OS sequence?

For actually applying BitLocker to all drives, the script below could be used as a starting point:

# Fixed (local) volumes, e.g. C: and D:
$Drives = @(Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3" | Select-Object -ExpandProperty DeviceID)

# Handle the OS volume first: auto-unlock of data volumes requires a protected OS volume
$OSDrive = $env:SystemDrive
$Drives = @($OSDrive) + @($Drives | Where-Object { $_ -ne $OSDrive })

ForEach ($Drive in $Drives)
{
  # A pre-provisioned volume is already encrypted but reports ProtectionStatus Off until a protector exists
  $Volume = Get-BitLockerVolume -MountPoint $Drive
  If ($Volume.ProtectionStatus -eq 'Off')
  {
    Write-Host "No protectors for drive: $Drive"
    If ($Drive -eq $OSDrive)
    {
      Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
      Write-Host "Added recovery password protector for drive: $Drive"
      # The TPM protector is only valid on the OS volume
      Enable-BitLocker -EncryptionMethod XtsAes256 -MountPoint $Drive -SkipHardwareTest -TpmProtector
      Write-Host "Enabled BitLocker with XTS-AES256 and TPM protector for drive: $Drive"
    }
    Else
    {
      # Data volumes cannot use the TPM: protect them with a recovery password and let the OS volume unlock them
      Enable-BitLocker -EncryptionMethod XtsAes256 -MountPoint $Drive -SkipHardwareTest -RecoveryPasswordProtector
      Enable-BitLockerAutoUnlock -MountPoint $Drive
      Write-Host "Enabled BitLocker with XTS-AES256, recovery password and auto-unlock for drive: $Drive"
    }
  }
}

What's missing there is backing up the recovery key to AD. If pre-provisioning has done the actual encryption for the additional drives, then after enabling the protectors the backup could be done through the Backup-BitLockerKeyProtector cmdlet.
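The AD backup step the reply above leaves open, as an added example that is not part of the original post. It walks every BitLocker volume, adds a recovery password protector where an encrypted volume has none, and escrows each recovery password with Backup-BitLockerKeyProtector. It assumes the domain has the BitLocker schema extension and that the "Store BitLocker recovery information in Active Directory Domain Services" policy is applied to the computer; without that policy the cmdlet fails, which the function reports per protector instead of aborting. The function name Backup-AllRecoveryPasswordsToAD is mine.

```powershell
# Added example (not from the thread). Assumes AD DS backup of recovery information is
# allowed by policy on this computer; the cmdlet errors out otherwise.
function Backup-AllRecoveryPasswordsToAD {
    [CmdletBinding()]
    param()

    $Results = @()
    foreach ($Volume in Get-BitLockerVolume) {
        $Recovery = @($Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        # An encrypted volume without a recovery password has nothing to escrow: add one first
        if ($Recovery.Count -eq 0 -and $Volume.VolumeStatus -ne 'FullyDecrypted') {
            $Volume   = Add-BitLockerKeyProtector -MountPoint $Volume.MountPoint -RecoveryPasswordProtector
            $Recovery = @($Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }

        # Each recovery password becomes its own msFVE-RecoveryInformation object under the computer account
        foreach ($Protector in $Recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $Volume.MountPoint `
                    -KeyProtectorId $Protector.KeyProtectorId -ErrorAction Stop | Out-Null
                $Status = 'BackedUp'
            }
            catch {
                $Status = "Failed: $($_.Exception.Message)"
            }
            $Results += [PSCustomObject]@{
                MountPoint     = $Volume.MountPoint
                KeyProtectorId = $Protector.KeyProtectorId
                Status         = $Status
            }
        }
    }
    return $Results
}

# Run as a task sequence step after the domain join; fail the step if any escrow did not succeed
$Report = Backup-AllRecoveryPasswordsToAD
$Report | Format-Table -AutoSize
if (@($Report | Where-Object { $_.Status -ne 'BackedUp' }).Count -gt 0) { exit 1 }
```

Run it after the "Enable BitLocker" steps and after the machine has joined the domain, since the backup is written under the computer object. To confirm what landed in AD from a machine with RSAT installed, search for objectClass msFVE-RecoveryInformation under the computer's distinguished name with Get-ADObject and compare the msFVE-RecoveryGuid values against the KeyProtectorId column in the report.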


Wednesday, September 27, 2017 3:54 AM

Use MBAM 2.5 SP1 and the June 2017 Servicing Release update on a standalone or SCCM-integrated deployment. You would then use the MBAM group policy to configure your MBAM client settings and deploy the MBAM 2.5 SP1 client and the June 2017 Servicing Release update on the clients. The MBAM group policy would need to be applied to your in-scope PCs.

There is a good write-up here for an MBAM standalone setup (without SCCM reporting and compliance integration).

Google: MBAM Standalone Deployment

In your OSD SCCM task sequence you would simply have a step towards the end to install the MBAM client MSI. Use the article here to extract the MBAM 2.5 SP1 client MSI.

Once you have the MSI extracted and have downloaded the June 2017 MBAM servicing release update, you would add these as application installs in your task sequence.

Hope this helps to give you an idea of the scope of work.



Wednesday, September 27, 2017 3:55 AM

Your MBAM group policy would control the MBAM BitLocker encryption settings for the OS drive and the second (fixed data) drive on the PCs after the system is imaged via SCCM with a task sequence that includes the MBAM 2.5 SP1 (with June 2017 update) client install step.


Wednesday, September 27, 2017 4:52 PM

If you're using a current MDT-integrated OSD task sequence, you don't have to modify anything in the task sequence steps or scripts except adding the MBAM client app install and the registry settings that force the MBAM client check-in frequency after the task sequence deployment completes. The MBAM encryption will start once the OS deployment task sequence is done.
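The post-deployment registry nudge described above, as an added example that is not part of the original post. The value names and paths (NoStartupDelay under HKLM\SOFTWARE\Microsoft\MBAM, ClientWakeupFrequency under the MDOPBitLockerManagement policy key) and the MBAMAgent service name are my assumptions from the MBAM 2.5 client documentation; check them against the MBAM version you deploy. The function name Set-MbamImmediateCheckIn is mine.

```powershell
# Added example (not from the thread). Value names, key paths and the service name are
# assumptions taken from MBAM 2.5 client documentation; verify them for your build.
function Set-MbamImmediateCheckIn {
    [CmdletBinding()]
    param(
        # How often (in minutes) the agent should contact the MBAM server; policy default is much longer
        [int]$WakeupMinutes = 1
    )

    $ClientKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

    foreach ($Key in @($ClientKey, $PolicyKey)) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    }

    # Skip the agent's random start-up delay so it reports in right after OSD (assumed value name)
    New-ItemProperty -Path $ClientKey -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null

    # Shorten the check-in interval; note that group policy refresh rewrites this policy value,
    # so the short interval only lasts until the next GPO refresh (assumed value name)
    New-ItemProperty -Path $PolicyKey -Name 'ClientWakeupFrequency' -PropertyType DWord -Value $WakeupMinutes -Force | Out-Null

    # Restart the agent so the new settings take effect; fail clearly if the client is not installed yet
    $Agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($null -eq $Agent) {
        Write-Warning 'MBAMAgent service not found: install the MBAM client before this step'
        return $false
    }
    Restart-Service -Name 'MBAMAgent' -ErrorAction Stop
    return $true
}

# Run as the last step of the task sequence, after the MBAM client MSI and servicing update are installed
if (-not (Set-MbamImmediateCheckIn)) { exit 1 }
```

Place this as a "Run PowerShell Script" step after the MBAM client and servicing update installs; because the policy value is managed by the MBAM GPO, the shortened interval is only a kick-start and the GPO-configured frequency takes over afterwards.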


Thursday, September 28, 2017 1:59 PM | 1 vote

Do note that MBAM isn't available for everyone...


Thursday, November 9, 2017 2:41 PM

Thanks to everyone. Unfortunately the project ended and I was not able to complete the above task. I did share some of the info from here with the IT admin to take care of it.

RL