6 Replies Latest reply on Dec 8, 2016 5:36 AM by sthon

    Looking for tips and tricks on bit locker drive encryption management via DSM...

    rkelsall Rookie

      Hi everyone.

      We have a customer asking how to manage BitLocker whole-disk encryption using DSM. Ideally they are looking for any scripts or packages so they do not need to manage it via AD GPO.

      Also, any tips and tricks in this area are welcome!

      Thanks in advance!

      Rob Kelsall

        • 1. Re: Looking for tips and tricks on bit locker drive encryption management via DSM...
          markuszierer Apprentice

          Hi Rob,

          Currently I do not have any sample scripts or code I can share, but I can give you some tips.

          When you want to manage BitLocker with DSM, you should utilize an EXE from Microsoft. I think the name is bdemgr.exe or similar.

          Finding out the required GPO settings is quite easy when you know how to do it. Go to the Microsoft Download Center and search for "Group Policy Reference". You should find a couple of hits; it is best to select the one for the latest OS. Once downloaded, extract the archive and you get an Excel sheet with all the nice and fancy GPO settings documented. Just filter for BitLocker and you should see all the interesting stuff. If I remember correctly, configuration is done mainly via registry keys, so all you have to do is create a script that sets all the required values.

          2 of 2 people found this helpful
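The registry-based approach described above, as an added example (not code from the post or from DSM): the BitLocker policies in the Group Policy Reference spreadsheet map to DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE, so a package can write them directly and then check for drift. The value names and codes below are the ones the ADMX/spreadsheet documents for the OS-drive policies (TPM options: 0 = do not allow, 1 = require, 2 = allow; recovery options: 0 = do not allow, 1 = require, 2 = allow; encryption method 7 = XTS-AES 256, 4 = AES-CBC 256); the chosen values are an assumed baseline (TPM + PIN, 48-digit recovery password escrowed to AD, no USB recovery keys) and should be adjusted to the customer's policy.

```powershell
# Added example: apply BitLocker OS-drive policy without a GPO by writing the FVE policy keys.
# Values are assumptions for a TPM+PIN baseline; confirm each name against the Group Policy
# Reference sheet for the target OS before deploying.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$Desired = [ordered]@{
    # "Require additional authentication at startup"
    UseAdvancedStartup             = 1
    EnableBDEWithNoTPM             = 0   # never fall back to a startup key without a TPM
    UseTPM                         = 0   # TPM-only not allowed ...
    UseTPMPIN                      = 1   # ... TPM + PIN is required
    UseTPMKey                      = 0
    UseTPMKeyPIN                   = 0
    # "Configure minimum PIN length for startup"
    MinimumPIN                     = 8
    # "Choose drive encryption method and cipher strength" (Windows 10 1511 and later)
    EncryptionMethodWithXtsOs      = 7   # XTS-AES 256 for the OS drive
    EncryptionMethodWithXtsFdv     = 7   # XTS-AES 256 for fixed data drives
    EncryptionMethodWithXtsRdv     = 4   # AES-CBC 256 for removable drives (older readers)
    # "Choose how BitLocker-protected operating system drives can be recovered"
    OSRecovery                     = 1
    OSManageDRA                    = 0   # no data recovery agent
    OSRecoveryPassword             = 1   # 48-digit recovery password is required
    OSRecoveryKey                  = 0   # no recovery key files on USB
    OSHideRecoveryPage             = 1   # do not show recovery options in the setup wizard
    OSActiveDirectoryBackup        = 1   # escrow recovery information to AD DS ...
    OSActiveDirectoryInfoToStore   = 1   # ... passwords and key packages ...
    OSRequireActiveDirectoryBackup = 1   # ... and refuse to encrypt until the escrow succeeded
}

function Set-FvePolicy {
    # Create the key if missing and (over)write every desired value as a DWORD.
    param([System.Collections.IDictionary]$Values, [string]$Path = $FvePolicy)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-FvePolicy {
    # Returns the names whose current value differs from the desired one (nothing = compliant),
    # so the DSM job can report drift instead of silently trusting the write.
    param([System.Collections.IDictionary]$Values, [string]$Path = $FvePolicy)
    $current = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    foreach ($name in $Values.Keys) {
        $actual = if ($current) { $current.PSObject.Properties[$name].Value } else { $null }
        if ($actual -ne $Values[$name]) { $name }
    }
}

Set-FvePolicy -Values $Desired
$drift = @(Test-FvePolicy -Values $Desired)
if ($drift.Count -gt 0) {
    Write-Error "BitLocker policy values not applied: $($drift -join ', ')"
} else {
    Write-Output 'BitLocker policy applied; check the effective settings with: manage-bde -status'
}
```

Two caveats a practitioner should keep in mind: these values are read when a volume is enabled, so changing the encryption method does not re-encrypt volumes that are already protected, and because they live in the same key a GPO would write to, any BitLocker GPO that later applies to the machine silently overwrites them.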
          • 3. Re: Looking for tips and tricks on bit locker drive encryption management via DSM...
            frank.seidel1 Rookie

            Hi there,

            I have worked on this issue recently. On W7 you should use manage-bde.exe to stop BitLocker encryption ("%WINSYSDIR%\manage-bde.exe" -protectors -enable/disable %Systemdrive%). Unfortunately you have to reboot after your changes and start the encryption again afterwards. Here you could use the RunOnce key in the registry. In W10 there is a PowerShell command for this. If you have further questions, do not hesitate to ask!

            Cheers, Frank

            1 of 1 people found this helpful
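The suspend-reboot-resume sequence described above, as an added example (not code from the post): on Windows 8 and later the BitLocker module can count reboots itself, while on Windows 7 the protectors are disabled with manage-bde and re-enabled through the RunOnce key the post mentions. The function picks whichever is available. The security point is that a volume with disabled protectors stores its volume key in the clear on disk, so the re-enable step must be queued before the reboot, not left to a later job. The RunOnce value name is an assumption.

```powershell
# Added example: suspend BitLocker protection on the OS drive for one reboot and make sure
# it is re-armed afterwards. Assumes an elevated session; 'ResumeBitLocker' is an assumed name.
function Suspend-OsDriveProtection {
    param([int]$RebootCount = 1)
    $drive = $env:SystemDrive
    $mbde  = "$env:SystemRoot\System32\manage-bde.exe"

    if (Get-Command Suspend-BitLocker -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the OS re-enables the protectors on its own
        # after $RebootCount restarts, so no RunOnce entry is needed.
        Suspend-BitLocker -MountPoint $drive -RebootCount $RebootCount | Out-Null
    } else {
        # Windows 7: manage-bde has no reboot counter. Disable the protectors now and queue the
        # re-enable in RunOnce; it runs at the next administrator logon, before any later job.
        & $mbde -protectors -disable $drive | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed with $LASTEXITCODE" }
        $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        $cmd = "`"$mbde`" -protectors -enable $drive"
        New-ItemProperty -Path $runOnce -Name 'ResumeBitLocker' -Value $cmd -PropertyType String -Force | Out-Null
    }
}

function Test-OsDriveProtectionResumed {
    # $true once the protectors are back on. manage-bde is used so the check also works on
    # Windows 7: with -protectionaserrorlevel it exits 0 when protection is On.
    & "$env:SystemRoot\System32\manage-bde.exe" -status $env:SystemDrive -protectionaserrorlevel | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Typical package flow: suspend, apply the change that needs the reboot, restart, then let the
# follow-up job verify with Test-OsDriveProtectionResumed and fail loudly if it returns $false.
Suspend-OsDriveProtection -RebootCount 1
```

If the follow-up job finds protection still off, treat it as a failure of the package rather than "encryption still pending": the disk is readable to anyone who boots it until the protectors are enabled again.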
              • 5. Re: Looking for tips and tricks on bit locker drive encryption management via DSM...
                SitzRieSe Expert

                Here is my example of how you can handle it. Maybe it will help you.

                !Check if TPM is available
                Set('Count','0')
                WMIGetInstanceCount('\\.\root\cimv2\Security\MicrosoftTpm','Win32_Tpm','Count')/TS
                If %Count%='-1'
                  MsgBoxEx('Please enable TPM and TPM State in BIOS!','return','',mbOK,'600','0')
                  ExitProcEx(Undone,'TPM is not enabled!')
                Else
                  If not %Count%='0'
                    WMIGetIndexData('\\.\root\cimv2\Security\MicrosoftTpm','Win32_Tpm','0','WMI_')
                    IsEnabled_InitialValue
                    EndProc/TS
                    goto StartEncryption
                  Else
                    MsgBoxEx('Please enable TPM and TPM State in BIOS!<cr><cr>TPM: IsEnabled_InitialValue= %WMI_IsEnabled_InitialValue%','return','',mbOK,'600','0')
                    ExitProcEx(Undone,'TPM is not enabled!')
                !
                : StartEncryption
                !Prepare fileshare
                MakeDir('%InstallationParameters.NetworkPath%\%computername%\%date%\')/TS
                !
                !Start disk encryption
                ExecuteEx('cmd.exe /c "manage-bde.exe -on %systemdrive% -SkipHardwareTest -EncryptionMethod aes256 -recoverykey "%InstallationParameters.NetworkPath%\%computername%\%date%" -RecoveryPassword > "%InstallationParameters.NetworkPath%\%computername%\%date%\RecoveryPassword.txt""','exitcode','')/?/x64/TS
                If not %exitcode%='0'
                  If not %exitcode%='3010'
                    ExitProcEx(Failed,'BitLocker failed with %exitcode%')
                !
                !Waiting for the disk encryption to finish?
                If %InstallationParameters.CheckProgress%='Nein'
                  ExitProc(Done)
                !
                !Check disk encryption progress
                : cryptstate
                RunAsEx('cmd.exe','/c manage-bde.exe -status %systemdrive% & cmd /c timeout /T 60','','','10','',raUseSisAccount+WaitForExecution+UndoneContinueParentScript)/x64/TW
                RunAsEx('cmd.exe','/c manage-bde.exe -status %systemdrive% -protectionaserrorlevel','','','10','CRYPT',raUseSisAccount+WaitForExecution+UndoneContinueParentScript)/x64/TS
                If not %CRYPT%='0'
                  ! encryption still running
                  goto cryptstate
                !
                : $BeginUninstallScript

                • 6. Re: Looking for tips and tricks on bit locker drive encryption management via DSM...
                  sthon Apprentice

                  I am dabbling with this at the moment as well, but with LANrev on Windows 10; it should work down to 8.

                  It's in PowerShell:

                  # Placeholder PIN from the post; a real deployment would not hard-code it
                  $Key = ConvertTo-SecureString "123456" -AsPlainText -Force
                  # Encrypt the OS drive with a TPM+PIN protector, used space only, skipping the hardware-test reboot
                  Enable-BitLocker $env:SystemDrive -TpmAndPinProtector -Pin $Key -UsedSpaceOnly -SkipHardwareTest
                  # Add a 48-digit recovery password as a second protector
                  Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
                  # Export the recovery password to two folders (placeholder paths)
                  (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.RecoveryPassword > "somefolder1\bitlocker_$env:computername.txt"
                  (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.RecoveryPassword > "somefolder2\bitlocker_$env:computername.txt"

                  It encrypts the drive with a PIN, adds a recovery key and exports the key to folder 1 and folder 2.

                  Additionally, the GPO has to allow BitLocker system drive encryption.
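The two scripts in this thread (the DSM one with manage-bde and the PowerShell one above) both end by writing the 48-digit recovery password as plain text to a folder keyed by computer name; anyone who can read that share can unlock the corresponding disk, and the copy is easy to forget when the machine is retired. Below is an added example, not code from either post or from DSM/LANrev, that keeps the same flow (TPM check, TPM or TPM+PIN protector, recovery password added right away, wait for completion) but escrows the recovery password to the computer object in AD DS with Backup-BitLockerKeyProtector and returns only protector IDs, so nothing secret reaches the job log. It assumes Windows 8 or later with the BitLocker module, an elevated session, a domain-joined machine whose AD schema holds BitLocker recovery information, and Windows 10 1511 or later for XtsAes256 (use Aes256 on Windows 8/8.1).

```powershell
# Added example: enable BitLocker on the OS drive and escrow the recovery password to AD
# instead of a text file on a share. Assumes BitLocker module, elevation, domain-joined host.
function Test-TpmReady {
    # Same check as the DSM script's Win32_Tpm lookup: no instance means no TPM, and a TPM
    # that is present but disabled/deactivated in firmware cannot hold the protector.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    return ($null -ne $tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
}

function Enable-OsDriveBitLocker {
    param(
        [System.Security.SecureString]$Pin,          # omit for a TPM-only protector
        [string]$Method = 'XtsAes256',               # 'Aes256' on Windows 8 / 8.1
        [switch]$EscrowToAd
    )
    $drive = $env:SystemDrive
    if (-not (Test-TpmReady)) { throw 'TPM is not present or not enabled; fix it in firmware first.' }

    $vol = Get-BitLockerVolume -MountPoint $drive
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        if ($Pin) {
            Enable-BitLocker -MountPoint $drive -TpmAndPinProtector -Pin $Pin -EncryptionMethod $Method `
                             -UsedSpaceOnly -SkipHardwareTest | Out-Null
        } else {
            Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod $Method `
                             -UsedSpaceOnly -SkipHardwareTest | Out-Null
        }
        # Add the recovery password immediately, so a TPM change or forgotten PIN is never fatal
        Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    }

    $rp = @((Get-BitLockerVolume -MountPoint $drive).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) { throw 'No recovery password protector on the volume; refusing to continue.' }

    if ($EscrowToAd) {
        # Stores the protector under the computer object (msFVE-RecoveryInformation); this is the
        # manual equivalent of the OSActiveDirectoryBackup policy and needs no share at all.
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }
    # Return only the IDs, never the 48-digit password, so the package log stays free of secrets
    return $rp.KeyProtectorId
}

function Wait-OsDriveEncrypted {
    # Equivalent of the DSM script's cryptstate loop, without shelling out to manage-bde.
    param([int]$PollSeconds = 60)
    do {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        Write-Verbose ('{0} {1}% {2}' -f $vol.MountPoint, $vol.EncryptionPercentage, $vol.VolumeStatus)
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds $PollSeconds }
    } while ($vol.VolumeStatus -ne 'FullyEncrypted')
    return ($vol.ProtectionStatus -eq 'On')
}

# Usage: the PIN comes from the operator or the deployment tool's secure parameter, not the script
$pin = Read-Host -AsSecureString 'Startup PIN'
$ids = Enable-OsDriveBitLocker -Pin $pin -EscrowToAd
Write-Output "Recovery password protector(s) escrowed: $($ids -join ', ')"
if (-not (Wait-OsDriveEncrypted -Verbose)) { Write-Error 'Encryption finished but protection is not On' }
```

If the environment has no AD escrow at all and a file drop is unavoidable, at least create the per-computer folder with an ACL limited to the helpdesk group before manage-bde or PowerShell writes into it, and delete the file once the password has been imported into whatever system of record the customer uses; the posts' shares, as written, inherit whatever permissions the parent folder has.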