Second post of my “Security Week” series…
Most of you out there who are security conscious should be aware of BitLocker, it’s the disk encryption feature built into Windows Vista and above, and a must-have for any one with a laptop that contains private information. Or for desktops for that matter.
For the past couple of years, I have only purchased business class machines that have TPM chips so I can run BitLocker in a secure fashion, and it’s nice to see more Windows 8 machines with TPM built in.
One of the difficult aspects of BitLocker with Windows Vista and Windows 7 is the time it takes to actually encrypt the drive. We could launch the encryption process during the installation, and even tell our Task Sequence to wait until the encryption process is done.
With Windows 8, Microsoft introduced the concept of BitLocker Pre-Provisioning, which is the merging of two new features:
- Disabled Protectors (Suspended)
- Used Space only
If you have ever had to upgrade a BIOS on a machine that is BitLocker protected, then you know that you have to disable the BitLocker protectors. BitLocker protects a drive with two sets of keys. The first set encrypts the data on the drive itself. The second set encrypts the first set of keys. IF we need to disable the encryption on a drive temporarily, we don’t want to decrypt the *entire* drive, we put the first set of keys in the clear for anyone to read, then, when ready, we lock it back down with the second set, which can use a variety of methods like TPM, TPM+Pin, Smart Card, etc…
With BitLocker pre provisioning, we encrypt the contents of the drive, but put it into a suspended state. Later when the full OS is installed, we can set the protectors we want, and the drive will be fully encrypted.
With the Used Space Only switch, we can encrypt the drive with the content that has actually been written to the drive (in use). If we perform this step immediately after the “Format and Partition” step in the Task Sequence, then it should be super quick.
MDT has built-in options for enabling BitLocker, however if you have the correct licenses for the MDOP (Microsoft Desktop Optimization Pack), you might be interested in MBAM (Microsoft BitLocker Administration and Monitoring).
You can integrate MBAM with your existing Domain and/or SCCM infrastructure to push out BitLocker Policies. MBAM also does a great job of collecting recovery keys and storing them in it’s own private database for self-service retrieval if and when things go wrong.
Integrating MDT with MBAM
If you want to use MBAM with your MDT deployment process for new computers, a recommended solution is to let MDT handle BitLocker Pre-Provisioning, and let MBAM handle the process of enabling the protectors. That way you can enforce the correct BitLocker Policies with MBAM, and speed up the process by having the machines already encrypted.
The MDT LiteTouch task sequence already has the necessary steps to support BitLocker Pre-Provisioning, all we need to do is enable the Pre-Provisioning part, without letting ZTIBDE.wsf continue with the full encryption.
Do do this, we can simply Disable the second “Bitlocker” step during the “state restore Phase” set the CustomSettings.ini file with the following entries:
BdeInstallSuppress=PreInstall SkipBitlocker=YES isBDE=True
Setting BDEInstallSuppress to PreInstall will allow ZTIBDE.wsf to execute the Pre-Provisioning parts, but not to provision the machine.