Information
BitLocker Drive Encryption provides protection for operating system drives, fixed data drives, and removable data drives that are lost or stolen. BitLocker does this by encrypting the contents of drives and requiring users to authenticate their credentials to be able to access the information. Encrypting the entire Windows operating system drive on the hard disk encrypts all user files and system files on the OS drive, including the swap (page) files and hibernation files.
Applies to
Requirement | Description
---|---
Operating system | Windows 8/8.1 Pro and Windows 8/8.1 Enterprise editions
Hardware TPM | A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication
BIOS firmware | BitLocker requires at least two NTFS disk partitions, one for the system drive and one for the operating system drive
UEFI firmware | BitLocker requires at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive
Recovery keys | Recovery keys are to be stored in Active Directory
EnableBitLocker.vbs script | Enabling BitLocker by using a WMI script (EnableBitLocker.vbs) is available
In this example the base image has been created with a System and OS Partition using the Project Settings in Build Console.
Scenario
This TID details a scenario where a company would like the option to enable BitLocker during the build process.
By using this TID as a guideline it should be possible to modify the scenario to meet your own specific requirements.
Procedure
- Download EnableBitLocker.vbs Script
EnableBitLocker.vbs is a fully functional sample deployment script that uses the publicly available BitLocker and Trusted Platform Module (TPM) WMI providers that can be used as is or customized to meet the needs of your organization.
Download the script from the Microsoft TechNet Script Center (https://gallery.technet.microsoft.com/scriptcenter/BitLocker-deployment-2b260d26#content) (Script Center > Repository > Security > BitLocker deployment script - updated).
- Update zim.cfg

Update your zim.cfg by adding the lines shown below.
  - Update the information read in from ZISD.
```
; Read ZISD:VendorDataENGL
ZISD:Get,VendorDataENGL,VendorDataENGLSTRING
; Read stored information in from VendorDataENGL
Set:Zisd_Project,GetKeyPairStringValue("%VendorDataENGLSTRING%", "Project")
; Added for BitLocker: read the stored "Encrypt OS Partition" choice
Set:zisd_bit_OS,GetKeyPairStringValue("%VendorDataENGLSTRING%", "bit_OS")
; ------------------------------------------------------
; Menu Definitions
; ------------------------------------------------------
```
- Update the 'Detected Hardware' Zim form to allow you to choose whether or not to enable BitLocker
```
Label:Ztoolkit_ComputerName_Form
; Launch a Form to display detected hardware and select machine type
Form:Start,"Info","Hardware Detected","_OkCancel^_Ok",Blue
Form:Item,"Item1",Label,"Manufacturer"
Form:Item,"Item2",EditBox,"%Lookup_Section%",ReadOnly
Form:Item,"Item3",Label,"Model"
Form:Item,"Item4",EditBox,"%Lookup_Value%",ReadOnly
Form:Item,"Item5",Label,"Hardware Image"
Form:Item,"Item6",EditBox,"%Drivers_Image%",ReadOnly
Form:Item,"Item7",Label,"Hardware Type"
Form:Item,"Item8",EditBox,"%Machine_Type%",ReadOnly
Form:Item,"Item9",Label,"OS"
Form:Item,"Item10",EditBox,"%Project_OS%",ReadOnly
Form:Item,"Item11",Label,"Computer Name"
Form:Item,"Item12",EditBox,"%Ask_COMPUTERNAME%"
; Added for BitLocker: radio buttons defaulting to the value stored in ZISD
Form:Item,"Encrypt1",Label,"Encrypt OS Partition:"
Form:Item,"Encrypt2",Radiobuttons,"%zisd_bit_OS%","No,Yes"
Form:Item,"Item14",Label,"Auto Restart after imaging"
Form:Item,"Item15",RadioButtons,"Yes","Yes,No"
Form:Display,"Info"
If:Var,_Form,EQ,"_Cancel"
Menu:Return
End:
Set:Ask_COMPUTERNAME,"%_Info_Item12%"
; Added for BitLocker: capture the selection ("No" or "Yes")
Set:BitLocker_OS,%_Info_Encrypt2%
```
- Update BitLocker information to ZISD
```
;Dialog:Popupclose
Dialog:Popup,"Restoring ENGL Smart Windows build process, please wait...",Green
Pause:3
; Update VendorDataENGL (sample)
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Machine_Type","%Machine_Type%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","OS","%Project_OS%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Project","%Lookup_Project%")
; Added for BitLocker: persist the choice so phase4-before.vbs can read it in Windows
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","bit_OS","%BitLocker_OS%")
```
  - Save the changes to zim.cfg
- Update Project files
- Open the project in Build Console
- Select Expert View
- Select Customisation > Custom Files
- Add EnableBitLocker.vbs file to the project custom files
- Right click in the Properties box and select Add
- Browse to your EnableBitLocker.vbs file and click OK
- Update phase4-before.vbs
- Right click on phase4-before.vbs and select Edit
- Add the BitLocker lines shown below after the `' Add custom script here...` line of the template. Note that the script is called with /on:tpm, which adds a TPM-only key protector with no pre-boot PIN; if your policy requires a PIN, consult the script's own usage text for the other protector modes it supports. The recovery information must also end up where your policy requires it (this TID assumes Active Directory), so confirm the protectors on the built machine with `manage-bde -protectors -get C:`.
```vbscript
'
' Custom script template (phase4-before.vbs)
' Attach to ENGL Ztoolkit ActiveX Control
Set LDAP = CreateObject("ENGL.Ztoolkit.LDAP")
Set Utils = CreateObject("ENGL.Ztoolkit.Utils")
Set ZENworks = CreateObject("ENGL.Ztoolkit.ZENworks")
' Set ZISD Version
ZENworks.ZISDVersion = 11
' Add custom script here...

' --- Added for BitLocker (this TID) ---
' Read in ZISD:VendorDataENGL
VendorDataENGLSTRING = ZENworks.GetZisdAttributeValue("VendorDataENGL")
' Separate strings
zisd_bit_OS = Utils.GetKeyPairStringValue(VendorDataENGLSTRING, "bit_OS")
' Check if zisd_bit_OS is set
If zisd_bit_OS = "Yes" Then
    ' BitLocker needs to be enabled on this machine
    Utils.AppendLog "Enabling BitLocker"
    Utils.AppendLog "Enabling BitLocker on OS Partition"
    ' Prepare the drive (system partition) for BitLocker, logging to ztoolkit.log
    Utils.Run "%comspec% /c BdeHdCfg.exe -target default -quiet >> c:\ztoolkit\ztoolkit.log",0,True
    ' Run the Microsoft sample script with a TPM-only protector and log to ztoolkit.log
    bit_status = Utils.Run("wscript c:\ztoolkit\EnableBitLocker.vbs /on:tpm /l:c:\ztoolkit\ztoolkit.log",0,True)
    Utils.AppendLog "BitLocker script status: " & bit_status
    ' Record the resulting volume status in the build log
    Utils.Run "%comspec% /c manage-bde -status >> c:\ztoolkit\ztoolkit.log",0,True
End If
```
- Save the changes to phase4-before.vbs
- Create and deploy new Ztoolkit image
- Launch Build Console
- Open the project
- Run the Deployment Wizard
- Select the option to create Build Process images
- Select the option to create the Build Process (ztoolkit) image
- Once complete, copy the new Ztoolkit image to the server
- Test
To test that everything is working, do the following:
- PXE boot a machine into Zim
- Select the Restore menu
- Select the project
- Select Enable BitLocker (set "Encrypt OS Partition" to Yes on the Hardware Detected form)
- Continue to restore all images and allow the machine to build
- Once the machine has built successfully, check the following:
  - ztoolkit.log: this should contain the BitLocker information written by phase4-before.vbs
  - Launch a command prompt and run `manage-bde -status`; this gives the current status of the local partitions
  - Open Control Panel and launch BitLocker Drive Encryption; this shows similar information
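The manual checks above can be scripted so that a built machine is only signed off when the OS volume actually carries a TPM protector and a recovery password. The following is an added example written for this TID; it is not ENGL code and not part of the Microsoft EnableBitLocker.vbs sample. It queries the same WMI providers the sample script uses (Win32_Tpm and Win32_EncryptableVolume), appends a one-line verdict to the TID's log file, and exits non-zero on failure. Assumptions: Windows PowerShell on the built machine, run elevated, and the log path C:\ztoolkit\ztoolkit.log from this TID.

```powershell
<#
  Post-build BitLocker verification. Added example for this TID (not ENGL's
  code, not the Microsoft sample script). Uses the same WMI providers that
  EnableBitLocker.vbs uses. Assumes Windows PowerShell, elevated, and the
  TID's log path below.
#>
param(
    [string]$LogFile = 'C:\ztoolkit\ztoolkit.log'
)

# Code tables from the Win32_EncryptableVolume documentation.
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'
}
$ConversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-OsVolumeState {
    $drive = $env:SystemDrive   # the OS partition, normally "C:"
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'"
    if (-not $vol) { throw "No Win32_EncryptableVolume instance for $drive" }

    $protection = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
    $conv       = $vol.GetConversionStatus()
    $ids        = $vol.GetKeyProtectors(0).VolumeKeyProtectorID       # 0 = every protector type
    $types = @()
    foreach ($id in @($ids)) {
        if (-not $id) { continue }
        $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $name = "Type$code"
        if ($ProtectorNames.ContainsKey($code)) { $name = $ProtectorNames[$code] }
        $types += $name
    }
    [pscustomobject]@{
        Drive               = $drive
        ProtectionOn        = ($protection -eq 1)
        Conversion          = $ConversionNames[[int]$conv.ConversionStatus]
        EncryptionPercent   = [int]$conv.EncryptionPercentage
        Protectors          = $types
        HasTpmProtector     = [bool]($types | Where-Object { $_ -like 'TPM*' })
        HasRecoveryPassword = ($types -contains 'NumericalPassword')
    }
}

function Test-BitLockerBuild {
    $tpm = Get-TpmState
    $os  = Get-OsVolumeState
    $reasons = @()
    if (-not ($tpm.Present -and $tpm.Enabled -and $tpm.Activated)) { $reasons += 'TPM not present/enabled/activated' }
    if (-not $os.HasTpmProtector)     { $reasons += 'no TPM-based key protector on the OS volume' }
    if (-not $os.HasRecoveryPassword) { $reasons += 'no numerical (recovery) password protector; nothing to escrow to AD' }
    if ($os.Conversion -notin 'FullyEncrypted', 'EncryptionInProgress') { $reasons += "conversion status is $($os.Conversion)" }
    [pscustomobject]@{
        Pass     = ($reasons.Count -eq 0)
        Tpm      = $tpm
        OsVolume = $os
        Reasons  = $reasons
    }
}

$result = Test-BitLockerBuild
$line = '{0} BitLocker verify: pass={1} drive={2} protectionOn={3} conversion={4} ({5}%) protectors={6}' -f `
    (Get-Date -Format s), $result.Pass, $result.OsVolume.Drive, $result.OsVolume.ProtectionOn, `
    $result.OsVolume.Conversion, $result.OsVolume.EncryptionPercent, ($result.OsVolume.Protectors -join ',')
Add-Content -Path $LogFile -Value $line
if (-not $result.Pass) {
    Add-Content -Path $LogFile -Value ('  reasons: ' + ($result.Reasons -join '; '))
    exit 1
}
exit 0
```

The check deliberately accepts EncryptionInProgress, because the script in phase4-before.vbs returns as soon as the protectors are in place while the volume is still being converted. It does not require ProtectionOn for the same reason, only that a TPM protector and a numerical password protector exist. Whether that numerical password has actually been backed up to Active Directory is governed by Group Policy and cannot be read from the volume; if it was not, `manage-bde -protectors -adbackup C: -id <protector id>` can push it after the fact.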
If there are issues with the process review both the zim.log and ztoolkit.log to troubleshoot the problem.
For more information about the log files review ENGL TID-2013016
If you have any problems or questions about the steps in this TID please contact the ENGL support team