Information
BitLocker Drive Encryption provides protection for operating system drives, fixed data drives, and removable data drives that are lost or stolen. BitLocker does this by encrypting the contents of drives and requiring users to authenticate their credentials to be able to access the information. Encrypting the entire Windows operating system drive on the hard disk encrypts all user files and system files on the OS drive, including the swap (page) files and hibernation files.
Applies to
Requirement | Description
---|---
Operating system | Windows 10
Hardware TPM | TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication (such as TPM+PIN)
BIOS firmware | BitLocker requires at least two NTFS disk partitions, one for the system drive and one for the operating system drive
UEFI firmware | BitLocker requires at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive
Desktop Management Solution | ZENworks Configuration Management
In this example the base image has been created with a System partition and an OS partition using the Project Settings in Build Console.
Scenario
This TID details a scenario where a company would like the option to enable BitLocker during the build process using TPM+PIN.
To do this you will need a Group Policy Object that allows a PIN to be set at startup: under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, the policy "Require additional authentication at startup" must be enabled with "Configure TPM startup PIN" set to allow (or require) a startup PIN. The related policies "Configure minimum PIN length for startup" and "Allow enhanced PINs for startup" determine the PIN rules that the zim.cfg validation below must match. More information on configuring the GPO can be found here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings
Encryption is started with the "used space only" option, and the output of each manage-bde command is appended directly to ztoolkit.log. Note that the output of manage-bde -protectors -add -rp includes the 48-digit recovery password, so that log must be treated as sensitive: back the recovery password up (for example to AD DS) and remove the log entry once the build is complete.
By using this TID as a guideline it should be possible to modify the scenario to meet your own specific requirements.
Procedure
Done | Task
---|---
| Update zim.cfg
| Update Project files
| Create and deploy new Ztoolkit image
| Test
Update zim.cfg
Update your zim.cfg by adding the lines shown below.
- Update the information read in from ZISD.
```
; Read ZISD:VendorDataENGL
ZISD:Get,VendorDataENGL,VendorDataENGLSTRING

; Read stored information in from VendorDataENGL
Set:Zisd_Project,GetKeyPairStringValue("%VendorDataENGLSTRING%", "Project")
Set:Zisd_bit_OS,GetKeyPairStringValue("%VendorDataENGLSTRING%", "bit_OS")
Set:Zisd_bit_PIN,GetKeyPairStringValue("%VendorDataENGLSTRING%", "bit_PIN")

; ------------------------------------------------------
; Menu Definitions
; ------------------------------------------------------
```
- Update the 'Detected Hardware' Zim form so that you can choose whether to enable BitLocker and enter the startup PIN, and validate the PIN against the Group Policy limits before continuing
```
Label:Ztoolkit_ComputerName_Form
; Launch a Form to display detected hardware and select machine type
Form:Start,"Info","Hardware Detected","_OkCancel^_Ok",Blue
Form:Item,"Item1",Label,"Manufacturer"
Form:Item,"Item2",EditBox,"%Lookup_Section%",ReadOnly
Form:Item,"Item3",Label,"Model"
Form:Item,"Item4",EditBox,"%Lookup_Value%",ReadOnly
Form:Item,"Item5",Label,"Hardware Image"
Form:Item,"Item6",EditBox,"%Drivers_Image%",ReadOnly
Form:Item,"Item7",Label,"Hardware Type"
Form:Item,"Item8",EditBox,"%Machine_Type%",ReadOnly
Form:Item,"Item9",Label,"OS"
Form:Item,"Item10",EditBox,"%Project_OS%",ReadOnly
Form:Item,"Item11",Label,"Computer Name"
Form:Item,"Item12",EditBox,"%Ask_COMPUTERNAME%"
Form:Item,"Encrypt1",Label,"Encrypt OS Partition:"
Form:Item,"Encrypt2",Radiobuttons,"%Zisd_bit_OS%","No,Yes"
Form:Item,"Encrypt3",Label,"Enter PIN:"
Form:Item,"Encrypt4",EditBox,"%Zisd_bit_PIN%"
Form:Item,"Item14",Label,"Auto Restart after imaging"
Form:Item,"Item15",RadioButtons,"Yes","Yes,No"
Form:Display,"Info"
If:Var,_Form,EQ,"_Cancel"
  Menu:Return
End:
Set:Ask_COMPUTERNAME,"%_Info_Item12%"

; Validate bitlocker information
; (the PIN entered here is written to ZISD in clear text by the update below and is only
; removed again in phase4-before.vbs)
Set:BitLocker_OS,%_Info_Encrypt2%
Set:BitLocker_PIN,%_Info_Encrypt4%

; Configure the following variables to match Group Policy details
Set:BitLocker_PIN_MinLength,"6"
Set:BitLocker_PIN_MaxLength,"20"
Set:BitLocker_PIN_Enhanced,"False"

If:Var,BitLocker_OS,EQ,"Yes"
  ; We need to check the bitlocker pin is valid
  Set:PinLength,Len(%BitLocker_PIN%)
  If:Var,PinLength,lt,"%BitLocker_PIN_MinLength%"
    Dialog:ask,"Error","You must specify a Bitlocker Pin between %BitLocker_PIN_MinLength% and %BitLocker_PIN_MaxLength% characters","_ok",Red
    Goto:Ztoolkit_ComputerName_Form
  End:
  If:Var,PinLength,GT,"%BitLocker_PIN_MaxLength%"
    Dialog:ask,"Error","You must specify a Bitlocker Pin between %BitLocker_PIN_MinLength% and %BitLocker_PIN_MaxLength% characters","_ok",Red
    Goto:Ztoolkit_ComputerName_Form
  End:
  if:var,BitLocker_PIN_Enhanced,EQ,"False"
    ; The pin entered must be a number. Multiplying by 1 turns a non-numeric string into 0,
    ; but it also drops leading zeros, so a PIN such as 012345 fails the length comparison
    ; below and is rejected as non-numeric; tighten this check if leading zeros must be allowed.
    Set:PINCheck,%BitLocker_PIN%
    Set:PINCheck,Math("*", 1)
    Set:PINCheckLength,Len(%PINCheck%)
    If:Var,PINCheck,EQ,"0"
      Dialog:ask,"Error","You must specify a Numeric PIN","_ok",Red
      Goto:Ztoolkit_ComputerName_Form
    End:
    If:Var,PINCheckLength,NE,"%PinLength%"
      Dialog:ask,"Error","You must specify a Numeric PIN","_ok",Red
      Goto:Ztoolkit_ComputerName_Form
    End:
  End:
End:
```
- Update BitLocker information to ZISD
```
;Dialog:Popupclose
Dialog:Popup,"Restoring ENGL Smart Windows build process, please wait...",Green
Pause:3

; Update VendorDataENGL (sample)
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Machine_Type","%Machine_Type%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","OS","%Project_OS%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Project","%Lookup_Project%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","bit_OS","%BitLocker_OS%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","bit_PIN","%BitLocker_PIN%")
```
- Save changes to zim.cfg
Update Project files
- Open the project in Build Console
- Select Expert View
- Select Customisation > Custom Files
- Update phase2-after.vbs
- Right click on phase2-after.vbs and select Edit
- Add the lines shown below
```vbscript
'
' Custom script template (phase2-after.vbs)
'
' Attach to ENGL Ztoolkit ActiveX Control
Set LDAP = CreateObject("ENGL.Ztoolkit.LDAP")
Set Utils = CreateObject("ENGL.Ztoolkit.Utils")
Set ZENworks = CreateObject("ENGL.Ztoolkit.ZENworks")

' Set ZISD Version
ZENworks.ZISDVersion = 12

' Add custom script here...

' Read in ZISD:VendorDataENGL
VendorDataENGLSTRING = ZENworks.GetZisdAttributeValue("VendorDataENGL")

' Separate strings
zisd_bit_OS = Utils.GetKeyPairStringValue(VendorDataENGLSTRING, "bit_OS")

' Check if zisd_bit_OS is set
If (zisd_bit_OS = "Yes") Then
    ' BitLocker needs to be enabled on this machine
    Utils.AppendLog "Enabling BitLocker Pre-Provisioning"
    Utils.AppendLog "Enabling BitLocker Pre-Provisioning on OS Partition"
    ' Add a recovery password protector. NOTE: manage-bde prints the 48-digit recovery
    ' password, and the redirect below appends it to ztoolkit.log; treat that log as
    ' sensitive and purge the entry once the recovery password has been backed up.
    Utils.Run "%comspec% /c manage-bde -protectors -add C: -rp >> c:\ztoolkit\ztoolkit.log", 0, True
    Utils.AppendLog "Starting Encryption of used space..."
    ' Encrypt used space only (documented long form: -UsedSpaceOnly / -us) and skip the
    ' hardware test reboot so the build process can continue
    Utils.Run "%comspec% /c manage-bde -on C: -used -skiphardwaretest >> c:\ztoolkit\ztoolkit.log", 0, True
    Utils.Run "%comspec% /c manage-bde -status >> c:\ztoolkit\ztoolkit.log", 0, True
Else
    Utils.AppendLog "BitLocker Pre-Provisioning disabled!"
End If
```
- Save the changes to phase2-after.vbs
- Update phase4-before.vbs
- Right click on phase4-before.vbs and select Edit
- Add the lines shown below
```vbscript
'
' Custom script template (phase4-before.vbs)
'
' Attach to ENGL Ztoolkit ActiveX Control
Set LDAP = CreateObject("ENGL.Ztoolkit.LDAP")
Set Utils = CreateObject("ENGL.Ztoolkit.Utils")
Set ZENworks = CreateObject("ENGL.Ztoolkit.ZENworks")

' Set ZISD Version
ZENworks.ZISDVersion = 12

' Add custom script here...

' Read in ZISD:VendorDataENGL
VendorDataENGLSTRING = ZENworks.GetZisdAttributeValue("VendorDataENGL")

' Separate strings
zisd_bit_OS = Utils.GetKeyPairStringValue(VendorDataENGLSTRING, "bit_OS")
zisd_bit_PIN = Utils.GetKeyPairStringValue(VendorDataENGLSTRING, "bit_PIN")

If (zisd_bit_OS = "Yes") Then
    ' Bitlocker activation for normal image: add the TPM+PIN protector.
    ' The PIN is passed on the manage-bde command line, so it is visible to anything
    ' that can read this process's command line while the command runs.
    Utils.AppendLog "Activating BitLocker (ENGL Image)"
    Utils.Run "%comspec% /c manage-bde -protectors -add C: -tpmandpin " & zisd_bit_PIN & " >> c:\ztoolkit\ztoolkit.log", 0, True
Else
    Utils.AppendLog "BitLocker Activation not needed!"
End If

' Remove environment variable ENGL_bit_PIN
Utils.SetSystemEnvironmentVariable "ENGL_bit_PIN", ""

' Remove the PIN from ZISD so it does not persist in image-safe data
VendorDataENGLSTRING = Utils.PutKeyPairStringValue(VendorDataENGLSTRING, "bit_PIN", "")
ZENworks.PutZisdAttributeValue "VendorDataENGL", VendorDataENGLSTRING
ZENworks.WriteZisd
```
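As an added example (not ENGL's or Microsoft's code), the same activation step written as a PowerShell script using the BitLocker module: it validates the PIN against the Group Policy limits without the leading-zero weakness of the Math("*",1) check in zim.cfg, adds the TPM+PIN protector without putting the PIN on a command line, and backs the recovery password up to AD DS instead of leaving it only in ztoolkit.log. It assumes an elevated PowerShell session on the built, domain-joined Windows 10 machine, that phase2 already added the recovery password protector and started encryption, and that the caller reads ZISD bit_PIN and passes it as the -Pin parameter; the parameter names and the Test-StartupPin function are this example's own.

```powershell
<#
 Added example, not part of the ENGL TID. Assumptions (not from the TID):
   - runs elevated in full Windows 10 on the built machine, after phase2 pre-provisioning
     added the recovery password protector and started used-space encryption
   - the machine is domain-joined so Backup-BitLockerKeyProtector can write to AD DS
   - the caller reads ZISD bit_PIN and passes it as -Pin (hypothetical parameter)
#>
param(
    [Parameter(Mandatory = $true)][string]$Pin,
    [int]$MinLength = 6,          # match GPO "Configure minimum PIN length for startup"
    [int]$MaxLength = 20,         # BitLocker's upper limit for a startup PIN
    [switch]$EnhancedPin,         # set if GPO "Allow enhanced PINs for startup" is enabled
    [string]$MountPoint = 'C:',
    [string]$LogPath = 'C:\ztoolkit\ztoolkit.log'
)

# Pattern-based validation keeps leading zeros, so 012345 is accepted as a six-digit
# numeric PIN and 000000 is not mistaken for the number 0.
function Test-StartupPin {
    param([string]$Pin, [int]$MinLength, [int]$MaxLength, [bool]$Enhanced)
    if ($Pin.Length -lt $MinLength -or $Pin.Length -gt $MaxLength) {
        return "PIN must be between $MinLength and $MaxLength characters"
    }
    if (-not $Enhanced -and $Pin -notmatch '^[0-9]+$') {
        return 'PIN must be numeric when enhanced PINs are not allowed'
    }
    if ($Enhanced -and $Pin -notmatch '^[\x20-\x7E]+$') {
        return 'Enhanced PIN may only use characters that can be typed at the pre-boot prompt'
    }
    return $null
}

$problem = Test-StartupPin -Pin $Pin -MinLength $MinLength -MaxLength $MaxLength -Enhanced $EnhancedPin.IsPresent
if ($problem) { throw $problem }

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Output "TPM+PIN protector already present on $MountPoint"
} else {
    # The PIN is handed to BitLocker as a SecureString rather than as a command-line argument.
    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null
}

# Escrow every recovery password protector in AD DS; the 48-digit value itself is never logged.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
foreach ($kp in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Log protector types only; neither the PIN nor the recovery password goes to ztoolkit.log.
$types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
Add-Content -Path $LogPath -Value "BitLocker protectors on $MountPoint -> $types"

# Scrub the PIN from this process; the ZISD bit_PIN value still has to be cleared as
# phase4-before.vbs does.
Remove-Variable -Name Pin, securePin -ErrorAction SilentlyContinue
```

Backup-BitLockerKeyProtector only succeeds when the computer can reach a domain controller and the BitLocker recovery information policy permits AD DS backup; if your environment stores recovery keys elsewhere (for example MBAM), replace that loop with the corresponding escrow step rather than leaving the recovery password in a log file.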
- Save the changes to phase4-before.vbs
Create and deploy new Ztoolkit image
- Launch Build Console
- Open the project
- Run the Deployment Wizard
- Select the option to create Build Process images
- Select the option to create the Build Process (ztoolkit) image
- Once complete, copy the new Ztoolkit image to the server
Test
To test everything is working do the following:
- PXE boot a machine into Zim
- Select the Restore menu
- Select the project
- Select Enable BitLocker
- Continue to restore all images and allow the machine to build
- Once the machine has built successfully check the following;
- Ztoolkit.log file - this should contain Bitlocker information
- Launch a command prompt and run manage-bde -status; this reports the current status of the local volumes
- Open Control Panel and launch BitLocker Drive Encryption; this shows similar information
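As an added example (not ENGL's code), the checks in this Test section as a PowerShell function that can be run elevated on the built machine. It assumes the OS volume is C: and the default ztoolkit log path; the function and field names are this example's own. Beyond the manual checks above it also scans ztoolkit.log for the 48-digit recovery password that phase2-after.vbs redirects into it, so a machine whose recovery password is sitting in a plaintext log is flagged.

```powershell
# Added example, not part of the ENGL TID: post-build verification of the TPM+PIN scenario.
# Assumes an elevated PowerShell session on the built machine, OS volume on C: and the
# default ztoolkit log path (both overridable).
function Get-BitLockerBuildReport {
    param([string]$MountPoint = 'C:', [string]$LogPath = 'C:\ztoolkit\ztoolkit.log')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $report = [ordered]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted once used-space encryption completes
        ProtectionStatus = $vol.ProtectionStatus    # On means the protectors are enforced, not suspended
        EncryptionMethod = $vol.EncryptionMethod
        HasTpmPin        = ($types -contains 'TpmPin')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        RecoveryPwdInLog = $false
    }

    # manage-bde -protectors -add -rp echoes the numerical password as eight groups of six
    # digits; phase2-after.vbs appends that output to ztoolkit.log, so look for the pattern there.
    if (Test-Path -Path $LogPath) {
        $report.RecoveryPwdInLog = [bool](Select-String -Path $LogPath -Pattern '\b(\d{6}-){7}\d{6}\b' -Quiet)
    }

    [pscustomobject]$report
}

$r = Get-BitLockerBuildReport
$r | Format-List

$problems = @()
if ($r.ProtectionStatus -ne 'On') { $problems += 'protection is not on' }
if (-not $r.HasTpmPin)            { $problems += 'no TPM+PIN protector on the OS volume' }
if (-not $r.HasRecoveryPwd)       { $problems += 'no recovery password protector' }
if ($r.RecoveryPwdInLog)          { $problems += 'recovery password is present in ztoolkit.log; back it up and purge the log entry' }

if ($problems.Count -gt 0) {
    Write-Warning ('BitLocker build check failed: ' + ($problems -join '; '))
} else {
    Write-Output 'BitLocker build check passed'
}
```

VolumeStatus stays at EncryptionInProgress until used-space encryption finishes, so run the check again after a few minutes if that field is the only one that differs from what you expect.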
If there are issues with the process review both the zim.log and ztoolkit.log to troubleshoot the problem.
For more information about the log files review ENGL TID-2013016
If you have any problems or questions about the steps in this TID please contact the ENGL support team.