Assume that we want to create a task sequence that provides a random, different PIN for every encrypted hard drive, that is, for every computer. Natively this is not easily supported: if you try to do it with the classic Enable BitLocker task sequence step, you get the option to enter the PIN only once. In mass deployments this can be a nightmare; I have personally seen the model where your colleague knows your PIN, because he has the same one.
Quid pro Quo – Favor for favor 🙂
To overcome this, I have crafted a few steps that work around the limitation. In our situation users got Lenovo laptops, so the first step will be to activate the TPM chip in case it is not activated. Since we are deploying Windows 10, it will automagically take ownership of the TPM chip, so there is nothing to do for that part. This post shows the steps independently of OSD, but you can easily integrate them with OSD; I just wanted to test it on a few machines after the system is deployed, via an isolated task sequence.
1. Step – I have picked the VBS script provided by Lenovo to activate the TPM, created a package that contains the source files and provided the path to a shared folder with appropriate permissions. This is how it looks on the file system layer.
In the task sequence we call the script with some WMI if statements, to make sure that we execute the script only when the TPM is not activated and the computer vendor is Lenovo. Syntax is case sensitive, so make sure you type everything properly; the complete reference can be found on this LINK. We will add two conditions. FIRST: Add Condition, If statement, All Conditions, WMI query. The WMI namespace is root\cimv2, and the query is right below; it checks whether the computer vendor is Lenovo.
select Manufacturer from Win32_ComputerSystem where Manufacturer LIKE "LENOVO"
SECOND query will check that the TPM is not activated: Add Condition, If statement, None, WMI namespace root\WMI, query right below.
SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = "SecurityChip,Active"
Make sure that you put the NONE child IF statement under the parent.
2. Step – Next we will reboot the computer, to make sure that everything is okay.
3. Step – Now here comes the magic. In order to assign a different PIN to every task sequence run, we need some mechanism that inserts the PIN into the OSDBitlockerPIN global variable; when this variable is set before the Enable BitLocker step, it takes precedence, since it is global. To do this we create a COM object via a PowerShell script and assign a value to the variable: we first generate the PIN and afterwards import it into the OSDBitlockerPIN variable, take a look below.
# Generate a numeric PIN and hand it to the task sequence through the global OSDBitlockerPIN variable; Get-Random with no range can return fewer than the 4 digits BitLocker requires, so bound it to 8 digits
$PIN = Get-Random -Minimum 10000000 -Maximum 100000000 ; $TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment ; $TSEnv.Value("OSDBitlockerPIN") = $PIN
We will pack this in a package that contains the source files, deliver it to the target computer and invoke it via PowerShell; the command for the task sequence step is right below.
%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy bypass -nologo -file Set-PIN.ps1
4. Step – In order to know the PIN that was assigned to the variable, we have to export it somehow, since we will have to deliver it to our user and make him happy. To do this we will create a special hidden shared folder and configure Share/NTFS permissions to allow only one account to write there; pick one that should be authorized in your environment. This is how it looks in my case.
We will map the network drive using the user account that we previously delegated to have the proper rights on the BitLocker share; in my case I will map it under the H: drive letter.
5. Step – In this step we create a file on the mapped drive named after the computer and append the generated PIN to it, using the task sequence built-in variables. Check it in action below.
cmd.exe /c echo %OSDBitlockerPIN% >> H:\%_SMSTSMachineName%.txt
6. Step – We prepare the drive for BitLocker with the command line tool. This step may fail if the drive is already prepared, so we pick the option on the Options tab to continue on error. I am assuming that you are aware that BitLocker needs one extra partition in order to be activated; by default, if you do not modify the partition layout in the task sequence, it will be okay, and some good reading can be found here.
cmd.exe /c bdehdcfg.exe -target default -size 300 -quiet
7. Step – This step will activate BitLocker with the combination of TPM and PIN, while backing up the recovery information to Active Directory. I assume that you already prepared your environment for this with Group Policy; a good reference is here. Since I have seen a few times that the task sequence initiates a reboot while doing this step and the encryption actually fails, I always check the option Wait for BitLocker to complete the drive encryption on all drives before CM continues to run the task sequence.
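As an added example (not the script from the original post), here is a fuller Set-PIN.ps1 that combines steps 3 and 5 above: it draws the digits from the .NET CSPRNG instead of Get-Random, sets OSDBitlockerPIN through the same Microsoft.SMS.TSEnvironment COM object, and writes the PIN to a file named after the computer on the restricted share. It assumes the share is already mapped as H: and that the 8-digit length, a value I chose, satisfies the minimum PIN length set by your policy.

```powershell
# Set-PIN.ps1 (added example, not the original post's one-liner)
# Generates a numeric BitLocker PIN from a CSPRNG, hands it to the task sequence
# as OSDBitlockerPIN, and records it on the restricted share as <ComputerName>.txt.
param(
    [int]$Length = 8,            # assumption: 8 digits; must be 4..20 and >= your policy minimum
    [string]$ShareRoot = 'H:\'   # assumption: the share mapped in the previous step
)

function New-NumericPin {
    param([int]$Digits)
    if ($Digits -lt 4 -or $Digits -gt 20) { throw "BitLocker PINs must be 4 to 20 digits" }
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Digits) {
        $rng.GetBytes($byte)
        # Rejection sampling: accept only 0..249 so every digit 0-9 is equally likely
        if ($byte[0] -lt 250) { [void]$sb.Append([int]($byte[0] % 10)) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

$pin = New-NumericPin -Digits $Length

# Global task sequence variable; set before Enable BitLocker it takes precedence
$tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsEnv.Value('OSDBitlockerPIN') = $pin
$machine = $tsEnv.Value('_SMSTSMachineName')

# Write just the PIN (no trailing space) to the per-machine file on the share
$outFile = Join-Path $ShareRoot "$machine.txt"
[System.IO.File]::WriteAllText($outFile, "$pin`r`n", [System.Text.Encoding]::ASCII)

# Confirm success in smsts.log without writing the PIN itself into the log
Write-Output "Stored a $Length-digit PIN for $machine in $outFile"
```

The file holds the PIN in clear text, so keep the share ACL as tight as described in step 4 and remove each file once the PIN has been handed to the user.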
You will receive a fully functional, encrypted drive that is distinguished from all others in your company by its own random PIN, with the recovery information saved in Active Directory. Seems like a nice implementation.
TPM 1.2 will operate even under a legacy BIOS partition layout, but TPM 2.0 will immediately prompt you for recovery if you enable BitLocker under legacy mode, so my recommendation is always to use UEFI. You will have to configure your infrastructure to achieve this; I will write a separate post on that topic.