How to manage Bitlocker on an Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD, either manually or by using a provisioning package, Bitlocker will be enabled automatically if your device meets the necessary prerequisites. However, in the case that Bitlocker is disabled, this is how you enable Bitlocker, save the Bitlocker Key Protector (also known as the recovery key) to AAD, and recover the key in case you need it. So this blog post is for both the end user and the IT pro, I guess. In this scenario we have configured a Device Compliance Policy in Intune where we require encryption of data storage on devices and sent the [...]

Unlock BitLocker Encrypted Drive From WinPE the Secure Way!

I have seen several blog posts on how to unlock a BitLocker encrypted drive from Windows PE using the recovery password stored in the Microsoft BitLocker Administration and Monitoring (MBAM) SQL Server database. What's the problem with these solutions? All of them have one thing in common: they query the SQL database directly, which requires changing the SQL Server configuration and granting access to the database directly. Why is this a problem? Well, in my opinion this is a bad design approach, as the core purpose of implementing BitLocker volume encryption and MBAM is to secure our data from being compromised. By [...]

By | 2016-10-12T08:49:13+00:00 October 12th, 2016|Configuration Manager (SCCM), OS Deployment, Security|7 Comments

Activate local Admin account – or why you need BitLocker!

While this is not a newly discovered hack, I feel that we cannot stress enough the importance of using Bitlocker to encrypt our hard drives. If you, like me, encounter customers who still run their computers unencrypted and don't see the need for encryption, just use the following guide to show them how easy it is to activate the local administrator account and reset its password. Step 1: Show the customer that the local administrator account is disabled (or that you don't know the password). Step 2: Boot from any bootable media, such as the original installation media, Ultimate Boot [...]

By | 2014-09-26T14:32:36+00:00 September 26th, 2014|Operating Systems, OS Deployment, Security|8 Comments

Eject CD script, quarantined by FEP! PowerShell to the rescue!

I guess everyone knows that you can't enable BitLocker on a machine from a Task Sequence if there is a CD in the CD drive. The workaround is quite simple: just run a script to eject the CD drive before running the "enable BitLocker" step. Well, the other day this script, a VBS I use, was removed by Forefront. I guess the heuristic scan evaluated the content of the script to be unsafe and quarantined it. This is obviously not good, as it's needed by the task sequence. So I thought, maybe there is a way to eject the CD [...]

By | 2012-03-22T12:25:53+00:00 March 22nd, 2012|General info, OS Deployment, Powershell, Security|3 Comments

Enable LENOVO TPM Security Chip (and other stuff) from a TS

I have some customers who run Lenovo computers exclusively (laptops and desktops). On a lot of these computers the security chip has been disabled or is in Inactive mode, thus not allowing the use of Bitlocker. I just finished messing around with activating the TPM chip in the BIOS from a Task Sequence on those Lenovo computers, and once all the minor obstacles were figured out, it turned out to be quite easy. The first thing I wanted to do was to check if the TPM chip was already Active, and if not, activate it. This is actually real [...]

By | 2011-08-25T10:23:00+00:00 August 25th, 2011|General info, OS Deployment|19 Comments

Migrating Bitlocker enabled machines to another domain

In the SCCM Admins guide to preparing your environment for Bitlocker Drive Encryption post series, I walked you through how to prepare your environment for Bitlocker in order to enable the backup of the Bitlocker recovery password and the TPM owner password hash to Active Directory. But what will happen if: 1. You join a stand-alone machine which already had Bitlocker enabled before the domain join; 2. You unjoin a Bitlocker enabled machine from one domain and join it to another domain, which could be a domain in the same forest or in another forest; 3. You migrate the computer account of [...]

By | 2017-08-22T13:12:30+00:00 July 8th, 2011|Security, Windows Client|11 Comments

SCCM Admins guide to preparing your environment for Bitlocker Drive Encryption – part 3

In part 1 and part 2, I talked about the requirements for Bitlocker and walked you through how to extend your Active Directory Schema if you run Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 domain controllers. We then set the permissions so that a Windows 7 machine was able to write its own TPM owner password to Active Directory. Today we are going to put the configuration made in part 1 and 2 to the test and enable Bitlocker on a Windows 7 machine. Then we are going to install the Bitlocker Recovery Password Viewer for Active Directory tool [...]

By | 2017-08-22T13:10:32+00:00 June 9th, 2011|Security, Service Manager (SCSM)|6 Comments

SCCM Admins guide to preparing your environment for Bitlocker Drive Encryption – part 2

In part 1, I talked about the requirements for Bitlocker and showed you how to extend your Active Directory Schema if you run Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 domain controllers. We then set the permissions so that a Windows 7 machine was able to write its own TPM owner password to Active Directory. Today I am going to walk you through how to configure the Group Policy settings for Bitlocker that are required in order to enable the backup of the Bitlocker recovery password and the TPM owner password to Active Directory. You will need either a [...]