Thursday, August 7, 2014

Managing BitLocker Computers in your Organization the easy way...

A couple of days ago my manager came to me asking for a more unified way to manage our TPM-enabled computers and to raise our compliance rate for BitLocker encryption. For those of you dealing with multiple vendors, as I am, this raises large issues, because there is very little standardization in the market regarding access to BIOS settings from within the operating system.

Challenges to face...

First and foremost, we need to consider the inconsistency between different operating systems in how they control the Trusted Platform Module. There are also differences in commands and in the BitLocker architecture that we need to account for. In this script I have accounted for Microsoft Windows 7 and up.

Operating System         Language
Microsoft Windows 7      Batch
Microsoft Windows 8      PowerShell
Microsoft Windows 8.1    PowerShell

Secondly, we need to account for the various manufacturers, how they interact with the BIOS, and their individual WMI structures. This script accounts for the manufacturers below and enables the TPM in the BIOS without any user interaction.

Manufacturer         Solution
Toshiba              TPM.vbs
Lenovo               TPM.vbs
Dell                 Dell Client Configuration Toolkit
Hewlett Packard      TPM.vbs

Stages

In order to activate the TPM and encrypt your machines there are four stages...

Stage                   Purpose
Enable TPM in BIOS      Assuming the TPM is disabled in the BIOS, it is required to enable it.
Initialize the TPM      Windows requires us to initialize the TPM, making its features available to Windows.
Take Ownership          Provide ownership of (permissions on) the TPM to the user currently running the script, or in this case all Administrators on the machine.
Encrypt the Hard Disk   Encryption of the hard disk.

Due to these various stages there are also three required reboots, but we will let the Task Sequence manage these reboots and the rerunning of the script.
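To see where a given machine sits in these four stages, and to get a number for the compliance rate my manager asked about, the following PowerShell is an added example (it is not the script from this post and not part of TPM.vbs). It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes, which exist on Windows 7 as well as Windows 8/8.1, so one read-only check covers both the Batch and the PowerShell branches of the table above. The function names (Get-TpmState, Get-OsVolumeProtection, Get-NextBitLockerStage) are my own; it must run elevated, because the Win32_Tpm methods require administrator rights.

```powershell
# Added example (not the blog's script): report which of the four stages a
# machine still needs, using the WMI classes that TPM.vbs and manage-bde build on.
# Read-only: it reports state; it does not change the TPM or start encryption.

function Get-TpmState {
    # Win32_Tpm lives in its own namespace; Get-WmiObject returns $null when
    # Windows sees no TPM at all (typically: disabled or hidden in the BIOS).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    # Each Win32_Tpm method returns an object carrying a boolean of the same name.
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-OsVolumeProtection {
    # Win32_EncryptableVolume: ProtectionStatus 0 = off, 1 = on, 2 = unknown;
    # ConversionStatus 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress.
    $osDrive = $env:SystemDrive   # e.g. "C:"
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter -eq $osDrive }
    if ($null -eq $vol) { return $null }
    New-Object PSObject -Property @{
        Drive            = $vol.DriveLetter
        ProtectionStatus = [int]$vol.GetProtectionStatus().ProtectionStatus
        ConversionStatus = [int]$vol.GetConversionStatus().ConversionStatus
    }
}

function Get-NextBitLockerStage {
    param($Tpm, $Volume)
    # Map the observed state onto the four stages from the table above, in order.
    if (-not $Tpm.Present -or -not $Tpm.Enabled) { return 'Stage 1: Enable TPM in BIOS' }
    if (-not $Tpm.Activated)                     { return 'Stage 2: Initialize the TPM' }
    if (-not $Tpm.Owned)                         { return 'Stage 3: Take Ownership' }
    # Compliance is judged on ProtectionStatus, not ConversionStatus: a fully
    # encrypted volume whose protectors are suspended reports ProtectionStatus 0.
    if ($null -eq $Volume -or $Volume.ProtectionStatus -ne 1) { return 'Stage 4: Encrypt the Hard Disk' }
    return 'Compliant: TPM owned and OS volume protected'
}

$tpm   = Get-TpmState
$vol   = Get-OsVolumeProtection
$stage = Get-NextBitLockerStage -Tpm $tpm -Volume $vol

# One CSV line per machine is easy to collect centrally (a share, or the Task
# Sequence log) and to turn into a compliance rate.
'{0},{1},{2},{3},{4},{5}' -f $env:COMPUTERNAME, $tpm.Present, $tpm.Enabled, $tpm.Activated, $tpm.Owned, $stage
```

The reason the last check uses ProtectionStatus rather than "is the disk encrypted" is worth keeping in mind when you report a compliance rate: a disk that is fully encrypted but has its protectors suspended (for example after a firmware update that was never resumed) is not protecting anything, and counting it as compliant overstates the rate.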

Add the Package 

  1. Copy the Files to a temporary location
  2. Open the Deployment Workbench 
  3. Navigate to the Applications Node 
  4. Create an appropriate folder if you do not have one already 
  5. Right click on your folder and choose new application 
  6. Choose Application with Source Files and click Next 
  7. Specify the Details for this Application
  8. Enter a Source Directory (Your Temp Location) and click Next 
  9. Click Next 
  10. Enter the Name of the Batch 
  11. Click Next 
  12. Click Finish 
  13. Right click on your application and choose Properties 
  14. Check Hide this application and click Apply 


Changes to the Task Sequence

  1. Navigate to the Task Sequences Node 
  2. Right click on the relevant Task Sequence and choose properties 
  3. Choose the Task Sequence Tab 
  4. Scroll down toward the end of your Task Sequence, after the Install Applications task, click Add and choose Create a New Group if you do not already have an appropriate one

  5. Click on your group and return to the Add button and choose General-> Install Application 
  6. Choose Install a single Application 
  7. Click Browse and Navigate to the TPM Universal Application and click OK 
  8. Copy and paste from Application to Install to Name 
  9. Click on the Options Tab 
  10. Click on Add and choose If Statement 
  11. Choose Any Conditions 
  12. Click on Add and choose Query WMI 
  13. Change WMI namespace to root\WMI
  14. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Enable" 
  15. Click on Add and choose Query WMI 
  16. Change WMI namespace to root\WMI
  17. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Disable"
  18. Click on Add and choose Query WMI
  19. Change WMI namespace to root\WMI 
  20. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Active" 
  21. Click on Add and choose Query WMI 
  22. Change WMI namespace to root\WMI 
  23. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Inactive" 
  24. Click on Add and choose Query WMI 
  25. Change WMI namespace to root\WMI 
  26. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Disable" 
  27. Click on Add and choose Query WMI, then change WMI namespace to Root\HP\InstrumentedBios 
  28. WQL Query: SELECT * FROM HP_BIOSSettingInterface WHERE "TPM Device" Like "%%" 
  29. Click on Add and choose Query WMI 
  30. WQL Query: SELECT * FROM Win32_ComputerSystem WHERE "Manufacturer" = "Dell" 
  31. Check the Check Box Continue on Error and Click Apply 
  32. Click on Add -> General -> Restart the Computer 
  33. Repeat Steps 7-11 to account for all scenarios in the script and click Apply when finished
  34. Repeat Steps 11-30 for all six steps in your Task Sequence
  35. When you are finished your Task Sequence should appear like this 
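Before repeating these conditions across six steps it pays to check, on one machine of each vendor, which of them actually match. The PowerShell below is an added example (not the post's script and not MDT's own logic): it runs the namespace/query pairs from steps 13 to 30 exactly as written above and reports, for each, whether it matched, returned nothing, or failed outright. That last case matters because a Task Sequence "Query WMI" condition whose query errors (for example a class that only exists on another vendor's machines) is simply treated as not met, with nothing in the log to tell you why a branch was skipped. Step 30 names no namespace, so root\CIMV2 (where Win32_ComputerSystem lives) is assumed; Test-WmiCondition is my own name.

```powershell
# Added example (not the blog's script): evaluate the Task Sequence WMI
# conditions on this machine and show match / no match / error for each.

function Test-WmiCondition {
    param([string]$Namespace, [string]$Query)
    # An MDT "Query WMI" condition is met only when the query returns at least
    # one instance. A missing namespace, missing class or invalid WQL raises an
    # error here; in the Task Sequence the same condition silently reads as false.
    try {
        $result = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        if ($result.Count -gt 0) { return 'Match' } else { return 'NoMatch' }
    } catch {
        return "Error: $($_.Exception.Message)"
    }
}

# The condition list from the steps above, one entry per Task Sequence condition.
# Queries are copied as the post gives them; only the Dell namespace is assumed.
$conditions = @(
    @{ Label = 'Toshiba TPM Enable';   Namespace = 'root\WMI';                Query = 'SELECT * FROM BiosSetting WHERE TPM = "Enable"' },
    @{ Label = 'Toshiba TPM Disable';  Namespace = 'root\WMI';                Query = 'SELECT * FROM BiosSetting WHERE TPM = "Disable"' },
    @{ Label = 'Lenovo Active';        Namespace = 'root\WMI';                Query = 'SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Active"' },
    @{ Label = 'Lenovo Inactive';      Namespace = 'root\WMI';                Query = 'SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Inactive"' },
    @{ Label = 'Lenovo Disable';       Namespace = 'root\WMI';                Query = 'SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Disable"' },
    @{ Label = 'HP TPM Device';        Namespace = 'root\HP\InstrumentedBios'; Query = 'SELECT * FROM HP_BIOSSettingInterface WHERE "TPM Device" Like "%%"' },
    @{ Label = 'Dell Manufacturer';    Namespace = 'root\CIMV2';              Query = 'SELECT * FROM Win32_ComputerSystem WHERE "Manufacturer" = "Dell"' }
)

# Print one line per condition; exactly one vendor row should read "Match" on a
# given machine. Several "Error" rows are normal (other vendors' classes are absent).
foreach ($c in $conditions) {
    $outcome = Test-WmiCondition -Namespace $c.Namespace -Query $c.Query
    '{0,-20} {1}' -f $c.Label, $outcome
}
```

Run it once on a machine from each vendor you support. If the row for that vendor reads "Error" rather than "Match", the query itself needs correcting before it goes into the Task Sequence, because MDT will not surface that error for you.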

That's it: standardization in TPM and BitLocker management the easy way!

Of course, as usual, all scripts and other free content are available from my Google Drive at the following address: Script Location 

I hope you enjoyed this blog entry and, as usual, I fully encourage you to share your comments, questions and/or thoughts.