/build/static/layout/Breadcrumb_cap_w.png

BitLocker automatically being enabled while deploying with TPM ON and Secure Boot

Here again your favorite Random Dude.


Today topic is something that I find pretty interesting and it is Secure Boot and the SDA. As you know KACE can't do PXE Secure Boot due to issues that they have with getting their cert (source), but I figured that if you create a USB KBE (guide on how to do that HERE) you can get the Secure Boot to work with the USB.


I did my deployment as usual, but after doing so I discovered that Bitlocker was enabled on its own. I didn't have a task or anything to enable that. I got a ticket with KACE, and one of their engineers told me that he saw this situation before and provide me the following:


https://docs.microsoft.com/en-us/mem/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker


So from what I understand, if you are on UEFI with TPM on and Secure boot on, Bitlocker is going to kick in on its own.


The engineer also mentioned that one of his customers solved by modifying a registry key on a mid-level task.


Here is how his customer solved it.


--------------------------------------------------------------

[DISK] Apply BIOS/UEFI Partitions (Built in K2000 mid level task)

Run disable Automatic Bitlocker

--------------------------------------------------------------


The "Run disable Automatic Bitlocker" contains the following commands:


REG LOAD HKLM\OFFLINE C:\Windows\System32\Config\System

REG ADD HKLM\OFFLINE\ControlSet001\Control\BitLocker\ /v

PreventDeviceEncryption /t REG_DWORD /d 1

REG UNLOAD HKLM\OFFLINE


And that's it, with this it won't do the encryption on its own and is up to you to encrypt it later with your preferred settings.


I hope this helps someone. If you have any questions or comments put them down there.


See you in my next post!


Comments

  • I add the following to the unattend but I'm not sure how to evaluate success or not yet as the registry key may be deleted after it does its job:

    <component name="microsoft-windows-securestartup-filterdriver-" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>

    Ref: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption

    I see using your mid-level task doesn't result in the key being left behind either. I'm assuming it's just one of those shortlife keys that self-destruct after they've done their job??? - mcnaugha 2 years ago
    • I will try with that in the unattend file, I usually don't modify it as I am not a XML pro and I prefer to leave it as it comes from the KACE Sysprep creator. What I have confirmed is that with my procedure it should just stop the encryption from happening on its own so then later you can turn it on with a different method. - RandomITdude24 2 years ago
  • I used the unattend.xml method. This worked perfectly. We were going crazy trying to figure out why Windows 11 22H2 Enterprise was encrypting itself after joining the domain. It would encrypt used space or files only at 128 bit encryption strength. That is because the bitlocker policy from SCCM didn't even get a change to come down, and the encryption started using the default settings. Anyway thank you posting your reply. - boomer 1 year ago
This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ