MDT tips: enabling Bilocker and saving the recovery key in a file

Today is practically mandatory that the mobile devices we deploy have data-at-rest encryption. Microsoft’s Bitlocker is particularly useful for this purpose, assuming your endpoint has a TPM and Windows Professional. In a previous post, I have already posted a set of scripts (available here) to reset the TPM and now I’ll present a simple script that complements these.

 

Although it’s easy to enable the TPM manually in a post deployment stage, it’s also useful to collect and store the unlock key that Windows generates during Bitlocker activation. Typically, your deployment script (MDT or SCCM) would save this key in your Active Directory. However, if you are using MDT to deploy Windows in an environment without Active Directory, you still need to save this key if you decide to activate Bitlocker in your deployment script. This script, when executed, will activate Bitlocker and save it’s recovery key in a file. This file will be saved in your server, if you’re deploying with PXE. If you are deploying Windows using a USB drive, the script will store the file in your USB drive, in the same way as with the server option.

 

:: Enable BDE

setlocal enableextensions enabledelayedexpansion
cd /d "%~dp0"

if "%ResourceDrive%"=="" goto FIND_DEPLOY
set BACKVOL=%ResourceDrive%
goto BDE_ENABLE

:FIND_DEPLOY
if exist %TEMP%\vol_str.txt del %TEMP%\vol_str.txt
wmic logicaldisk get deviceid,volumename | findstr DEPLOY >%TEMP%\vol_str.txt
set /p DEPLOY_VOL=<"%TEMP%\vol_str.txt"
if not "%DEPLOY_VOL%"=="" set DEPLOY_VOL=%DEPLOY_VOL:~0,2%
if "%DEPLOY_VOL%"=="" (
    echo Could not locate DEPLOY volume! >>%SystemDrive%\tpm.log
    exit /b 1
)
set BACKVOL=%DEPLOY_VOL%

:BDE_ENABLE
if not exist %BACKVOL%\BDE\%COMPUTERNAME% md %BACKVOL%\BDE\%COMPUTERNAME%
manage-bde -on %SystemDrive% -s -rp -rk %BACKVOL%\BDE\%COMPUTERNAME% > %BACKVOL%\BDE\%COMPUTERNAME%\RecoveryKey.txt
attrib -s -h -r %BACKVOL%\BDE\%COMPUTERNAME%\*.bek

if exist %SystemDrive%\tpm.log (
    copy %SystemDrive%\tpm.log %BACKVOL%\BDE\%COMPUTERNAME%\
    del %SystemDrive%\tpm.log /Q
)

:END
exit /b 0

 

One little caveat, from the source you’ll notice that in the case of a USB drive, the script will search for a “DEPLOY” volume as described in my previous article on MDT. Once the script finds the volume where the files should be stored, it creates a folder inside the root BDE folder with the given hostname and saves the relevant files. There’s also a command to save a “tpm.log”, which is a log generated during the TPM clear and TPM init stages, as I already mentioned.

Any question, feel free to contact.