How Can You Add a Second Partition for Use With Bitlocker With the Least Effort and Expense Possible
Introduction
All businesses want to protect their data and make sure it is safe from unauthorized users. A big part of this is encrypting the disks of their devices using BitLocker. This is easy to do during OS installation for all new computers, but it can be troublesome to enable BitLocker on existing devices.
BitLocker can use several key protector methods, but in this post I will focus on TPM. The TPM is a hardware component installed by the manufacturer. BitLocker seals the volume key to it, so the key is only released when the measured early-boot components match what they were when the disk was encrypted; this is what protects the disk against tampering while the computer is powered off.
In this case I will use SCCM and a Task Sequence to enable BitLocker. First off we need to find out which computers require BitLocker and whether they are ready for it. I will use a Configuration Baseline (CB) to determine this, and also to find the computers that are not ready to encrypt their disks.
During this how-to there are a few changes you need to make in your SCCM environment, but they are small and shouldn't be an issue for you.
Please note that you need to make sure your environment is prepared for BitLocker (recovery key escrow to Active Directory, the BitLocker Group Policy settings you want, and so on) before taking these steps!
Instructions
These are the steps we need to perform to enable BitLocker on existing devices.
- Allow unsigned scripts to be run from SCCM
- Create two Configuration Items (CI): one to verify that the TPM is activated and one to check whether BitLocker is already enabled.
- Create the Configuration Baseline using our new CIs and deploy it to clients
- Create a collection with compliant devices
- Create a Task Sequence to set encryption level and enable BitLocker
Allow unsigned scripts to be run from SCCM
This is a requirement for one of the Configuration Items that we will create later on. If this is left at the default you will get an error message that reads Script is not signed. The setting is documented in Microsoft's SCCM client settings reference.
Go to Administration > Client Settings
Open Properties on Default Client Settings
Go to Computer Agent and find the setting PowerShell execution policy
Select Bypass from the dropdown and click OK
You can create a new custom Client Settings object instead if you want to test this on a few clients first. Because Bypass relaxes a control for every client the settings apply to, this is also the right way to limit it to the collection that actually needs it. The setting is under Computer Agent.
Create the Configuration Item that will evaluate if TPM is activated on the client
The first step of enabling BitLocker is to find out which of your clients have a TPM chip. This is a required part of this solution. There are other ways to do it, such as USB or TPM and USB, but they add a level of complexity and aren't what we are looking for here.
The reason I use a CI to check whether the TPM is activated is because of how SCCM and Hardware Inventory work. You could add the TPM and BitLocker classes to hardware inventory and use a collection with a query to determine which clients are supported, but this is not recommended for two reasons.
Reason one is that hardware inventory is collected data, which means it might be old depending on when the client last ran the Hardware Inventory cycle. The default setting runs it every 7 days, and during that time the status might change without being represented in SCCM.
Reason two is that you can't query the current state of the TPM that way to see whether it is active or not. A WQL query can read IsActivated_InitialValue, which could be True, but that property reflects the state when the WMI instance was created; the TPM could be disabled afterwards and the change would not be represented there. Because of this I use a CI with a PowerShell script that executes the IsActivated() method to get the current state in real time.
Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – TPM Activated, and click Next >
Uncheck all versions and check Windows 10 (64-bit). Click Next >
In the Settings view click New… and give it the following settings
Proper name | IsActivated |
Setting type | Script |
Information type | Boolean |
Click Add Script…
Select Windows PowerShell from the Script language dropdown
Copy and paste the following code and click OK
(Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\Security\MicrosoftTpm).IsActivated().IsActivated
In the Create Setting window, change to the Compliance Rules tab
Click New…
Give the rule a name, such as IsActivated -eq True, and set the rule to Equals True
Check the box for Report noncompliance if this setting instance is not found
Click OK twice
Click Summary and verify the details before you click Next > to create the CI
You will now have a Configuration Item that verifies whether the TPM chip is activated and ready to be used with BitLocker. It will also report noncompliance if the setting cannot be found on the client, which could be because the TPM is not enabled in the BIOS or because the client doesn't have a TPM at all.
Create the Configuration Item that will evaluate if BitLocker is active
The second step is to check whether BitLocker is active on the client. This WQL query reads the ProtectionStatus property of the drive, which is 1 when the volume is protected, 0 when it is not, and 2 when the status is unknown. In this case we are looking for clients that don't have a status of 1, and evaluate them as compliant so they can be targeted later.
Go to Assets and Compliance > Compliance Settings
Click Configuration Items and Create Configuration Item
Give it a name, such as BitLocker – C: Not Protected, and click Next >
Uncheck all versions and check Windows 10 (64-bit). Click Next >
In the Settings view click New… and give it the following settings
Name | BitLocker – C: Not Protected |
Setting type | WQL query |
Data type | Integer |
Namespace | ROOT\CIMV2\Security\MicrosoftVolumeEncryption |
Class | Win32_EncryptableVolume |
Property | ProtectionStatus |
Where clauses | DriveLetter = 'C:' |
In the Create Setting window, change to the Compliance Rules tab
Click New…
Give the rule a name, such as ProtectionStatus -ne 1
Select Not equal to from the dropdown and set the value to 1
Check the box for Report noncompliance if this setting instance is not found
Click OK twice
Click Summary and verify the details before you click Next > to create the CI
You will now have a Configuration Item that checks whether the disk is already encrypted or not. In this case we want to look for devices that don't have protection enabled, which is why we chose Not equal to. Note that Not equal to 1 also matches ProtectionStatus 2 (unknown), so such a device would be treated as ready to encrypt; that is rare for the running OS volume but worth knowing when you read the compliance reports. If you want to use a similar CI to find clients that already are protected, just change the condition to Equals instead.
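As an added example (not code from the original post), the script below reproduces on a single client what the two Configuration Items above evaluate: the live TPM state via the Win32_Tpm methods, and the ProtectionStatus of C: via Win32_EncryptableVolume, combined with the same rule the baseline uses. It assumes a Windows 10 x64 client with both WMI classes present and an elevated prompt; the function and property names are mine and are not part of the SCCM configuration.

```powershell
# Added example, not code from the original post: a PowerShell readiness check
# that mirrors the two Configuration Items (TPM activated, C: not protected).
# Assumes Windows 10 x64 with the Win32_Tpm and Win32_EncryptableVolume WMI
# classes and an elevated prompt.

function Test-TpmReady {
    # Ask the TPM itself. IsEnabled()/IsActivated()/IsOwned() are methods, so they
    # return the live state rather than the inventoried *_InitialValue properties.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
        -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        # No Win32_Tpm instance: there is no TPM, or it is disabled in the BIOS/UEFI.
        # This is the case the CI catches with "Report noncompliance if this setting
        # instance is not found".
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; Ready = $false }
    }
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    [pscustomobject]@{
        Present   = $true
        Enabled   = $enabled
        Activated = $activated
        Owned     = $owned        # informational; Windows takes ownership when BitLocker is enabled
        Ready     = ($enabled -and $activated)
    }
}

function Get-OsVolumeProtection {
    param([string]$DriveLetter = 'C:')
    # Same namespace, class and where clause as the second CI.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'" -ErrorAction SilentlyContinue
    if ($null -eq $vol) { return $null }
    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # EncryptionMethod: 0 = none, 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
    $method = $vol.GetEncryptionMethod().EncryptionMethod
    [pscustomobject]@{ DriveLetter = $DriveLetter; ProtectionStatus = $status; EncryptionMethod = $method }
}

$tpm = Test-TpmReady
$vol = Get-OsVolumeProtection -DriveLetter 'C:'

# The baseline's decision: TPM activated AND ProtectionStatus of C: not equal to 1.
# Like the CI, this treats status 2 (unknown) as "not protected".
$enable = $tpm.Ready -and ($null -ne $vol) -and ($vol.ProtectionStatus -ne 1)

$statusOut = if ($vol) { $vol.ProtectionStatus } else { 'no volume' }
$methodOut = if ($vol) { $vol.EncryptionMethod } else { 'no volume' }
[pscustomobject]@{
    TpmPresent       = $tpm.Present
    TpmEnabled       = $tpm.Enabled
    TpmActivated     = $tpm.Activated
    TpmReady         = $tpm.Ready
    ProtectionStatus = $statusOut
    EncryptionMethod = $methodOut
    EnableBitLocker  = $enable
}
```

Running this on a client that the baseline reports as compliant should give TpmReady True and EnableBitLocker True; on a client that reports noncompliant, the TpmPresent/TpmEnabled/TpmActivated columns tell you which of the BIOS-side problems from the summary you are looking at.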
Create the Configuration Baseline using our new CIs and deploy it
Go to Assets and Compliance > Compliance Settings
Click Configuration Baselines and Create Configuration Baseline
Give it a name, such as Windows 10 – Enable BitLocker
Click Add and select Configuration Items
Select the two CIs that we created from the list that appears and click OK.
In my example they are called BitLocker – C: Not Protected and BitLocker – TPM Activated
Verify your settings and click OK if everything looks good.
Finally, right-click the new baseline and click Deploy, choose the collection of Windows 10 clients you want evaluated (all candidates, not only the ones you expect to encrypt) and set an evaluation schedule. The compliance results of this deployment are what the next step builds a collection from.
Create a collection with compliant devices
Now that we have prepared SCCM and created the Configuration Baseline with our Configuration Items we are ready to create a collection with the computers that are compliant.
Compliance in our case means that the TPM chip is activated and ready to be used, but BitLocker hasn't been enabled in Windows.
This is a very easy step which I have explained in another blog post. In short: select the baseline, open the Deployments tab, right-click the deployment and choose Create New Collection > Compliant.
When you have created a collection with the compliant computers you can move on with the next steps.
For the purposes of this post I will call my collection Windows 10 – BitLocker Ready.
Create a Task Sequence to set encryption level and enable BitLocker
In this step we will create a new Task Sequence that will be used to configure and enable BitLocker on the clients. I will use the encryption algorithm called XTS-AES 256. The EncryptionMethod policy value selects the algorithm: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256. The one I want has the number 7, which is what I will specify in the Task Sequence.
Note: Microsoft stated in the Security Baseline for Windows 10 v1903 that requiring XTS-AES 256 is unnecessary and can cause older hardware to perform slowly.
You should instead use the default value of XTS-AES 128, which is value 6.
SOURCE: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1903-and-windows-server/ba-p/701084
Go to Software Library > Operating Systems
Click Task Sequence and Create Task Sequence
Click Create a new custom task sequence
Give it a name, BitLocker – Enable on existing devices
Click Next > and then Close
Right-click the new Task Sequence and click Edit
Click Add and then New Group
Rename the Group to Enable BitLocker
Click Add and then General > Run Command Line
Rename the step to Set BitLocker Encryption Method XTS-AES 256
Open the step and paste the following into the Command line box
reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f
On Windows 10 version 1511 and later, the Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" writes EncryptionMethodWithXtsOs (and the Fdv/Rdv values for data and removable drives) under the same key instead of EncryptionMethod. If your domain GPO also applies that policy, make sure both agree, otherwise the Enable BitLocker step may not use the algorithm you expect.
Click Add and then Disk > Enable BitLocker
I suggest using the default settings, unless you want to encrypt the whole drive immediately or you are using MBAM to store your keys instead of Active Directory.
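To see what the two Task Sequence steps do before you deploy to a whole collection, here is an added example (my script, not the post's Task Sequence) that sets the same encryption-method policy and enables BitLocker on C: with a TPM protector and an AD-escrowed recovery password. It assumes a TPM-ready Windows 10 client, the built-in BitLocker and TrustedPlatformModule PowerShell modules, and that your environment already has the "Store BitLocker recovery information in Active Directory Domain Services" policy applied; the parameter name and the comments are mine.

```powershell
# Added example, not the post's own Task Sequence: the "reg add" step and the
# "Enable BitLocker" step as a PowerShell script for testing on one machine.
# Assumes a TPM-ready Windows 10 client, the BitLocker and TrustedPlatformModule
# modules, and AD DS as the recovery-key store (Backup-BitLockerKeyProtector
# needs the corresponding Group Policy to be applied). Run elevated.

param(
    # Microsoft's baseline guidance: XTS-AES 128 is the default and is sufficient.
    [ValidateSet('XtsAes128', 'XtsAes256')]
    [string]$Method = 'XtsAes128'
)

# Step 1: the policy the Run Command Line step writes. 6 = XTS-AES 128, 7 = XTS-AES 256.
# EncryptionMethod is the value the post's reg add sets; EncryptionMethodWithXtsOs is
# the name the Windows 10 1511+ policy uses for the OS drive. Setting both keeps them consistent.
$code = @{ XtsAes128 = 6; XtsAes256 = 7 }[$Method]
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
foreach ($name in 'EncryptionMethod', 'EncryptionMethodWithXtsOs') {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $code -Force | Out-Null
}

# Step 2: the Enable BitLocker step with its defaults (TPM protector, used space only,
# recovery key in Active Directory).
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not ready (enabled, activated and owned); fix it in the BIOS/UEFI first.'
}
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output 'C: is already protected; nothing to do.'
    return
}

# Create the recovery password first so it can be escrowed before the TPM protector is
# added; with "Do not enable BitLocker until recovery information is stored in AD DS"
# this order is required. -UsedSpaceOnly matches the step's default; -SkipHardwareTest
# starts encryption without the reboot-based TPM test.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod $Method -RecoveryPasswordProtector `
    -UsedSpaceOnly -SkipHardwareTest | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId | Out-Null
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmProtector | Out-Null

# What the compliance report will see afterwards: ProtectionStatus On, chosen method,
# and the encryption percentage climbing in the background.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Because the script escrows the recovery password before adding the TPM protector, a client that fails at the Backup-BitLockerKeyProtector step (no domain connectivity, policy missing) stops before the TPM becomes the only way to unlock the drive, which is the failure mode you want to catch on one machine rather than across the collection.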
Deploy the Task Sequence to the ready computers
Now we are ready to deploy the Task Sequence to the collection we created with the clients that are ready to have BitLocker enabled. As I mentioned above, my collection is called Windows 10 – BitLocker Ready and contains my compliant clients.
Right-click the Task Sequence and click Deploy
Click Browse… and select the collection Windows 10 – BitLocker Ready and click Next
Change the Purpose to Required and click Next
Click New… and select Assign immediately after this event: As soon as possible and click Next
Uncheck Show Task Sequence progress and leave the rest as default. Click Summary, Next and Close
That was the last step of this procedure. Now all compliant devices should receive this Task Sequence and try to enable BitLocker. You can now go to Monitoring > Deployments to monitor your progress.
Search for the Task Sequence name and you will see the progress of BitLocker being rolled out.
Summary
Phew, all done! There are quite a few steps to be made, even though they are quite easy when you know what you are looking for.
This is just one way of doing this, but I feel that it is very dynamic and it's possible to customize it as you wish. Using this method I've been able to enable BitLocker on existing devices at multiple customers and it has worked almost perfectly every time.
The most common issues I've encountered are that the clients don't have a TPM or that the TPM isn't enabled in the BIOS of the clients. Resolving the second issue is much more complicated than actually encrypting the drives, and deserves a whole post of its own in the future.
A few things you might want to do differently could be to use another encryption algorithm, check whether the TPM is already owned, add other checks to your Configuration Baseline or use a standard query-based collection instead of the CB. (Just note what I wrote about that earlier.)
If you have any feedback or want to know more about preparing your environment for BitLocker then go ahead and leave a comment below and I'll get back to you.
Source: https://www.nianit.com/enable-bitlocker-existing-devices/