Day 1 of MMS
According to Brad Anderson Wednesday was day 2 of the conference, so I'm guessing this was day 0.
I went to a couple of nice talks-
BA17 Virtualizing Configuration Manager - What you need to know and how to get there
This was a pretty technical talk which went into a lot of detail about the hardware considerations when looking at virtualizing SCCM 2007.
After covering the hardware, the speaker went into detail about the different ways you could virtualize SCCM. Firstly, you could create a new site in a VM and migrate your existing site to the VM instance of SCCM. Or, you could just run a P2V tool (this is what we did). Looking at my notes, the only thing of importance I've written down is 'don't cluster your MP'.
BA37 Buried Inventory Treasure
A Sherry Kissinger talk, this was full of nuggets of information. I believe Sherry is putting a number of the reports from the demos on her blog. Some of the coolest bits involved DCM. It was a revelation to see SCCM 2007 DCM not just read values, but also set them via scripts.
Another cool demo was Mark Cochrane's RegKeyToMof, a nice tool to autogenerate the code to insert into SMS_def.mof for custom inventory. She's blogged about the new version here.
Hands-on lab - Microsoft BitLocker Administration and Monitoring
Nice solution to the BitLocker key recovery issue if you're licensed for MDOP. This tool backs up enterprise BitLocker recovery keys to a SQL database. A web-based portal then allows helpdesk agents to recover keys without a domain admin needing to go near Active Directory Users and Computers.
I'm about 2 days behind in my MMS updates, but I'll just blame that on the awful in-room wifi at the Mandalay Bay.
Thursday, 24 March 2011
Tuesday, 15 February 2011
A simple check to see if the TPM is enabled
The Deployment Guys have an interesting post on how to check if the TPM chip is enabled and activated as part of a task sequence (see here).
When we deployed Windows 7 we ran into the same problem. Our solution was a bit simpler!
Connecting to root\cimv2\Security\MicrosoftTPM and executing
select * from win32_tpm
will only return an instance if the TPM is enabled. This can be added as a WMI query condition on your Task Sequence group so that the BitLocker steps only run if the TPM is on.
A note of caution though - this query does not check whether the TPM is activated. It only checks that the TPM is enabled. Win32_Tpm does expose IsEnabled_InitialValue and IsActivated_InitialValue properties (plus IsEnabled, IsActivated and IsOwned methods), so the query can be narrowed if activation matters to you as well.
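The following is an added example, not code from the original post. It extends the post's WQL test so that the BitLocker group only runs when the TPM is both enabled and activated, which the bare "select * from win32_tpm" condition cannot tell apart, and it logs the individual TPM states so a failed check is easy to diagnose. It assumes it runs as a Run Command Line step in the full OS (not WinPE) under the SCCM Task Sequence engine; the variable name "TPMReady" is this example's own choice.

```powershell
# Added example (not from the original post): TPM readiness check for a Task
# Sequence that only reports "ready" when the TPM is enabled AND activated.
# Assumptions: full Windows OS, SCCM Task Sequence engine present; the
# TS variable name "TPMReady" is this example's own choice.

$ns = 'root\cimv2\Security\MicrosoftTpm'

# The post's condition, narrowed with the *_InitialValue properties Win32_Tpm
# exposes. An empty result still means "no TPM or TPM disabled", so anything
# this query returns would also satisfy the post's original condition.
$query = 'SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = TRUE AND IsActivated_InitialValue = TRUE'
$ready = [bool](Get-WmiObject -Namespace $ns -Query $query -ErrorAction SilentlyContinue)

# Unfiltered instance, so the log says *why* the check failed.
$present = $false; $enabled = $false; $activated = $false; $owned = $false
$tpm = Get-WmiObject -Namespace $ns -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $present = $true
    # The IsEnabled/IsActivated/IsOwned methods report the live state;
    # the *_InitialValue properties report the state as it was at boot.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
}
Write-Host ("TPM present={0} enabled={1} activated={2} owned={3} -> ready={4}" -f `
    $present, $enabled, $activated, $owned, $ready)

# Publish the result as a Task Sequence variable so the BitLocker group can
# carry the condition "TPMReady equals True". Outside a TS the COM object does
# not exist, so fall back to the exit code alone.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMReady') = $ready.ToString()
} catch {
    Write-Host 'Not running inside a Task Sequence; TPMReady not set.'
}

if ($ready) { exit 0 } else { exit 1 }
```

Run it from a Run Command Line step before the Enable BitLocker step, then put the condition "Task Sequence Variable TPMReady equals True" on the BitLocker group. While the sequence is still in WinPE, the plain WQL condition from the post is the right tool; this script needs the full OS.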
Thursday, 14 October 2010
Force BitLocker key backup to Active Directory
If a Windows 7 machine is not in a domain when the drive is encrypted with BitLocker, then the key backup will not automatically occur. I've modified some code from this TechNet article to force this backup to occur for the C: drive. The script could be modified to backup keys from all drives pretty easily, but this had to be rolled out very quickly!
The script:
    ' Back up the numerical-password (recovery password) protector of C: to
    ' Active Directory. Run elevated, on a machine that is now domain-joined.
    On Error Resume Next   ' needed so the Err.Number checks below actually run
    strDriveLetter = "c:"

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," _
        & "authenticationLevel=pktPrivacy}!\\." _
        & "\root\cimv2\security\microsoftvolumeencryption")
    If Err.Number <> 0 Then
        WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
        WScript.Echo "Ensure that you are running with administrative privileges."
        WScript.Quit -1
    Else
        WScript.Echo "Successfully connected to BitLocker interface."
    End If

    Set colTargetVolumes = objWMIService.ExecQuery _
        ("Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'")
    If colTargetVolumes.Count = 0 Then
        WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on this computer "
        WScript.Quit -1
    End If

    For Each objFoundVolume In colTargetVolumes
        Set objVolume = objFoundVolume
        strEncDriveLetter = objVolume.DriveLetter
        WScript.Echo "Encryptable Volume found :" & strEncDriveLetter
        ' ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        intRC = objVolume.GetProtectionStatus(nPStatus)
        If nPStatus = 1 Then
            WScript.Echo "Drive is encrypted"
        Else
            WScript.Echo "Drive Not Encrypted"
        End If
    Next

    nKeyProtectorType = 3 ' Numerical Password (recovery password)
    insKey = objVolume.GetKeyProtectors(nKeyProtectorType, vProtectors)
    If insKey <> 0 Then
        WScript.Echo "GetKeyProtectors failed (0x" & Hex(insKey) & ")"
        WScript.Quit -1
    End If

    ' Only the last protector ID is kept; a drive normally has exactly one
    ' numerical password, so this is fine for the quick rollout described above.
    nFound = 0
    For Each vFoundKeyProtectorID In vProtectors
        vKeyProtectorID = vFoundKeyProtectorID
        nFound = nFound + 1
        ' WScript.Echo "Key Protector: ", vKeyProtectorID
    Next
    If nFound = 0 Then
        WScript.Echo "No numerical password protector found on " & strDriveLetter
        WScript.Quit -1
    End If

    ' Reading the password is not required for the AD backup; it is echoed here
    ' for troubleshooting only. Redirecting this output to a log file leaks the
    ' recovery password, so drop these lines in production.
    insKey = objVolume.GetKeyProtectorNumericalPassword(vKeyProtectorID, numPWD)
    If insKey <> 0 Then
        WScript.Echo "Password Get Failed"
        WScript.Quit -1
    End If
    WScript.Echo "Numerical PW: " & numPWD
    WScript.Echo "For key Protector: ", vKeyProtectorID

    ' Writes an msFVE-RecoveryInformation object under the computer account in AD.
    iBackupSuccessful = objVolume.BackupRecoveryInformationToActiveDirectory(vKeyProtectorID)
    If iBackupSuccessful <> 0 Then
        WScript.Echo "Password Storage to ADS failed."
        WScript.Quit -1
    Else
        WScript.Echo "Successfully stored password in ADS."
    End If
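As an added example that is not part of the original post, here is the PowerShell equivalent of the script above, generalised to every BitLocker-protected volume on the machine (the "all drives" modification the post mentions). It backs up each numerical-password protector to Active Directory using only the protector ID and never reads or prints the recovery password, so nothing sensitive can end up in a deployment log. It assumes the machine is now domain-joined and the script runs elevated.

```powershell
# Added example (not the post's own code): back up every volume's recovery
# password protector(s) to Active Directory without ever reading the password.
# Assumptions: domain-joined Windows 7 machine, run as a local administrator.

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$NumericalPassword = 3   # KeyProtectorType 3 = numerical password (recovery password)

$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
$failed = 0

foreach ($vol in $volumes) {
    $letter = $vol.DriveLetter
    if (-not $letter) { $letter = $vol.DeviceID }   # volumes without a drive letter

    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown. Only protected volumes
    # have recovery passwords worth backing up.
    $status = $vol.GetProtectionStatus().ProtectionStatus
    if ($status -ne 1) {
        Write-Host ("{0}: protection off or unknown ({1}), skipping" -f $letter, $status)
        continue
    }

    $result = $vol.GetKeyProtectors($NumericalPassword)
    if ($result.ReturnValue -ne 0 -or -not $result.VolumeKeyProtectorID) {
        Write-Warning ("{0}: no numerical-password protector found (rc=0x{1:X})" -f $letter, $result.ReturnValue)
        $failed++
        continue
    }

    # A volume can carry more than one recovery password; back up each of them.
    # Only the protector ID is needed, so the password itself is never read.
    foreach ($id in $result.VolumeKeyProtectorID) {
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -eq 0) {
            Write-Host ("{0}: backed up protector {1} to AD" -f $letter, $id)
        } else {
            Write-Warning ("{0}: AD backup failed for protector {1} (rc=0x{2:X})" -f $letter, $id, $rc)
            $failed++
        }
    }
}

# Non-zero exit code = at least one volume was not backed up; useful when the
# script is pushed as an SCCM program and you want the deployment status to
# reflect failures.
exit $failed
```

After it runs, confirm the backup the same way a helpdesk agent would: open the computer object in Active Directory Users and Computers (with the BitLocker Recovery tab available) and check that a recovery password entry exists for each protector ID the script reported.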