anyweb

Full disk encryption (in ConfigMgr 1910) – a closer look on real hardware

Introduction

In an earlier post I showed you how you can enable Full Disk Encryption via a task sequence in Microsoft Endpoint Manager Configuration Manager version 1910. The screenshots in that blog post were taken from virtual machines, but Full Disk Encryption (FDE) in the Pre-Provision BitLocker step won't run correctly on virtual machines: for some reason it requires real hardware.

In this blog post I want to show you how those steps work on real hardware, in this case an HP ProDesk 600 G3 SFF fitted with an old 256GB HDD.

I’ve placed pause steps before and after each of the BitLocker related steps and will issue various commands to ‘see’ the effect of those steps on real hardware.

In this post we’ll look in detail at how Full Disk Encryption functions within the two BitLocker specific steps, namely:

  • Pre-Provision BitLocker
  • Enable BitLocker

Note that the TPM has already been enabled in the UEFI firmware on this hardware.

Pre-Provision Bitlocker

The Pre-Provision BitLocker step normally saves time by encrypting only used space, so how does it behave when Use full disk encryption is selected? The first thing to keep in mind is that enabling FDE will significantly increase OSD build times, because every sector of the volume is encrypted rather than just the sectors that hold data.

[Screenshot: pre-provision-bitlocker.png]

So, now that we've paused the task sequence at this point, note that the HDD was formatted in the previous Partition Disk 0 – UEFI step and, because of that, it is not encrypted in any way, as the following command reveals.

manage-bde -status

Conversion Status: Fully Decrypted

After running the Pre-Provision BitLocker step we can see the following in smsts.log.

[Screenshot: pre-prov-step-done.png]

The interesting bits in relation to the TPM are shown below:

  • Tpm is enabled
  • Tpm is activated
  • Tpm is owned
  • Tpm ownership is allowed
  • Tpm has compatible SRK
  • Tpm has EK pair
  • Initial TPM state: 63

For comparison's sake, here's a view of smsts.log on the same hardware after the TPM has been cleared in Windows using tpm.msc as Administrator.

  • Tpm is enabled
  • Tpm is activated
  • Tpm is not owned
  • Tpm ownership is allowed
  • Tpm has compatible SRK
  • Tpm has EK pair
  • Initial TPM state: 55

The only line that differs between the two reports is the owned flag, and the Initial TPM state value differs by 8 (63 versus 55), consistent with that value being a bitmask in which one bit records ownership. As you can see in that example, the TPM is not owned, so the Pre-Provision BitLocker step takes ownership of it, which smsts.log records as:

  • Taking ownership of TPM

Note: You can perform hardware actions such as clearing the TPM, via hardware vendor specific custom steps in your task sequence, or do them manually in the UEFI firmware, or via tpm.msc in Windows (as Administrator).

Further down in smsts.log, the step logs Encrypting full disk, and if we run manage-bde -status again it reveals that the drive is now being encrypted!
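The checks above (the six TPM lines that the task sequence writes to smsts.log, and manage-bde -status before and after the step) can be reproduced from a PowerShell prompt opened at one of the pause steps. The script below is an added example and is not part of the original post or of ConfigMgr itself. It assumes the boot image includes the PowerShell, WMI and SecureStartup optional components (so that Win32_Tpm and manage-bde.exe are available in WinPE; in the full OS they are present by default), and it assumes the result objects of the Win32_Tpm methods expose a property with the same name as the method (e.g. IsOwned().IsOwned). The manage-bde output embedded at the end is a constructed sample used to exercise the parser offline, not output captured from the author's machine.

```powershell
# Added example: reproduce the TPM state lines and the manage-bde conversion check
# from a PowerShell prompt at a task sequence pause step. Not ConfigMgr's own code.

function Get-TpmStateReport {
    # Mirrors the six TPM lines ConfigMgr logs in smsts.log by calling the
    # Win32_Tpm methods of the same names. Property names on the returned
    # objects (.IsEnabled, .IsOwned, ...) are assumed to match the method names.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM found (Win32_Tpm returned nothing)' }
    [ordered]@{
        Enabled          = [bool]$tpm.IsEnabled().IsEnabled
        Activated        = [bool]$tpm.IsActivated().IsActivated
        Owned            = [bool]$tpm.IsOwned().IsOwned
        OwnershipAllowed = [bool]$tpm.IsOwnershipAllowed().IsOwnershipAllowed
        CompatibleSrk    = [bool]$tpm.IsSrkAuthCompatible().IsSrkAuthCompatible
        HasEkPair        = [bool]$tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
    }
}

function ConvertFrom-BdeStatus {
    # Parse the "Field: value" lines of manage-bde -status output into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Conversion Status|Percentage Encrypted|Encryption Method|Protection Status|Lock Status):\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    $result
}

function Wait-BdeConversion {
    # Poll manage-bde -status until the volume reports Fully Encrypted (or Fully
    # Decrypted when watching a decrypt), printing progress on every poll. With
    # FDE selected, the percentage climbs slowly for the whole disk; with
    # used-space-only encryption a freshly formatted disk finishes almost at once.
    param([string]$Volume = 'C:', [int]$TimeoutMinutes = 180, [int]$IntervalSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = ConvertFrom-BdeStatus -Lines (& manage-bde.exe -status $Volume)
        Write-Host ('{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm:ss'),
            $status['Conversion Status'], $status['Percentage Encrypted'])
        if ($status['Conversion Status'] -match '^Fully (Encrypted|Decrypted)$') { return $status }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes; last state: $($status['Conversion Status'])"
}

# Constructed sample of manage-bde -status output (not captured from the author's
# hardware), so the parser can be tried without a BitLocker volume present.
$sample = @'
Volume C: [Label Unknown]
[OS Volume]

    Size:                 238.47 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 12.3%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
'@ -split "`r?`n"

ConvertFrom-BdeStatus -Lines $sample

# On real hardware at a pause step, run:
#   Get-TpmStateReport
#   Wait-BdeConversion -Volume 'C:'
```

Run Get-TpmStateReport at the pause before the Pre-Provision BitLocker step and again after it: on a cleared TPM the Owned value flips from False to True, matching the "Tpm is not owned" and "Taking ownership of TPM" lines in smsts.log. Wait-BdeConversion after the step gives you the same "drive is being encrypted" view the author gets from manage-bde -status, plus a timestamped record of how long full disk encryption actually took on that disk.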

You can see the rest of this blog post here https://www.niallbrady.com/2020/02/25/full-disk-encryption-a-closer-look-on-real-hardware/
