Symantec Management Platform (SMP) Community

How to add Bitlocker Support for WinPE 

Dec 12, 2018 07:49 AM

In this article I will show you how to add BitLocker support to WinPE 10. After implementing this, you can manage BitLocker with the manage-bde command from within WinPE.

Use case:

Sometimes it is quite useful to be able to unlock a BitLocker-encrypted drive within WinPE. This is necessary when the user can no longer boot the installed OS and has local data on the encrypted drive.


There are other methods of getting at the local data on the drive: for example, you can remove the hard disk and connect it to another computer with a USB cable. You are then asked to provide the BitLocker recovery key.

But sometimes this is not possible, especially when the user is in a branch office where no IT admin can remove the hard disk and plug it into another computer. In that case this article is helpful.

Optional, and in most cases not necessary: you could extend this method with a script that runs within WinPE, requests the BitLocker recovery key from your MBAM (Microsoft BitLocker Administration and Monitoring) server via a web service and unlocks the hard disk.

I think this is also a very good approach, but unlocking a hard disk is normally not a daily task, so it is not necessary to automate it to that degree.

Prerequisites:

  • Deployment Solution 8.5 (should also work with 8.0 and 8.1)
  • Installed Network Boot Service (NBS)
  • WinPE10 as a Preboot Environment (should also work with WinPE 4.0 and WinPE 5.x)


  1. On your SMP Server, create a backup of the file default.bdc. You can find this file in the folder <Install Drive>\Program Files\Altiris\Deployment\BDC\bootwiz

  2. Edit the original default.bdc file using Notepad and add the following two lines to the [PACKAGES] section

    YYY=True
    ZZZ=True

    Your file should look like this:



  3. On your SMP Server, create a backup of the file WinPE10x64.ini. You can find this file in the folder:
     <Install Drive>\Program Files\Altiris\Deployment\BDC\bootwiz\Platforms

  4. Edit the original WinPE10x64.ini file, scroll down to the section [PACKAGE MAPPING] and add the following two lines to the section


Optional: the same steps need to be done in the WinPE10x86.ini file if you want to add BitLocker support to WinPE x86.

This adds WinPE-SecureStartup and the matching language pack. If you add only WINPE-SECURESTARTUP, managing BitLocker with the manage-bde.exe command will not work!

Curious why we are using YYY and ZZZ? Here is the explanation:

WINPE-SECURESTARTUP requires WINPE-WMI; if you try to add WINPE-Securestartup before WINPE-WMI, it will fail. To make sure WINPE-WMI is already added to the WinPE boot file, we use the alphabet: bootwiz adds the packages in alphabetical order of their key names, so (WINPE-)WMI is added to the boot file before YYY and ZZZ (which are the short names for WINPE-Securestartup and WINPE-Securestartup_EN-US).

The manage-bde.exe command is included in the WINPE-Securestartup.cab file. You can find these files on the SMP Server in the folder:
<Install Drive>\Program Files\Altiris\Deployment\BDC\waik_winpe10\Tools\PETools\amd64\WinPE_FPs


Go to the folder en-us and copy the file WINPE-Securestartup_EN-US.cab to D:\Program Files\Altiris\Deployment\BDC\waik_winpe10\Tools\PETools\amd64\WinPE_FPs

Take a look at the screenshot above.
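The following PowerShell script is an added example and is not code from the original article or from Symantec's Deployment Solution. It performs steps 1 to 4 and the cab copy above on the SMP Server, then prints the alphabetical order in which bootwiz will add the enabled packages, so you can confirm that the WMI key sorts before YYY and ZZZ as explained in the paragraph on the naming. It assumes Deployment Solution is installed under C:\Program Files\Altiris\Deployment\BDC (change $BdcRoot for your <Install Drive>) and takes the two [PACKAGE MAPPING] lines as a mandatory parameter, because the article shows them only in a screenshot; the file names, section names and paths are the ones given in the article.

```powershell
<#
Added example for this article (not code from the original post or from Symantec).
Run on the SMP Server as an administrator, e.g.:
  .\Add-WinPEBitLocker.ps1 -PackageMappingLines 'YYY=<line 1 from the screenshot>','ZZZ=<line 2 from the screenshot>'
Assumption: Deployment Solution is installed under $BdcRoot; adjust it for your <Install Drive>.
#>
param(
    [string]$BdcRoot = 'C:\Program Files\Altiris\Deployment\BDC',
    # The two [PACKAGE MAPPING] lines exactly as shown in the article's screenshot.
    [Parameter(Mandatory)][string[]]$PackageMappingLines,
    # Also edit WinPE10x86.ini (the optional step in the article).
    [switch]$IncludeX86
)
$ErrorActionPreference = 'Stop'

function Backup-File {
    # Steps 1 and 3: timestamped copy next to the original; the path is returned for the log.
    param([Parameter(Mandatory)][string]$Path)
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup
    return $backup
}

function Add-IniSectionLines {
    # Appends $Lines to the end of [$Section], skipping lines already present (safe to re-run).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Section,
        [Parameter(Mandatory)][string[]]$Lines
    )
    $content = New-Object System.Collections.Generic.List[string]
    $content.AddRange([string[]]@(Get-Content -LiteralPath $Path))
    $start = -1
    for ($i = 0; $i -lt $content.Count; $i++) {
        if ($content[$i].Trim() -ieq "[$Section]") { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section [$Section] not found in $Path" }
    # The section runs up to the next [header]; step back over trailing blank lines.
    $end = $start + 1
    while ($end -lt $content.Count -and -not $content[$end].Trim().StartsWith('[')) { $end++ }
    while ($end -gt $start + 1 -and $content[$end - 1].Trim() -eq '') { $end-- }
    $existing = @($content.GetRange($start + 1, $end - $start - 1) | ForEach-Object { $_.Trim() })
    $added = 0
    foreach ($line in $Lines) {
        if ($existing -notcontains $line.Trim()) { $content.Insert($end, $line); $end++; $added++ }
    }
    # The bootwiz configuration files are plain text; ASCII keeps them that way.
    Set-Content -LiteralPath $Path -Value $content -Encoding Ascii
    return $added
}

function Get-EnabledPackageOrder {
    # Keys set to True in [PACKAGES], sorted the way bootwiz adds them (alphabetically).
    param([Parameter(Mandatory)][string]$Path)
    $inPackages = $false
    $keys = foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t.StartsWith('[')) { $inPackages = ($t -ieq '[PACKAGES]'); continue }
        if ($inPackages -and $t -match '^([^=;]+)=\s*True\s*$') { $Matches[1].Trim() }
    }
    return @($keys | Where-Object { $_ } | Sort-Object)
}

$bootwiz    = Join-Path $BdcRoot 'bootwiz'
$defaultBdc = Join-Path $bootwiz 'default.bdc'
$iniFiles   = @(Join-Path $bootwiz 'Platforms\WinPE10x64.ini')
if ($IncludeX86) { $iniFiles += Join-Path $bootwiz 'Platforms\WinPE10x86.ini' }

# Steps 1 and 2: back up default.bdc, then enable the two package keys.
Write-Host "Backup: $(Backup-File -Path $defaultBdc)"
$n = Add-IniSectionLines -Path $defaultBdc -Section 'PACKAGES' -Lines 'YYY=True', 'ZZZ=True'
Write-Host "default.bdc: $n line(s) added to [PACKAGES]"

# Steps 3 and 4: back up each platform ini, then add the mapping lines.
foreach ($ini in $iniFiles) {
    Write-Host "Backup: $(Backup-File -Path $ini)"
    $n = Add-IniSectionLines -Path $ini -Section 'PACKAGE MAPPING' -Lines $PackageMappingLines
    Write-Host "$(Split-Path $ini -Leaf): $n line(s) added to [PACKAGE MAPPING]"
}

# Copy the EN-US language pack next to WINPE-Securestartup.cab; without it manage-bde does not work.
# The article covers the amd64 cab only, so no x86 copy is attempted here.
$fpRoot = Join-Path $BdcRoot 'waik_winpe10\Tools\PETools\amd64\WinPE_FPs'
Copy-Item -LiteralPath (Join-Path $fpRoot 'en-us\WINPE-Securestartup_EN-US.cab') -Destination $fpRoot -Force

# Ordering check: WINPE-SECURESTARTUP (YYY) needs WINPE-WMI to be added first.
$order = Get-EnabledPackageOrder -Path $defaultBdc
Write-Host ('Package order bootwiz will use: ' + ($order -join ', '))
$wmi = $order | Where-Object { $_ -like '*WMI*' } | Select-Object -First 1
if (-not $wmi) { Write-Warning 'No WMI package is enabled in [PACKAGES]; WINPE-SECURESTARTUP will fail to add.' }
elseif ($wmi -gt 'YYY') { Write-Warning "$wmi sorts after YYY; the SecureStartup keys must sort after the WMI key." }
else { Write-Host "OK: $wmi is added before YYY and ZZZ." }
```

Re-running the script is harmless: lines already present in a section are not added twice, and every edited file gets a fresh timestamped .bak copy, so reverting the changes afterwards is a matter of copying the backups back before recreating the Preboot Environment.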

After you have finished all the steps in this article, you can recreate your Preboot Environment within the SMP Console or create a new one, for example with the name WinPE10_with_Bitlocker_support. If you want, you can then revert all the changes to the files.

Note that if you revert the changes and afterwards recreate your Preboot Environment, it will no longer support BitLocker.

Troubleshooting

To enable logging for Bootwiz, follow this link: https://www.symantec.com/docs/HOWTO84000
If something goes wrong, look at the DISM log, which is also very useful. You can find it at C:\Windows\Logs\DISM\dism.log

What I wish from Symantec for the Future of the Product

Please allow a selection of packages when creating a new Preboot Environment, like the one currently available when you run Bootwiz.exe manually.


If you run Bootwiz manually, you will see a list of additional components to install.


When creating new Preboot Environments, allow the selection of possible WinPE add-ons; this is far easier than modifying *.ini files!

Attachment: How to add Bitlocker Support to WinPE_EN_US.pdf (862 KB), uploaded Feb 25, 2020

Comments

Jan 03, 2019 09:06 AM

Nice post, thanks for sharing it!

Dec 14, 2018 09:19 AM

Very nice write up! Thanks for posting :)
