PDA

View Full Version : Detect if PC has BitLocker enabled?



LiquidIce
09-02-2014, 06:45 AM
Hey guys,
I would like to know if there's a way to configure SetupBuilder to detect if the user has BitLocker enabled in his computer.

Thank you.

linder
09-02-2014, 07:20 AM
Hello,

The key question to ask yourself is: how would you check this without SetupBuilder? You can then convert this method to SetupBuilder, absolutely no problem.

For example, if the "HKEY_LOCAL_MACHINE\SOFTWARE\BitLocker" registry item can be used ("BitLockerEnabled" value name set to True) to detect an enabled BitLocker environment then you can use the "Get Registry Key Value..." script function in SetupBuilder to retrieve the status of BitLocker.

But you have to check with Microsoft if this is a valid method (on all supported Windows operating systems).

Does this help?

Friedrich

LiquidIce
09-02-2014, 08:06 AM
Hello,

The key question to ask yourself is: how would you check this without SetupBuilder? You can then convert this method to SetupBuilder, absolutely no problem.

For example, if the "HKEY_LOCAL_MACHINE\SOFTWARE\BitLocker" registry item can be used ("BitLockerEnabled" value name set to True) to detect an enabled BitLocker environment then you can use the "Get Registry Key Value..." script function in SetupBuilder to retrieve the status of BitLocker.

But you have to check with Microsoft if this is a valid method (on all supported Windows operating systems).

Does this help?

Friedrich

Hello Friedrich,

I looked over the windows registries and wasn't able to find any bitlocker registries in HKLM\SOFTWARE\BitLocker, but what I did find was a value in: HKLM\Software\Windows\CurrentVersion\WINEVT\Channe ls\Microsoft-Windows-BitLocker/BitLocker-Operational and in there was a registry called Enabled and was set to 0. The problem i'm having now is activate BitLocker because I'm running it on a Parallels VM and the BIOS doesn't have a TPM module, so I can't activate BitLocker.

But yes, it helps, thanks alot.

linder
09-02-2014, 08:30 AM
Same here. We tried to enable BitLocker (never used it before) to test it but can't enable it in VMWare Workstation. VMWare KB 2036142 says that "Microsoft does not support the use of BitLocker within a virtual machine bootable drive." :(

There is a HowTo "Using Bitlocker without TPM support in a Virtual Machine" but it does not work here.

http://blog.jbrown.ca/2010/11/using-bitlocker-without-tpm-support-in.html

Friedrich

LiquidIce
09-09-2014, 10:50 AM
Hello Friedrich,

I figured out how to get BitLocker on a virtual machine. On a different note, is there a way for SetupBuilder to activate the encryption on a drive?

Regards,

Alejandro

linder
09-09-2014, 11:08 AM
Alejandro,

How would you do it programmatically without SetupBuilder. I can then help you switch this method over to your setup.

Friedrich

LiquidIce
09-10-2014, 04:06 AM
Hello Friedrich,

If you look at this post: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2012/AdminTips/Admin/enabling-bit-locker-command-line.html
You can see how BitLocker can be activated via CMD. I'm guessing that I can do it via a "Run command" on the installer, but I want to make sure with you that it could work.

Regards,

Alejandro

linder
09-10-2014, 04:11 AM
Alejandro,

Yes, if it can be activated via CMD then you can use the "Run Command Line..." or "Run Program..." script functions.

Friedrich

LiquidIce
09-10-2014, 04:25 AM
Hello Friedrich,

I figured out how to do it with the CMD, but it requires Administrator permissions, does the installer run things as administrators?

Regards,

Alejandro

linder
09-10-2014, 04:30 AM
Alejandro,

Yes, by default, the installer runs "elevated". General Information -> Generator Settings -> "UAC Execution Level" set to requireAdministrator.

Friedrich

LiquidIce
09-10-2014, 09:59 AM
Hello Friedrich,

Is there a way to see what the "Run command line" output is? Because I am executing a command on the setup and for some reason it doesn't work, but that same command on CMD works fine. I even added a > to output but it ends up empty. Here is what I tell the program to do:

cmd.exe /C manage-bde -on D: -RecoveryKey C: -RecoveryPassword > "C:\.uzencrypt.txt"

Alejandro

linder
09-10-2014, 10:47 AM
Alejandro,

I think this is an interesting method:

http://www.lindersoft.com/forums/showthread.php?p=78299#post78299

Friedrich

LiquidIce
09-10-2014, 10:52 AM
Hello Friedrich,

I tried that but the file turns out empty. Here is what the line is set to do:
http://cl.ly/image/0s2k3y2P3L3U/Screen%20Shot%202014-09-10%20at%2017.51.59.png

Alejandro

linder
09-10-2014, 10:59 AM
Alejandro,

That simply means that the command line did nothing ;) Windows handles the redirection into the file. So if the file is empty, the command line output was empty ;)

Friedrich

linder
09-10-2014, 11:01 AM
BTW, I think your command line is incorrect. You need a fully qualified path specification to the manage-bde.exe location in Windows.

Friedrich

LiquidIce
09-12-2014, 06:21 AM
BTW, I think your command line is incorrect. You need a fully qualified path specification to the manage-bde.exe location in Windows.

Friedrich

That's weird... If the setup runs in "elevated", in theory manage-bde should start form system32 and I already specify it by adding %SYS32DIR%...


Alejandro.

linder
09-12-2014, 06:45 AM
Alejandro,

Yes, in theory <g>. But all this has nothing to do with your elevated running setup. You need the correct specification for the "CreateProcess" API (you are using this now) or the "ShellExecuteEx" API call.

BTW, I see quite a few references to "cmd.exe /c %WINDIR%\sysnative\manage-bde.exe -status" yada yada on Google. Perhaps you have to use something similar to this. I have never used "manage-bde.exe" so unfortunately, I can't tell you what the correct parameters and switches are.

Friedrich

LiquidIce
09-12-2014, 06:57 AM
Friedrich,

The parameters sent to manage-bde are correct, I tested them on a CMD before putting them on the line of code. Is it possible to make a .bat file and make the installer run it as administrator? If so, I'll just make the .bat and it seems to work when I do so.

Alejandro.

linder
09-12-2014, 07:02 AM
Alejandro,

There is as fundamental difference between CMD and calling from an application!!! Your >output.txt was emty; this means the parameters and/or calling method were incorrect ;)

See my previous post. Perhaps you have to use %WINDIR%\sysnative\manage-bde.exe?

Friedrich

linder
09-12-2014, 07:08 AM
"sysnative" is the important part here. Perhaps "manage-bde.exe" is a 64-bit tool? Sysnative is a virtual folder, a special alias, that can be used to access the 64-bit
System32 folder from a 32-bit application or script. Using the 'Sysnative' folder will help you access 64-bit tools from 32-bit code

Friedrich

linder
09-12-2014, 07:13 AM
Alejandro,

See attached screenshot. The file you are trying to call is located in the 64-bit Windows System folder, not the 32-bit one. That's why it failed in your case. Fix this and you should be done.

Friedrich

LiquidIce
09-12-2014, 08:15 AM
Hello Friedrich,

I fixed it by doing:


Run Command Line cmd.exe /C %WINDIR%/sysnative/manage-bde.exe > C:\status.txt [Wait]

Thanks for the help.

Regards,

linder
09-12-2014, 09:16 AM
Hi Alejandro,

Perfect. You are welcome :)

Friedrich