Radia - General Discussions

Brian Jakubowsky

BitLocker PIN disable on Radia Reboot

There was some discussion at the Radia Summit about getting Radia to not prompt for a BitLocker PIN upon reboot. I thought I would share what we do. We basically configure a "Post Connection Script" (EXBEXIT) in COP. As part of that we run this code. It is partial and written in WinBatch but I think you will get the point. Basically, it is determining if Radia will reboot. If so, it uses the Microsoft utilities to read if PIN and TPM are enabled. If so, it runs the code to disable the PIN entry for one reboot. The only drawback that we live with is if the user cancels reboot, the PIN will not be prompted for on the next reboot (which could be a while). However, our security team was fine with the risk as the device is still encrypted, there is just no PIN for one boot.

; hLogFile (open log handle), WinDir (Windows directory) and BootType (value of
; RADSETUP.BOOTTYPE) are set in the earlier, omitted part of the script.
FileWrite(hLogFile,StrCat(DateTime(),@tab,"Reboot (RADSETUP.BOOTTYPE) is ",BootType))
if BootType <> "N"
 FileWrite(hLogFile,StrCat(DateTime(),@tab,"A reboot is required. Running command to determine if PIN should be disabled on next reboot"))

 ManageBDE =  StrCat(WinDir,"\system32\manage-bde.exe") ; Default Location for 32-bit via Radia
 if FileExist(StrCat(WinDir,"\sysnative\manage-bde.exe"))
  ManageBDE =  StrCat(WinDir,"\sysnative\manage-bde.exe") ; if 64-bit, this is the location (32-bit agent must use sysnative)
 endif

 if FileExist(ManageBDE)
  output = GetStdOut(StrCat(ManageBDE," -protectors -get c:")) ; capture the protector listing for the OS volume
  if StrIndexNc(output,"TPM AND PIN",1,@FWDSCAN) ; case-insensitive search; 0 means not found
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"TPM AND PIN Found"))
   RunShell(ManageBDE, "-protectors -disable c:", "", @HIDDEN, @WAIT) ; suspend protection; PIN is skipped on next boot
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"Disabled PIN entry for next boot"))
  else
   FileWrite(hLogFile,StrCat(DateTime(),@tab,"TPM AND PIN NOT Found, not running command to disable PIN"))
  endif
 else
  FileWrite(hLogFile,StrCat(DateTime(),@tab,"Can not find manage-bde (key bitlocker file)"))
 endif
endif
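Added example, not code from the original post: the same decision as the WinBatch snippet above written as a PowerShell script, with David Smith's caveat from the comments built in (suspend only when a "TPM And PIN" protector is listed, and only for a single reboot via -RebootCount 1). It assumes Windows 8 or later, an elevated session, and that the caller passes RADSETUP.BOOTTYPE in as $BootType; the log path and function names are my own.

```powershell
# Added example (not from the original post). Suspends the BitLocker PIN prompt for
# exactly one reboot, and only when the OS volume actually has a TPM+PIN protector.
# Assumptions: run elevated; Windows 8 or later (manage-bde supports -RebootCount);
# $BootType is supplied by the caller from RADSETUP.BOOTTYPE as in Brian's script.
param(
    [string]$BootType = 'Y',      # 'N' means no Radia reboot is pending
    [string]$Volume   = 'C:',
    [string]$LogFile  = (Join-Path $env:TEMP 'pinswitch.log')   # hypothetical log path
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0}{1}{2}' -f (Get-Date -Format 's'), "`t", $Message)
}

# Locate manage-bde; a 32-bit process on 64-bit Windows must go through sysnative,
# exactly as the WinBatch version does.
function Get-ManageBde {
    $native = Join-Path $env:WINDIR 'sysnative\manage-bde.exe'
    if (Test-Path $native) { return $native }
    return (Join-Path $env:WINDIR 'system32\manage-bde.exe')
}

# $true only if manage-bde lists a "TPM And PIN" protector for the volume (case-insensitive).
function Test-TpmAndPinProtector([string]$ManageBde, [string]$Vol) {
    $out = (& $ManageBde -protectors -get $Vol 2>&1) -join "`n"
    return [bool]($out -imatch 'TPM And PIN')
}

if ($BootType -eq 'N') {
    Write-Log 'No reboot pending; leaving BitLocker protectors alone'
    return
}

$mbde = Get-ManageBde
if (-not (Test-Path $mbde)) {
    Write-Log "manage-bde not found at $mbde"
    return
}

if (Test-TpmAndPinProtector $mbde $Volume) {
    # -RebootCount 1 makes the suspension explicit: protection resumes after one restart.
    & $mbde -protectors -disable $Volume -RebootCount 1 | Out-Null
    Write-Log "TPM And PIN protector found; PIN prompt suspended for one reboot (exit code $LASTEXITCODE)"
} else {
    # TPM-only or other protectors: disabling here could leave the volume unprotected indefinitely.
    Write-Log 'No TPM And PIN protector listed; not suspending BitLocker'
}
```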

Craig Tonner

Similar process, written in TCL to determine if a REBOOT is required.

Called from EXBSETUP in a CLIENT.SETTINGS instance.

############################################################################
# logmsg: Log messages to file routine
############################################################################
proc logmsg { msg } {
 global logfile
 set fd [ open $logfile a ]
 puts $fd "[clock format [ clock seconds ] -format {%d%m%Y %X}] :: $msg"
 close $fd
}

############################################################################
# MAIN SECTION
############################################################################

nvd::init
global logfile
set logfile_start "${::NVDLOG}pinswitch"
set logfile "${logfile_start}.log"
set logfile_backup "${logfile_start}.bak"

if { [ file exist $logfile ] } { catch { file rename -force $logfile $logfile_backup } }

#CHECK 1 - Is Agent doing an immediate reboot?
logmsg "CHECKING for a flagged reboot via RADSETUP.EDM"
if { [ catch { set radsetup [nvdobj #auto -file ${::NVDLIB}RADSETUP.EDM] } err ] } {
 logmsg "----Error opening RADSETUP.EDM"
 exit
}
set BOOTIMMD [string trim [string toupper [$radsetup get 0 BOOTIMMD] ]]
$radsetup close

logmsg "----BOOTIMMD : $BOOTIMMD"

if { $BOOTIMMD == "Y" } {
 logmsg "* Agent requires an immediate reboot, disabling BitLocker PIN *"
 #INSERT PIN SWITCH CALL HERE#
 exit
} else {
 logmsg "* Agent does not require an immediate reboot *"
}

Craig Tonner

Correction: code called from EXBEXIT

David Smith

It's important to verify that the protectors are set to "TPM and PIN" before disabling the protectors. If BitLocker is set to TPM only, the protectors will remain disabled indefinitely. When the TPM and PIN protectors are set, BitLocker will automatically re-enable after a reboot.

Jamshed Qureshi

That's great Brian. I have an ER on this as well.
