Skip Bitlocker detection?
-
-
@Sebastian-Roth said in Skip Bitlocker detection?:
@gwhiteia said in Skip Bitlocker detection?:
Yes, we use BL without the TPM
But how?
We disable TPM in the BIOS prior to building our image and modify a few GPO settings to use passwords instead of PINs
-
@Sebastian-Roth said in Skip Bitlocker detection?:
But how?
If you run bitlocker without TPM you have an option to use a usb key with the certificate installed or with a preboot password that is managed by the uefi boot loader. It is surely not as secure at the tpm route, but if you have no option, you have limited choices.
Some countries may mandate to not use tpm protection.
-
@george1421 @gwhiteia Ok, so essentially it means we should not error out when detecting bitlocked partitions. But then we will end up with more people asking why their image is so big.
Printing a warning is of no use because it Just skips past with no one noticing it.
-
@Sebastian-Roth The idea as I understand it, there should be a one time flag (akin to debug flag and location) that will allow the FOG Admin to bypass the check. This is for a one-off situation. 99% of the time its proper to warn the FOG Admin that bitlocker is on and he/she should disable it first. For that remaining 1% of the time of the FOG Admin wants to bypass this stop the FOG should let them (i.e. play with matches and a stick of dynamite. “What could go wrong??”)
-
@george1421 Yeah, you are right. I forgot about this part earlier being discussed here in this topic. We shall look into adding this.
-
I have added this “Feature” to 1.6 branch.
I have not added the code to the fos engine stuff, as I’ll leave that up to whomever is building them right now. I don’t have a build environment and we don’t have automated building setup yet (that I am aware of at least)
https://github.com/FOGProject/fogproject/commit/bff919e655d9a239040133466874b19c82562bf9
Essentially, I added the checkbox to bypass bitlocker detection when a capture task is selected. It uses Scheduled Task other5 field to store if this was set or not, and creates a new column for setting this flag in the task.
When this flag is set, it sets the kernel arg
bitlockerbypass=1
making it easy enought to look for in the bitlocker check function.Let me know if you have any other questions.
-
@Tom-Elliott said in Skip Bitlocker detection?:
FOG already has the capability to do this, but we added a check because that was the “thought” we needed to do.
You can modify the file yourself.
You are, hopefully, familiar with postinit scripts:
The file you’ll want to replace is:
/usr/share/fog/lib/funcs.shThe line you would need to comment:
Line 290 in fsTypeSetting function.You should then have the ability to capture/deploy images using the “imager/raw” method.
I don’t see the directory you’ve listed above?
/usr/share/fog/… doesn’t seem to exist?
-
@gwhiteia That’s not going to exist on your server.
This exists on your client machines when they’re in an imaging task.
-
@gwhiteia What version of FOG are you running? 1.5.9?
-
@Tom-Elliott said in Skip Bitlocker detection?:
I have not added the code to the fos engine stuff, as I’ll leave that up to whomever is building them right now. I don’t have a build environment and we don’t have automated building setup yet (that I am aware of at least)
Cool! I will add this to our
dev-branch
and FOS code in the next days.@gwhiteia You would need to update to the latest
dev-branch
to get this feature. Please let me know if you are keen to go there or if you want to wait for the next release (not before Christmas I am fairly sure)? -
@george1421 said in Skip Bitlocker detection?:
@gwhiteia What version of FOG are you running? 1.5.9?
Yes…1.5.9
-
@gwhiteia Well I can either walk you through updating what you need or you can wait until this feature is available in the dev branch. It should take about 15 minutes of hands on time to setup the patch. You will just have to remember to remove it (one line of code) when 1.5.10 is released later this year.
The decision is yours.