BitLocker & BIOS Boot Order
One of the “gotchas” of BitLocker security is that not having the hard drive first in the BIOS boot order can cause BitLocker's protection to be triggered, requiring manual entry of the 48-character key upon the next system restart. This is frustrating for users, especially when they are travelling and unable to reach the help desk. So, during an OS deployment, make the effort to change the boot order in BIOS.
To do this with HP
- Obtain the BIOSConfigUtility in the Systems Software Manager
- Create a text file named “BootOrder.REPSET”. The text file contains the below content. Note that I found it is necessary to define two devices to modify the boot order.
English
Boot Order
	Hard Drive(C:)
	Notebook Upgrade Bay
- Run command
BiosConfigUtility.EXE /SetConfig:BootOrder.REPSET
To do this with Dell
- Obtain the Client Configuration Toolkit
- Run command
cctk.exe bootorder --sequence=hdd
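The two vendor procedures above can be combined into one deployment step that picks the tool by manufacturer. This is an added example, not part of the original post; it assumes BiosConfigUtility.exe and cctk.exe have been copied next to the script, that both tools return a non-zero exit code on failure, and that the HP device names match the model being deployed.

```powershell
# Added example: put the hard drive first in the boot order using the
# vendor tool that matches this machine.
# Assumptions: the tools sit in the same folder as this script, and a
# non-zero exit code from either tool means the change was not applied.
$ErrorActionPreference = 'Stop'
$toolDir = $PSScriptRoot

function Invoke-Tool {
    param([string]$Exe, [string[]]$Arguments)
    $path = Join-Path $toolDir $Exe
    if (-not (Test-Path $path)) { throw "Tool not found: $path" }
    # Run from the tool folder so the relative REPSET name resolves.
    $p = Start-Process -FilePath $path -ArgumentList $Arguments `
        -WorkingDirectory $toolDir -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Exe exited with code $($p.ExitCode)" }
}

$vendor = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer

switch -Regex ($vendor) {
    '^(HP|Hewlett-Packard)' {
        # REPSET layout from the post: setting name, then tab-indented
        # devices in the desired order (two devices are listed).
        $lines = 'English', 'Boot Order', "`tHard Drive(C:)", "`tNotebook Upgrade Bay"
        Set-Content -Path (Join-Path $toolDir 'BootOrder.REPSET') -Value $lines -Encoding ASCII
        Invoke-Tool -Exe 'BiosConfigUtility.exe' -Arguments '/SetConfig:BootOrder.REPSET'
    }
    '^Dell' {
        Invoke-Tool -Exe 'cctk.exe' -Arguments 'bootorder', '--sequence=hdd'
    }
    default {
        # Fail the step so the deployment log shows the machine was skipped.
        Write-Warning "No boot-order tool configured for manufacturer '$vendor'."
        exit 1
    }
}
Write-Output "Boot order updated on '$vendor' hardware."
```

Because the script stops on a missing tool or a non-zero exit code, a machine whose boot order was not changed shows up as a failed step instead of going on to be encrypted with the wrong order.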
If you did not do this during the initial deployment of the OS, never fear, SCCM is here! Using task sequences, you can automate setting the hard drive to be first in the boot order and re-sealing the TPM by performing the following steps:
August 14, 2012 at 2:44 am
How about a Lenovo way of doing this?
August 14, 2012 at 6:49 am
Unfortunately I’ve not worked with Lenovo in this capacity, so I do not know for certain. Otherwise I would certainly post the info! :-)