A TPM is a microchip designed to provide basic security-related functions,
primarily involving encryption keys. BitLocker Drive Encryption (BDE)
is a full-disk encryption feature that protects data by encrypting
entire volumes. By default, it uses the AES encryption algorithm in
CBC mode with a 128-bit key, combined with the Elephant diffuser for
additional disk-encryption-specific security that AES alone does not
provide.
Windows 10 IoT Enterprise does not support sysprep on a BitLocker-encrypted
device. Because of this limitation, you cannot encrypt the device, run
sysprep, and then pull the image. To work around it, you must add or
modify the TPM-related part of the script that handles TPM: the device
must not be encrypted before sysprep (pull). Device encryption is instead
handled by the post-push script, which calls the TPM_enable.ps1 script
located at C:\Windows\setup\tools\. This call must run after the sysprep
scripts and before UWF is enabled. The PIN used to encrypt the client
must be passed to the script as an argument.
To use TPM and BitLocker, do the following:
1. Enable TPM from the BIOS menu.
2. Modify the TPM-related part of the script, based on the imaging solution:
   - Custom FICore imaging method: uncomment the lines below and update the PIN for TPM encryption in C:\Windows\Setup\CustomSysprep\Modules\Post_CustomSysprep.psm1
     #cd C:\windows\setup\Tools\TPM\
     #.\TPM_enable.ps1 -pin 1234
   - SCCM push: uncomment the lines below and update the PIN for TPM encryption in C:\Windows\Setup\ConfigMgrSysprep\Modules\Admin_ConfigMgrSysprep.psm1
     #cd C:\windows\setup\Tools\TPM\
     #.\TPM_enable.ps1 -pin 1234
   - Non-factory environment (WDM, WSI, USB imaging solution): uncomment the lines below and update the PIN for TPM encryption in Post_CustomSysprep.psm1
     #cd C:\windows\setup\Tools\TPM\
     #.\TPM_enable.ps1 -pin 1234
If the client was encrypted previously, do the following to clear the TPM:
1. Enter the BIOS mode.
2. In the TPM configuration, set Change TPM Status to Clear, and then apply the settings.
3. Reboot the device, and enter the BIOS mode again.
4. Set Change TPM Status to Enable and Activate.
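The post-push encryption step above, as an added pre-flight wrapper (example code, not Dell's TPM_enable.ps1 or the vendor .psm1 modules): it confirms the TPM is ready and the OS volume is still unencrypted before calling the script, then verifies the protector that results. The function name, the -OsDrive and -ScriptPath parameters and the 4-20 digit PIN pattern are assumptions; the script path and -pin argument are taken from the page.

```powershell
# Added example (hypothetical wrapper); assumes the vendor script path and its
# -pin argument exactly as documented above. Run from the post-push module
# in place of the uncommented "cd ... ; .\TPM_enable.ps1 -pin 1234" lines so
# the PIN is supplied at call time instead of being stored in the .psm1.
#Requires -RunAsAdministrator
function Invoke-TpmBitLockerPostPush {
    param(
        # Numeric PIN; the 4-20 digit range is the BitLocker policy window,
        # the effective minimum is whatever your startup-PIN policy sets.
        [Parameter(Mandatory)][ValidatePattern('^\d{4,20}$')][string]$Pin,
        [string]$ScriptPath = 'C:\Windows\setup\Tools\TPM\TPM_enable.ps1',
        [string]$OsDrive    = $env:SystemDrive   # normally 'C:'
    )
    # 1. TPM must be present and ready. If it is not, the BIOS steps above
    #    (Enable/Activate, or Clear after a previous encryption) were skipped.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); fix in BIOS first."
    }
    # 2. The OS volume must still be unencrypted: sysprep on an encrypted
    #    device is unsupported, so an already-encrypted volume means the
    #    image was pulled from the wrong state and must be cleared/re-imaged.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$OsDrive is $($vol.VolumeStatus); clear the TPM and re-image before this step."
    }
    # 3. Run the vendor script the same way the module lines do (from its folder).
    if (-not (Test-Path $ScriptPath)) { throw "Missing $ScriptPath" }
    Push-Location (Split-Path $ScriptPath)
    try { & $ScriptPath -pin $Pin } finally { Pop-Location }
    # 4. Verify the outcome before UWF is enabled: a TPM+PIN protector must
    #    exist, and a recovery password should be escrowed, or a locked
    #    device after a firmware/PCR change cannot be recovered.
    $vol   = Get-BitLockerVolume -MountPoint $OsDrive
    $types = @($vol.KeyProtector.KeyProtectorType)
    if ('TpmPin' -notin $types) {
        throw "No TpmPin protector on $OsDrive; protectors present: $($types -join ',')"
    }
    if ('RecoveryPassword' -notin $types) {
        Write-Warning "No recovery password protector on $OsDrive; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector and back it up."
    }
    [pscustomobject]@{
        Drive      = $OsDrive
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Protectors = $types
    }
}
```

Call it as Invoke-TpmBitLockerPostPush -Pin '<your PIN>' from the post-push module; the returned object can be logged to confirm the volume state on each imaged device.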