Using bitlocker with HP Easy Shell on thin client

Misterfountain · ‎01-07-2019

We are using HP t630 thin clients with Windows 10 IoT and HP Easy Shell.

The organisation requires that al portable storage devices need te be bitlocker encrypted.

Storage devices are forwarded to Citrix just fine, also encrytping new devices works, user is getting the bitlocker options from Windows 10 IoT.

What not works is when a user is pluging in his bitlocker encrypted device, he does not get the Window for entering the password, the device is mapped in Citrix but is not accessable.

The problem is that HP Easy Shell is replacing explorer.exe and I think the bitlocker password Window needs Explorer.exe to work.

I tryed a workarround using a powershell script for unlocking devices but it needs administrator rights and that's not an option.

Are there other solutions?

Misterfountain · ‎01-08-2019

After some further investigation I found a workable solution, it's not perfect but it gives the user the possibility to unlock a bitlocked storage device.

I made a new program in Easy Shell that launches bdeunlock.exe with argument 😧 (every storage device you plug in will be drive D)

The user has to plug in his storage device and run the program to get the password window before he starts his Citrix workspace.

The possible cons of this solution:

- it's not possible to automatically start the Citrix workspace full screen

- The user must plug in and unlock his storage device beforce he starts his Citrix workspace

you can overcome these cons by giving the user the option to minimize his workspace and go back to the HP Easy Shell.

Misterfountain · ‎08-26-2019

OK forget the last workarround, I have the perfect working solution.

I made a PowerShell script that runs when WIndows 10 starts bij placing it in the startup dir.

The script is constantly listening in the background if USB storage devices are connecting to a USB port. When that happens it captures this and it will trigger bdunlock.exe witch will give the user a Bitlocker unlock screen to enter password.

Save this to a .ps1 file en make shure is starts when Windows starts.

Register-WmiEvent -Class win32_VolumeChangeEvent -SourceIdentifier volumeChange
Write-Host (Get-Date -Format s) " Beginning script..."
do{
$newEvent = Wait-Event -SourceIdentifier volumeChange
$eventType = $newEvent.SourceEventArgs.NewEvent.EventType
$eventTypeName = switch($eventType)
{
1 {"Configuration Changed"}
2 {"Device Arrival"}
3 {"Device Removal"}
4 {"Docking"}
}
Write-Host (Get-Date -Format s) " Event detected = " $eventTypeName
if ($eventType -eq 2)
{
$driveLetter = $newEvent.SourceEventArgs.NewEvent.DriveName
Write-Host (Get-Date -Format s) " Drive name = " $driveLetter
# Execute process if drive matches specified condition(s)
if ($driveLetter -eq 'D:')
{
Write-Host (Get-Date -Format s) " Starting task in 3 seconds..."
Start-Sleep -Seconds 3
Start-Process bdeunlock.exe 😧
}
elseif ($driveLetter -eq 'E:')
{
Write-Host (Get-Date -Format s) " Starting task in 3 seconds..."
Start-Sleep -Seconds 3
Start-Process bdeunlock.exe E:
}
elseif ($driveLetter -eq 'F:')
{
Write-Host (Get-Date -Format s) " Starting task in 3 seconds..."
Start-Sleep -Seconds 3
Start-Process bdeunlock.exe F:
}
elseif ($driveLetter -eq 'G:')
{
Write-Host (Get-Date -Format s) " Starting task in 3 seconds..."
Start-Sleep -Seconds 3
Start-Process bdeunlock.exe G:
}
}
Remove-Event -SourceIdentifier volumeChange
} while (1-eq1) #Loop until next event
Unregister-Event -SourceIdentifier volumeChange

Create an account on the HP Community to personalize your profile and ask a question