Ejecting the CD Drive During a Task Sequence

If you are running a task sequence from local media such as a CD (or a USB stick, for that matter) and that task sequence enables BitLocker, make sure the media is ejected before the BitLocker step runs.

Why do you need to eject the device? When BitLocker is enabled with the TPM as a key protector, the volume key is sealed to the TPM's measurements of the boot path (the platform configuration register values). Those measurements record the firmware, boot components and devices active at that moment, including some BIOS configuration, and that is what protects against offline attacks such as boot-sector malware: if the measured boot path changes, the TPM will not release the key.

However, if you leave the CD in, enable BitLocker, and only then eject it, the next boot no longer matches the sealed measurements and Windows will ask for the BitLocker recovery key. You can tell people to remember to eject the disc first, but what if they forget? I have a little PowerShell snippet that you can place in a package and run as a PowerShell script step using the MDT integration, so the eject happens automatically before BitLocker is enabled.

Here is the script, also on SkyDrive: http://sdrv.ms/10XHgCt

# DriveType 5 = CD-ROM; NameSpace(17) is the Shell's "My Computer" (ssfDRIVES) folder,
# so ParseName on the drive letter returns the drive item and its Eject verb.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=5' | ForEach-Object {
    $Eject = New-Object -ComObject Shell.Application
    $Eject.NameSpace(17).ParseName($_.DeviceID).InvokeVerb('Eject')
}

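A fuller version of that step, added here as an example and not the script from the post or anything shipped with MDT: it ejects every optical drive, waits for the trays to actually open, confirms no media is still loaded, and exits non-zero so the task sequence fails before the BitLocker step rather than sealing the key with the disc present. The Microsoft.SMS.TSEnvironment COM object and the _SMSTSLogPath variable are the standard task-sequence ones; the log file name EjectMedia.log, the 15-second wait and the fallback log directory are my own choices.

```powershell
# Added example: eject optical media, verify it is gone, fail the step otherwise.
# Intended as a "Run PowerShell Script" step placed before "Enable BitLocker".

# Log next to the other task-sequence logs when running under MDT/ConfigMgr;
# fall back to C:\Windows\Temp when run by hand outside a task sequence.
$logDir = 'C:\Windows\Temp'
try {
    $tsEnv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $logDir = $tsEnv.Value('_SMSTSLogPath')
} catch {
    # Not inside a task sequence; keep the fallback directory.
}
$log = Join-Path $logDir 'EjectMedia.log'   # file name is an assumption of this example
function Write-Log ($msg) { "$(Get-Date -Format s) $msg" | Out-File -FilePath $log -Append }

# Precaution: if the current directory is on the disc, the volume is "in use"
# and the Eject verb is silently refused, so move off removable media first.
Set-Location C:\

$shell = New-Object -ComObject Shell.Application
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=5' | ForEach-Object {
    Write-Log "Ejecting $($_.DeviceID)"
    $shell.NameSpace(17).ParseName($_.DeviceID).InvokeVerb('Eject')
}

# InvokeVerb returns before the tray has opened; poll MediaLoaded for a while.
$deadline = (Get-Date).AddSeconds(15)
do {
    Start-Sleep -Seconds 1
    $loaded = Get-WmiObject Win32_CDROMDrive | Where-Object { $_.MediaLoaded }
} while ($loaded -and (Get-Date) -lt $deadline)

if ($loaded) {
    $loaded | ForEach-Object { Write-Log "Media still present in $($_.Drive)" }
    # A non-zero exit code fails the script step, so the BitLocker step never runs
    # with the disc still in the drive.
    exit 1
}
Write-Log 'No optical media loaded; safe to enable BitLocker'
exit 0
```

The check on Win32_CDROMDrive.MediaLoaded is the part worth keeping even if you trim the rest: the original one-liner fires the eject verb and moves on, so a drive with a stuck tray or a disc still spinning up would pass straight into the BitLocker step and you would only find out at the recovery-key prompt on the next reboot.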

About Martyn

Martyn is one of the Senior Cloud Architects and the DevOps Team Leader at Inframon, one of the world's leading cloud transformation specialists. Martyn is responsible for the architecture of some of the largest Azure deployments in EMEA and advises many businesses on their strategies. He is a regular speaker on Azure and DevOps at Microsoft events and community events, giving his insight to a growing number of audiences.
