About redrockSWE
Hi guys. I have been working on deploying BitLocker on running Windows 7 machines using a task sequence. I have only found guides showing how to do this via scripts, or how to do this when deploying a computer, not how to push this to active running Windows 7 machines. I'm hoping that this thread could help me with some issues I have, and hopefully assist others.

I'm using scripts from here: http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205

So there are a couple of scenarios I have to consider when deploying BitLocker:

* Computers with a BitLocker partition, but no active TPM chip
* Computers with an active TPM chip but no partition
* Computers that have neither an active TPM chip nor a BitLocker partition (would be most common)

I'm running a lot of batch files; this is because it gives me better logging possibilities. I want to store what happens on a network drive so in case of problems we can easily find out what has happened. Plus, I just like batch files.

Outline of the current task sequence (all steps have "continue on error"):

1. Connect to network folder (maps a network folder, in my case W:, in order to later copy log files to the network share).

2. Create a folder. Command line that runs a .bat with a service account that's local admin on the machine. folder.bat:

    md c:\Bitlockertemp

3. Create partition (have issues with this step). Command line: Partition.bat >>c:\Bitlockertemp\DOSpartition.txt, with "Disable 64-bit file system redirection", running with the service account. Partition.bat:

    PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1;C:\WINDOWS\system32\en-us;
    bdehdcfg.exe -target default

   This should either create a BitLocker partition, or say that you already have one.

4. Enable TPM (and BitLocker if possible). Command line: enable.bat >>c:\Bitlockertemp\DOSLogEnable.txt, running with the service account. This will either enable the TPM and require a restart, or enable BitLocker. Enable.bat:

    cscript.exe %~dp0EnableBitLocker.vbs /on:tpm /l:C:\bitlockertemp\BitLocker.log
    echo off
    rem "call" is needed so control returns to this file; without it the lines after the if never run
    if EXIST w:\%computername%\bitlocker-backup-key-package1 (echo "Already done") ELSE ( call %~dp0keyupload.bat>>c:\Bitlockertemp\DOSLogKeyupload.txt)
    echo on
    Net use w: /delete /y
    rd c:\bitlockertemp /s /q

   Keyupload.bat:

    echo off
    md w:\%computername%
    cscript %~dp0GetBitLockerKeyPackage.vbs C:\Bitlockertemp\bitlocker-backup-key-package >> c:\Bitlockertemp\BitLockerKey.txt
    copy c:\Bitlockertemp\BitLockerKey.txt w:\%computername%
    copy c:\Bitlockertemp\DOSpartition.txt w:\%computername%
    copy c:\Bitlockertemp\DOSLogEnable.txt w:\%computername%
    copy c:\Bitlockertemp\DOSLogKeyupload.txt w:\%computername%
    copy c:\Bitlockertemp\bitlocker-backup-key-package1 w:\%computername%
    copy c:\Bitlockertemp\BitLocker.log w:\%computername%
    copy c:\Bitlockertemp\ADupload.log w:\%computername%
    rd c:\bitlockertemp /s /q

   GetBitLockerKeyPackage.vbs is for checking if AD has received the BitLocker key.

5. Restart computer, set to "The currently installed default operating system". Notify the user before restarting: "Your computer is being restarted, if prompted to press F1, please do so".

6. Connect to network folder again.

7. Enable BitLocker: runs enable.bat again, same as step 4.

8. Disconnect network drive, simple command: Net use w: /delete /y

My current issue: it's with creating a BitLocker partition. Running just "bdehdcfg.exe -target default" fails. I had to add PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1;C:\WINDOWS\system32\en-us; in order to get it to actually run. But the issue I'm seeing is that when running this the computer stops at creating partition. Nothing happens, the task sequence does not stop. Not sure if the whole task sequence is fubar or if I am on the right track.

Running the scripts by double clicking on them works like a charm. And the rest of the steps seem to work fine. Any assistance or input would be appreciated.

Edit: I'm running SCCM 2007
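As an added example (not the poster's code and not from the MSDN script package), here is a PowerShell 2.0 pre-flight check that classifies a running Windows 7 machine into the three scenarios listed in the post before the task sequence calls bdehdcfg or EnableBitLocker.vbs, logs the result into the post's C:\Bitlockertemp folder, and exposes it as a task sequence variable so later steps can be conditioned on it. The variable name BLScenario and the log file name Preflight.txt are assumptions; it assumes it runs elevated (the service account in the post).

```powershell
param([string]$LogRoot = 'C:\Bitlockertemp')

function Get-TpmState {
    # Win32_Tpm method calls return an object carrying the result, e.g. IsEnabled().IsEnabled
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm)                           { return 'NoTpm' }
    if (-not $tpm.IsEnabled().IsEnabled)     { return 'Disabled' }
    if (-not $tpm.IsActivated().IsActivated) { return 'NotActivated' }
    if (-not $tpm.IsOwned().IsOwned)         { return 'NotOwned' }
    return 'Ready'
}

function Test-SeparateSystemPartition {
    # The active (boot) partition should be the small system partition without a drive letter.
    # If it maps to the OS drive instead, "bdehdcfg -target default" still has to carve one out.
    $active = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition })
    foreach ($p in $active) {
        $q  = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
        $ld = @(Get-WmiObject -Query $q | Where-Object { $_.DeviceID -eq $env:SystemDrive })
        if ($ld.Count -gt 0) { return $false }
    }
    return ($active.Count -gt 0)
}

function Get-OsProtectionStatus {
    # Win32_EncryptableVolume.GetProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if (-not $vol) { return 2 }
    return [int]$vol.GetProtectionStatus().ProtectionStatus
}

$tpm  = Get-TpmState
$part = Test-SeparateSystemPartition
$prot = Get-OsProtectionStatus
# Map the readings onto the post's scenarios: NeedsTpm (partition, no TPM), NeedsPartition
# (TPM, no partition) and NeedsBoth (the most common case); EnableBitLocker means both are ready.
$scenario = if ($prot -eq 1)                     { 'AlreadyProtected' }
            elseif ($tpm -eq 'Ready' -and $part) { 'EnableBitLocker' }
            elseif ($part)                       { 'NeedsTpm' }
            elseif ($tpm -eq 'Ready')            { 'NeedsPartition' }
            else                                 { 'NeedsBoth' }

if (-not (Test-Path $LogRoot)) { New-Item -ItemType Directory -Path $LogRoot | Out-Null }
"$(Get-Date -Format s) TPM=$tpm SystemPartition=$part OsProtection=$prot Scenario=$scenario" |
    Add-Content -Path (Join-Path $LogRoot 'Preflight.txt')

# Publish the result as a task sequence variable (BLScenario is an assumed name); outside a
# task sequence the Microsoft.SMS.TSEnvironment COM object does not exist, so fall back to output.
try { $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment; $ts.Value('BLScenario') = $scenario }
catch { Write-Host "Not inside a task sequence: Scenario=$scenario" }
```

With the variable set, the "Create partition" and "Enable TPM" steps can each carry a task sequence variable condition so that bdehdcfg only runs when a partition is actually missing, and the log line shows which path a machine took when it hangs.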