anyweb, posted January 20, 2015

This is version 4.0 of the original windows-noob FrontEnd HTA, and this time it has evolved to support System Center 2012 R2 Configuration Manager using UEFI (or legacy capable) hardware running Windows 8.1 Enterprise with Update. For the purpose of documenting the history of this HTA I'll list the previous versions below and which version of Configuration Manager with MDT Integration they were designed to work with:

Ver 1. - windows-noob FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)
Ver 2. - The BitLocker FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)
Ver 3. - The CM12 BitLocker FrontEnd HTA (Configuration Manager 2012 R2 & MDT 2012 update 1)

The key point of this FrontEnd that makes it stand out from others is that it allows you to Backup, Reinstall or do New Computer scenarios on BitLocker encrypted UEFI computers while still in WinPE.

Update: June 25th, 2015. I've added the ability to BitLocker Hyper-V Virtual Machines (Generation 2) during a New Computer scenario, see this post for details.

Let's take a look at the main features. The FrontEnd has tabs to allow you to easily navigate through the options. In each tab are further options which can be enabled via checkboxes or via drop down menus or other clickable buttons.

The About tab

In the About tab (default view) you get to see some information about the frontend itself, and whether the computer name (detected by the webservice) is already in AD; if it is, it will be highlighted in blue as shown below. If the computer is not in AD then you'll be informed of the fact with a nice red colour and a message as shown below. In addition you can optionally enter a username which will also be checked against AD membership via a web service. The username entered must be entered as simply the username; do not specify a domain name or \ in front of the username as this will generate an error.

Below you can see what happens when the user name provided is not detected in AD, and below you can see when the user is detected in AD. The username entered here will become the Primary user of the computer and, if enabled in the task sequence, they will become the local administrator of that computer.

The Backup tab

The backup tab allows you to perform quick or extensive disc checking on the disc in cases where you feel there may be problems with the disc that you'd like to be fixed before backing it up. You have the ability to do a Full WIM backup of the computer which can either be stored locally on that computer or on a network share; the network share (and sub folder) are defined in the task sequence in the following steps:

Finally, you can backup the User state to a network share called USMTStores by choosing the last option, xcopy to network. Once this user state is backed up to the network you'll be informed of the progress and then the task sequence will shutdown the computer. This captured state can be restored later on another computer using the New Computer tab via the State Restore Options drop down menu.

The Reinstall tab

The Reinstall tab allows you to reinstall the computer with Windows 8.1 with update while retaining the user's data using hard linking. In addition, you can choose to change the regional and language options via the two drop down menus. In addition to the above, you can select to install the System Center Endpoint Protection antivirus client agent and enable BitLocker.

The New Computer tab

The New Computer tab is where you'll want to do your New Computer installations, and it offers you the same options as the Reinstall scenario, but in addition, you can specify the encryption level (algorithm) that BitLocker uses.

In addition, you can use the State Restore Options drop down menu to select the type of restore you want to achieve. If you select SMP (State Migration Point) then you should have backed up (captured) user data to the SMP from a source computer beforehand. In addition to restoring from the SMP, you can choose to restore previously backed up User state (via the xcopy to network backup option) by selecting the profile name listed.

The tools tab

This tab provides some tools to help the operator view useful information about the computer they are working on, or, for example, to open up SMSTS.LOG via the CMTrace tool, or to open a cmd prompt for troubleshooting. In addition you can click on the Deployment Info icon to see detailed information about the computer, including whether it is in an encrypted state or not.

Finally, you can use the top three boxes to search for computer names, which if found will be shown in the drop down menu, and from there you can select one, and then click on the Make Association button. This will make an association with the computer you are currently using and the target you selected.

Tip: you can verify this association via the User State Migration node in Assets and Compliance in the System Center 2012 R2 Configuration Manager console as shown below.

Note: If you like to experiment, then after making an association above, go back to the Backup tab, and without selecting anything in Backup options, click on Proceed. This is an experimental feature still in development so your results may vary.

What about the rest of the features

The task sequence and associated scripts do more than the above, and below I've listed the main features.

* detects if there is no power cord plugged in to your laptop and alerts you of the fact.
* detects if the hardware is Surface Pro 3 and installs the driver package
* if no TPM is found it disables the BitLocker capability in the HTA
* allows you to do Reinstall computer scenarios on Hyper-V enabled Gen 2 virtual machines with BitLocker.
* allows you to Notify the end user if the task sequence was successful or unsuccessful
* creates a REG key upon successful task sequence completion and adds it to the registry
* creates a text file in c:\ with the DATE and TIME to demonstrate successful task sequence
* copies CMTrace.exe to the Windows\ of the OS drive.

Download the HTA

Ok now that you've seen the above you'll no doubt want to try it, trust me it's worth it, but it's not for the faint hearted. For that reason I'll produce a Part 2 of this guide which will help you with installation of the bits and pieces.

The CM12 UEFI BitLocker HTA.zip

Unzip the contents, you'll find a ZIP file within, you should import that as a Task Sequence in System Center 2012 R2 Configuration Manager. Once done you cannot save the task sequence until you satisfy all the missing packages it references and they are listed in the rough guide. You will need the following in place before trying to use the HTA to its full potential.

* Configuration Manager 2012 R2
* MDT 2013 integrated with Configuration Manager 2012
* Language packs for the Appropriate Operating System
* Maik Kosters Web Services (version 7.3)
* MBAM Server 2.0 (or greater) to store and manage the BitLocker encryption recovery keys

The other two folders should be used as packages that are referenced in the task sequence. Please review Part 2 for installation and setup instructions or if you can't wait, review the Rough Guide (it's rough, trust me) text file included in the download zip.

Related Reading

* The CM12 UEFI BitLocker Frontend HTA - Part 2. Installation - https://www.windows-noob.com/forums/topic/11900-the-cm12-uefi-bitlocker-frontend-hta-part-2-installation/
* CM12 in a Lab - How can I Enable BitLocker on Hyper-v Gen 2 virtual machines during OSD using System Center 2012 R2 Configuration Manager ?
* CM12 in a Lab - How can I reinstall BitLockered UEFI computers using network boot and System Center 2012 R2 Configuration Manager ?

Thanks !

I want to say thanks to my beta testers Eswar Koneti, Peter van Der Woude and Paul Winstanley for their support during this development.

Kevin79, posted March 11, 2015

How do I make the usable space in the HTA bigger? I want to add a couple items and I am in no way an expert in HTML/CSS.

Kevin79, posted March 13, 2015

I figured out how to make the usable space bigger, now I have another question. How do I have the default values for Regional Options and Language Options be blank and force the user to select a value before proceeding?

Kevin79, posted March 17, 2015

Anyone to the above questions? Also, where do I change the partition label? I don't want the partition to be "OSPART" but am unsure of where to change it in the TS.

anyweb, posted March 18, 2015

you'd need to change the validation.js to check for those values and if null prompt the end user, check the format and partition disk steps, the variable is used there, however if you change it you will need to look through the other steps where it is also used

Kevin79, posted March 18, 2015

Any tips on how I would do the validation? I don't know javascript very well.

anyweb, posted March 18, 2015

here's how I do it in another task sequence I'm working on, basically I force the user to choose a backup, you can modify this to work with the regional drop down variables instead... and change NORESTORE to None which is what those two drop downs are currently set to if no one makes a choice...

    {
        // Task sequence environment, used to set task sequence variables
        var oEnvironment = new ActiveXObject("Microsoft.SMS.TSEnvironment");
        var usmtdrop = document.getElementById('shareDropDown');
        //alert ('usmtdrop ='+usmtdrop.options[usmtdrop.selectedIndex].value);
        if (usmtdrop.options[usmtdrop.selectedIndex].value == "NORESTORE")
        {
            // Drop down is still on its default value: stop here
            alert ('You need to select a previous backup file before clicking continue.');
            return;
        }
        else
        {
            //alert ('restore file seems to be selected');
        }
        // Store the chosen backup in the RESTORE_FILE task sequence variable
        var usmtvalue = usmtdrop.options[usmtdrop.selectedIndex].value;
        oEnvironment("RESTORE_FILE") = usmtvalue;
    }
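
The same check adapted to the Regional Options and Language Options drop downs, as an added example that is not part of the original thread or of the HTA's own validation.js. The element IDs, the task sequence variable names and the notify/setVar callbacks are assumptions; in the HTA, notify would be alert and setVar would wrap oEnvironment(name) = value.

```javascript
// Added example. IDs, labels and task sequence variable names are hypothetical.
var PLACEHOLDER = "None"; // value the drop downs hold when no choice was made (per the post)

var REQUIRED_DROPDOWNS = [
  { id: "regionalDropDown", label: "Regional Options", tsVar: "REGIONAL_CHOICE" },
  { id: "languageDropDown", label: "Language Options", tsVar: "LANGUAGE_CHOICE" }
];

// Selected value of a <select>, or null if the element is missing
// or nothing is selected (selectedIndex of -1).
function selectedValue(doc, id) {
  var el = doc.getElementById(id);
  if (!el || el.selectedIndex < 0 || !el.options[el.selectedIndex]) { return null; }
  return el.options[el.selectedIndex].value;
}

// Check every required drop down so all missing choices are reported together.
function checkDropDowns(doc, fields, placeholder) {
  var missing = [], values = {};
  for (var i = 0; i < fields.length; i++) {
    var v = selectedValue(doc, fields[i].id);
    if (v === null || v === "" || v === placeholder) {
      missing.push(fields[i].label);
    } else {
      values[fields[i].tsVar] = v;
    }
  }
  return { ok: missing.length === 0, missing: missing, values: values };
}

// Nothing is written to the task sequence unless every drop down is valid,
// so a half-filled form never leaves partial variables behind.
function validateAndStore(doc, notify, setVar) {
  var result = checkDropDowns(doc, REQUIRED_DROPDOWNS, PLACEHOLDER);
  if (!result.ok) {
    notify("Please select a value for: " + result.missing.join(", "));
    return false;
  }
  for (var name in result.values) {
    if (Object.prototype.hasOwnProperty.call(result.values, name)) {
      setVar(name, result.values[name]);
    }
  }
  return true;
}
```

The code sticks to ES5 syntax because an HTA runs on the old Internet Explorer script engine.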

Kevin79, posted October 14, 2015

Can this be set up so that it displays the selected values on a confirmation page?

thrqureshi, posted June 18, 2016

Is there any way to get the key directly from Active Directory through this script rather than MBAM Server?

Kevin79, posted September 6, 2016

I am about to start testing Windows 10. Will the BitLocker encryption portion of this work with Win10?

anyweb, posted September 6, 2016

should do, but if you want to be really sure use this one instead

TheProj, posted September 27, 2016

Although I have a task sequence (non-hta) that accomplishes this, but would this be able to handle a legacy to uefi conversion? Currently doing this utilizing tsenv2, creating a 4gb Partition, copying the boot media to that Partition, and rebooting to that Partition after changing the dell bios to uefi. Found that solution with 1e tsenv2 and another blog.

anyweb, posted September 27, 2016

this is the latest version of the HTA frontend, and while it doesn't directly handle conversion it should be relatively straightforward to add that functionality

TheProj, posted October 4, 2016

Thanks anyWeb! Question, do I need to add video drivers to display the HTA correctly? I am copying the boot image to a partition (part of converting bios to uefi in a single TS), rebooting to that partition, and when the HTA loads not all of the components/options are visible. Outside of this scenario, straight uefi pxe, everything displays correctly.

anyweb, posted October 13, 2016

no you don't, but you might have this problem. I've got a new version of this logic now and I might blog it soon as it requires no drivers and just re-renders the HTA

spgsitsupport, posted September 29, 2017

Did you manage to blog it?

Thanks
Seb

Kevin79, posted November 16, 2017

I have a question based on the Windows 10 version of this script (MMS-2016-Windows-10-UEFI-BitLocker-HTA), there is a group called "If UEFI and BitLockered", with the step "Connect to Network Share". In the description, you say "if you don't want to connect to a network share, copy the script to you boot win file instead". How do I do this?

anyweb, posted November 16, 2017

hi, all you have to do is mount the boot wim with DISM, inject the file (copy it) and then unmount the boot wim, I'll post an example if you need

Kevin79, posted November 28, 2017

Ok, thanks. I should be able to figure it out.