anyweb

The CM12 UEFI BitLocker Frontend HTA - Part 1. The features.


This is version 4.0 of the original windows-noob FrontEnd HTA. This time it has evolved to support System Center 2012 R2 Configuration Manager on UEFI (or legacy-capable) hardware running Windows 8.1 Enterprise with Update.

 

The CM12 UEFI BitLocker HTA.png

 

For the purpose of documenting the history of this HTA I'll list the previous versions below and which version of Configuration Manager with MDT Integration they were designed to work with:

 

Ver 1. - windows-noob FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)

Ver 2. - The BitLocker FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)

Ver 3. - The CM12 BitLocker FrontEnd HTA (Configuration Manager 2012 R2 & MDT 2012 update 1)

 

The key point that makes this FrontEnd stand out from others is that it lets you run Backup, Reinstall or New Computer scenarios on BitLocker-encrypted UEFI computers while still in WinPE.

 

Update: June 25th, 2015. I've added the ability to enable BitLocker on Hyper-V Generation 2 virtual machines during a New Computer scenario, see this post for details.

 

Let's take a look at the main features. The FrontEnd has tabs that let you navigate the options easily; within each tab, further options are enabled via checkboxes, drop-down menus or buttons.

 

The About tab

 

In the About tab (the default view) you see some information about the FrontEnd itself, together with whether the computer name (detected by the web service) already exists in AD. If it does, it is highlighted in blue as shown below.

 

computername detected in AD.png

 

If the computer is not in AD, you'll be told so with a red highlight and a message, as shown below.

 

computername NOT detected in AD.png

 

You can also optionally enter a username, which is likewise checked for AD membership via the web service. Enter just the username: do not prefix it with a domain name or a backslash (DOMAIN\username), as that will generate an error.
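As an added illustration, not code from the HTA or from Maik Koster's web service (neither is shown on this page), here is the check that rule implies, written in PowerShell: accept only a bare sAMAccountName, and, if you ever build the AD lookup yourself instead of calling the web service, escape the value before it goes into an LDAP filter. The function names, the decision to reject user@domain UPNs alongside DOMAIN\user, the sample inputs and the use of ADSI from a domain-joined host are all assumptions made here.

```powershell
# Added example, not from the HTA or the web service it calls.
# Assumed: the web service resolves a plain sAMAccountName; rejecting user@domain
# as well as DOMAIN\user is a choice made here, not something the post states.

function Test-FrontEndUserName {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Name)

    if ($Name -match '\\') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Enter only the username; a DOMAIN\ prefix makes the lookup fail' }
    }
    if ($Name -match '@') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Enter the sAMAccountName, not a user@domain UPN' }
    }
    # sAMAccountName limits for users: 1..20 characters, none of  " / \ [ ] : ; | = , + * ? < >
    if ($Name.Length -lt 1 -or $Name.Length -gt 20) {
        return [pscustomobject]@{ Valid = $false; Reason = 'Username must be 1 to 20 characters' }
    }
    if ($Name -match '["/\[\]:;|=,+*?<>]') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Username contains a character not allowed in a sAMAccountName' }
    }
    [pscustomobject]@{ Valid = $true; Reason = '' }
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping; backslash goes first so the escapes it introduces are not re-escaped
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-UserInAD {
    param([string]$Name)
    $check = Test-FrontEndUserName -Name $Name
    if (-not $check.Valid) { throw $check.Reason }
    # Assumed: runs on a domain-joined host. ADSI is not available in WinPE, which is why the HTA asks a web service.
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Name)))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $null -ne $searcher.FindOne()
}

# Constructed inputs (not from the post) to exercise the validator offline:
foreach ($n in 'jdoe', 'CORP\jdoe', 'jdoe@corp.local', 'j*doe', 'j(doe)') {
    $r = Test-FrontEndUserName -Name $n
    '{0,-18} Valid={1,-5} {2}' -f $n, $r.Valid, $r.Reason
}
# Parentheses are legal in a sAMAccountName, so a name that passes validation can still
# need escaping before it is placed in a filter:
ConvertTo-LdapFilterValue 'j(doe)'
```

The validator is what the About tab's rule amounts to; the escaper is the part that matters if the name is ever concatenated into a filter string on the server side, since a name such as `j(doe)` passes every sAMAccountName rule yet would change the filter's structure unescaped.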

 

Below you can see what happens when the username provided is not found in AD.

 

username NOT in AD.png

 

And below you can see when the user is found in AD.

 

username is in AD.png

 

The username entered here becomes the Primary User of the computer and, if the option is enabled in the task sequence, is also made a local administrator of that computer.

 

The Backup tab

 

The Backup tab lets you run a quick or extensive disk check (chkdsk) on the disk, for cases where you suspect problems that you would like fixed before backing it up.

 

quick checkdisc.png

 

You can also take a full WIM backup of the computer, stored either locally on that computer or on a network share; the network share (and sub-folder) are defined in the task sequence in the following steps:

 

set backup server.png

 

Finally, you can back up the user state to a network share called USMTStores by choosing the last option, xcopy to network.

 

xcopy to network.png

 

Once the user state has been backed up to the network you'll be shown the progress, and then the task sequence will shut down the computer. This captured state can be restored later on another computer from the New Computer tab via the State Restore Options drop-down menu.

 

The Reinstall tab

 

The Reinstall tab lets you reinstall the computer with Windows 8.1 with Update while retaining the user's data using hard-link migration (the data stays in place on the disk and is linked into the new installation rather than copied). You can also change the regional and language options via the two drop-down menus.

 

drop down menus with regional and language options.png

 

In addition to the above, you can choose to install the System Center Endpoint Protection antivirus client and to enable BitLocker.
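To show what the hard-link retention in the Reinstall scenario rests on, here is an added PowerShell example (not the task sequence's own Capture User State and Restore User State steps, which are not shown on this page) that drives USMT's scanstate and loadstate with the hard-link switches and checks their exit codes. The USMT path, the store location, the log folder and the choice of migration XML files are assumptions; in ConfigMgr the same thing is the "Capture locally by using links instead of copying files" option on the Capture User State step.

```powershell
# Added example, not the task sequence's own scripts.
# Assumed: USMT 5 (Windows ADK 8.1) at $UsmtRoot, a 64-bit OS, and a store on the OS
# volume. Hard links only work on the same volume as the data, and the volume must not
# be formatted by the reinstall, which is what lets the data survive without a copy.

$UsmtRoot  = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool\amd64'
$StorePath = 'C:\StateStore'
$LogDir    = Join-Path $StorePath 'Logs'

function Invoke-Usmt {
    param([ValidateSet('scanstate', 'loadstate')][string]$Tool, [string[]]$Arguments)
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    $startArgs = @{
        FilePath         = Join-Path $UsmtRoot "$Tool.exe"
        ArgumentList     = $Arguments
        WorkingDirectory = $UsmtRoot      # so /i:MigUser.xml resolves next to the binaries
        Wait             = $true
        PassThru         = $true
        NoNewWindow      = $true
    }
    $p = Start-Process @startArgs
    # USMT exit code 0 = success; 3 = completed but some items failed and /c was given (check the log)
    if ($p.ExitCode -notin 0, 3) {
        throw "$Tool failed with exit code $($p.ExitCode); see $LogDir\$Tool.log"
    }
    $p.ExitCode
}

function Save-UserState {
    # Run before the reinstall while the old Windows is present (from WinPE add /offlineWinDir:C:\Windows)
    Invoke-Usmt -Tool scanstate -Arguments @(
        $StorePath, '/hardlink', '/nocompress',   # link files in place instead of copying them
        '/i:MigUser.xml', '/i:MigApp.xml',
        '/efs:hardlink',                          # EFS-encrypted files can only come across as hard links
        '/o', '/c',                               # overwrite a stale store; continue past non-fatal errors
        "/l:$LogDir\scanstate.log", "/progress:$LogDir\scanstate.progress", '/v:5'
    )
}

function Restore-UserState {
    # Run in the new OS once it is domain joined; /lac /lae recreate and enable migrated local accounts
    Invoke-Usmt -Tool loadstate -Arguments @(
        $StorePath, '/hardlink', '/nocompress',
        '/i:MigUser.xml', '/i:MigApp.xml',
        '/lac', '/lae', '/c',
        "/l:$LogDir\loadstate.log", "/progress:$LogDir\loadstate.progress", '/v:5'
    )
    # A hard-link store must be released with usmtutils /rd, not deleted like a normal folder
    Start-Process -FilePath (Join-Path $UsmtRoot 'usmtutils.exe') -ArgumentList '/rd', $StorePath -Wait -NoNewWindow
}
```

The two points worth taking from it: the store lives on the volume that is being reinstalled, so the Apply Operating System step must not wipe that volume, and exit code 3 is not a clean success but a signal to read the scanstate log before moving on.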

 

The New Computer tab

 

The New Computer tab is where you'll do your New Computer installations. It offers the same options as the Reinstall scenario and, in addition, lets you specify the encryption level (algorithm) that BitLocker uses.

 

encryption options.png
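As an added PowerShell example (not the task sequence's Enable BitLocker step, whose internals are not shown here), this is what applying the chosen algorithm and then reporting the encryption state amounts to using the BitLocker cmdlets that ship in Windows 8.1. It assumes it runs in the installed Windows 8.1 rather than in WinPE (the BitLocker module is not present there; manage-bde -status gives the same information in WinPE), and that escrow of the recovery password to MBAM is left to the MBAM client. The function names are invented here.

```powershell
# Added example, not the task sequence's Enable BitLocker step.
# Assumed: full Windows 8.1, a TPM that is enabled and activated, and MBAM (or AD)
# taking care of recovery-password escrow separately.

function Get-OsDriveEncryptionState {
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus         # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        PercentComplete  = $v.EncryptionPercentage
        Method           = $v.EncryptionMethod
        ProtectionStatus = $v.ProtectionStatus     # Off means the key is exposed (e.g. suspended), even when FullyEncrypted
        Protectors       = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

function Enable-OsDriveBitLocker {
    param(
        [ValidateSet('Aes128', 'Aes256')]   # the methods Windows 8.1 offers; XTS-AES needs Windows 10 1511 or later
        [string]$Method = 'Aes256',
        [string]$MountPoint = 'C:'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus) with $($vol.EncryptionMethod); not changing it"
    }
    # Recovery password first, so there is always a way in if the TPM measurements change
    # (firmware update, boot order change) before the key has been escrowed.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    # The TPM protector is what unlocks the drive at boot without user interaction
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    Get-OsDriveEncryptionState -MountPoint $MountPoint
}

# Report only; call Enable-OsDriveBitLocker -Method Aes256 to encrypt the OS drive
Get-OsDriveEncryptionState
```

ProtectionStatus is the field to look at when reading the state: a volume can be FullyEncrypted with protection Off (suspended), which is the same as unencrypted from an attacker's point of view until protection is resumed.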

 

You can also use the State Restore Options drop-down menu to select the type of restore you want. If you select SMP (State Migration Point), you must have captured user data to the SMP from a source computer beforehand.

 

state restore options.png

 

Besides restoring from the SMP, you can restore user state previously backed up via the xcopy to network option by selecting the profile name listed.

 

The tools tab

 

This tab provides some tools to help the operator view useful information about the computer they are working on, for example to open SMSTS.LOG in CMTrace or to open a command prompt for troubleshooting.

 

the tools tab.png

 

You can also click the Deployment Info icon to see detailed information about the computer, including whether or not it is in an encrypted state.

 

deployment info.png

 

Finally, you can use the top three boxes to search for computer names. Any matches are shown in the drop-down menu; select one and click the Make Association button to create a computer association between the computer you are currently using and the target you selected.

 

successfully associated computers.png

 

Tip: you can verify this association under the User State Migration node in Assets and Compliance in the System Center 2012 R2 Configuration Manager console, as shown below.

 

verify computer association.png

 

Note: If you like to experiment, then after making an association as above, go back to the Backup tab and, without selecting anything in Backup options, click Proceed. This is an experimental feature still in development, so your results may vary.

 

What about the rest of the features

 

The task sequence and associated scripts do more than the above; the main additional features are listed below.

  • detects when no power cord is plugged in to your laptop and alerts you.
  • detects Surface Pro 3 hardware and installs its driver package.
  • disables the BitLocker options in the HTA if no TPM is found.
  • allows Reinstall computer scenarios on Hyper-V Generation 2 virtual machines with BitLocker.
  • lets you notify the end user whether the task sequence succeeded or failed.
  • writes a registry key on successful completion of the task sequence.
  • creates a text file in C:\ containing the date and time, as a record of a successful task sequence.
  • copies CMTrace.exe to the Windows folder of the OS drive.
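The power-cord and TPM checks in that list can be done with two WMI classes that are present in a Configuration Manager boot image. As an added PowerShell example (not the HTA's own scripts, which are not shown on this page), here they are, with the outcome handed to the running task sequence through the Microsoft.SMS.TSEnvironment COM object so that later steps and the HTA can act on it. The variable names HTA_TpmUsable and HTA_OnBattery are invented here, and the boot image is assumed to include the PowerShell optional component.

```powershell
# Added example, not the HTA's own code. Variable names are assumptions.

function Test-TpmUsable {
    # Win32_Tpm lives in its own namespace; no instance at all means no TPM (or no TPM driver)
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return $false }
    # A TPM that is present but disabled or not activated in firmware cannot hold a BitLocker protector,
    # so the Enable BitLocker step would fail even though a TPM "exists"
    return [bool]($tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)
}

function Test-OnBattery {
    # Desktops and most VMs expose no Win32_Battery instance; treat that as mains power
    $batteries = @(Get-WmiObject -Class Win32_Battery -ErrorAction SilentlyContinue)
    if ($batteries.Count -eq 0) { return $false }
    # BatteryStatus 1 = discharging (no cord); 2 = on AC but not charging; 3 and 6 to 9 are charged/charging
    return (@($batteries | Where-Object { $_.BatteryStatus -eq 1 }).Count -gt 0)
}

function Set-PreflightTsVariables {
    $tpmUsable = Test-TpmUsable
    $onBattery = Test-OnBattery

    # The COM object only exists while a task sequence is running; outside one, just report
    $tsenv = $null
    try { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment } catch { }
    if ($tsenv) {
        $tsenv.Value('HTA_TpmUsable') = [string]$tpmUsable   # a frontend would grey out BitLocker when False
        $tsenv.Value('HTA_OnBattery') = [string]$onBattery   # a frontend would warn the operator when True
    }
    [pscustomobject]@{ TpmUsable = $tpmUsable; OnBattery = $onBattery; InTaskSequence = [bool]$tsenv }
}

Set-PreflightTsVariables
```

Checking IsEnabled_InitialValue and IsActivated_InitialValue rather than just the presence of the class instance is the part that matters: a TPM that is present but switched off in firmware looks like "TPM found" to a naive check and then fails at the Enable BitLocker step, after the disk has already been laid down.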

 

Download the HTA

 

Ok, now that you've seen the above you'll no doubt want to try it. Trust me, it's worth it, but it's not for the faint-hearted. For that reason I'll produce a Part 2 of this guide to help you with installation of the bits and pieces.

 

The CM12 UEFI BitLocker HTA.zip

 

Unzip the download; inside you'll find another ZIP file, which you should import as a Task Sequence in System Center 2012 R2 Configuration Manager. Once imported, you cannot save the task sequence until you satisfy all the missing packages it references; they are listed in the rough guide.

 

You will need the following in place before trying to use the HTA to its full potential.

 

* Configuration Manager 2012 R2

* MDT 2013 integrated with Configuration Manager 2012

* Language packs for the Appropriate Operating System

* Maik Koster's Web Services (version 7.3)

* MBAM Server 2.0 (or greater) to store and manage the BitLocker encryption recovery keys

 

The other two folders should be used as packages that are referenced in the task sequence.

 

Please review Part 2 for installation and setup instructions or, if you can't wait, review the Rough Guide (it's rough, trust me) text file included in the download zip.

 


Thanks!

 

I want to say thanks to my beta testers Eswar Koneti, Peter van Der Woude and Paul Winstanley for their support during this development.


Although I have a task sequence (non-HTA) that accomplishes this, would this be able to handle a legacy to UEFI conversion?

 

Currently doing this utilizing TSEnv2, creating a 4 GB partition, copying the boot media to that partition, and rebooting to that partition after changing the Dell BIOS to UEFI. Found that solution with 1E TSEnv2 and another blog.


Thanks anyWeb!

 

Question, do I need to add video drivers to display the HTA correctly?

 

I am copying the boot image to a partition (part of converting BIOS to UEFI in a single TS), rebooting to that partition, and when the HTA loads not all of the components/options are visible. Outside of this scenario, straight UEFI PXE, everything displays correctly.


I have a question based on the Windows 10 version of this script (MMS-2016-Windows-10-UEFI-BitLocker-HTA). There is a group called "If UEFI and BitLockered", with the step "Connect to Network Share". In the description, you say "if you don't want to connect to a network share, copy the script to your boot WIM file instead". How do I do this?
