

JagoWu

Enable Bitlocker with TPMPIN in SCCM 2012 OSD


Hi all,

I have a SCCM MDT TS that I have created for laptops. The TPM is on and set to active in the BIOS. This is a Dell E5500. The BIOS has the latest version.

 

If I leave the SCCM MDT template as is the TS installs correctly however Bitlocker does not start and the PIN is not entered. The laptop is not added to the domain and is set to add to Workgroup (which is what I need it to do). The SCCM client installs fine (CU4).

 

I noticed the template default with a few bitlocker options:

 

Pre-provision BitLocker = Logical drive letter stored in a variable

then

Set Variable for Pre-provision BitLocker = True

then right before installing packages

Enable Bitlocker cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI

 

I am not using UDI in this TS.

 

I have tried disabling the Enable BitLocker step and adding the SCCM Enable BitLocker step, specifying a PIN. When I do, the TS fails with error code 0x80070002.

 

In the CS.ini I tried having the settings of

OSDBitLockerMode=TPMPIN

BDEInstallSuppress=NO

 

This scenario works great in MDT with the Enable Bitlocker step in the TS and my CS.ini looks like the below. We are not saving the recovery key to AD but a network share.

BDEInstall=TPMPin
BDEPin= some numbers
TPMOwnerPassword=some password
BDEInstallSuppress=NO
BDEWaitForEncryption=FALSE
BDEDriveSize=3000
BDEDriveLetter=S:
BDERecoveryKey=AD
BDEKeyLocation=\\servername\LaptopRecoveryKeys
BDEAllowAlphaNumericPin=Yes

 

Also how can I save the key to a network share like I do in MDT? I understand some of my bitlocker commands above are not supported in SCCM 2012 TS like saving the key to a network share.

 

Thank You all


****Update****

I was able to get this to work properly.

 

Here is the solution.

 

1. Created a MDT Task sequence in SCCM 2012.

2. Let it create a default Custom Settings MDT package (I named it MDTWorkgroupLaptop Settings Package because I do not want any other TS to use it). Let it create a default USMT package. Fill out the rest of the questions in the wizard.

3. Upon creation of the TS I went to the custom settings package and edited it to look like this:

 

[settings]
Priority=Default
Properties=MyCustomProperty

[Default]
SkipCapture=YES
BitsPerPel=32
VRefresh=60
XResolution=1
YResolution=1
OSDComputerName=PC_%AssetTag%
SLShare=\\sccmserver\OSD\Logs

BDEInstall=TPMPin
BDEPin=XXXXXXX
TPMOwnerPassword=SomePassword
BDEInstallSuppress=NO
BDEWaitForEncryption=FALSE
BDEDriveSize=2000
BDEDriveLetter=S:
BDERecoveryKey=AD
BDEKeyLocation=\\sccmserver\OSD\LaptopRecoveryKeys
BDEAllowAlphaNumericPin=Yes

 

4. I then told that package to update the DP. Then I made some changes to the default TS.

 

A. Right under the Execute Task Sequence step (the 1st step) you should add three steps:

 

SMSTSDownloadRetryCount = 5 <-- needed for downloading packages requests and such.

SMSTSDownloadRetryDelay= 15 <-- needed for downloading packages requests and such.

SMSTSRebootDelay=2 <-- this is the area where I do not want to wait 30 seconds for a reboot in the TS so I change it to 2 sec.

 

B. In the step called Format and Partition Disk (UEFI) I deleted the first 3 partitions listed and left the last partition there. The last partition is OS Disk (Primary).

 

C. In the step called OSDPreserveDriveLetter I set it to TRUE. If set to FALSE, Windows might install on some partition named E:, and once Windows is installed you will see D:\Windows in Explorer instead of C:\Windows.

 

D. In the Apply Windows Settings step make sure you set an admin password, and the time zone should be the same as the SCCM server's, or else it seems to bomb out for me during sysprep.

 

E. In the Setup Windows and ConfigMgr step I added the following installation properties (I previously made a SCCM 2012 CU4 client update package but did not make a program for it): SMSMP=server.server.com FSP=server.server.com PATCH="C:\_SMSTaskSequence\OSD\00100227\Hotfix\x64\configmgr2012ac-r2-kb3026739-x64.msp"

 

F. After Set Status 5 add a new step called Request State Store. Condition: USMTLOCAL Not Equals TRUE.

 

G. After the Restore User State step add a step called Release State Store. Condition: USMTLOCAL Not Equals TRUE.

 

H. I moved the default BitLocker step to the very last step of the task sequence. In the Options tab is a condition; I changed the condition to say BDEInstallSuppress = YES. Then I edited the command line to only say cscript.exe "%deployroot%\scripts\ZTIBde.wsf"

 

This script took care of all the encryption and read the MDT rules (cs.ini) that I set up. It also saved the recovery password to a text file whose filename is the computer name. Life is good.

 

JagoWu

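A post-deployment check for the build described above, added here as an example and not part of the original post or of ZTIBde.wsf: it confirms the OS volume actually got a TPM+PIN protector (not TPM-only) and that a recovery password exists, then writes that password to a file named after the computer on the same share the cs.ini points at. The share path and the C: mount point are assumptions taken from the post; run it elevated on the finished laptop.

```powershell
# Added example, not from the original post: verify the TPM+PIN result of the
# MDT/SCCM build and escrow the recovery password to <computername>.txt.
# Assumption: OS volume is C: and the share matches BDEKeyLocation in cs.ini.
$KeyShare = '\\sccmserver\OSD\LaptopRecoveryKeys'

$vol = Get-BitLockerVolume -MountPoint 'C:'

# ZTIBde.wsf with BDEWaitForEncryption=FALSE leaves encryption running in the
# background, so anything other than FullyDecrypted means the step did run.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning 'C: is not encrypted: the Enable BitLocker step did not run or was suppressed.'
    exit 1
}

# The whole point of BDEInstall=TPMPin is a TpmPin protector; fail if we only
# ended up with a TPM-only protector (no PIN prompt at boot).
$tpmPin = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if (-not $tpmPin) {
    $found = $vol.KeyProtector.KeyProtectorType -join ', '
    Write-Warning "No TpmPin protector on C:. Protectors present: $found"
    exit 1
}

# A recovery password must exist or a forgotten PIN locks the user out for good.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Mirror what the post says ZTIBde.wsf does: one text file per computer on the
# share. The share should be write-only for the deployment account and readable
# only by the helpdesk group, since this file unlocks the disk.
$outFile = Join-Path $KeyShare ("{0}.txt" -f $env:COMPUTERNAME)
@(
    "Computer: $env:COMPUTERNAME"
    "Protector ID: $($rp.KeyProtectorId)"
    "Recovery Password: $($rp.RecoveryPassword)"
    "Saved: $(Get-Date -Format o)"
) | Set-Content -Path $outFile -Encoding ASCII

Write-Output "TPM+PIN protector present on C:; recovery password saved to $outFile"
```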
