anyweb

Customising Windows 7 deployments - part 5.



42 posts in this topic

Bitlocker is a nice tool from Microsoft which allows you to Encrypt the hard disc, however enabling it isn't as simple as pressing a switch or simply adding a step to your task sequence, you will really have to spend some time reading about BitLocker before you decide what strategy you take with regards to deploying it in the Enterprise.

 

BitLocker has some requirements and one of those is that the TPM (Trusted Platform Module) is set to ON and that it is Activated prior to Enabling BitLocker, in order to do this on Dell Systems we use the Dell CCTK (Client Configuration Tool Kit).

 

You will need to decide if you are going to handle the TPM specific parts while in Windows or while in WinPE. I'd strongly recommend you test both scenarios in your test environment with real hardware (obviously, you'll want TPM ready Dell hardware).

 

Dell also provides a page here which explains how to enable the TPM using the CCTK while in Windows (in the running OS), however what if you want to enable the TPM in WinPE ? to do that you've got the option of using batch files provided in the CCTK, these batch files require the Windows AIK installed and they create an ISO and new boot WIM for you to import into SCCM.

 

Nice, except maybe you don't want to regenerate your boot.wim as it already has all your Extrafiles added and it's customised with your HTA scripts etc. Also, maybe you don't want the CCTK in your boot.wim images because you are a multi-vendor site with more than just Dell hardware.

 

No problem, simply use the task sequence provided below and I'll guide you through how it all works, this task sequence doesn't care if your boot image is X86 or X64, it will determine that via WMI calls by checking for the presence of the SysWOW64 folder. What I'm providing here is a solution for you to Deploy Windows 7 Enterprise X64 on Dell hardware with Bitlocker Enabled so that when you login to the finished deployment, BitLocker is busy encrypting your drive.

 

 

Note: This task sequence is for enabling BitLocker in Bare Metal (New Computer) scenarios, I will cover enabling BitLocker in a Refresh scenario in a later post.

 

 

Step 1. Download the CCTK.

 

The CCTK is available for download here. Once you've download it, install the MSI. We need the CCTK in order to communicate with the TPM chip in our Dell computers in Windows PE (using the HAPI drivers contained in the CCTK).

 

Step 2. Create The CCTK packages

 

We need to Create two new ConfigMgr Packages for X86 and X64 CCTK.

  • Copy %ProgramFiles%\Dell\CCTK\* to a location that will be used for Configuration Manager. You will have two subfolders, x86, and x86_64
  • Create two ConfigMgr Packages, using the source directory for x86, and x86_64. Send these packages to your Distribution Points

Step 3. Download BitLocker Scripts.

 

 

 

 

In order to Enable Bitlocker in this example task sequence, we use a script, Microsoft has kindly provided us with the scripts we need right here

 

Step 4. Create the BitLockers Scripts package

 

Create a new package containing the bitlocker scripts you downloaded above and distribute it to your DP's.

 

Step 5. Download the windows-noob sample BitLocker task sequence.

 

Import this task sequence:

 

Deploy Windows 7 Ent X64 - BITLOCKER in WinPE.xml

 

into Configmgr and resolve the missing packages by pointing to the following packages where necessary:-

  • Operating System Image (Windows 7 X64)
  • Configuration Manager Client Package
  • CCTK X86 Package
  • CCTK X64 Package
  • Bitlocker Scripts

So how does it all work then ?

 

 

 

The task sequence is broken down into Two main groups for TPM, one to deal with enabling TPM functions when using an X86 boot image, the other for X64 boot images

 

bitlocker in winpe.png

 

As we haven't injected the HAPI drivers into WinPE (remember, we didn't want to have to generate new boot images, we wanted to keep our current process mostly untouched) we must manually inject them before each step (unless theres more than one step before the next Restart)

 

this is done via an xcopy command which copies the CCTK architecture files to x:\

 

xcopy CCTK.png

 

and then we inject the HAPI drivers in the next step

 

Enable HAPI.png

 

Next we set the Bios Password (you can change the password to something else if you wish)

 

set bios password.png

 

and then we Enable the TPM chip

 

enable tpm.png

 

after a restart of the computer (to let the bios make the changes) we have to redo the xcopy/enable HAPI drivers before the next step, Activating the TPM chip

 

activate Tpm.png

 

after another restart and CCTK xcopy/enable HAPI group and we then remove the bios password set earlier

 

remove tpm bios password.png

 

Once the steps above are done Windows will install as normal and then set windows settings etc, before finally getting to the Configure and Enable BitLocker group, this happens within Windows.

 

This group is responsible for preparing the disc partition for BitLocker using bdehdcfg.exe

 

prepare disk for bitlocker.png

 

and finally after another restart, we Enable BitLocker using the Enablebitlocker vbs script from Microsoft.

 

enable bitlocker.png

 

That's it ! Windows will then end up at the familiar login screen but you may notice the HDD LED is very busy, this is because BitLocker is busy Encrypting the drive,

 

How can I verify BitLocker is working ?

 

simply open explorer and you'll see a new icon for C:

 

bitlocker drive.png

 

and you can open a command prompt and type manage-bde -status

 

manage-bde status.png

 

after a few hours when the encryption process is done you'll see as follows (screenshot from another system where BitLocker has finished encrypting the drive)

 

protection on.png

 

you can also verify what is logged in the c:\windows\temp\bitlocker.txt file, here's a sample attached here

 

bitlocker.txt

 

have fun and please let me know how you get on with this,

 

cheers !

 

niall.

 

 

 

Related Reading:-

 

Is the TPM Chip Enabled or Disabled in the Bios on my Dell system ? - http://myitforum.com...ell-system.aspx

 

How can I determine if there's a TPM chip on my Dell system needed for BitLocker ? http://myitforum.com...-bitlocker.aspx

 

BitLocker Hardware Requirements - http://windows.micro...rive-Encryption

 

Microsoft Scripts to Enable Bitlocker - http://go.microsoft..../?LinkID=151997

 

BitLocker Info - a List of Resources - http://myitforum.com...-resources.aspx

 

How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ? - http://www.windows-n...uence-in-winpe/

 

How can I determine if there's a TPM chip on my Lenovo system needed for BitLocker ? - http://www.windows-n...-for-bitlocker/

1 person likes this

Share this post


Link to post
Share on other sites


What if I update my boot.wim images with CCTK ?

 

for those of you wanting a task sequence to enable bitlocker on Dell's in a bare metal (new computer scenario) after updating your boot.wim images using the CCTK then use the following,

 

bitlocker when using CCTK enabled boot wims.xml

Share this post


Link to post
Share on other sites

Personally, I did the TPM part in the Full OS part of the build and found that it worked well. I didn't have to worry about copying over the HAPI drivers although I did make sure they were in a subdirectory of the CCTK folder. CCTK seems to find them OK.

 

I also did this for a couple of Lenovo machines which unfortnately require different methods of enabling the TPM dependant on the machine type. Again though, this works fine in the Full OS part.

 

What was your rationale for using a script to call the Enable Bitlocker action? Logging? I used the standard Bitlocker task and that seems OK.

 

Also, did you do anything with WinRE, namely moving it to the unencrypted partition?

 

Cheers

Simon

Share this post


Link to post
Share on other sites

we are using a script to enable bitlocker as we do not have a backend for it in AD yet, we are planning on managing our bitlocker clients via MBAM when it's finally released, no WinRE on these boxes as they are bare metal/new computer only

 

did you update your boot.wim images with the cctk ?

 

if I leave out the Enable HAPI step in the task sequence then an error is generated (Not enough resources are available to process this command (Error: 00000093; Source: Windows))

Share this post


Link to post
Share on other sites

I'd prepped for Bitlocker before reading your article and was just waiting for the AD team to extend the schema. Once they'd done that, it all pretty much fell into place :) The AD team can see the recovery key in AD (I can't but that's a permissions issue) so I'm pretty happy with that.

 

I didn't update the WinPE wim with the CCTK, I'm doing it all in Windows.

 

We were going to copy WinRE to the hidden partition, but I haven't really had too much time to look at that yet (lower priority). It seems that most of the documentation on the subject is geared towards Vista.

 

Now, online patching during the task sequence..... I must be missing something!

Share this post


Link to post
Share on other sites

right, well for us the criteria means we must do it in WinPE and that was the reason for my post :)

 

online patching is working fine, are you having issues ?

Share this post


Link to post
Share on other sites

right, well for us the criteria means we must do it in WinPE and that was the reason for my post :)

 

online patching is working fine, are you having issues ?

 

I've had online patching working on my dev environment at home, but in the 'real world' I'm having a right pain with it. I'll update my post on the technet forums either later today or tomorrow, so if you get a chance to take a look ;-)

Share this post


Link to post
Share on other sites

I tried to import the task sequence but nothing happens. I did a export and import of a current task sequence and it worked fine. Has this happened to anyone else.

Share this post


Link to post
Share on other sites

what version of sccm are you using and is mdt integrated or not, what version os mdt if so ?

Share this post


Link to post
Share on other sites

should be fine, are you sure it's not importing fine and you just havn't refreshed ?

Share this post


Link to post
Share on other sites

I couldn't import the XML file either. I could export and re-import one of my existing Task Sequences without a problem though.

1 person likes this

Share this post


Link to post
Share on other sites

i've just tested importing the Task Sequence on a console with SCCM 2007 SP2 R3 and MDT 2010 integrated, worked no problem. I don't have a SCCM console without MDT integration to test with so maybe that's it...

Share this post


Link to post
Share on other sites

"Note: This task sequence is for enabling Bitlocker in Bare Metal (New Computer) scenarios, I will cover enabling Bitlocker in a Refresh scenario in a later post."

 

Noticed this reference to "Refresh scenario" that is currently causing a client of mines some consternation and wondered if you could share any findings of issues with the TPM/Bitlocker interaction in this setting.

 

Thanks in advance for your consideration of this post.

Share this post


Link to post
Share on other sites

well what issues are you having specifically ? if you think in terms of refresh the only barrier is the encrypted drive, if you unlock the drive and suspend encryption on it then the rest of the refresh is as per normal (hardlinking and so on),

 

the challenge is do you

 

1. disable the encryption in Windows (most people do this prior to rebooting into WinPE and doing the remaining tasks)

2. disable it if found in WinPE - this is where you have to get creative as the task sequence wants to write to the largest available NTFS drive at boot time...

 

we did solve is though with some clever diskpart commands to reassign the drives followed by a reboot.

Share this post


Link to post
Share on other sites

Hmm. So everything seems to have worked (no errors at all in the log) however the drive icon in explorer has no lock and key and control panel says bitlocker is turned off.

 

manage-bde -status

 

post-10749-0-82118900-1336505441_thumb.jpg

 

I lied...error in the bitlocker.txt file

 

Attempting to enable BitLocker TPM

ERROR - the ProtectKeyWithTPM Method failed with the exit code: 80310030

Script ended 5/8/2012 11:20:24 PM

 

Would leaving the bios password in place cause this?

 

Nevermind, searched a different way and found the error code. Makes sense I still had the sccm bootable media in the drive.

 

FVE_E_BOOTABLE_CDDVD 0x80310030

BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer. Remove the media and restart the computer before configuring BitLocker.

1 person likes this

Share this post


Link to post
Share on other sites

I want to use this method, to enable Bitlocker with TPM and PIN.

The script looks like this:

enablebitlocker.vbs /on:tp /promptuser /l:%temp%\log.log

 

But, offcourse I want to pass the Pin code with a variable, to the script. I'm not able to prompt a user during the task sequence.

 

Is there a workaround for this?

 

Tanks in advance!

Share this post


Link to post
Share on other sites

SCCM2012 requires the Exported Task Sequence zipped. I've wasn't able to zip the file successfully to import it!

Share this post


Link to post
Share on other sites

Hi there,

 

Thank you so much for your guides. It has been a very interesting a helpful site.

 

I have a problem Preparing the disk for BitLocker. I am using HP 8440p and have followed other guides on how to enable the TPM modules on the laptops. This task works fine and TPM gets enabled. The part which fails is after when the TS runs the command line "bdehdcfg.exe –target default –quiet", in the logs I get a source unknown error after the command runs. Google has turned up with no results.

 

At the start of the TS, after the Restart in Windows PE, we have a Partition Disk command which creates 2 partitions, one 350MB for System reserve which is bootable and the other for Windows which is not bootable.

 

Here is the rough process which my TS runs

 

Restart in Windows PE

Partition Disk (2 paritiions, system reserve and rest for Windows)

Apply operating System

Apply windows Settings

Apply Network Settings

Setup Windows and Config

Enable TPM Chip (runs a package created in SCCM to use HP BIOs config tool to enable TPM)

Restart (Restarts in the currently installed default operating system)

Prepare Drive for Bitlocker (Runs the command line "bdehdcfg.exe –target default –quiet") check box for Disable 64-bit file system redirection is ticked as we are deploying x64 Win 7

Restart (Restarts in the currently installed default operating system)

Enable Bitlocker

 

Everything is ok except for the one highlighted in red. Just bombs out. I check in TPM Management after it fails and reboots and logs into windows. TPM Status is on and ownership has been taken. So I assume it is all ready to go.

 

What am I missing, why is the command not running successfully. Is it because we already have 2 partitions created earlier in the TS?

 

Hope you can help. Been scratching my head for 3 days :(

 

Cheers!

 

 

 

 

 

Share this post


Link to post
Share on other sites

ok so I figured it out. I removed the step to partition the drive again and it is now all working. Made sense since the partition has already been created at the start of the TS! doH!

Share this post


Link to post
Share on other sites

Niall,

 

When I configure my existing TS with enabling the TPM chip, the computer restart doesn't recover and continue with the next task in the TS. What should be the experience with the restart?

 

Thanks,

 

Brady

Share this post


Link to post
Share on other sites

place a pause before and after that step, what do the logs tell you.

Share this post


Link to post
Share on other sites

Hi,

I want to automate deployment of BitLocker in Windows 7.

So your article is very useful to me.

However I use MDT2012 to deploy my images and not SSCM.

So can you tell me how to import the file "Deploy Windows 7 Ent X64 - BitLocker in WinPE.xml" in a Task Sequence to Mdt?

Thank you in advance for your help.

 

:)

Share this post


Link to post
Share on other sites

you can't, you'll need to import it into a test lab Configuration Manager environment and then copy the steps manually one by one into a new MDT task sequence.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now