anyweb

Customising Windows 7 deployments - part 5.

Question

BitLocker is a nice tool from Microsoft which allows you to encrypt the hard disk; however, enabling it isn't as simple as pressing a switch or simply adding a step to your task sequence. You will really have to spend some time reading about BitLocker before you decide what strategy you take with regards to deploying it in the enterprise.

 

BitLocker has some requirements, and one of those is that the TPM (Trusted Platform Module) is set to ON and activated prior to enabling BitLocker. In order to do this on Dell systems we use the Dell CCTK (Client Configuration Tool Kit).

 

You will need to decide if you are going to handle the TPM-specific parts while in Windows or while in WinPE. I'd strongly recommend you test both scenarios in your test environment with real hardware (obviously, you'll want TPM-ready Dell hardware).

 

Dell also provides a page here which explains how to enable the TPM using the CCTK while in Windows (in the running OS), but what if you want to enable the TPM in WinPE? To do that you've got the option of using the batch files provided in the CCTK; these batch files require the Windows AIK to be installed, and they create an ISO and a new boot WIM for you to import into SCCM.

 

Nice, except maybe you don't want to regenerate your boot.wim as it already has all your extra files added and is customised with your HTA scripts etc. Also, maybe you don't want the CCTK in your boot.wim images because you are a multi-vendor site with more than just Dell hardware.

 

No problem, simply use the task sequence provided below and I'll guide you through how it all works. This task sequence doesn't care if your boot image is X86 or X64; it will determine that via WMI calls by checking for the presence of the SysWOW64 folder. What I'm providing here is a solution for you to deploy Windows 7 Enterprise X64 on Dell hardware with BitLocker enabled, so that when you log in to the finished deployment, BitLocker is busy encrypting your drive.

 

 

Note: This task sequence is for enabling BitLocker in Bare Metal (New Computer) scenarios, I will cover enabling BitLocker in a Refresh scenario in a later post.

 

 

Step 1. Download the CCTK.

 

The CCTK is available for download here. Once you've downloaded it, install the MSI. We need the CCTK in order to communicate with the TPM chip in our Dell computers in Windows PE (using the HAPI drivers contained in the CCTK).

 

Step 2. Create The CCTK packages

 

We need to create two new ConfigMgr packages, one each for the X86 and X64 CCTK.

  • Copy %ProgramFiles%\Dell\CCTK\* to a location that will be used for Configuration Manager. You will have two subfolders, x86 and x86_64.
  • Create two ConfigMgr packages, using the source directories for x86 and x86_64. Send these packages to your Distribution Points.

Step 3. Download BitLocker Scripts.

In order to enable BitLocker in this example task sequence we use a script; Microsoft has kindly provided us with the scripts we need right here.

 

Step 4. Create the BitLocker Scripts package

 

Create a new package containing the BitLocker scripts you downloaded above and distribute it to your DPs.

 

Step 5. Download the windows-noob sample BitLocker task sequence.

 

Import this task sequence:

 

Deploy Windows 7 Ent X64 - BITLOCKER in WinPE.xml

 

into ConfigMgr and resolve the missing packages by pointing to the following packages where necessary:

  • Operating System Image (Windows 7 X64)
  • Configuration Manager Client Package
  • CCTK X86 Package
  • CCTK X64 Package
  • Bitlocker Scripts

So how does it all work then?

The task sequence is broken down into two main groups for TPM: one to deal with enabling TPM functions when using an X86 boot image, the other for X64 boot images.

 

bitlocker in winpe.png

 

As we haven't injected the HAPI drivers into WinPE (remember, we didn't want to have to generate new boot images; we wanted to keep our current process mostly untouched), we must manually inject them before each step (unless there's more than one step before the next restart).

 

This is done via an xcopy command which copies the CCTK architecture files to x:\

 

xcopy CCTK.png

 

and then we inject the HAPI drivers in the next step:

 

Enable HAPI.png

 

Next we set the BIOS password (you can change the password to something else if you wish):

 

set bios password.png

 

and then we enable the TPM chip:

 

enable tpm.png

 

After a restart of the computer (to let the BIOS make the changes) we have to redo the xcopy/enable HAPI drivers before the next step, activating the TPM chip:

 

activate Tpm.png

 

After another restart and the CCTK xcopy/enable HAPI group, we then remove the BIOS password set earlier:

 

remove tpm bios password.png

 

Once the steps above are done, Windows will install as normal and then set Windows settings etc., before finally getting to the Configure and Enable BitLocker group; this happens within Windows.

 

This group is responsible for preparing the disk partition for BitLocker using bdehdcfg.exe:

 

prepare disk for bitlocker.png

 

and finally, after another restart, we enable BitLocker using the EnableBitLocker VBS script from Microsoft:

 

enable bitlocker.png

 

That's it! Windows will then end up at the familiar login screen, but you may notice the HDD LED is very busy; this is because BitLocker is busy encrypting the drive.

 

How can I verify BitLocker is working?

 

Simply open Explorer and you'll see a new icon for C:

 

bitlocker drive.png

 

and you can open a command prompt and type manage-bde -status:

 

manage-bde status.png

 

After a few hours, when the encryption process is done, you'll see the following (screenshot from another system where BitLocker has finished encrypting the drive):

 

protection on.png

 

You can also verify what is logged in the c:\windows\temp\bitlocker.txt file; a sample is attached here:

 

bitlocker.txt

 

Have fun and please let me know how you get on with this,

cheers!

niall.

Related Reading:

 

Is the TPM Chip Enabled or Disabled in the Bios on my Dell system ? - http://myitforum.com...ell-system.aspx

 

How can I determine if there's a TPM chip on my Dell system needed for BitLocker? - http://myitforum.com...-bitlocker.aspx

 

BitLocker Hardware Requirements - http://windows.micro...rive-Encryption

 

Microsoft Scripts to Enable Bitlocker - http://go.microsoft..../?LinkID=151997

 

BitLocker Info - a List of Resources - http://myitforum.com...-resources.aspx

 

How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ? - http://www.windows-n...uence-in-winpe/

 

How can I determine if there's a TPM chip on my Lenovo system needed for BitLocker ? - http://www.windows-n...-for-bitlocker/



Thanks for the post. I have tried to follow it, but the TS cannot load any package after the Restart Boot Image part. It failed with a 0x80070002 error.

 

At first, I split the TPM process into Enable TPM and Activate TPM, but then the second one wouldn't run as it failed at the "Copy CCTK" part; it seems to be an error with loading the package. Then today I combined both in one script, and the TS failed at the "Apply Operating System" part where I am loading an unattended XML file from a package.

 

Any ideas? Thanks a lot.

 


Hello,

 

It would be great to have a guide on how to enable the TPM chip and proceed with the BitLocker steps inside a task sequence on HP computers.

 

The requirement is to use the HP BiosConfig utility; there are some instructions online, but it would be great to have a tutorial on windows-noob like this page for Dell computers.

 

Reference:

 

https://anothermike2.wordpress.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/

 

http://myitforum.com/myitforumwp/2012/01/26/enable-bitlocker-on-hp-laptops-via-osd/

 

https://gallery.technet.microsoft.com/scriptcenter/SCCM-2012-Automatically-a505f1a7

 

Thanks,

 

Blaf



attach the smsts.log pls


Hello Niall,

 

Thank you for your effort and your time.

 

I have been following your article to deploy Windows 7 x64 with BitLocker on a Dell Latitude E5270; I'm using Dell Configure, which used to be called CCTK. The task sequence starts normally and the first group completes successfully; however, the task sequence fails when it comes to activating the TPM feature. I have SCCM 2012 R2 and one distribution point.

 

Thank you,

Pete


I have another issue and I hope you can help me.

 

Using SCCM 2012 R2 and one distribution point, but it doesn't show the available task sequence; it starts with the last advertised task sequence?

 

Pete

 

Please post questions that aren't related to the original thread in their own post.
