anyweb

how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?




Now that we have Configuration Manager 2012 SP1 beta to test, there is a new BitLocker step in the default task sequences that allows us to enable BitLocker during the deployment; it is called Pre-provision BitLocker. Pre-provision BitLocker gives us the ability to encrypt the data on the disc (not the free space, just the used space) on the fly, which means you end up with an encrypted disc much faster than we are currently used to.

Before you undertake this task though you'll need a few things in place, namely you need Configuration Manager 2012 Service Pack 1 installed and you'll need to be familiar with Deploying Windows 8 and BitLocker itself. WinPE 4 is a key part of pre-provisioning BitLocker, so if you don't have that version of WinPE you can forget about trying this. Installation of the ADK will upgrade your default WinPE boot images to the correct version.

In this guide I'm assuming that you have already upgraded to Configuration Manager 2012 Service Pack 1 and that you have imported a Windows 8 install.wim image as described here.

Step 1. Verify that Active Directory is ready for BitLocker
perform the following on your Active Directory domain controller as a domain administrator.

As part of our task sequence we will use the built-in Enable BitLocker which is configured by default to store the recovery key in Active Directory.

Note: You can save BitLocker recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1. In this guide I'm using a domain controller running Windows Server 2008 R2 Service Pack 1.

On your active directory domain controller start up AdsiEdit, right click on Default naming context and select settings

settings.png

The Connection Settings window appears, in the Select a well known naming context section click on the drop down menu and select Schema.

Connection Settings.png

You should see a bunch of values starting with ms-FVE (scroll down to see them, it's a long list). The common name (CN) for the BitLocker recovery object is ms-FVE-RecoveryInformation. You have now verified that the Active Directory schema has the necessary objects to store the keys:

  • CN=ms-FVE-KeyPackage – attributeSchema object
  • CN=ms-FVE-RecoveryGuid – attributeSchema object
  • CN=ms-FVE-RecoveryInformation – classSchema object
  • CN=ms-FVE-RecoveryPassword – attributeSchema object
  • CN=ms-FVE-VolumeGuid – attributeSchema object
  • CN=ms-TPM-OwnerInformation – attributeSchema object

ms-FVE options.png

If the above objects are not present and you are running an earlier version of Windows Server then you may need to extend the Active Directory Schema to support Bitlocker, please review this page on Technet for information on that.
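As an added example (not part of the original post), the same schema check can be done from PowerShell with the ActiveDirectory module instead of scrolling through ADSI Edit; it assumes RSAT is installed and that the account can read the schema naming context.

```powershell
# Added example, not from the original post: confirm that the BitLocker schema
# objects listed above exist before relying on the Enable BitLocker step.
Import-Module ActiveDirectory

# Schema objects live one level below the schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# CN and expected object class, exactly as listed in Step 1
$required = @(
    @{ Name = 'ms-FVE-KeyPackage';          Class = 'attributeSchema' },
    @{ Name = 'ms-FVE-RecoveryGuid';        Class = 'attributeSchema' },
    @{ Name = 'ms-FVE-RecoveryInformation'; Class = 'classSchema' },
    @{ Name = 'ms-FVE-RecoveryPassword';    Class = 'attributeSchema' },
    @{ Name = 'ms-FVE-VolumeGuid';          Class = 'attributeSchema' },
    @{ Name = 'ms-TPM-OwnerInformation';    Class = 'attributeSchema' }
)

$missing = @()
foreach ($obj in $required) {
    $found = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(cn=$($obj.Name))(objectClass=$($obj.Class)))" `
        -ErrorAction SilentlyContinue
    if ($found) {
        Write-Host ("OK      {0} ({1})" -f $obj.Name, $obj.Class)
    } else {
        Write-Warning ("MISSING {0} ({1})" -f $obj.Name, $obj.Class)
        $missing += $obj.Name
    }
}

if ($missing.Count -eq 0) {
    Write-Host 'Schema contains all BitLocker recovery objects; recovery keys can be escrowed to AD DS.'
} else {
    Write-Warning 'Schema is missing BitLocker objects; extend the schema before using the Enable BitLocker step.'
}
```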

If you want to easily check BitLocker recovery keys from within Active Directory then add the Windows Server BitLocker features below and reboot the server if prompted

BitLocker Features in Server 2008r2.png


Step 2. Create a BitLocker Policies Group Policy Object
perform the following on your Active Directory domain controller as a domain administrator.

Start up Group Policy Management and right click on your domain name, choose Create a GPO in this Domain and link it here.

group policy management.png

give the new GPO a name, call it BitLocker Policies as per the screenshot below.

New GPO.png

Right click on the newly created GPO and choose Edit

edit gpo.png

navigate to Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives and select the following policy, Choose how BitLocker-protected operating system drives can be recovered.

bitlocker policies.png

Right click on the policy, choose edit, then Enable the setting and apply your changes.

enabled.png

At this point our Group Policy is complete.

policy is complete.png

 

Note: You can use a GPO Policy setting for encryption type. You can use Group Policy settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Group Policy settings for BitLocker Drive Encryption are located under the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path of Group Policy Editor

 


Step 3. Create a new deploy task sequence with Bitlocker enabled
perform the following on your Configuration Manager Server as SMSadmin

BitLocker options get dynamically added to your task sequence during the create task sequence wizard based on the choices you make during the wizard. In the operating system deployment workspace of ConfigMgr right click on task sequences and select Create Task Sequence.

create task sequence.png

The Create Task Sequence wizard appears, choose the first option Install an existing image package.

Install an existing image package.png

fill in the Task Sequence Information, be specific, and select a boot image, we are deploying Windows 8 X64 in this example with BitLocker, however we select an X86 boot image.

Note: If you are deploying Windows 8 X64 in UEFI mode in combination with BitLocker then you need to select a X64 boot image in this step otherwise it will not boot.

Task Sequence Information.png

The Install the Windows Operating System step decides whether or not we'll get the BitLocker steps added to our task sequence. By default the BitLocker options are greyed out until we add an image that is BitLocker capable (Windows Vista, Windows 7 or Windows 8; however pre-provisioning with Vista is not supported).

Install the windows operating system.png

so select a Windows 8 image that you've added earlier and enter the product key and set an administrative password. Now you can see the BitLocker option is available, make sure that Configure Task sequence for use with BitLocker is selected.

Configure task sequence for use with BitLocker.png

enter your domain join user credentials in the Configure Network step

configure network.png

we can click through the next few screens (with the default settings) as we are only interested in BitLocker operations for the purpose of this guide

comleted task sequence.png

Step 4. Add support for TPM operations in WinPE
perform the following on your Configuration Manager Server as SMSadmin

For the purposes of this guide we need to edit the task sequence to remove some un-needed functionality and add required functionality. We will disable all Capture and Restore User State Groups in the task sequence, we don't need those steps for verifying Pre-Provisioning of BitLocker, so right click on our newly created task sequence, choose Edit and disable the Capture and Restore User state sections as per the screenshot below. You can always re-enable these sections later to complete your deployment solution but for now, disable them.

disable groups.png

Next we need to add support for the hardware in question in terms of enabling the TPM in WinPE, I've covered this in great detail in the following post and in this task sequence we will use the exact same steps and software (I've tested and verified this on Dell Latitude E4200, E5510, E6320, should newer models require a newer version of CCTK for WinPE or a different method of doing this in Windows PE then i'll update this post with that information).

Update: I've confirmed the above works even on brand new Dell Hardware (Dell Latitude E6430 bios version A03) using the latest CCTK available from here.


Below is the same task sequence with the Enable TPM for BitLocker in WinPE section added from the post referenced above. Failure to add this section to your task sequence will mean you cannot do any TPM operations in WinPE.

Enable TPM for BitLocker in WinPE.png

The Pre-Provision Bitlocker step looks like so in the task sequence

pre-provision bitlocker step.png

and the Enable BitLocker step is already set to store the recovery key in active directory domain services as you can see here

in active directory domain services.png

Tip: If you have no access to your AD environment and really want to test pre-provisioning BitLocker you can select the second option (do not create a recovery key) which will allow your Task sequence to complete but it of course won't store the recovery key anywhere and data could get lost if you don't know what you are doing. Be warned.

Note: If you want to download the task sequence I created above then import the following ZIP file.

Deploy Windows 8 X64 - with BitLocker Provisioning.zip


Step 5. Deploy the task sequence
perform the following on your Configuration Manager Server as SMSadmin


Right click your new task sequence and choose Deploy, deploy it to a suitable collection as an Available deployment.

deploy task sequence.png

for Deployment Settings choose Configuration Manager Clients, media and PXE

deployment settings.png

click your way through to the end of that wizard.

Step 6. PXE boot and monitor the deployment
perform the following on your client computer

PXE boot the computer and select our newly deployed Available (optional) task sequence (Deploy Windows 8 X64 - with BitLocker Provisioning)

Deploy Windows 8 X64 - with BitLocker Provisioning.png

and off it goes....if you have a chance press F8 and type the following line

manage-bde -status

this should reveal something similar to the following saying that it's fully decrypted

fully decrypted.png

In order to set TPM options in Windows PE we use CCTK on Dell hardware, and those actions reboot the computer. After the reboot it flies through the Pre-Provision BitLocker step, so the thing to remember here is that Pre-Provision BitLocker is FAST, really FAST. In order to see it you have to be fast too: press F8 after that reboot and keep re-running the manage-bde -status command while the task sequence reaches the Pre-Provision BitLocker step and just after it, and you'll see something like this (sorry for the screenshots, it's on real hardware so difficult to take photos).

here directly after the Pre-Provision BitLocker step we see encryption in progress

encryption in progress.png

seconds later it's up to 7.5%, yes that was seconds later !! you'll also note it's applying the operating system and it's referring to Enfo Workplace day, so if you are in the South of Sweden on September 28th drop by and say hi and i'll demo this in action. Let me know you are coming ok ?

a few seconds later and it's done, yup 100% used space only encrypted !

used space only encrypted.png

while you are waiting for Windows 8 to deploy you can review SMSTS.log in X:\windows\temp\smstslog\smsts.log

here's what mine looks like during the apply operating system step right after it has successfully Pre-Provisioned BitLocker, the screenshot below shows the step from the log on another computer just to highlight the step for you and what the TPM actions above it should look like.

smsts.log

enabling bitlicker.png

after the Setup Windows and ConfigMgr step is complete the Enable Bitlocker step will take place and if you configured Active Directory correctly it will store the recovery key in AD, look for the line creating recovery password and escrowing to active directory.

creating recovery password and escrowing to active directory.png

Below is the SMSTS.log file after the task sequence has completed...

smsts.log

At this point you can check Active Directory: in Active Directory Users and Computers right click on the computer name in question and choose the BitLocker Recovery tab.

BitLocker Recovery tab.png

and that's it, you can verify it on the computer in question by opening a command prompt in Windows 8 and typing the following line

manage-bde -protectors -get c:

bitlocker done.png

and finally, even though we already saw that Encryption was at 100% while in WinPE you'll notice that your hard disc is NOT busy encrypting because it's already DONE.

encryption done.png
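As an added example (not from the original post), a PowerShell check to run once the deployed Windows 8 machine is up, combining the two verifications above: it parses manage-bde output for the conversion status and encryption method, then confirms that a matching msFVE-RecoveryInformation object was escrowed under the computer account. It assumes RSAT's ActiveDirectory module is installed on the client and that the account can read the recovery objects.

```powershell
# Added example, not from the original post: post-deployment check that C: is fully
# encrypted and that its numerical recovery password was escrowed in AD DS.
Import-Module ActiveDirectory

# Pull one "Name: value" field out of manage-bde output
function Get-BdeField([string[]]$Lines, [string]$Name) {
    foreach ($line in $Lines) {
        if ($line -match ("^\s*" + [regex]::Escape($Name) + ":\s*(.+)$")) { return $Matches[1].Trim() }
    }
}

$status = manage-bde -status C:
$conv   = Get-BdeField $status 'Conversion Status'
$pct    = Get-BdeField $status 'Percentage Encrypted'
$method = Get-BdeField $status 'Encryption Method'   # reflects the FVE EncryptionMethod policy in force
Write-Host "C: conversion status '$conv', $pct encrypted, method $method"
if ($conv -ne 'Fully Encrypted') { Write-Warning 'Used-space-only encryption did not complete' }

# Protector IDs currently on the drive, as printed by manage-bde -protectors -get C:
$protectorIds = @()
foreach ($line in (manage-bde -protectors -get C:)) {
    if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $protectorIds += $Matches[1].ToUpper() }
}

# Escrowed recovery objects are children of the computer account; their CN ends with
# the GUID of the numerical password protector they belong to
$computerDN = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -SearchBase $computerDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties whenCreated

if (-not $escrowed) {
    Write-Warning "No msFVE-RecoveryInformation object under $computerDN; the Enable BitLocker step did not escrow a key"
}
foreach ($obj in $escrowed) {
    if ($obj.Name -match '(\{[0-9A-Fa-f-]+\})') {
        $guid = $Matches[1].ToUpper()
        if ($protectorIds -contains $guid) {
            Write-Host "OK: recovery password $guid escrowed on $($obj.whenCreated)"
        } else {
            Write-Warning "Stale AD recovery object $guid does not match a protector on the drive"
        }
    }
}
```

A stale object is expected if the machine was re-imaged: the old recovery password stays in AD under the same computer account until it is cleaned up.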


Recommended Reading

What's New in BitLocker - http://technet.micro...y/hh831412.aspx

Bitlocker Changes in Windows 8 - http://www.windowsit...indows-8-142661

Backing Up BitLocker and TPM Recovery Information to AD DS - http://technet.micro...529(WS.10).aspx

Verify BitLocker and TPM Schema Objects - http://technet.micro...3(v=ws.10).aspx

Requirements to save Bitlocker Recovery Key to AD using MDT - http://blogs.technet...-using-mdt.aspx

Understand and Troubleshoot BitLocker in Windows Server "8" Beta - http://www.microsoft...n.aspx?id=29032

 

BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 2) - Cluster Share Volume Support - http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/BitLocker-Enhancements-Windows-Server-2012-Windows-8-Part2.html


So there you have it, Pre-Provisioning BitLocker in WinPE during a Windows 8 deployment (Update: or Windows 7) is possible right now using Configuration Manager 2012 SP1.

 

And doesn't it just rock ? oh yeah :-)

Enjoy !

cheers
niall


update: to save you time i've exported the Task Sequence used above and uploaded the ZIP file, it's available for download now at the end of Step 4 above.

Niall do you know if the pre-provisioning feature works on Windows 7?

 

I'm afraid it does not! only win8! :)

actually it's a WinPE4 feature and as such you should be able to pre-provision BitLocker for windows 7 deployments also,

I just have not tested it yet,

 

cheers

niall

I did not know that! because one of the new "features" for windows 8 is the ability to encrypt the disk before you install the OS. Good to hear it may work for Win 7 also!

just tested it and it works in Windows 7 deployments also

 

see screenshot :-)

win7 pre provision.jpg

With MDT integration enabled, the task sequence looks a bit different. The enable bitlocker step, in particular, doesn't offer the same options. If I create an MDT task sequence, does the pre-provisioning still work the same? Do I just need to pre-set variables for the bitlocker settings, such as BDEInstall, BDEPin, BDERecoveryKey, BDEKeyLocation, etc?

which version of MDT are you testing with ?

I figured it out...

 

You need to add one additional step before Pre-Provision Bitlocker step during WinPE session:

 

Run Commandline: reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 2 /f

 

After this, the drive is encrypted using AES-256 :)

As already noted on the myitforum post list, the diffuser part doesn't come out and play when you do the registry modification, it only shows normal AES-256... Any thoughts on this anyweb?

i'm seeing the same thing, still investigating....

All right, I have successfully integrated that into our Windows 7 deployment sequence. I love it. It's pretty quick.

The only problem I have is that the drive label is set to MININT-XXXXXXX, because the computer name is not set when the encryption starts. Is there any way to avoid this?

The recovery key is not the problem. It gets stored in the AD during the "enable bitlocker" step, which is one of the last steps in the sequence, where the name is already properly set.

The Disk Label name is set when the disk encryption starts and contains the computer name. The only solution would be to change the computer name during the PE phase, which is not possible as far as I know. :mellow:

The partition label is not the problem either. Just the bitlocker drive label, which is a combination of computer name and partition label. The bitlocker drive label is shown in the PIN dialog after booting the machine. That's where the users read the machine name from if the help desk asks them, in case they forgot their PIN.

Got you now. You could try adding a prompt for OSDComputerName in the TS, then it might get the correct computer name earlier.

 

It removes the zero touch element though.

 

We use the asset sticker as the computer name so it's not such a big deal in practice. I'll live with it for the benefits.

All right,

 

mission impossible to get a proper name for this string since this is hard coded and not configurable by any command line options. :(

I ended up disabling the MDT 'enable bitlocker' step and adding a new 'enable bitlocker' step to the task sequence. That gave me the SC version of the step, and seems to be working properly.

 

Well, mostly. I can't get that step to take an enhanced bitlocker pin, but with a numeric pin it works. I wonder if it can't do it because enhanced pin has to be enabled by GPO, and SC doesn't seem to boot into the OS and run the later TS steps like MDT does... One of these days I'll get around to finding a way to set the enhanced pin automatically.

I just wanted to say that I have followed the post (which has been a great help thank you), however, I was experiencing great problems with the TPM Activation step on a Dell Latitude E6410 in the task sequence and it failing every time. Obviously without this step succeeding, the whole Pre-Provisioning feature doesn't work! After days of trying to resolve the issue it appears the problem is with the '=' after 'valsetuppwd'. If you remove the '=' the tpmactivation step works! Here's how it should be entered:

 

x:\CCTK\X86\cctk.exe --tpmactivation=activate valsetuppwd [BIOS Password]

 

I just wanted to share it so no one else pulls their hair out trying to get this to work. Obviously this may be different for different Dell models and BIOS versions.

can you post a screenshot of where you had the issue please and i'll check it against mine
