anyweb

How can I pre-provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1?


Hello.

 

Hope there is someone that can help with BitLocker in a task sequence (SCCM 2012 SP1).

We are about to implement BitLocker in our task sequence for laptops.

 

We have HP laptops that we want to get BitLocker on.

 

We are setting up 2 packages/scripts to set the BIOS password and enable the TPM,

but the scripts/packages are failing.

 

We have this right after the disk partitioning step, but it is always failing.

We are running

biosconfigutility64.exe /nspwd:"password" for setting the password

and biosconfigutility64.exe /setconfig:config.txt for setting the TPM in the BIOS

Pre-config BitLocker

Install OS

Install packages

Install problem drivers

And as the last step in the task sequence we are enabling BitLocker

 

But it is failing big time.

 

Does anyone know how we can get this to work?

 

Kind Regards


I haven't used the biosconfigutility64.exe, but the previous version would not work in the Windows PE environment; it had to be used after the OS was laid down.

 

Partition

Pre-provision

OS

Config Mgr

BiosConfig - set BIOS (BiosConfigUtility.exe /setConfig:TPMEnableV2.REPSET /cspwd:"" /nspwd:"password" /verbose)

BiosConfig - set BIOS (BiosConfigUtility.exe /cspwd:"password" /nspwd:"" /verbose)

Restart

Set 2 regkeys (backing up recovery key to AD)

a) AD Backup (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "ActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

b) Require AD Backup (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "RequireActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

Take TPM Ownership (manage-bde.exe -tpm -o password)

Set 4 regkeys (setting up a complex default PIN)

a) Set Enhanced PIN if you want to use something other than a numeric PIN (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseEnhancedPin" /t REG_DWORD /d 1 /f)

b) Set Advanced Startup Policy (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseAdvancedStartup" /t REG_DWORD /d 1 /f)

c) Set TPM and PIN policy (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseTPMPIN" /t REG_DWORD /d 1 /f)

d) Set the default PIN (manage-bde.exe -protectors -add %OS% -TPMAndPIN c0mP!3Xpwd )

 

Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)
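The post-OS steps above (policy keys, TPM ownership, TPM+PIN protector, suspend before reboot) as one PowerShell script that a Run Command Line step can call. This is an added example for this thread, not code from any of the posters; it assumes the OS drive is C:, that manage-bde.exe is on the path, and that the TPM owner password and default PIN are placeholders fed in from task sequence variables.

```powershell
# Added example (not from the original posts): the post-OS BitLocker steps as one
# script, with the exit-code checks the bare REG ADD / manage-bde lines do not give.
# Assumptions: OS drive is C:, manage-bde.exe is on the path, and the TPM owner
# password and default PIN are placeholders supplied by TS variables.
param(
    [string]$OsDrive = 'C:',
    [string]$TpmOwnerPassword = 'password',   # placeholder, as in the thread
    [string]$DefaultPin = 'c0mP!3Xpwd'        # placeholder default PIN from the thread
)
$ErrorActionPreference = 'Stop'

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Invoke-ManageBde([string[]]$Arguments) {
    # manage-bde reports failure through its exit code, not a PowerShell exception
    & manage-bde.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed: $LASTEXITCODE" }
}

# Set 2 regkeys: escrow TPM owner information to AD and require that it succeeds
$tpm = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
Set-PolicyDword $tpm 'ActiveDirectoryBackup' 1
Set-PolicyDword $tpm 'RequireActiveDirectoryBackup' 1

# Take TPM ownership
Invoke-ManageBde @('-tpm', '-o', $TpmOwnerPassword)

# Set the FVE policy keys so a TPM+PIN protector with an enhanced PIN is allowed
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Set-PolicyDword $fve 'UseEnhancedPin' 1
Set-PolicyDword $fve 'UseAdvancedStartup' 1
Set-PolicyDword $fve 'UseTPMPIN' 1

# Add the TPM+PIN protector to the volume that was pre-provisioned in WinPE
Invoke-ManageBde @('-protectors', '-add', $OsDrive, '-TPMAndPIN', $DefaultPin)

# Confirm via WMI that a "TPM And PIN" protector (key protector type 4) now exists,
# rather than trusting the command's silence
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
$ids = ($vol.GetKeyProtectors(4)).VolumeKeyProtectorID
if (-not $ids) { throw "No TPM+PIN protector found on $OsDrive" }

# Suspend protection so the next TS reboot does not stop at a PIN prompt
Invoke-ManageBde @('-protectors', '-disable', $OsDrive)
```

Run the suspend line again before every later reboot step in the task sequence, as the post above says, since protection resumes after the machine restarts.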


Hello.

 

Thanks for the reply.

Will the disk be encrypted while the rest of the packages are installing, or will it be decrypted after the OS is installed and ready?

 

You are writing:

 

Be sure to suspend your bitlocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)

 

What do you mean? Can you explain a little further?

 

Do you have a screenshot of the task sequence?

 

Sorry for my bad English.

 

Kind regards


I am running the biosconfigutility in WinPE4 (x86) without any issues. How are you running the biosconfigutility? I mean, have you created a package with a program and used an "Install Package" step, or are you running it as a command line in the TS?


Hello.

 

Have tried both ways, but no luck.

Maybe I am doing something wrong in the package. (Do you have some hints for me?)

 

I am trying to run it before adding the OS to the disk.

Maybe this is too early?

 

Using it on a 64-bit OS, but the basics are the same.

 

Kind regards


Using the Install Package step won't work, so go with the run command line version. I have a package with the necessary files, but no programs are necessary.

 

I have had several HP models where I had to upgrade the BIOS in order to get control over the TPM chip, so that could be one thing to check. On the other hand I don't think running the biosconfigutility would fail in this case.


Are you using a 64-bit boot image as well? If you have created an OS image you can just as well use the 32-bit boot image. The 32-bit one is more versatile than the 64-bit one and can deploy everything except for a 64-bit OS Installer Package. This is why I'm using the 32-bit boot image. I only use the 64-bit version when building a new 64-bit image.


Hello.

 

Thanks for the reply.

Will the disk be encrypted while the rest of the packages are installing, or will it be decrypted after the OS is installed and ready?

 

With the pre-provision BitLocker action it is basically doing the following command: manage-bde -on -usedspaceonly c:. However, you cannot run this command directly under the Win 7 context because the argument "-usedspaceonly" only exists in Windows 8 (MDT 2012). To answer your question, once manage-bde.exe is running it encrypts the bits as it lays them onto the hard drive and will encrypt any bits that are already on the drive.

 

You are writing:

 

Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)

 

What do you mean? Can you explain a little further?

 

I mean add a Run Command Line step that says manage-bde.exe -protectors -disable c: prior to any reboot steps you may have in your task sequence. Otherwise, when the system reboots it will prompt for the BitLocker PIN that you set in step d), and that means it is no longer a ZTI or LTI build.

 

 

Do you have a screenshot of the task sequence?

 

Sorry for my bad English.

 

Kind regards


Using the Install Package step won't work, so go with the run command line version. I have a package with the necessary files, but no programs are necessary.

 

I have had several HP models where I had to upgrade the BIOS in order to get control over the TPM chip, so that could be one thing to check. On the other hand I don't think running the biosconfigutility would fail in this case.

 

Are you using a 64-bit boot image as well? If you have created an OS image you can just as well use the 32-bit boot image. The 32-bit one is more versatile than the 64-bit one and can deploy everything except for a 64-bit OS Installer Package. This is why I'm using the 32-bit boot image. I only use the 64-bit version when building a new 64-bit image.

I am using 64-bit all the way.

Do you have a tutorial for how to make the package?

 

Do you run the step right after partitioning the disk, or do you have it a little later?

 

I will have to investigate the deployment of the BIOS update to the HP machines.


 

Hello.

Thanks for the reply.

Will the disk be encrypted while the rest of the packages are installing, or will it be decrypted after the OS is installed and ready?

 

With the pre-provision BitLocker action it is basically doing the following command: manage-bde -on -usedspaceonly c:. However, you cannot run this command directly under the Win 7 context because the argument "-usedspaceonly" only exists in Windows 8 (MDT 2012). To answer your question, once manage-bde.exe is running it encrypts the bits as it lays them onto the hard drive and will encrypt any bits that are already on the drive.

 

You are writing:

Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)

What do you mean? Can you explain a little further?

 

I mean add a Run Command Line step that says manage-bde.exe -protectors -disable c: prior to any reboot steps you may have in your task sequence. Otherwise, when the system reboots it will prompt for the BitLocker PIN that you set in step d), and that means it is no longer a ZTI or LTI build.

Do you have a screenshot of the task sequence?

Sorry for my bad English.

Kind regards

Thanks.

Will try it tomorrow.


The package is just a normal legacy package including the BiosConfigUtility.exe and the TPMEnable.REPSET files and then distributed to a DP.

 

Are you running the biosconfigutility twice, once to set the password and once to enable the TPM? I'm just putting everything together, something like:

 

BiosConfigUtility.exe /SetConfig:TPMEnable.REPSET /nspwd:"password" /cspwd:"password"

 

The cspwd is necessary if the BIOS already has a password. I'm not sure if the format of the config file makes a difference (.txt or .REPSET), but most guides mention the config file as TPMEnable.REPSET, so you could try that as well.

 

It might also be that you have to enter the entire path to the TPMEnable.REPSET file, I'll check that tomorrow and get back to you.
