anyweb

How can I pre-provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1?


The package is just a normal legacy package including the BiosConfigUtility.exe and the TPMEnable.REPSET files and then distributed to a DP.

 

Are you running the biosconfigutility twice? Once to set the password and once to enable the tpm. I'm just putting everything together, something like:

 

BiosConfigUtility.exe /SetConfig:TPMEnable.REPSET /nspwd:"password" /cspwd:"password"

I had problems with the utility working if I didn't set the password and then clear it. Didn't try it as a single line.

The cspwd is necessary if the bios already has a password. I'm not sure if the format of the config-file makes a difference (.txt or .REPSET), but most guides mention the config-file as TPMEnable.REPSET so you could try that as well.

File extension doesn't matter. .repset or .txt will work.

 

It might also be that you have to enter the entire path to the TPMEnable.REPSET file, I'll check that tomorrow and get back to you.


 

 

Hello.

 

Thanks for the reply.

Will the disk be encrypted while the rest of the package is installing, or will it be decrypted after the OS is installed and ready?

 

With the Pre-Provision BitLocker action it is basically doing the following command: manage-bde -on -usedspaceonly c: However, you cannot run this command directly under the Win 7 context because the argument "-usedspaceonly" only exists in Windows 8 (MDT 2012). To answer your question, once manage-bde.exe is running it encrypts the bits as it lays them onto the hard drive and will encrypt any bits that are already on the drive.

 

You are writing:

 

Be sure to suspend your bitlocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)

 

What do you mean, can you explain a little further?

 

I mean add a Run Command Line step that says: manage-bde.exe -protectors -disable c: prior to any reboot steps you may have in your task sequence. Otherwise, when the system reboots it will prompt for your BitLocker PIN that you set in step D. This no longer makes it a ZTI or LTI build.

 

 

Do you have a screenshot of the task sequence?

 

Sorry for my bad English.

 

Kind regards
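The "suspend protectors before any reboot" advice above, as an added example that is not from this thread or from any poster: a "Run PowerShell Script" task sequence step that checks the OS volume through the standard Win32_EncryptableVolume WMI class and suspends its key protectors only when they are currently active, which is what manage-bde.exe -protectors -disable c: does. The volume letter and the need for the PowerShell optional component in the boot image are assumptions.

```powershell
# Added example (not from the thread). Place this step before every Restart Computer
# step that follows Pre-Provision BitLocker, so the restart does not stop at a
# BitLocker PIN/recovery prompt and break the zero-touch build.
# Assumes: the boot image / OS has PowerShell, and the OS volume is C: (override with -Volume).
param([string]$Volume = 'C:')

# Win32_EncryptableVolume lives in this namespace on every BitLocker-capable Windows build
$vol = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
if (-not $vol) {
    Write-Output "Volume $Volume not found or not BitLocker-capable."
    exit 1
}

# ProtectionStatus: 0 = off (no protectors or protectors suspended), 1 = on, 2 = unknown
$prot = $vol.GetProtectionStatus().ProtectionStatus
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress,
# 3 = decryption in progress, 4 = encryption paused, 5 = decryption paused
$conv = $vol.GetConversionStatus()
Write-Output ('ProtectionStatus={0} ConversionStatus={1} EncryptionPercentage={2}' -f `
    $prot, $conv.ConversionStatus, $conv.EncryptionPercentage)

if ($prot -ne 1) {
    # Nothing to suspend: either pre-provisioning has not added protectors yet
    # (normal right after the WinPE phase) or they are already disabled.
    Write-Output "Protectors on $Volume are not active; no action taken."
    exit 0
}

# Equivalent of: manage-bde.exe -protectors -disable C:
# Background encryption keeps running; only the protector check at boot is suspended.
$rc = $vol.DisableKeyProtectors().ReturnValue
if ($rc -ne 0) {
    Write-Output ('DisableKeyProtectors failed with 0x{0:X8}' -f $rc)
    exit 2
}
Write-Output "Key protectors on $Volume suspended. Re-enable them (manage-bde -protectors -enable $Volume) in the last step of the task sequence."
exit 0
```

Checking ProtectionStatus first matters: DisableKeyProtectors on a volume that has no protectors yet returns an error, which would fail the step on the very first reboot after the WinPE phase, so the script treats that case as "nothing to do" rather than as a failure.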


Thanks,

 

Will wait for your answer.

I have it in two lines.

Do I not need to set the password before configuring the BIOS?

It would be good if you could tell me where in the task sequence you put the script (before or after the OS deployment).


I am flashing the BIOS on HP laptops and desktops if necessary, as well as enabling and taking ownership of the TPM chips, right after partitioning the drive and before the OS is applied.

 

If you're installing an OS image and not an OS installer package, you could also try the 32-bit boot image and see if that works.


BB24, have you found a solution to the TPM backup to AD issue when Pre-provisioning BitLocker?

 

CalleW,

 

It hasn't been confirmed fully, but I think so.

 

The key is not to use the built in Pre-Provision command (in the MDT menu) and to ensure that the following tpm states are set:

 

IsOwned_InitialValue = False

IsActivated_InitialValue = True

IsEnabled_InitialValue = True

 

(you can see these states from the F8/Debug prompt by running this wmic command)

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

 

I was able to build a .vbs to check and change the IsActivated and IsEnabled values by using the SetPhysicalPresenceRequest method of the Win32_TPM class as described here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376478(v=vs.85).aspx (it then requires a reboot on Dell, HP and Lenovo machines to accept the change, hence the SetPhysicalPresenceRequest, but you can stage the image with a simple Restart TS step).

 

I was not able to change the IsOwned value however without manually clearing the PIN in the BIOS first.

 

After the states are set properly, I then run the command:

 

manage-bde.exe -on -usedspaceonly %OS% (where %OS% is the volume where the OS is going to be applied) and then apply the Operating System.

 

After joining the domain and setting my regkeys for the backup policies, I run the

 

manage-bde.exe -tpm -o password command which then populates the msTPM-OwnerInformation field.

 

Later on you can set the Bitlocker PIN as I wrote about earlier.

 

Hope that makes sense.

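The TPM state check and the SetPhysicalPresenceRequest approach described in the post above, as an added example that is not the poster's .vbs and not from this thread: a PowerShell version that reads the three Win32_Tpm flags listed in the post, decides whether the Pre-Provision BitLocker step can run, and otherwise queues the enable+activate request for the firmware to apply at the next restart. The request code 6 (enable + activate) comes from the Win32_Tpm documentation the post links; availability of PowerShell in the boot image is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated F8 prompt in WinPE or as a
# "Run PowerShell Script" task sequence step before Pre-Provision BitLocker.
# Assumes the standard Win32_Tpm class under root\cimv2\security\microsofttpm.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Output 'No TPM found (or the TPM WMI provider is missing from this boot image).'
    exit 1
}

# The three flags the post says must be in this state before pre-provisioning:
# IsEnabled_InitialValue = True, IsActivated_InitialValue = True, IsOwned_InitialValue = False
$enabled   = [bool]$tpm.IsEnabled_InitialValue
$activated = [bool]$tpm.IsActivated_InitialValue
$owned     = [bool]$tpm.IsOwned_InitialValue
Write-Output ('IsEnabled_InitialValue={0} IsActivated_InitialValue={1} IsOwned_InitialValue={2}' -f `
    $enabled, $activated, $owned)

if ($owned) {
    # Matches the post: ownership cannot be cleared from here. Clearing the TPM
    # in BIOS setup is required first, otherwise manage-bde -tpm -o will not be able
    # to take ownership later and the AD backup of the owner password will fail.
    Write-Output 'TPM is already owned: clear it in BIOS setup before pre-provisioning.'
    exit 2
}

if ($enabled -and $activated) {
    Write-Output 'TPM is enabled, activated and unowned: safe to run Pre-Provision BitLocker.'
    exit 0
}

# Physical-presence request 6 = "enable + activate". The firmware performs it on the
# next boot (and may ask the user to confirm on some models), so the task sequence
# needs a Restart Computer step right after this one, as the post describes.
$result = $tpm.SetPhysicalPresenceRequest(6)
if ($result.ReturnValue -ne 0) {
    Write-Output ('SetPhysicalPresenceRequest failed with 0x{0:X8}' -f $result.ReturnValue)
    exit 3
}
Write-Output 'Enable+activate request queued; restart required before the flags change.'
# Exit 0 here on purpose: the flags will still read False until after the restart.
exit 0
```

Distinct exit codes let the task sequence branch on the result (for example, only run the Restart Computer step when the script exits 0 with a request queued, and stop the deployment with a clear message when the TPM is still owned), which keeps the build zero-touch instead of failing later at manage-bde.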

Ok, thanks for the update.

I'm actually not using MDT integration at all, so I'm using SCCM's own Pre-provision BitLocker step. I'll look into your findings next week.

 

When you run the command to populate the msTPM-OwnerInformation do you define a password? I assumed the ownership was taken in WinPE phase and a random password generated.


We use a partial static part and combine it with a randomly generated one. Not sure that combination necessarily improves support/security though; using a completely random one is probably best.


Did manage to add the BIOS settings task right after the Partition Disk step

(had to run it as "Run Command Line" and had to mark the "Disable 64-bit file system redirection" option).

 

I have also set the "Pre-Provision BitLocker" step right after it (running SCCM 2012 SP1; maybe this is not suitable for Windows 7 deployment).

If not, do I have to set it manually (and not use the built-in commands)?

 

Kind Regards


I am pre-provisioning BitLocker on Win7 and it's working well. The only issues at the moment are the backup of the TPM ownership password to AD, and that on Lenovo laptops the BitLocker partition is visible after installation.

 

Btw, I checked my biosconfigutility.exe command and I have NOT defined the full path, so that is not necessary.

 

 

Carl

