how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?

[anyweb]

Now that we have Configuration Manager 2012 SP1 beta to test, there is a new BitLocker step in the default task sequences that allows us to enable BitLocker during the deployment and it is called pre-provision BitLocker. Pre-provision BitLocker gives us the ability to Encrypt the data on the disc (not the free space, just the used space) on the fly and that means you end up with an encrypted disc much faster than we are currently used to.

Before you undertake this task though you'll need a few things in place, namely you need Configuration Manager 2012 Service Pack 1 installed and you'll need to be familiar with Deploying Windows 8 and BitLocker itself. WinPE 4 is a key part of pre-provisioning BitLocker, so if you don't have that version of WinPE you can forget about trying this. Installation of the ADK will upgrade your default WinPE boot images to the correct version.

In this guide I'm assuming that you have already upgraded to Configuration Manager 2012 Service Pack 1 and that you have imported a Windows 8 install.wim image as described here.

Step 1. Verify that Active Directory is ready for BitLocker
perform the following on your Active Directory domain controller as a domain administrator.

As part of our task sequence we will use the built-in Enable BitLocker which is configured by default to store the recovery key in Active Directory.

Note: You can save BitLocker recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1. In this guide I'm using a domain controller running Windows Server 2008 R2 Service Pack 1.

On your active directory domain controller start up AdsiEdit, right click on Default naming context and select settings



The Connection Settings window appears, in the Select a well known naming context section click on the drop down menu and select Schema.



you should see a bunch of values starting with ms-FVE (scroll down to see them, it's a long list). The common name (CN) for the BitLocker recovery object is ms-FVE-RecoveryInformation. You have now verified that the Active directory Schema has the nescessary objects to store the keys.

• CN=ms-FVE-KeyPackage – attributeSchema object
• CN=ms-FVE-RecoveryGuid – attributeSchema object
• CN=ms-FVE-RecoveryInformation – classSchema object
• CN=ms-FVE-RecoveryPassword – attributeSchema object
• CN=ms-FVE-VolumeGuid – attributeSchema object
• CN=ms-TPM-OwnerInformation – attributeSchema object

If the above objects are not present and you are running an earlier version of Windows Server then you may need to extend the Active Directory Schema to support Bitlocker, please review this page on Technet for information on that.

If you want to easily check BitLocker recovery keys from within Active Directory then add the Windows Server BitLocker features below and reboot the server if prompted




Step 2. Create a BitLocker Policies Group Policy Object
perform the following on your Active Directory domain controller as a domain administrator.

Start up Group Policy Management and right click on your domain name, choose Create a GPO in this Domain and link it here.



give the new GPO a name, call it BitLocker Policies as per the screenshot below.



Right click on the newly created GPO and choose Edit



navigate to Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives and select the following policy, Choose how BitLocker-protected operating system drives can be recovered.



Right click on the policy, choose edit, then Enable the setting and apply your changes.



At this point our Group Policy is complete.

 

Note: You can use a GPO Policy setting for encryption type. You can use Group Policy settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Group Policy settings for BitLocker Drive Encryption are located under the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path of Group Policy Editor

 

Step 3. Create a new deploy task sequence with Bitlocker enabled
perform the following on your Configuration Manager Server as SMSadmin

BitLocker options get dynamically added to your task sequence during the create task sequence wizard based on the choices you make during the wizard. In the operating system deployment workspace of ConfigMgr right click on task sequences and select Create Task Sequence.



The Create Task Sequence wizard appears, choose the first option Install an existing image package.



fill in the Task Sequence Information, be specific, and select a boot image, we are deploying Windows 8 X64 in this example with BitLocker, however we select an X86 boot image.

Note: If you are deploying Windows 8 X64 in UEFI mode in combination with BitLocker then you need to select a X64 boot image in this step otherwise it will not boot.



The Install the Windows Operating System step decides whether or not we'll get the BitLocker steps added to our task sequence. By default the Bitlocker options are greyed out until we add an image that is BitLocker capable. (Windows Vista, Windows 7, Windows 8, however pre-provisioning with Vista is not supported).



so select a Windows 8 image that you've added earlier and enter the product key and set an administrative password. Now you can see the BitLocker option is available, make sure that Configure Task sequence for use with BitLocker is selected.



enter your domain join user credentials in the Configure Network step



we can click through the next few screens (with the default settings) as we are only interested in BitLocker operations for the purpose of this guide



Step 4. Add support for TPM operations in WinPE
perform the following on your Configuration Manager Server as SMSadmin

For the purposes of this guide we need to edit the task sequence to remove some un-needed functionality and add required functionality. We will disable all Capture and Restore User State Groups in the task sequence, we don't need those steps for verifying Pre-Provisioning of BitLocker, so right click on our newly created task sequence, choose Edit and disable the Capture and Restore User state sections as per the screenshot below. You can always re-enable these sections later to complete your deployment solution but for now, disable them.



Next we need to add support for the hardware in question in terms of enabling the TPM in WinPE, I've covered this in great detail in the following post and in this task sequence we will use the exact same steps and software (I've tested and verified this on Dell Latitude E4200, E5510, E6320, should newer models require a newer version of CCTK for WinPE or a different method of doing this in Windows PE then i'll update this post with that information).

Update: I've confirmed the above works even on brand new Dell Hardware (Dell Latitude E6430 bios version A03) using the latest CCTK available from here.


Below is the same task sequence with the Enable TPM for BitLocker in WinPE section added from the post referenced above. Failure to add this section to your task sequence will mean you cannot do any TPM operations in WinPE.



The Pre-Provision Bitlocker step looks like so in the task sequence



and the Enable BitLocker step is already set to store the recovery key in active directory domain services as you can see here



Tip: If you have no access to your AD environment and really want to test pre-provisioning BitLocker you can select the second option (do not create a recovery key) which will allow your Task sequence to complete but it of course won't store the recovery key anywhere and data could get lost if you don't know what you are doing. Be warned.

Note: If you want to download the task sequence I created above then import the following ZIP file.

Deploy Windows 8 X64 - with BitLocker Provisioning.zip


Step 5. Deploy the task sequence
perform the following on your Configuration Manager Server as SMSadmin


Right click your new task sequence and choose Deploy, deploy it to a suitable collection as an Available deployment.



for Deployment Settings choose Configuration Manager Clients, media and PXE



click your way through to the end of that wizard.

Step 6. PXE boot and monitor the deployment
perform the following on your client computer

PXE boot the computer and select our newly deployed Available (optional) task sequence (Deploy Windows 8 X64 - with BitLocker Provisioning)



and off it goes....if you have a chance press F8 and type the following line

manage-bde -status

this should reveal something similar to the following saying that it's fully decrypted



in order to set TPM options in Windows PE we use CCTK on Dell hardware, and these actions will reboot the computer, after the reboot it'll fly through the Pre-Provision BitLocker step so the thing to remember here is the Pre-Provision BitLocker is FAST, really FAST, so in order to see it you have to be fast, press F8 after that reboot and keep cycling through the manage-bde -status command while it gets to the Pre-Provision Bitlocker step and just after, you'll see something like this (sorry for the screenshots, it's on real hardware so difficult to take photos)

here directly after the Pre-Provision BitLocker step we see encryption in progress



seconds later it's up to 7.5%, yes that was seconds later !! you'll also note it's applying the operating system and it's referring to Enfo Workplace day, so if you are in the South of Sweden on September 28th drop by and say hi and i'll demo this in action. Let me know you are coming ok ?

a few seconds later and it's done, yup 100% used space only encrypted !



while you are waiting for Windows 8 to deploy you can review SMSTS.log in X:\windows\temp\smstslog\smsts.log

here's what mine looks like during the apply operating system step right after it has successfully Pre-Provisioned BitLocker, the screenshot below shows the step from the log on another computer just to highlight the step for you and what the TPM actions above it should look like.

smsts.log



after the Setup Windows and ConfigMgr step is complete the Enable Bitlocker step will take place and if you configured Active Directory correctly it will store the recovery key in AD, look for the line creating recovery password and escrowing to active directory.



Below is the SMSTS.log file after the task sequence has completed...

smsts.log

At this point you can check Active Directory, in Active Directory Users and Computers right click n the computername in question and choose the BitLocker Recovery tab



and that's it, you can verify it on the computer in question by opening a command prompt in Windows 8 and typing the following line

manage-bde -protectors -get c:

and finally, even though we already saw that Encryption was at 100% while in WinPE you'll notice that your hard disc is NOT busy encrypting because it's already DONE.




Recommended Reading

What's New in BitLocker - http://technet.micro...y/hh831412.aspx

Bitlocker Changes in Windows 8 - http://www.windowsit...indows-8-142661

Backing Up BitLocker and TPM Recovery Information to AD DS - http://technet.micro...529(WS.10).aspx

Verify BitLocker and TPM Schema Objects - http://technet.micro...3(v=ws.10).aspx

Requirements to save Bitlocker Recovery Key to AD using MDT - http://blogs.technet...-using-mdt.aspx

Understand and Troubleshoot BitLocker in Windows Server "8" Beta - http://www.microsoft...n.aspx?id=29032

 

BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 2) - Cluster Share Volume Support - http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/BitLocker-Enhancements-Windows-Server-2012-Windows-8-Part2.html

So there you have it, Pre-Provisioning BitLocker in WinPE during a Windows 8 deployment (Update: or Windows 7) is possible right now using Configuration Manager 2012 SP1.

 

And doesn't it just rock ? oh yeah :-)

Enjoy !

cheers
niall

[anyweb]

update: to save you time i've exported the Task Sequence used above and uploaded the ZIP file, it's available for download now at the end of Step 4 above.

[Config Mangler]

Niall do you know if the pre-provisioning feature works on Windows 7?

[Oneone]

Niall do you know if the pre-provisioning feature works on Windows 7?

 

Im afraid it does not! only win8!

[anyweb]

actually it's a WinPE4 feature and as such you should be able to pre-provision BitLocker for windows 7 deployments also,

I just have not tested it yet,

 

cheers

niall

[Oneone]

actually it's a WinPE4 feature and as such you should be able to pre-provision BitLocker for windows 7 deployments also,

I just have not tested it yet,

 

cheers

niall

 

I did not know that! because one of the new "features" for windows 8 is the ability to encrypt the disk before you install the OS. Good to hear it may work for Win 7 also!

[anyweb]

just tested it and it works in Windows 7 deployments also

 

see screenshot :-)

[Aurock]

With MDT integration enabled, the task sequence looks a bit different. The enable bitlocker step, in particular, doesn't offer the same options. If I create an MDT task sequence, does the pre-provisioning still work the same? Do I just need to pre-set variables for the bitlocker settings, such as BDEInstall, BDEPin, BDERecoveryKey, BDEKeyLocation, etc?

[anyweb]

which version of MDT are you testing with ?

[Aurock]

SCCM 2012 SP1 beta, and MDT 2012 update 1, (6.1.2373.0)