anyweb

how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?


Even though I have now got my TPM Activation sorted, when it gets to the Enable Bitlocker step it then fails the task sequence altogether. My Enable BitLocker step is currently about half way through my task sequence - do I need to move it towards the end of the sequence like it needed to be in SCCM 2007? When I go in to Windows after it fails, it says BitLocker is suspended and you cannot resume it due to it not having any keys.

my step looks like so, and it works just fine, your logs should reveal what your issue really is, have you tried a BIOS upgrade on the Dell?

(attachment: activate TPM.png)

It is strange - I have done a BIOS upgrade to the latest version. It does work without the '=' so I will stick with that. The problem I am having at the moment is it fails on the Enable BitLocker step, however, I believe this may be to do with the fact that we have no Group Policy entry for 'Choose how BitLocker-protected operating system drives can be recovered'. I'm assuming without this Group Policy setting configured the computer has no idea what to do with the recovery keys?

well the logs should reveal why it's failing to enable BitLocker, so what does the smsts.log file say?

also, please re-review the guide here as it explains what you need set up in AD prior to starting the deployment.

I have checked the logs but I cannot find anything which says why the Enable BitLocker step failed. All I can find is where it states the step has processed. Is there anything in particular I should look out for? Or search for?

you should pause the task sequence before that step and bring up the command prompt, then open smsts.log in CMTrace

you can download the pause script in this HTA download, the included task sequence also contains the step to pause if you want to see how it's done...

I think I've realised why my Enable BitLocker step may not be working. I imported your Task Sequence from the HTA download you provided and went through all the steps. I noticed that you have a different Enable BitLocker step for Windows 7 than you do for Windows 8. I am installing Windows 7 and have been trying to use the built-in Enable BitLocker step... I am presuming that this is only for Windows 8? For Windows 7 you have used a script.

the built-in step should work fine, have you tried doing the pause BEFORE the enable BitLocker step, and directly after? that way you can see (in the smsts.log) exactly what the cause of your issue is

Oh ok that's good news. I haven't implemented the pause action yet - I am still going through your task sequence to see how it works. I will let you know when I have implemented it and report its failure. Thanks for your help so far....

Ok I have added the pause step before and after the Enable BitLocker step. At the pause before the Enable BitLocker step there is nothing which states that anything is wrong, however, as soon as the Enable BitLocker step runs it errors and tries dropping out of the task sequence. In the smsts.log located in C:\Windows\CCM\Logs it says

"Unable to find instance of 'Win32_Tpm'. Ensure that this device has a Trusted Platform Module which is enabled in the BIOS"

Well this can't be the case because TPM is enabled and activated. I know this because if I go into the BIOS it says that TPM is enabled and activated. One step that does fail is where it removes the BIOS password - would this affect this step?

I have worked out what my problem is with the Enable BitLocker step - it was not applying the correct TPM driver in windows. We have been using the 'Auto Apply Drivers' step which automatically chooses the best one it thinks from a list. This has not worked in the case of TPM and applied a different driver. I turned Auto Apply Drivers off and told it to use a specific driver package and voila! I read a post where someone had exactly the same issue and they recommended to not use Auto Apply Drivers.


Thanks for all your help with this though - much appreciated :)
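The "Unable to find instance of 'Win32_Tpm'" error above and the driver fix in this post can both be caught before the Enable BitLocker step runs, rather than discovered from a failed task sequence. The following PowerShell pre-flight check is an added example and is not from this thread or from anyweb's task sequence; it assumes PowerShell 2.0 or later running elevated in the full OS (for instance from a Run Command Line step placed just before Enable BitLocker), and it assumes that the TPM device's class name as reported by Win32_PnPSignedDriver is 'SECURITYDEVICES'.

```powershell
# Added example (not from the thread): TPM pre-flight check for a
# "Run Command Line" step placed before the Enable BitLocker step.
# It queries the same Win32_Tpm class the failing step looks for and
# reports which driver the TPM device actually received, so a wrong
# driver chosen by Auto Apply Drivers shows up here, with a clear
# message in smsts.log, instead of as a failed Enable BitLocker step.
# Assumptions: PowerShell 2.0+, elevated, TPM device class name is
# 'SECURITYDEVICES' in Win32_PnPSignedDriver.

function Get-TpmPreflight {
    $result = New-Object PSObject -Property @{
        TpmFound    = $false
        IsEnabled   = $null
        IsActivated = $null
        IsOwned     = $null
        Driver      = $null
        Problems    = @()
    }

    # Same namespace and class the Enable BitLocker step uses.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        $result.Problems += "No Win32_Tpm instance: TPM disabled in BIOS, or no working TPM driver loaded."
    } else {
        $result.TpmFound    = $true
        # Each Win32_Tpm method returns an object carrying a boolean of the same name.
        $result.IsEnabled   = [bool]$tpm.IsEnabled().IsEnabled
        $result.IsActivated = [bool]$tpm.IsActivated().IsActivated
        $result.IsOwned     = [bool]$tpm.IsOwned().IsOwned
        if (-not $result.IsEnabled)   { $result.Problems += "TPM present but not enabled." }
        if (-not $result.IsActivated) { $result.Problems += "TPM enabled but not activated." }
    }

    # Which driver the TPM device ended up with (class name is an assumption).
    $drv = Get-WmiObject -Class Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
           Where-Object { $_.DeviceClass -eq 'SECURITYDEVICES' } |
           Select-Object -First 1
    if ($drv -ne $null) {
        $result.Driver = "{0} {1} ({2})" -f $drv.DriverProviderName, $drv.DriverVersion, $drv.InfName
    } else {
        $result.Problems += "No driver bound to a security device: check the driver package applied by the task sequence."
    }
    return $result
}

$check = Get-TpmPreflight
# Written to stdout, which the task sequence engine captures into smsts.log.
$check | Format-List TpmFound, IsEnabled, IsActivated, IsOwned, Driver, Problems

# Exit non-zero so the task sequence stops here, before Enable BitLocker,
# with the real cause already in the log.
if ($check.Problems.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it as a Run Command Line step with "Continue on error" unchecked; a non-zero exit stops the sequence at this step, and the Driver line in smsts.log tells you immediately whether the TPM got the vendor driver you expected or something Auto Apply Drivers picked instead.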

thanks for posting the solution to your problem and I'm glad it's working for you now, what driver did you end up using? Broadcom's? or Dell's? please include the link (for others with the same issue)

Using this method, is anyone able to set the TPM Owner Password and save it to the AD attribute msTPM-OwnerInformation? So far I haven't been able to do this as it seems that the Pre-Provision BitLocker step takes ownership, but because it hasn't joined the domain, is unable to upload the TPM Owner password (speculating). I can confirm this by clearing the attribute value (currently hashed) and then running through the Task Sequence steps. The result is a fully encrypted system, TPM is active, TPM is enabled and the TPM is owned, but I don't know what the TPM owner password is.

If I try to run the manage-bde -tpm -o <password> command from a prompt, it reports an error "The TPM already has an owner."

I think I am missing something obvious.... TIA

I am wondering the exact same thing as BB24. I have everything else working, but the backup of the TPM ownership to AD is not working. It makes sense that it is unable to back up the key during Pre-Provisioning, but is there a way to force the backup to AD later?

I read that Microsoft made some changes in Win8 related to the way the TPM ownership information is backed up in AD and that if your domain controller is not Server 2012 you have to extend the schema.

However, I'm deploying Win7 so I guess it should back up the info to the AD attribute msTPM-OwnerInformation?

Any help would be greatly appreciated.

Hello.

Hope there is someone that can help with BitLocker in a task sequence (SCCM 2012 SP1).

We are about to implement BitLocker in our task sequence for laptops.

We have HP laptops that we want to get BitLocker on.

We are setting up 2 packages/scripts to set the BIOS password and enable TPM, but the scripts/packages are failing.

We have this right after disk partition, but they are always failing.

We are running

biosconfigutility64.exe /nspwd:"password" for setting the password

and biosconfigutility64.exe /setconfig:config.txt for setting the TPM in the BIOS

Pre-config BitLocker

Install OS

Install packages

Install problem drivers

And as the last step in the task sequence we are enabling BitLocker.

But it is failing big time.

Does anyone know how we can get this to work?

Kind regards

I haven't used the biosconfigutility64.exe but the previous version would not work in the Windows PE environment - it has to be used after the OS was laid down.

Partition

Pre-provision

OS

Config Mgr

BiosConfig - set BIOS (BiosConfigUtility.exe /setConfig:TPMEnableV2.REPSET /cspwd:"" /nspwd:"password" /verbose)

BiosConfig - set BIOS (BiosConfigUtility.exe /cspwd:"password" /nspwd:"" /verbose)

Restart

Set 2 regkeys (backing up recovery key to AD)

a) AD Backup (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "ActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

b) Require AD Backup (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "RequireActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

Take TPM Ownership (manage-bde.exe -tpm -o password)

Set 4 regkeys (setting up a complex default PIN)

a) Set Enhanced PIN if you want to use something other than a numeric PIN (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseEnhancedPin" /t REG_DWORD /d 1 /f)

b) Set Advanced Startup Policy (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseAdvancedStartup" /t REG_DWORD /d 1 /f)

c) Set TPM and PIN policy (REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseTPMPIN" /t REG_DWORD /d 1 /f)

d) Set the default PIN (manage-bde.exe -protectors -add %OS% -TPMAndPIN c0mP!3Xpwd )

Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)
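The post-OS part of the sequence above (TPM policy keys, taking ownership after the domain join, the FVE policy keys, the TPM+PIN protector, and suspending protection before later reboots) can be done in one Run Command Line step instead of eight. The script below is an added example, not the poster's own task sequence or anything from anyweb's guide. It takes the TPM owner password and the PIN from task sequence variables rather than from the command line, so they do not end up in smsts.log; the variable names OSDTpmOwnerPassword and OSDBitLockerPin are hypothetical names you would set yourself on the collection or in a Set Task Sequence Variable step. It also assumes the Microsoft.SMS.TSEnvironment COM object is reachable (it is inside a running task sequence), that manage-bde.exe is on the path, and it keeps the same ordering as the post: the AD backup policy is in place before ownership is taken, which is what lets msTPM-OwnerInformation be written, the question raised earlier in this thread.

```powershell
# Added example (not the poster's script): post-OS BitLocker/TPM setup for a
# "Run Command Line" step after the Setup Windows and ConfigMgr step and its
# restart. Assumptions: running inside a task sequence (Microsoft.SMS.TSEnvironment
# available), elevated, manage-bde.exe on the path, and two hypothetical TS
# variables OSDTpmOwnerPassword and OSDBitLockerPin set beforehand.

$ErrorActionPreference = 'Stop'

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    # Same effect as the REG ADD lines in the post; creates the key if it is missing.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Invoke-ManageBde([string[]]$ArgumentList) {
    # Run manage-bde and turn a non-zero exit into a terminating error, so the
    # step fails visibly in smsts.log instead of the sequence carrying on.
    $out = & manage-bde.exe @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgumentList -join ' ') failed ($LASTEXITCODE): $out"
    }
    return $out
}

$ts       = New-Object -ComObject Microsoft.SMS.TSEnvironment
$ownerPwd = $ts.Value('OSDTpmOwnerPassword')   # hypothetical variable name
$pin      = $ts.Value('OSDBitLockerPin')        # hypothetical variable name
if (-not $ownerPwd -or -not $pin) {
    throw "OSDTpmOwnerPassword and OSDBitLockerPin must be set before this step."
}

$tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Require the TPM owner information to be written to AD (msTPM-OwnerInformation).
#    Set this before ownership is taken, now that the machine is domain joined.
Set-PolicyDword $tpmPolicy 'ActiveDirectoryBackup'        1
Set-PolicyDword $tpmPolicy 'RequireActiveDirectoryBackup' 1

# 2. Take ownership only if nothing (such as Pre-provision BitLocker) already did;
#    otherwise manage-bde -tpm -o reports "The TPM already has an owner."
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) { throw "No Win32_Tpm instance: TPM not enabled or no TPM driver." }
if (-not [bool]$tpm.IsOwned().IsOwned) {
    Invoke-ManageBde @('-tpm', '-o', $ownerPwd) | Out-Null
}

# 3. Policy for an enhanced TPM+PIN startup, then the TPM+PIN protector itself.
Set-PolicyDword $fvePolicy 'UseEnhancedPin'     1
Set-PolicyDword $fvePolicy 'UseAdvancedStartup' 1
Set-PolicyDword $fvePolicy 'UseTPMPIN'          1
Invoke-ManageBde @('-protectors', '-add', $env:SystemDrive, '-TPMAndPIN', $pin) | Out-Null

# 4. Suspend protection for the reboots the rest of the task sequence performs,
#    so the machine does not stop at the PIN prompt mid-build. The final Enable
#    BitLocker step (or manage-bde -protectors -enable) turns it back on.
Invoke-ManageBde @('-protectors', '-disable', $env:SystemDrive) | Out-Null
```

The ownership check in step 2 is the part that matters for the question about msTPM-OwnerInformation earlier in the thread: if the TPM is already owned when this step runs, the script skips manage-bde -tpm -o rather than failing, and the log shows which branch was taken. Keep the Enable BitLocker step (or a -protectors -enable command) as the last thing in the sequence so that protection is actually resumed once the reboots are over.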

Hello.

Thanks for the reply.

Will the disk be encrypted while the rest of the package is installing or will it be decrypted after the OS is installed and ready?

You are writing

> Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)

What do you mean, can you explain a little further?

Do you have a screenshot of the task sequence?

Sorry for my bad English

Kind regards

I am running the biosconfigutility in WinPE4 (x86) without any issues. How are you running the biosconfigutility? I mean have you created a package with a program and are using an "Install Package" step, or are you running it as a command line in the TS?

Hello.

Have tried both ways, but no luck.

Maybe I am doing something wrong in the package. (Do you have some hints for me?)

I am trying to get it before adding the OS to the disk.

Maybe this is too early?

Using it on a 64-bit OS, but the basics are the same.

Kind regards

Using the Install Package step won't work, so go with the run command line version. I have a package with the necessary files, but no programs are necessary.

I have had several HP models where I had to upgrade the BIOS in order to get control over the TPM chip, so that could be one thing to check. On the other hand I don't think running the biosconfigutility would fail in this case.

Are you using a 64-bit boot image as well? If you have created an OS image you can just as well use the 32-bit boot image. The 32-bit is more versatile than the 64-bit and can deploy everything except for a 64-bit OS Installer Package. This is why I'm using the 32-bit boot image. I only use the 64-bit version when building a new 64-bit image.

> Hello.
>
> Thanks for the reply.
>
> Will the disk be encrypted while the rest of the package is installing or will it be decrypted after the OS is installed and ready?

With the pre-provision BitLocker action it is basically doing the following command: manage-bde -on -usedspaceonly c: However, you cannot run this command directly under the Win 7 context because the argument "-usedspaceonly" only exists in Windows 8 (MDT 2012). To answer your question, once manage-bde.exe is running it encrypts the bits as it lays them onto the hard drive and will encrypt any bits that are already on the drive.

> You are writing
>
> Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)
>
> What do you mean, can you explain a little further?

I mean add a run command line that says: manage-bde.exe -protectors -disable c: prior to any reboot steps you may have in your task sequence, otherwise when the system reboots it will prompt for your BitLocker PIN that you set in step D. This no longer makes it a ZTI or LTI build.

> Do you have a screenshot of the task sequence?
>
> Sorry for my bad English
>
> Kind regards

> Using the Install Package step won't work, so go with the run command line version. I have a package with the necessary files, but no programs are necessary.
>
> I have had several HP models where I had to upgrade the BIOS in order to get control over the TPM chip, so that could be one thing to check. On the other hand I don't think running the biosconfigutility would fail in this case.
>
> Are you using a 64-bit boot image as well? If you have created an OS image you can just as well use the 32-bit boot image. The 32-bit is more versatile than the 64-bit and can deploy everything except for a 64-bit OS Installer Package. This is why I'm using the 32-bit boot image. I only use the 64-bit version when building a new 64-bit image.

I am using 64-bit all the way.

Do you have a tutorial for how to make the package?

Do you run the sequence after partitioning of the disk or do you have it a little later?

Will have to investigate the deployment of the BIOS to the HP machines.

> Hello.
>
> Thanks for the reply.
>
> Will the disk be encrypted while the rest of the package is installing or will it be decrypted after the OS is installed and ready?
>
> With the pre-provision BitLocker action it is basically doing the following command: manage-bde -on -usedspaceonly c: However, you cannot run this command directly under the Win 7 context because the argument "-usedspaceonly" only exists in Windows 8 (MDT 2012). To answer your question, once manage-bde.exe is running it encrypts the bits as it lays them onto the hard drive and will encrypt any bits that are already on the drive.
>
> You are writing
>
> Be sure to suspend your BitLocker in the remaining parts of your TS before any additional reboots. (manage-bde.exe -protectors -disable c:)
>
> What do you mean, can you explain a little further?
>
> I mean add a run command line that says: manage-bde.exe -protectors -disable c: prior to any reboot steps you may have in your task sequence, otherwise when the system reboots it will prompt for your BitLocker PIN that you set in step D. This no longer makes it a ZTI or LTI build.
>
> Do you have a screenshot of the task sequence?
>
> Sorry for my bad English
>
> Kind regards

Thanks.

Will try it tomorrow

The package is just a normal legacy package including the BiosConfigUtility.exe and the TPMEnable.REPSET files and then distributed to a DP.

Are you running the biosconfigutility twice? Once to set the password and once to enable the TPM. I'm just putting everything together, something like:

BiosConfigUtility.exe /SetConfig:TPMEnable.REPSET /nspwd:"password" /cspwd:"password"

The cspwd is necessary if the BIOS already has a password. I'm not sure if the format of the config file makes a difference (.txt or .REPSET), but most guides mention the config file as TPMEnable.REPSET so you could try that as well.

It might also be that you have to enter the entire path to the TPMEnable.REPSET file, I'll check that tomorrow and get back to you.
