anyweb

How can I pre-provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1?


Hi Niall, please could I have some help? I have used your wonderful guides, which have been a lifesaver, but I am now attempting to encrypt a Dell Latitude E6500 with BitLocker. I have followed your instructions and it works beautifully. The only problem I have is that Windows is now installed on the D drive. I have added the task sequence variable 'OSDPreserveDriveLetter'=false but this hasn't helped. I have an identical task sequence (minus BitLocker, TPM activation etc.) which works fine, but the BitLocker stuff seems to cause Windows to install on D. I'm so close to having this working but need some help please. Thanks! :)



Are you using a previously captured image or installing a new image of Windows 7 in this case?


Hi all,

I'm looking to test BitLocker in my lab, only my host PC doesn't have a TPM module.

 

When I use a task sequence to pre-provision, it fails... After my TS builds the client VM I can't enable BitLocker either, as it says no TPM module is present or enabled.

 

I have located a TPM module to purchase and plug in; this isn't a problem to purchase, or am I missing something elsewhere...

 

Any help or advice appreciated as always,

Regards, wazzie


You don't need a TPM in the host PC, but in the client machine you are testing BitLocker on (assuming it's BitLocker capable).

If it's a VM then it's not; you'll need to test BitLocker on real hardware.
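Added here as an illustration of the point above (this is my own example, not anyweb's code or a ConfigMgr step): a PowerShell check a lab engineer can run in WinPE or in the installed OS to see whether the machine exposes a usable TPM before the Pre-provision/Enable BitLocker steps are attempted, which also shows the enabled/activated state that a disabled TPM would fail on. The virtual-machine detection by manufacturer/model string is a heuristic, and the task sequence variable name `TpmReady` is an assumed convention.

```powershell
# Added example: report TPM readiness before the BitLocker steps run.
# Uses the documented Win32_Tpm WMI class; the VM detection strings are only a heuristic.
function Get-TpmReadiness {
    $result = @{ TpmPresent = $false; Enabled = $false; Activated = $false; Owned = $false; LikelyVm = $false }

    # A hypervisor guest normally exposes no TPM at all (the VM case discussed above).
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $result.LikelyVm = (($cs.Manufacturer + ' ' + $cs.Model) -match 'Virtual|VMware|VirtualBox|Hyper-V')

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        $result.Enabled    = [bool]$tpm.IsEnabled().IsEnabled
        $result.Activated  = [bool]$tpm.IsActivated().IsActivated
        $result.Owned      = [bool]$tpm.IsOwned().IsOwned
    }
    return New-Object PSObject -Property $result
}

function Test-TpmReady {
    param([Parameter(Mandatory = $true)]$Readiness)
    # Pre-provisioning needs a TPM that is present, enabled and activated; ownership is taken later.
    return ($Readiness.TpmPresent -and $Readiness.Enabled -and $Readiness.Activated)
}

$r = Get-TpmReadiness
$r | Format-List
if (-not (Test-TpmReady $r)) {
    if ($r.LikelyVm) {
        Write-Warning 'Looks like a VM: no TPM is exposed to the guest, test BitLocker on real hardware.'
    } elseif (-not $r.TpmPresent) {
        Write-Warning 'No TPM found: check the BIOS/UEFI security settings.'
    } else {
        Write-Warning 'TPM present but not enabled/activated: enable and activate it in firmware (e.g. with the vendor tool) first.'
    }
}

# When running inside a ConfigMgr task sequence, publish the result as a TS variable
# (assumed name TpmReady) so a later step can be conditioned on it.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TpmReady') = [string](Test-TpmReady $r)
} catch {
    Write-Verbose 'Not running inside a task sequence; skipping the TS variable.'
}
```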


Thanks anyweb, yes it's a full App-V lab.

This is all currently in a lab based off your wonderful notes, running Server 2012, SQL 2012 and SCCM 2012 SP1.

Everything works fine: OSD, patching etc.

 

Can't wait to get all the R2 editions and build it again, see what's new.

 

So to confirm, if I buy a TPM module for the App-V host, the clients won't be able to virtualise that piece of hardware?

Looks like it's time I get a small switch, a real TPM PC and get some BitLocker action!!!! On a real box.

 

Thanks so much for your gems of info.


Hi,

 

I used your task sequence for enabling BitLocker on a Dell laptop (Windows 7 x64) and it was working great!
Then I explicitly disabled the TPM on the Dell and restarted the task sequence as a double check, and now the last step (Enable BitLocker) failed(!).

So, looking at this forum, I wonder what I should do:

* When restaging a BitLockered machine, should I remove the recovery key first from AD?

* Should I enable a Windows driver for BitLockering (which one, then)?

...

 

Thanks for your input.

Regards,
J


 

Then I explicitly disabled the TPM on the Dell and restarted the task sequence as a double check, and now the last step (Enable BitLocker) failed(!).

 

Isn't that expected behaviour? What were you expecting to happen?


Thanks for your reply.
I just want to test that laptops "out of the box" will be TPM enabled during the task sequence.

 

Note: after some adaptations it does not work anymore. I wonder if xcopy.exe ".\Dell\CCTK\X86_64\*.*" "x:\CCTK\X86_64\" /E /C /I /Q /H /R /Y /S is correct whereas the package source points to ... \Bitlocker\Dell\CCTK\X86_64; should the xcopy then not be xcopy.exe *.* (without the path)?


Hi,

 

I used your task sequence for enabling BitLocker on a Dell laptop (Windows 7 x86). How would I go about integrating MBAM into the task sequence, assuming the MBAM server is set up and Group Policy is enabled?

 

 

Do I just install the MBAM client at the end of the TS? And would this take ownership of BitLocker?

 

thank you


Do I just install the MBAM client at the end of the TS? And would this take ownership of BitLocker?

 

 

You can install the MBAM client and any associated registry keys at the end of the task sequence, and once installed MBAM will take control of your BitLocker environment; in the CM12 HTA I do just that here.

 


Hi,

 

Would you mind specifying how you are taking control using MBAM, after installing the client, in this task sequence? I can see that you are installing the client, but you're not adding any regkeys in the TS with MBAM server connection specifics.

 

If I understand it right, your TS will install the MBAM client, wait for the group policy to apply and then pop up the MBAM Wizard to the user. Is that correct?

 

Thanks!


You can set the registry keys before or after the MBAM client is installed to set the FVE settings in the registry; this is because Group Policy can't be processed until after the task sequence is complete.

Once it is complete, if any BitLocker actions are still required, the MBAM agent will pop up within the 90-minute period and prompt/inform the user.

The registry keys are the values that you set when setting your MBAM options (Group Policy settings).

 

I'll see if I can export them from a computer here and upload them for you.
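Added as an illustration of what anyweb describes (my own example, not the attached export and not MBAM's own scripts): a PowerShell task sequence step that writes the MBAM client policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE so the agent has its endpoints before Group Policy can run, then reads them back to confirm nothing was missed. The service URLs are placeholders for your MBAM server, and the value set is an assumed subset that should be replaced with the values exported from a machine that has received the real GPO, as the post suggests.

```powershell
# Added example: stage MBAM client policy in the registry during the task sequence.
# Group Policy is not processed until the TS finishes, so the agent would otherwise
# have no endpoints; the GPO will overwrite these values later, which is fine.
$FveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MbamKey = Join-Path $FveKey 'MDOPBitLockerManagement'

# Assumed subset of the MBAM policy values; the server names are placeholders.
$Policy = @{
    $MbamKey = @{
        KeyRecoveryServiceEndPoint     = @{ Type = 'String'; Value = 'http://MBAM-SERVER-PLACEHOLDER/MBAMRecoveryAndHardwareService/CoreService.svc' }
        StatusReportingServiceEndPoint = @{ Type = 'String'; Value = 'http://MBAM-SERVER-PLACEHOLDER/MBAMComplianceStatusService/StatusReportingService.svc' }
        UseKeyRecoveryService          = @{ Type = 'DWord';  Value = 1 }
        ClientWakeupFrequency          = @{ Type = 'DWord';  Value = 90 }   # minutes; the 90-minute prompt window above
        StatusReportingFrequency       = @{ Type = 'DWord';  Value = 720 }  # minutes
        NoStartupDelay                 = @{ Type = 'DWord';  Value = 1 }    # agent acts right after install, no random delay
    }
}

function Set-MbamPolicy {
    param([hashtable]$Policy)
    foreach ($key in $Policy.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Policy[$key].Keys) {
            $v = $Policy[$key][$name]
            New-ItemProperty -Path $key -Name $name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
        }
    }
}

function Test-MbamPolicy {
    param([hashtable]$Policy)
    # Returns the names of expected values that are missing or differ; an empty list means all good.
    $bad = @()
    foreach ($key in $Policy.Keys) {
        foreach ($name in $Policy[$key].Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -ne $Policy[$key][$name].Value) { $bad += "$key\$name" }
        }
    }
    return $bad
}

Set-MbamPolicy -Policy $Policy
$missing = Test-MbamPolicy -Policy $Policy
if ($missing.Count -eq 0) {
    Write-Output 'MBAM policy staged; the agent will pick it up once the TS completes.'
} else {
    Write-Warning ('MBAM policy incomplete: ' + ($missing -join ', ')); exit 1
}
```

Run it as a "Run PowerShell Script" step next to the MBAM client install; a non-zero exit fails the step so a missing value is caught in smsts.log rather than discovered when the agent never reports in.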


Thanks, an export would be great to have.

 


Here you go:

 

Regedit /s ".\Policy\MBAM_reg_settings.reg"

 

Rename from .txt to .reg.

 

mbam_reg_settings.reg.txt


Did you ever see the blog post by David Hornbaker?

 

http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

 

I had some success using this solution before the upgrade to 2012 R2. Now SCCM doesn't even download the script to run it. Do you know if something changed with R2 that makes it not download VBScripts to run locally?

Perhaps I'm missing something else but I feel like I've tried a bunch of different things....

 

Thanks!


I'm using R2 and don't have that problem; please post your smsts.log file so we can see the failure.


The problem wasn't with the script, it was with the version of MBAM. I had missed installing the newest version that supports Windows 8.1, MBAM 2.0 SP1.

 

Thanks


All right, I have successfully integrated that into our Windows 7 deployment sequence. I love it. It's pretty quick.

The only problem I have is that the drive label is set to MININT-XXXXXXX, because the computer name is not set while the encryption starts. Is there any way to avoid this?

 

I know this is pretty old but I'm having the same issues and unable to find a solution. Does anyone know how to make the BitLocker drive label the same as the Computer Name?


 

All right,

 

mission impossible to get a proper name for this string since this is hard coded and not configurable by any command line options. :(

 

 

 


 

Hi

 

We were having the same problem with MININT-xxxxx.

 

We are trying to set the registry TCPIP Hostname to %OSDComputerName% in the Task Sequence

 

This step was added before Pre-Provisioning BitLocker step or rather before Set OSDDiskPart

 

Command line:

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Hostname /t REG_SZ /d %OSDComputerName% /f

 

It did not help. The hostname is correct now but it still names it MININT...

 

Gonna try and move the reg add higher up in the task sequence.


Can you clarify exactly what your issue is here? Show me a screenshot of the problem... the drive label is set in the format steps... are you using any variables in there (OSDisk)?


I'm having the same issue with the drive label at the BitLocker PIN Entry screen reading MININT-XXXXXX.

My steps:

Partition Disk

Pre-provision BitLocker

Apply Operating System

Apply Windows Settings

Drivers

Setup Windows and Configuration Manager

Join Domain or Workgroup

Enable BitLocker

 

I have a collection variable that allows me to enter the computer name at the start of the task sequence. After this TS completes, the BitLocker PIN Entry screen shows the drive label as MININT-XXXXXX; however, once you log into the machine, the computer name is correct. The AD object is also correct and the key is backed up to it properly.

 

It's important to note that without the Pre-provision BitLocker step in there, BitLocker starts encryption at the end, but the drive label on the BitLocker PIN Entry screen shows the proper computer name entered at the beginning.

 

I've tried quite a few methods of declaring a computer name specifically throughout the task sequence, but in the end, the PIN Entry screen still shows the wrong computer name.


My tests show that when the MDT step "Apply Windows Settings" occurs, the MININT-xxxxxx name is assigned. Unfortunately, prior to that step, so long as you are in WinPE it doesn't matter what you set the OSDComputerName or ComputerName variable to, the value will be ignored by the Apply Windows Settings step and each reboot while in WinPE will generate a new MININT-xxxxx name. Additional attempts at modifying the unattend.xml file have not been successful either (technically the file is the WinPEUnattend.xml)

 

(NOTE: This statement is only true regarding Windows 7 and pre-provisioning. Win 8.x behaves differently).


Is there some working overview somewhere?

I need it for: SCCM 2012 SP1, Windows 7, HP, Dell, Lenovo and (if possible) pre-provisioning enabled in the task sequence.
