The CM12 BitLocker FrontEnd HTA

[anyweb 450]

Introduction

 

I guess this could be called version 3.0 of the original windows-noob FrontEnd HTA, and this time it has evolved to support System Center 2012 Configuration Manager. I've been meaning to migrate this to Configuration Manager 2012 for quite a while now but time was not on my side between work and family. This works on both Configuration Manager 2012 RTM and Configuration Manager 2012 SP1 so that you can deploy Windows 7 or Windows 8 depending on the version (of Configuration Manager) you are currently running.

 

Before starting, please make sure you can fulfill the requirements otherwise some or all of the features may not work.

 

The HTA requires the following:

 

* Patience

* Configuration Manager 2012

* MDT 2012 Update 1 integrated with Configuration Manager 2012

* Language packs for the Appropriate Operating System

* Dell CCTK files and Lenovo SMBIOS/SMBUS files

* Maik Kosters Web Services (version 7.3) [optional but recommended]

* MBAM Server to store and manage the BitLocker encryption recovery keys, if you are planning on deploying Windows 8 with BitLocker use the Microsoft BitLocker Administration and Monitoring (MBAM) 2 0 Beta Refresh Release [required for the REFRESH action unless you suspend the disc in Windows first]

* Michael Niehaus' Webservice for RIS like autonaming [optional]

 

What does it do ?

The HTA allows you to PXE boot into WinPE and use an easy interface for migrating your computers to Windows 7 or Windows 8 using Configuration Manager 2012 Service Pack 1 with MDT 2012 Update 1 integrated.

 

Not only does this HTA now work with Configuration Manager 2012 but it has additional functionality added such as being able to choose the BitLocker Encryption Algorithm, install the System Center 2012 Endpoint Protection client and the ability to install Multi Language options.

 

On the left we have Backup, in the middle it's Reinstall and to the right it's New Computer as denoted by the cool unopened box.

 

 

In the lower left corner you'll notice two new lines of information, one is the Task Sequence name (handy when you are changing versions) and the other is the current USMT ruleset version (it points to a text file which you maintain, and you can use it to keep track of your internal changes to any custom XML files contained in your USMT ruleset, the name of the file is usmt_rulesets_version.txt and a sample is included, this helps you keep track of changes you make to your migration ruleset and is useful for troubleshooting failed migrations with helpdesks using USB or Standalone media which may be out of date...).

 

 

clicking on the Info button in the lower left corner brings up even more details about the deployment, the following new items have been added to the Deployment Information window

• Make
• Memory
• Is on Battery
• Is UEFI
• Is VM
• Virtual Platform
• AssetTag

some of the above are new data gathered via the enhanced Gathering ability from MDT 2012 Update 1.

 

 

and clicking on the CMTrace button will open the current SMSTS.log file in CMTrace so that you can monitor the deployment

 

 

A closer look at the functionality

 

There are three main choices in the HTA, and they are detailed below:

Backup old computer

 

 

Backup old computer allows you to backup your data in WinPE either locally or to a network share using a mixture (or combination) of ZTIbackup.wsf (for full WIM backups) or scanstate.exe (for file backups). Lastly, you can choose to run a CHKDSK on the disk to check for file corruption. It's all automated, all you have to do is to decide how you want the backup to take place from the options below:-

 

• full WIM backup locally
• full wim backup to network
• chkdsk
• offline scanstate to Network folder

Once a backup is complete you'll get a popup message notifying you and clicking ok will shutdown the computer.

 

 

Reinstall computer

 

 

This option reinstalls Windows 7 or Windows 8 (and retains the users data using hardlinking) on Windows XP or Windows 7 computers and supports the following BitLocker specific scenarios, in the table below anywhere it mentioned 7 you can do the same with Windows 8 if that is the OS you are deploying:-

 

Note: BL=BitLockered and UBL=Not BitLockered, the reinstallation (keep users data, wipe Windows, reinstall Windows, restore data) of already BitLockered computers requires a MBAM backend in order to provide the needed key.

• XP>7 BL
• XP>7 UBL
• 7 BL>7 UBL
• 7 UBL>7 BL
• 7 BL>7 BL
• 7 UBL>7 UBL

In addition to the above, you can do the following:-

• full WIM backup locally
• full wim backup to network
• chkdsk

• Auto Computername
• Enable (or disable) BitLocker (if the computer has a TPM detected, if not the option is greyed out)
• Enter a Username (get's added to the Local Administrators group)

 

New Computer

 

 

This option allows you to perform a new installation of Windows 7 or Windows 8 with or without BitLocker full disc encryption enabled, in addition you can select the type of Advanced Encryption Standard algorithm you want via a drop down menu.

 

Note: The Diffuser option is no longer available to be added to the Advanced Encryption Standard (AES) encryption algorithm for Windows 8.

 

 

You can also select to Enable SCEP which will install the System Center 2012 Endpoint Protection client during the task sequence so that you are protected and ready to do business.

 

 

In addition to the above, you can do the following:-

 

• specify Regional settings for one or more countries
• specify Language settings for one or more countries
• change the computername, or choose to use Auto Computername
• Enable (or disable) BitLocker (if the computer has a TPM detected, if not the option is greyed out)
• Restore from a previous backup to network, or State Migration Point
• Enter a Username (this user get's defined as the User Device Affinity user and get's added to the Local Administrators group, if you don't want them being a local admin simply disable that group in the task sequence.)

 

What else does it do ?

 

In addition to the above the HTA has the following functionality:-

• detects if the hardware is Lenovo or Dell (you have to add the driver package steps)
• detects and interrogates the TPM/Bios on Dell and Lenovo hardware to prepare it for BitLocker
• if no TPM is found it disables the BitLocker capability in the HTA
• if virtual hardware detected, it disables BitLocker capability (however you can enable this just for testing)
• allows you to Notify the end user if the task sequence was successful or unsuccessful
• creates a REG key upon successful task sequence completion and adds it to the registry
• creates a text file in c:\ with the DATE and TIME to demonstrate successful task sequence
• copies CMTrace.exe to the Windows\ of the OS drive.

The task sequence will check if the computer is connected to power, and if not it will inform the user via a popup, this is done via the new IsOnBattery variable.

 

 

Once you launch Backup, Reinstall or New Computer, the computername is automatically checked and if it matches MININT- then you'll be prompted to change it manually.

 

 

In addition there are some debug steps in the task sequence (they are disabled, simply enable them to see the functionality) to allow for things like pausing the task sequence, this is great for troubleshooting.

 

 

Recommended Reading

 

1. The BitLocker FrontEnd HTA - http://www.windows-noob.com/forums/index.php?/topic/4811-introducing-the-bitlocker-frontend-hta
2. The windows-noob.com FrontEnd HTA - http://www.windows-noob.com/forums/index.php?/topic/3476-introducing-the-windows-noobcom-frontend-hta-ver-10/
3. How can I create a boot image with HTA support using MDT - http://www.windows-noob.com/forums/index.php?/topic/1995-how-can-i-create-a-boot-image-with-hta-support-using-mdt/
4. Introduction to Web Services - http://www.windows-noob.com/forums/index.php?/topic/3247-introduction-to-web-services/
5. How can I install a Web Service - http://www.windows-noob.com/forums/index.php?/topic/3249-how-can-i-install-a-web-service/
6. Deploying Language packs offline using MDT - http://www.windows-noob.com/forums/index.php?/topic/3251-customising-windows-7-deployments-part-4/
7. Deploying Multiple Language Packs offline using MDT - http://www.windows-noob.com/forums/index.php?/topic/5155-customising-windows-7-deployments-part-6-adding-multiple-keyboard-layouts-and-multiple-languages/
8. Advanced Encryption Standard - http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
9. Operating System Deployment and Endpoint Protection - http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx
10. How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task - http://blogs.technet.com/b/configurationmgr/archive/2010/08/10/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx
11. MBAM Beta 2.0 - http://windowsteamblog.com/windows/b/springboard/archive/2012/06/12/introducing-microsoft-bitlocker-administration-2-0-beta.aspx
12. Configuring UDA during OSD - http://blogs.technet.com/b/inside_osd/archive/2011/06/20/configuration-manager-2012-user-device-affinity-and-os-deployment.aspx
13. MBAM 2 Setup - http://msandbu.wordpress.com/2012/06/13/mbam-microsoft-bit-locker-administration-and-monitoring-beta-2-0/
14. BitLocker Overview in Windows 8 - Removed or deprecated functionality - http://technet.microsoft.com/en-us/library/hh831713.aspx

Coming Soon

• Pre-Provision BitLocker ability, currently disabled
• UEFI ability not added yet

 

Known Issues

 

Stuff that's Fixed:

 

The following issues have been identified and fixed since the last release of the code, if your deployment has any of these problems then download the task sequence and associated files again (files last updated 2013/3/8).

 

• included in the ZIP file below, are three custom XML files used in the scanstate/loadstate actions, unless you modify those actions to point to your own XML's you might get some errors like below

1. 'scanstate failed because the printer is out of paper
   (Error: 0000001C; Source: Windows)' error message. simply copy these XML files to the root of your amd64\x86 USMT directories and redistribute your USMT packages to your dp's.
2. As Above you might get a Loadstate Error 27 which is directly related to not finding the XML files above, make sure to copy them to your USMT folders as specified above.

• Offline scanstate to network (when disc is BitLockered) fails with return code :11, basically there is a typo in the runscanstate-offline_no_hardlinking.bat file, locate the folllowing section and change
  
  

  /offlinewindir:%~2:\windows
   

  to
  
  

  /offlinewindir:%~2\windows
   

 

• State Restore (Network) doesn't restore anything due to an option mis-configuration, change Deploymenttype Equals Refresh to DeploymentType Not Equals Refresh

 

• State Restore (Network) doesn't restore anything due to a missing file and the file it was pointing to had a /hardlink option in, it shouldn't have !

 

 

Stuff that needs to be Fixed:

 

The following Issues have been identified and the resolution is shown below however they have not been fixed in the code downloaded above, which means you have to make the corrections.:-

 

1.

 

in deploymenu.js line 476 change

 arr[arr.length] = "USMTdropdown: " + usmtvalue;

to

  arr[arr.length] = "Uddir: " + usmtvalue;

2. Change the options tab for the State Restore SMP to task sequence variable Uddir (was USMTDropdown) as per the screenshot below

 

 

3. Change the options tab for the State Restore Network to task sequence variable UDDIR not equals SMP as per the screenshot below

 

 

4. The dump variables for debugging has a typo change the command line to:-

cscript.exe "%ScriptRoot%\wnb\DumpVars.wsf"

5. Local admin accounts are not migrated in network state store, add /lac:Password to the command line in runloadstatex64_no_hardlinking.bat like below

"%~2\USMTbits\amd64\loadstate.exe" "%~1" /c /lac:Password /i:%~2\USMTbits\amd64\miguser.xml /i:%~2\USMTbits\amd64\migapp.xml /i:%~2\USMTbits\amd64\wallpaper.xml /i:%~2\USMTbits\amd64\printers.xml /nocompress /v:5 /l:%~2\Windows\CCM\logs\SMSTSLog\loadstate.log

6. Resolution is not set in WinPE

change the Set Screen Resolution step to

cmd /c "%scriptroot%\wnb\SETRES" h1024 v768 b32

The backup to network (full wim and scanstate) need some additional changes

 

Add the Connect to Network step in RED in the below two places

 

 

set the options like so

 

 

and add an MD to the following line

 

 

Download the Files

 

In this ZIP you have an exported copy of the System Center 2012 Configuration Manager SP1 task sequence and associated files.

 

Note: If you downloaded the ZIP before March 8th 2013, please download it again again as I've added some bugfixes in the scripts and task sequences.

 

The CM12 BitLocker FrontEnd HTA.zip

 

well that's it, please try this out and tell me what you think of it, I hope you like my efforts :-).

 

Installation Instructions

 

To use the downloaded files see the below instructions, if you need further clarification then please ask.

[emmo16 0]

Thanks again for the great work Nial this looks really great.

Would this work with an XP to Windows 7 migration with MBAM and SCCM 07 and how easy is it to add software packages. We are also using 1E pxelite and nomad branch. I would not need USMT nor to change regional or Language settings.

 

I am a complete noob to web service's and HTA but have been looking to implement something like this or the MDT UDI.

[anyweb 450]

Thanks again for the great work Nial this looks really great.

Would this work with an XP to Windows 7 migration with MBAM and SCCM 07 and how easy is it to add software packages. We are also using 1E pxelite and nomad branch. I would not need USMT nor to change regional or Language settings.

 

I am a complete noob to web service's and HTA but have been looking to implement something like this or the MDT UDI.

 

if you are using Configuration Manager 2007 then you should use this HTA for BitLocker, this one is purely for Configuration Manager 2012

[Dsbloom 1]

Thanks for putting out such great content, as always. You make our jobs easier!

[keywan 1]

Hi,

 

How to install or set up "The CM12 BitLocker FrontEnd HTA" on SCCM 2012 SP1?

 

Thanks

[anyweb 450]

just follow the instructions, import the task sequence by pointing to the zip.

[keywan 1]

Which instructions please? Where find I that?

[anyweb 450]

the instructions above, in particular this bit...

 

Before starting, please make sure you can fulfill the requirements otherwise some or all of the features may not work.

 

The HTA requires the following:

 

* Patience

* Configuration Manager 2012

* MDT 2012 Update 1 integrated with Configuration Manager 2012

* Language packs for the Appropriate Operating System

* Dell CCTK files and Lenovo SMBIOS/SMBUS files

* Maik Kosters Web Services (version 7.3) [optional but recommended]

* MBAM Server to store and manage the BitLocker encryption recovery keys, if you are planning on deploying Windows 8 with BitLocker use the Microsoft BitLocker Administration and Monitoring (MBAM) 2 0 Beta Refresh Release [required for the REFRESH action unless you suspend the disc in Windows first]

* Michael Niehaus' Webservice for RIS like autonaming [optional]

 

have you imported the task sequence ? have you copied the files where they are supposed to go ?

this task sequence is not for the faint hearted, it's advanced and requires a lot of work (and understanding) to get working.

[MarcusCA 0]

• The instructions are quite confusing. When you say import the task sequence by pointing to the zip, where is zip? There is the zip file that is downloaded and there is a zip file within the zip file.

Also there are folders called "unattend.xml files" and "USMT XML Files" and "RTM". Where do these folders go?

[anyweb 450]

ok i'll try and make it easier,

 

Installation Instructions

 

1. download the zip above, extract to a temp folder on your computer

 

 

so that they are like so...

 

 

2. copy the the file in tbe folder called "copy this file to the root of the Toolkit package" to the root of your MDT Toolkit package (you must have installed MDT and Integrated it with Configuration Manager prior to this and created your MDT Toolkit and MDT Settings packages.

 

 

3. next copy all the files/folders in the folder called "Files to be copied to the root of the Toolkit Package Scripts folder" to the scripts folder in your MDT Toolkit package

 

 

4. Then in configuration Manager update the MDT Toolkit package to your distribution points. In the configuration manager console, import the Task Sequence zip file located in the SP1 or R2 folder in the Task Sequences section of OSD.

 

 

the unattend xml samples need to be stored in a standard package without any program

 

 

which are in turn referenced in the task sequence Apply Operating System step

 

 

and USMT xml files are samples for the imported task sequence and can be placed in the root of the respective USMT architecture folders like below

 

 

don't forget to update whatever package contains the USMT binaries and xml files to your distribution points after this...

[anyweb 450]

due to popular demand with the following download i'm including all the bugfixes mentioned above in the downloadable code below, note that this task sequence was also exported from System Center 2012 R2 Configuration Manager so it works just fine with R2.

 

The CM12 BitLocker FrontEnd HTA.zip

 

 

 

[hfdave 0]

Hello,

First off, I would like to thank you for creating this excellent resource. I have been following the installation instructions and have run into a slight problem. My Microsoft Configuration Manager folder is located on the D: drive and not the C: drive, so when I go to use the imported MDT tools or your Task Sequence, I get this error:

 

I tried copying the files to that path, but that didn't work. Do you think this is something that can be fixed, or did I overlook something stupid? Any help you could provide would be greatly appreciated.

[anyweb 450]

that looks like you have not integrated MDT properly with CM12, did you right click and choose 'Run As Administrator' when doing so ? see screenshot below

 

 

if you are using SErver 2012 then use the Start screen to do the same thing

 

 

 

 

[hfdave 0]

Thanks for replying. I made a dumb oversight and didn't install the MDT files on my computer, only on the SCCM server. Sorry about that.

[keeop 1]

First off, a massive thank you to anyweb for these fantastic guides - they are the best I have found.

 

Now, on to topic...

 

I'm having trouble importing the Task Sequence because of all the package references etc. - these all relate to your P01 packages which, of course, I don't have. Could you maybe create a list of reference IDs versus package names so I can manually replace your packages references with my own, or is there another way to look at this? I'd love to be able to use this HTA as it looks excellent and covers off a lot of the tasks I'm currently looking at.

 

Cheers.

Keeop

[anyweb 450]

First off, a massive thank you to anyweb for these fantastic guides - they are the best I have found.

 

 

thanks !

 

don't worry about the import errors they are normal as you don't have those packages (or you do and you just need to change the steps to point to them)

 

here's a list of references in my task sequence

 

[keeop 1]

Thanks anyweb, I'll try and fudge it. It won't actually let me import the TS, that's the thing. Complains about 'cannot validate a dependency to Boot Image Package'. Hence, I assumed I need to go and edit the .xml files etc. However, from your answer above, it sounds like I shouldn't be getting this error?

 

Cheers.

Keeop

[keeop 1]

Hi again.

 

I tried unzipping, making some changes to the package ID's and replacing the Site Code etc., zipping back up but the import routine says 'the specified file is not valid' so I guess that's not the way to do it. I'm stumped then!

 

Cheers.

Keeop

[anyweb 450]

which of the files are you trying to import exactly ? and what version of Configuration Manager are you using ?

[keeop 1]

Hi,

 

The CM 12 BitLocker FrontEnd HTA.zip file from the \SP1 folder. I am using SCCM 2012 SP1.

 

Cheers.

Keeop

[anyweb 450]

ok and you have integrated MDT 2012 with Configuration Manager ? please post a screenshot of the exact error you see when you try to import

[keeop 1]

Hi,

 

Yep, integrated:

 

Ah, I noticed the drop-down this time to 'Ignore Dependency'. Got it!

 

Thanks.

Keeop

[keeop 1]

Hi anyweb - epic TS!!

 

Can you confirm that the the 'outstanding fixes' still need to be implemented? For example it says to change the line:

 

arr[arr.length] = "USMTdropdown: " + usmtvalue;

 

.. but I don't have that line, I have:

 

arr[arr.length] = "USMTvalue: " + usmtvalue

 

..as the nearest match.

 

Plus, this line was slightly different:

 

"%~2\USMTbits\amd64\loadstate.exe" "%~1" /c /lac:Password /i:%

 

The bottom line, my Windows 8 install is bombing out so I'm wondering if it's anything to do with the edits I've made that may not have had to have been made. I'm about to trawl through the logs to see if I can find anything. It seems to have problems after initiating a reboot. Windows then continues to configure 'devices', seems to complete it but then the TS error branch kicks in and displays a failure message. After that, Windows complains about an 'unscheduled reboot' and says the install can't continue. Anyway, off to the logs.........

 

Cheers.

Keeop

[anyweb 450]

well you'll need to change USMTvalue to UDdir, the correct values should be in the R2 download I included (it has all the fixes in it), which reminds me, why haven't you upgraded to R2 ?

[keeop 1]

Stuck with 2012 SP1.