redrockSWE

Deploying BitLocker in Windows 7 using TS

Question

Hi guys. I have been working on deploying BitLocker on running Windows 7 machines using a task sequence.

I have only found guides showing how to do this via scripts, or how to do this when deploying a computer, not how to push this to active, running Windows 7 machines.

I'm hoping that this thread could help me with some issues I have, and hopefully assist others.

I'm using scripts from here: http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205

So there are a couple of scenarios I have to consider when deploying BitLocker:

* Computers with a BitLocker partition, but no active TPM chip
* Computers with an active TPM chip but no partition
* Computers that do not have an active TPM chip or a BitLocker partition (would be most common)
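The three scenarios above are exactly what a task sequence has to detect before it knows which steps to run. The following PowerShell is an added example, not one of the poster's scripts or the MSDN bdedeploy scripts: it reads TPM state and the OS volume's BitLocker status through the WMI classes that ship with Windows 7 (which has no BitLocker cmdlets) and reports which scenario the machine is in. The scenario names, the function names and the "is there a separate active system partition" heuristic are my own assumptions; the WMI namespaces, classes and methods are the real ones. Run it elevated.

```powershell
# Added example: classify a Windows 7 host into the three BitLocker scenarios
# (partition but no active TPM, active TPM but no partition, neither).
# Uses only WMI, so it works on Windows 7 / PowerShell 2.0. Run elevated.
$ErrorActionPreference = 'Stop'

function Get-TpmState {
    # Win32_Tpm is absent entirely when the machine has no TPM (or no TPM driver),
    # so treat "no instance" as "no TPM present".
    $tpm = $null
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    } catch { $tpm = $null }

    $state = New-Object PSObject -Property @{
        Present = $false; Enabled = $false; Activated = $false; Owned = $false
    }
    if ($tpm -ne $null) {
        $state.Present   = $true
        $state.Enabled   = [bool]$tpm.IsEnabled().IsEnabled       # switched on in firmware
        $state.Activated = [bool]$tpm.IsActivated().IsActivated   # usable by the OS
        $state.Owned     = [bool]$tpm.IsOwned().IsOwned           # ownership taken
    }
    return $state
}

function Test-SeparateSystemPartition {
    # Heuristic (an assumption of this example): bdehdcfg exists to give the
    # machine an active system partition separate from the OS volume. If the
    # partition that holds the OS volume is itself the active/boot partition,
    # that separate partition has not been created yet.
    $q = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$env:SystemDrive'} " +
         "WHERE AssocClass=Win32_LogicalDiskToPartition"
    $osPartition = Get-WmiObject -Query $q
    return (-not [bool]$osPartition.BootPartition)
}

function Get-OsVolumeProtection {
    # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    if ($vol -eq $null) { return 'NoEncryptableVolume' }
    switch ($vol.GetProtectionStatus().ProtectionStatus) {
        0       { 'Off' }
        1       { 'On' }
        default { 'Unknown' }
    }
}

function Get-BitLockerScenario {
    $tpm          = Get-TpmState
    $hasPartition = Test-SeparateSystemPartition
    $tpmReady     = $tpm.Present -and $tpm.Enabled -and $tpm.Activated

    $scenario = if ($hasPartition -and -not $tpmReady)        { 'PartitionOnly-NeedTpm' }
                elseif ($tpmReady -and -not $hasPartition)    { 'TpmOnly-NeedPartition' }
                elseif (-not $tpmReady -and -not $hasPartition) { 'NeedBoth' }
                else                                          { 'ReadyForBitLocker' }

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        TpmPresent         = $tpm.Present
        TpmEnabled         = $tpm.Enabled
        TpmActivated       = $tpm.Activated
        HasSystemPartition = $hasPartition
        OsProtection       = Get-OsVolumeProtection
        Scenario           = $scenario
    }
}

# One line per machine; redirect it to the per-machine share folder the
# task sequence maps if you want it next to the batch logs.
Get-BitLockerScenario | Format-List Computer, Scenario, TpmPresent, TpmEnabled, TpmActivated, HasSystemPartition, OsProtection
```

A task sequence can run this as a step and branch on the `Scenario` value (for example by writing it to a task sequence variable) so that the partition step only runs when `HasSystemPartition` is false and the TPM-enable step only when the TPM is not yet activated.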

 

I'm running a lot of batch files; this is because it gives me better logging possibilities. I want to store what happens on a network drive so in case of problems we can easily find out what has happened. Plus, I just like batch files.

 

Outline of the current task sequence (all steps have "continue on error"):

  1. Connect to network folder (maps a network folder, in my case W:, in order to later copy log files to the network share).
  2. Create a folder. Command line that runs a .bat with a service account that's local admin on the machine.
    folder.bat:
    md c:\Bitlockertemp
  3. Create partition (have issues with this step). Command line: Partition.bat >>c:\Bitlockertemp\DOSpartition.txt
    Disable 64-bit file system redirection, running with service account.
    Partition.bat:
    rem Explicit PATH so bdehdcfg.exe is found when launched by the task sequence
    PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1;C:\WINDOWS\system32\en-us;
    rem Create the separate active system partition BitLocker needs (no-op if it already exists)
    bdehdcfg.exe -target default

    This should either create a BitLocker partition, or say that you already have one.
  4. Enable TPM (and BitLocker if possible). Command line: enable.bat >>c:\Bitlockertemp\DOSLogEnable.txt. Running with service account.

    This will either enable TPM and require a restart, or enable BitLocker.

    Enable.bat:
    rem Turn BitLocker on with the TPM protector (EnableBitLocker.vbs from the MSDN bdedeploy release)
    cscript.exe %~dp0EnableBitLocker.vbs /on:tpm /l:C:\bitlockertemp\BitLocker.log
    echo off
    rem Upload the key package and logs only once per machine.
    rem "call" is needed here: without it, control never returns from keyupload.bat
    rem and the lines below it would not run on the first pass.
    if EXIST w:\%computername%\bitlocker-backup-key-package1 (echo "Already done") ELSE ( call %~dp0keyupload.bat>>c:\Bitlockertemp\DOSLogKeyupload.txt)
    echo on
    Net use w: /delete /y
    rd c:\bitlockertemp /s /q

    Keyupload.bat:
    echo off
    md w:\%computername%
    rem Check that AD has received the key and write the key package locally
    cscript %~dp0GetBitLockerKeyPackage.vbs C:\Bitlockertemp\bitlocker-backup-key-package >> c:\Bitlockertemp\BitLockerKey.txt
    rem Copy every log and the key package to the per-machine folder on the share
    copy c:\Bitlockertemp\BitLockerKey.txt w:\%computername%
    copy c:\Bitlockertemp\DOSpartition.txt w:\%computername%
    copy c:\Bitlockertemp\DOSLogEnable.txt w:\%computername%
    copy c:\Bitlockertemp\DOSLogKeyupload.txt w:\%computername%
    copy c:\Bitlockertemp\bitlocker-backup-key-package1 w:\%computername%
    copy c:\Bitlockertemp\BitLocker.log w:\%computername%
    copy c:\Bitlockertemp\ADupload.log w:\%computername%
    rem Clean up the local temp folder
    rd c:\bitlockertemp /s /q

    The GetBitLockerKeyPackage.vbs is for checking if AD has received the BitLocker key.

  5. Restart computer, set to "The currently installed default operating system".
    Notify the user before restarting: "Your computer is being restarted, if prompted to press F1, please do so".
  6. Connect to network folder again.
  7. Enable BitLocker: runs enable.bat again, same as step 4.
  8. Disconnect network drive, simple command: Net use w: /delete /y
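Steps 4 and 7 above end by copying the recovery key package and logs to W:\%computername%. As an added example that is not the poster's EnableBitLocker.vbs or keyupload.bat, the PowerShell below does the part of that job that matters most for recovery: after BitLocker has been turned on, it records the OS volume's encryption and protection state and pushes every recovery-password protector to Active Directory using the Win32_EncryptableVolume method Windows 7 provides, logging each return code to the same per-machine share folder. It assumes the domain already has the BitLocker recovery schema and a policy that permits AD backup, and that the task sequence has mapped W: as in step 1; the function names and the ADupload.log file name are assumptions of this example.

```powershell
# Added example: escrow the OS volume's recovery password(s) to AD through WMI
# and log the outcome to W:\<computername>, the folder layout used in the post.
# Works on Windows 7 / PowerShell 2.0 (no BitLocker cmdlets needed). Run elevated.
$ns     = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$logDir = Join-Path 'W:\' $env:COMPUTERNAME     # assumption: W: mapped by the TS step

function Write-TsLog ([string]$Message) {
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path (Join-Path $logDir 'ADupload.log') -Value $line
}

function Get-EncryptableVolume ([string]$DriveLetter) {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
}

function Backup-RecoveryProtectorsToAd ([string]$DriveLetter = $env:SystemDrive) {
    $vol = Get-EncryptableVolume $DriveLetter
    if ($vol -eq $null) { Write-TsLog "no encryptable volume for $DriveLetter"; return $false }

    # Protection status can still read 0 (off) while the initial encryption is
    # running, so log protection and conversion state instead of gating on them.
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused.
    $conv = $vol.GetConversionStatus()
    Write-TsLog ('{0}: protection={1} conversion={2} encrypted={3}%' -f $DriveLetter,
        $vol.GetProtectionStatus().ProtectionStatus, $conv.ConversionStatus, $conv.EncryptionPercentage)

    # Key protector type 3 = numerical password (the 48-digit recovery password).
    $kp = $vol.GetKeyProtectors(3)
    if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
        Write-TsLog ('{0}: no recovery password protector found (rc=0x{1:X8})' -f $DriveLetter, $kp.ReturnValue)
        return $false
    }

    # One AD backup call per recovery protector; a non-zero return code usually
    # means the machine has no domain connectivity or AD backup is not permitted.
    $allOk = $true
    foreach ($id in $kp.VolumeKeyProtectorID) {
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        Write-TsLog ('{0}: AD backup of protector {1} rc=0x{2:X8}' -f $DriveLetter, $id, $rc)
        if ($rc -ne 0) { $allOk = $false }
    }
    return $allOk
}

# Non-zero exit lets the task sequence report the step as failed.
if (Backup-RecoveryProtectorsToAd) { exit 0 } else { exit 1 }
```

Because the escrow goes straight into AD, the only thing that needs to land on the share is the log line with the protector ID and return code, rather than the key package itself; the ID is what an administrator later matches against the recovery password stored on the computer object.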
My current issue:

It's with creating a BitLocker partition.

Running just "bdehdcfg.exe -target default" fails.

I had to add PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1;C:\WINDOWS\system32\en-us;

in order to get it to actually run. But the issue I'm seeing is that when running this, the computer stops at creating the partition. Nothing happens, and the task sequence does not stop.

Not sure if the whole task sequence is fubar or if I am on the right track.

Running the scripts by double-clicking on them works like a charm. And the rest of the steps seem to work fine.

Any assistance or input would be appreciated.

Edit: I'm running SCCM 2007

Edited by redrockSWE

4 answers to this question


I am trying to do something very similar ... my problems are elsewhere though.

As for your original query, do you have more than one partition already on the HDD?

If you do, the bdehdcfg.exe -target default is likely to fail.

I would suggest something like ...

bdehdcfg.exe -target c: shrink -newdriveletter x: -size 300 -quiet

I would avoid a -restart on that, and add a restart step into your task sequence.


Note, I don't use MDT integration. But this is really easy in regular SCCM, especially if you format the drive every image. Scrap the batch and run the command line.

In the task sequence, the command is 'bdeHdCfg.exe -target default -size 350 -quiet' and it automatically targets the OS drive. Start In should be %windir%\System32\. If the drive is already prepped for BitLocker it skips it. I personally hate running things in batch files when there is no need to, like in this case. The SCCM report and SMSTS.log will show you any errors for this task. Also make sure you check the box to Disable 64 bit redirection still. I also set a 15 minute time out just because.

If you really want to run the batch file, for 64 bit try \Sysnative\ instead of System32. %windir%\sysnative\bdeHdCfg.exe -target default -size 350 -quiet

Note also, the 350 is needed for Win 8, 300 is fine for Win 7.

We use MBAM so we don't copy keys anywhere. Sorry I can't help for that.
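The answer above makes two points that explain the original hang: a 32-bit launcher on 64-bit Windows has System32 redirected to SysWOW64, where bdehdcfg.exe does not exist (hence Sysnative), and the step should have a timeout. The script below is an added example, not code from the thread: it picks the binary by process bitness, records the drive layout with bdehdcfg's -driveinfo switch before and after, runs the exact switches quoted in the answer, and kills the tool after the timeout instead of letting the step hang. The function names, the log path and the exit codes used for "not found" and "timed out" are my own choices; the -size values follow the answer (300 for Windows 7, 350 for Windows 8). Windows 7 / PowerShell 2.0 compatible; run elevated.

```powershell
# Added example: run bdehdcfg from a script without the 64-bit redirection trap
# and with a hard timeout, logging to the same file the post's Partition.bat uses.
function Get-BdeHdCfgPath {
    # A 32-bit process on 64-bit Windows sees System32 redirected to SysWOW64;
    # the Sysnative alias reaches the real System32 from such a process.
    $is32on64 = ([IntPtr]::Size -eq 4) -and ($env:PROCESSOR_ARCHITEW6432 -ne $null)
    if ($is32on64) { return Join-Path $env:windir 'Sysnative\bdehdcfg.exe' }
    return Join-Path $env:windir 'System32\bdehdcfg.exe'
}

function Invoke-BdeHdCfg {
    param(
        [int]$SizeMB = 300,          # 300 MB for Windows 7, 350 MB for Windows 8 (per the answer)
        [int]$TimeoutMinutes = 15,   # the 15 minute timeout the answer sets on the TS step
        [string]$LogPath = 'C:\Bitlockertemp\DOSpartition.txt'
    )
    $exe    = Get-BdeHdCfgPath
    $logDir = Split-Path -Parent $LogPath
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
    if (-not (Test-Path $exe)) {
        Add-Content $LogPath "bdehdcfg.exe not found at $exe"
        return 2    # ERROR_FILE_NOT_FOUND
    }

    # Partition layout before the change, so the log shows what the tool started from.
    Add-Content $LogPath ('{0:s} using {1}, drive layout before:' -f (Get-Date), $exe)
    & $exe -driveinfo $env:SystemDrive | Out-File -FilePath $LogPath -Append -Encoding ASCII

    # -target default lets bdehdcfg pick the OS drive; -quiet suppresses prompts.
    # No -restart here: the reboot is a separate task sequence step.
    $p = Start-Process -FilePath $exe -ArgumentList "-target default -size $SizeMB -quiet" `
                       -WindowStyle Hidden -PassThru
    if (-not $p.WaitForExit($TimeoutMinutes * 60 * 1000)) {
        $p.Kill()
        Add-Content $LogPath "bdehdcfg timed out after $TimeoutMinutes minutes and was killed"
        return 1460 # ERROR_TIMEOUT
    }

    Add-Content $LogPath ('bdehdcfg exit code {0}, drive layout after:' -f $p.ExitCode)
    & $exe -driveinfo $env:SystemDrive | Out-File -FilePath $LogPath -Append -Encoding ASCII
    return $p.ExitCode
}

# Propagate the tool's exit code so the task sequence step reports it.
exit (Invoke-BdeHdCfg)
```

Whether the step is a batch file or this script, the "Disable 64-bit file system redirection" box on the task sequence step makes the Sysnative branch unnecessary; the bitness check is there for the case where the script is launched some other way.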


Works fine, you can either disable BitLocker in Windows and then reboot and migrate your data via hardlinking,

or

disable BitLocker in WinPE using some logic like you have here.
