Bitlocker, Windows 7 and SCCM Task Sequences

2017-12-01T13:15:15+00:00 July 3rd, 2011|Windows|

I had the following scenario, Windows 7 Enterprise deployment enabling BitLocker with TPM and PIN and Dell Latitude laptop hardware.

 

The companies business requirement was to encrypt laptops, the cost of this could be reduced by implementing Windows 7 Enterprise edition.

 

The following is a high level list of the components that need to be in-place

  • Bitlocker Schema
  • Bitlocker Group Policy
  • TPM hardware
  • TPM Enabled and activated

The schema changes for BitLocker are part of the Windows 2008 R2 schema update so if a company is moving or has moved this can be rolled into a change. A Microsoft article that explains this in depth can be found at http://technet.microsoft.com/en-us/library/dd875533(WS.10).aspx

To verify or query that the schema changes exist in an environment, use ADSIEDIT, connect to the schema and check for the following entries.

image

Group policy needs to be set if you want recovery keys to be stored in Active Directory, this can also configure things such as minimum PIN length.

image

The BitLocker Recovery Password Viewer  can be enabled as a feature in Windows 2008 R2, it has to be installed on a domain controller if you want to enable the feature in Windows 7 with RSAT installed.

image

Once this is in place, I would recommend testing the encryption manually and checking to see if the decryption keys are being written in AD. On the tested machine, export the registry from the following location. (This will be required later as part of the deployment process.)

HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVE

With TPM ready laptops, the BIOS will show a TPM chip as disabled and its usually a two step process to enable this. First switch TPM on and reboot and secondly, activate. To automate this in the task sequence some manufacturers allow setting the BIOS via a script or executable. Dell are no different and after lots of  trials using different methods (they have a few,) I followed the Dell best practice document listed in the following link.

Best Practices for Remote TPM Enablement for Dell Business Client Systems

Once you have downloaded the Dell Client Configuration Toolkit and created the task sequence using the .xml template supplied, you should  be ready to copy this into an existing deployment task sequence. I had issues with the default task sequence conditions, I’m not sure if its the template but I changed the single quotes to double quotes in the WMI command and removed some of the model types to reduce complexity.

image

After the BIOS is set in either the WinPE or Windows Phase, we need to set the task sequence to create a boot partition. This can either be done prior if you want the boot volume at the beginning of the disk, or after, using the following command.

bdehdcfg.exe -target default –quiet

The preferred method is to set a task sequence to partition the disk in the PreInstall phase. I created two “Format and Partition” tasks. One Operating System partition and one 300mb BDE partition where the boot and system files would reside. Add the same conditioning to the task sequence as you would to the TPM BIOS and Activation parts. This could be a simple laptop query or model specific WMI.

image

imageimage

Then in the Apply Operating System Image task, specify the partition using the variable that the WIM will be installed onto.

image

In the MDTIntegrated task sequence a Bitlocker task is present, however it is limited slightly in that it only has the following options.

image

The defaults are great once enabled, but we need another task to add a default PIN that users enter when the machine boots.

The following tasks were put together in a task sequence

image

The Enable Bitlocker encrypts the current Operating System drive and stores the recovery keys in AD. The BitLocker Config task adds the exported registry information from earlier which allow the pin to be added, the PIN was then added using the manage-bde task below.

%SYSTEMROOT%system32manage-bde.exe -protectors -add %systemdrive% -tp 123456789

John Riseam

System Center Consultant

Risual Ltd