JagoWu Posted May 18, 2015

Hi all,

I have a SCCM MDT TS that I have created for laptops. The TPM is on and set to active in the BIOS. This is a Dell E5500. The BIOS has the latest version. If I leave the SCCM MDT template as is, the TS installs correctly; however, BitLocker does not start and the PIN is not entered. The laptop is not added to the domain and is set to add to a Workgroup (which is what I need it to do). The SCCM client installs fine (CU4).

I noticed the template defaults with a few BitLocker options:

Pre-provision BitLocker = Logical Drive letter stored in a variable
then Set Variable for Pre-provision BitLocker = True
then right before installing packages, Enable BitLocker: cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI

I am not using UDI in this TS. I have tried disabling the Enable BitLocker step and adding the SCCM Enable BitLocker step and specifying a PIN. When I do, the TS fails with error code 0x80070002.

In the CS.ini I tried having the settings:

OSDBitLockerMode=TPMPIN
BDEInstallSuppress=NO

This scenario works great in MDT with the Enable BitLocker step in the TS, and my CS.ini looks like the below. We are not saving the recovery key to AD but to a network share.

BDEInstall=TPMPin
BDEPin=some numbers
TPMOwnerPassword=some password
BDEInstallSuppress=NO
BDEWaitForEncryption=FALSE
BDEDriveSize=3000
BDEDriveLetter=S:
BDERecoveryKey=AD
BDEKeyLocation=\\servername\LaptopRecoveryKeys
BDEAllowAlphaNumericPin=Yes

Also, how can I save the key to a network share like I do in MDT? I understand some of my BitLocker commands above are not supported in a SCCM 2012 TS, like saving the key to a network share.

Thank You all
JagoWu Posted June 10, 2015

****Update**** I was able to get this to work properly. Here is the solution.

1. Created a MDT Task sequence in SCCM 2012.

2. Let it create a default Custom Settings MDT package (I named it MDTWorkgroupLaptop Settings Package because I do not want any other TS to use it). Let it create a default USMT package. Fill out the rest of the questions in the wizard.

3. Upon creation of the TS I went to the custom settings package and edited it to look like this:

[settings]
Priority=Default
Properties=MyCustomProperty

[Default]
SkipCapture=YES
BitsPerPel=32
VRefresh=60
XResolution=1
YResolution=1
OSDComputerName=PC_%AssetTag%
SLShare=\\sccmserver\OSD\Logs
BDEInstall=TPMPin
BDEPin=XXXXXXX
TPMOwnerPassword=SomePassword
BDEInstallSuppress=NO
BDEWaitForEncryption=FALSE
BDEDriveSize=2000
BDEDriveLetter=S:
BDERecoveryKey=AD
BDEKeyLocation=\\sccmserver\OSD\LaptopRecoveryKeys
BDEAllowAlphaNumericPin=Yes

4. I then told that package to update the DP. Then I made some changes to the default TS.

A. Right under the Execute Task Sequence (1st step) step you should add three steps:

SMSTSDownloadRetryCount = 5 <-- needed for downloading package requests and such.
SMSTSDownloadRetryDelay = 15 <-- needed for downloading package requests and such.
SMSTSRebootDelay = 2 <-- this is the area where I do not want to wait 30 seconds for a reboot in the TS, so I change it to 2 sec.

B. In the step called Format and Partition Disk (UEFI) I deleted the first 3 partitions listed and left the last partition there. The last partition is OS Disk (Primary).

C. In the step called OSDPreserveDriveLetter I set it to TRUE. If set to false, then Windows might install on some partition named E, and when Windows is installed, in Explorer you will have D:\Windows instead of C:\Windows.

D. In the Apply Windows Settings step make sure you set an admin password, and the timezone should be the same as the SCCM server, or else it seems to bomb out for me during sysprep.

E. In the Setup Windows and ConfigMgr step I added the following code (I previously made a SCCM 2012 CU4 client update package but did not make a program for it):

SMSMP=server.server.com FSP=server.server.com PATCH="C:\_SMSTaskSequence\OSD\00100227\Hotfix\x64\configmgr2012ac-r2-kb3026739-x64.msp"

F. After Set Status 5 add a new step called Request State Store. Condition: USMTLOCAL Not Equals TRUE

G. After the Restore User State step add a step called Release State Store. Condition: USMTLOCAL Not Equals TRUE

H. The default BitLocker step I moved to the very last step of the task sequence. In the Options tab is a condition. I changed the condition to say BDEInstallSuppress = YES. Then I edited the command line to only say cscript.exe "%deployroot%\scripts\ZTIBde.wsf"

This script took care of all the encryption and read the MDT rules (cs.ini) that I set up. It also saved the recovery password to a text file, and the filename is the computer name.

Life is good.
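A post-deployment check for the setup described above, written as an added example (it is not from the thread or from MDT): it verifies that the OS volume ended up with the TPM+PIN protector that BDEInstall=TPMPin asks for plus a recovery password, and mirrors that recovery password to the share from the CS.ini as <computername>.txt, the same one-file-per-computer layout ZTIBde.wsf produces. It assumes the BitLocker PowerShell module is present (Windows 8 / Server 2012 or later) and that the share path matches BDEKeyLocation.

```powershell
# Added example, not part of the original post. Run on the deployed laptop after the TS
# finishes (or as a final Run PowerShell Script step) to confirm the BitLocker outcome.
param(
    [string]$MountPoint = 'C:',
    [string]$KeyShare   = '\\sccmserver\OSD\LaptopRecoveryKeys'   # BDEKeyLocation from CS.ini
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Expected protectors for BDEInstall=TPMPin: one TpmPin and at least one RecoveryPassword.
$tpmPin  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
$recPass = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           Select-Object -First 1

$problems = @()
if (-not $tpmPin)  { $problems += 'no TPM+PIN protector (BDEInstall=TPMPin did not take effect)' }
if (-not $recPass) { $problems += 'no recovery password protector' }
if ($vol.ProtectionStatus -ne 'On')         { $problems += "protection status is $($vol.ProtectionStatus)" }
if ($vol.VolumeStatus -eq 'FullyDecrypted') { $problems += 'volume is not encrypted' }

if ($problems.Count) {
    Write-Warning ("BitLocker check failed on {0}: {1}" -f $MountPoint, ($problems -join '; '))
    exit 1
}

# Save the recovery password to the share, one file per computer (filename = computer name),
# together with the protector ID so the right protector can be identified later.
$file = Join-Path $KeyShare ("{0}.txt" -f $env:COMPUTERNAME)
@(
    "Computer:         $env:COMPUTERNAME"
    "Volume:           $MountPoint"
    "KeyProtectorId:   $($recPass.KeyProtectorId)"
    "RecoveryPassword: $($recPass.RecoveryPassword)"
    "Saved:            $(Get-Date -Format o)"
) | Set-Content -Path $file -Encoding ASCII

Write-Output "BitLocker TPM+PIN active on $MountPoint; recovery password saved to $file"
```

The files on that share hold the recovery passwords in plain text, so the share ACL should give the deployment account write access only and restrict read access to the people who perform recoveries.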