anyweb

how can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1 ?

Are you joined to the domain before you provision?

I have added the registry key for transferring to AD, but it does not seem that the key is being transferred to AD.

I have not added anything else but the TPM (not any keys to the user).


Hello.

Sorry for the long delay.

I have it this way in my environment:


partition disk

hp bios settings

restart computer

pre-provision BitLocker

Apply Operating System

Apply Network Settings

drivers for multiple HP computers

Setup Windows and Config...........

Enable Bitlocker

AD backup (key to AD) - do not know if i need this

Take TPM Ownership - do not know if i need this

software

and so on--


I reckon this will do, or maybe the order should be changed?

This is a Windows 7 deployment.


Hello.

Sorry for the long delay.

I have it this way in my environment:


partition disk

hp bios settings

restart computer

pre-provision BitLocker

Apply Operating System

Apply Network Settings

drivers for multiple HP computers

Setup Windows and Config...........

Enable Bitlocker

--> Join domain (restart)

If you are going to back up your policies in AD:

--> Set TPM AD Backup Policy (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "ActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

--> Set TPM Require AD Backup Policy (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "RequireActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

 

Add the TPM Ownership information

--> (manage-bde -tpm -o <C0mpL3Xpa55word>)

AD backup (key to AD) - do not know if i need this

Take TPM Ownership - do not know if i need this

Once you enable BitLocker, you take ownership of it (assuming you use the built-in command).

You can also set up a default TPM PIN with a complex password if you wish, but it requires 3 reg keys:

 

REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseEnhancedPin" /t REG_DWORD /d 1 /f

REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseAdvancedStartup" /t REG_DWORD /d 1 /f

REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "UseTPMPIN" /t REG_DWORD /d 1 /f (change "usetpmpin" to a mode that matches your ownership step)

 

Set the PIN password

manage-bde.exe -protectors -add <driveletter:> -TPMAndPIN C0mpL3xp@55w0rD (tpmandpin will match your PIN mode)

 

software

Be aware that if you do set a TPM PIN, you will want to suspend BitLocker before any reboots that might be required by software installations.

Command line (manage-bde.exe -protectors c: -disable)

and so on--


I reckon this will do, or maybe the order should be changed?

This is a Windows 7 deployment.


I am getting the same on Dell Latitude 10 (UEFI) hardware i.e. it will not save the recovery password to AD. The TS does not fail and "manage-bde -status c:" shows it as encrypted but with a warning against the disk as there is no recovery key.

The Samsung Slate 7 / ATIV will correctly store the key in AD on the same Windows 8 task sequence.

 

Is it the pre-provisioning task which is at fault here and are people treating this as a bug in SCCM which should be logged with Microsoft? Are there any useful logs for BitLocker other than event viewer?

 

The Dell only has a 64Gb SSD so encrypting it the old fashioned way is probably no big deal if I have to go that way.


Thanks. Log attached. It runs the command about 11:38.

 

Also the output from bde status is:

 

Volume C: [Windows]
[OS Volume]

Size: 57.29 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors: None Found

 

I can manually activate BitLocker after this; it prompts to save a recovery key and protection status changes to ON. So the TPM side of things is OK.


smsts.log
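The status output above ("Key Protectors: None Found", "Protection Status: Protection Off") is the state a post-"Enable BitLocker" check should catch, and the reply earlier in the thread lists the TPM policy values the check should confirm. The following is an added example script, not code from the thread or from Configuration Manager; it assumes an elevated, domain-joined run on the OS drive, uses the FVE policy values OSActiveDirectoryBackup/OSRequireActiveDirectoryBackup (Windows' OS-drive equivalents of the TPM keys quoted above, not mentioned in the thread), and relies on System-log events 845/846 from Microsoft-Windows-BitLocker-Driver to confirm the AD escrow.

```powershell
# Added example, not from the thread: run after the "Enable BitLocker" step (elevated,
# domain joined) to catch the "Key Protectors: None Found / Protection Off" state shown
# above, repair it, escrow the recovery password to AD and confirm via the event log.
$Drive = 'C:'

# 1. The TPM values the reply sets with REG ADD, plus the FVE values that govern
#    OS-drive recovery info (assumption: these are what -adbackup is gated on).
$Policy = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\TPM' = 'ActiveDirectoryBackup', 'RequireActiveDirectoryBackup'
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE' = 'OSActiveDirectoryBackup', 'OSRequireActiveDirectoryBackup'
}
foreach ($key in $Policy.Keys) {
    foreach ($name in $Policy[$key]) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -ne 1) { Write-Warning "$key\$name = '$value' (expected 1)" }
    }
}

# 2. Protector IDs are printed as "ID: {GUID}". The numerical password is in the same
#    output, so keep it in the variable and never echo it into smsts.log.
function Get-ProtectorIds([string]$Type) {
    $out = manage-bde -protectors -get $Drive -Type $Type 2>&1
    [regex]::Matches(($out -join "`n"), '\{[0-9A-Fa-f-]{36}\}') | ForEach-Object { $_.Value }
}
if (-not (Get-ProtectorIds 'TPM')) {
    Write-Host "No TPM protector on $Drive (the 'None Found' case); adding TPM + recovery password"
    manage-bde -protectors -add $Drive -TPM -RecoveryPassword | Out-Null
} elseif (-not (Get-ProtectorIds 'RecoveryPassword')) {
    Write-Host "TPM protector present but no recovery password on $Drive; adding one"
    manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
}

# 3. Escrow every recovery password protector to AD, then turn protection back on.
foreach ($id in Get-ProtectorIds 'RecoveryPassword') {
    manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "AD backup of $id failed (exit $LASTEXITCODE)" }
}
manage-bde -protectors -enable $Drive | Out-Null

# 4. BitLocker records the escrow result in the System log: 845 = success, 846 = failure.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-BitLocker-Driver'; Id = 845, 846 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A machine that still shows "Protection Off" after step 3, or logs 846 instead of 845, points at the TPM/AD side rather than at the pre-provision step.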


I didn't see these two registry keys in your log - is this occurring earlier?

 

--> Set TPM AD Backup Policy (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "ActiveDirectoryBackup" /t REG_DWORD /d 1 /f)

--> Set TPM Require AD Backup Policy (REG ADD "HKLM\Software\Policies\Microsoft\TPM" /v "RequireActiveDirectoryBackup" /t REG_DWORD /d 1 /f)


Surely that is what the Enable BitLocker part of the TS does and you shouldn't have to configure that yourself. Are you manually setting those keys as well?

I will check the log for those entries on a working machine which does store the key in AD, and I'll try adding those keys before "Enable BitLocker" in the TS.
