Customising Windows 7 deployments – part 5. Enabling Bitlocker in WinPE on Dell computers

BitLocker
is a Microsoft feature which encrypts the whole hard disk; however,
enabling it isn't as simple as pressing a switch or simply adding a step
to your task sequence. You will really have to spend some time reading
about BitLocker before you decide what strategy you take with regards to
deploying it in the enterprise.

(Full post with screenshots is available here).

BitLocker has some hardware requirements,
and one of those is that the TPM (Trusted Platform Module) is turned ON
and activated before BitLocker is enabled. To do this on Dell systems we
use the Dell CCTK (Client Configuration Toolkit).

You will need to decide if you are going to handle the TPM specific
parts while in Windows or while in WinPE. I’d strongly recommend you
test both scenarios in your test environment with real hardware
(obviously, you’ll want TPM ready Dell hardware).

Dell also provides a page here which explains how to enable the TPM using the CCTK while in Windows (in the running OS), but what if you want to enable the TPM in WinPE?
To do that you have the option of using the batch files provided with the
CCTK; these batch files require the Windows AIK to be installed, and they
create an ISO and a new boot WIM for you to import into SCCM.

Nice, except maybe you don't want to regenerate your boot.wim, as it already has all your Extrafiles added and is customised with your HTA scripts etc.

No problem, simply use the task sequence provided below and I'll guide
you through how it all works. This task sequence doesn't care whether your
boot image is X86 or X64: it determines that with a WMI query that checks
for the presence of the SysWOW64 folder, which only a 64-bit WinPE has.
What I'm providing here is a solution for you to deploy Windows 7
Enterprise X64 on Dell hardware with BitLocker enabled, so that when you
log in to the finished deployment BitLocker is already busy encrypting
your drive.

Note: This task
sequence is for enabling BitLocker in Bare Metal (New Computer)
scenarios, I will cover enabling BitLocker in a Refresh scenario in a
later post.

Step 1. Download the CCTK.

The CCTK is available for download here.
Once you've downloaded it, install the MSI. We need the CCTK in order to
communicate with the TPM chip in our Dell computers from Windows PE (using
the HAPI drivers contained in the CCTK).

Step 2. Create The CCTK packages

We need to Create two new ConfigMgr Packages for X86 and X64 CCTK.

  • Copy %ProgramFiles%\Dell\CCTK\* to a location that
    will be used for Configuration Manager. You will have two subfolders,
    x86, and x86_64
  • Create two ConfigMgr Packages, using the source directory for x86, and x86_64. Send these packages to your Distribution Points

Step 3. Download BitLocker Scripts.

In order to enable BitLocker in this example task sequence we use a script; Microsoft has kindly provided us with the scripts we need right here.

Step 4. Create the BitLocker Scripts package

Create a new package containing the BitLocker scripts you downloaded above and distribute it to your DPs.

Step 5. Download the windows-noob sample BitLocker task sequence.

Import this task sequence:

Attached File: Deploy Windows 7 Ent X64 – BITLOCKER in WinPE.xml (32.54K)

into ConfigMgr and resolve the missing packages by pointing to the following packages where necessary:-

  • Operating System Image (Windows 7 X64)
  • Configuration Manager Client Package
  • CCTK X86 Package
  • CCTK X64 Package
  • Bitlocker Scripts

So how does it all work then ?

The task sequence is broken down into two main groups for the TPM: one
deals with enabling TPM functions when using an X86 boot image, the other
does the same for X64 boot images.

Attached Image: monthly_07_2011/post-1-0-10222300-1309886413.png

As we haven't injected the HAPI drivers into WinPE (remember, we didn't
want to have to generate new boot images, we wanted to keep our current
process mostly untouched) we must inject them at run time. They are loaded
into the WinPE RAM disk, so they are lost at every restart: the injection
has to be repeated before the first CCTK step after each restart (steps
that run back to back without a restart in between only need it once).

This is done via an xcopy command which copies the CCTK files for the matching architecture to X:\ (the WinPE RAM disk).

Attached Image: monthly_07_2011/post-1-0-18138500-1309886650.png

and then we install the HAPI drivers in the next step

Attached Image: monthly_07_2011/post-1-0-95176400-1309887507.png

Next we set a BIOS setup password (you can change the password to something else if you wish). CCTK will not change the TPM state unless a setup password is set, which is why one is set here and removed again at the end of the group. Note that the password sits in clear text in the task sequence step and is written to smsts.log along with the rest of the command line, so use a throwaway value rather than a real BIOS password.

Attached Image: monthly_07_2011/post-1-0-45141100-1309887653.png

and then we enable the TPM chip

Attached Image: monthly_07_2011/post-1-0-68452100-1309887783.png

After a restart of the computer (so the BIOS can apply the change) we have to redo the xcopy/enable HAPI drivers before the next step, activating the TPM chip.

Attached Image: monthly_07_2011/post-1-0-89931400-1309887916.png

After another restart and another CCTK xcopy/enable HAPI group, we remove the BIOS password set earlier.

Attached Image: monthly_07_2011/post-1-0-48781100-1309888035.png
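The WinPE side of the group described above, as one added batch script that each Run Command Line step calls with a stage name (this is an example written for this page, not the command lines of the windows-noob task sequence and not Dell's code). It repeats the xcopy and the HAPI install itself, because both are lost at every restart. Assumptions: a single CCTK package laid out with the x86 and x86_64 subfolders copied in Step 2 (the post uses two separate packages), the step runs with that package as its working directory, the temporary setup password is passed as the second argument (for example from a task sequence variable) instead of being typed into the step, and `cctk --tpm` / `cctk --tpm-activation` print the current setting in name=value form, which is what the findstr checks look for; confirm both strings with `cctk --tpm` on your own hardware before relying on them.

```batch
@echo off
REM Added example (not the windows-noob task sequence, not Dell's code).
REM Runs one of the three WinPE TPM stages described in the post:
REM   tpm-stage.cmd enable   <setup-pwd>   set setup password, turn TPM on (restart follows)
REM   tpm-stage.cmd activate <setup-pwd>   after restart: activate the TPM (restart follows)
REM   tpm-stage.cmd clearpwd <setup-pwd>   after restart: remove the setup password again
REM Assumes this file sits in one package root that contains x86\ and x86_64\ (from Step 2).
REM Use a throwaway alphanumeric password: it is logged in smsts.log with the command line.
setlocal
set STAGE=%~1
set SETUPPWD=%~2
if "%STAGE%"=="" goto usage
if "%SETUPPWD%"=="" goto usage

REM Pick the CCTK build that matches the running boot image: only an X64 WinPE
REM has a SysWOW64 folder (the task sequence does the same test with a WMI query).
set ARCH=x86
if exist "%SystemRoot%\SysWOW64" set ARCH=x86_64

REM HAPI lives in the WinPE RAM disk (X:) and is gone after every restart, so the
REM copy and the driver install are repeated at the start of every stage.
xcopy "%~dp0%ARCH%\*" "X:\CCTK\%ARCH%\" /E /I /Y >nul || goto fail
pushd "X:\CCTK\%ARCH%\HAPI"
hapint -i -k C-C-T-K -p "hapint" || (popd & goto fail)
popd
set CCTK=X:\CCTK\%ARCH%\cctk.exe

if /i "%STAGE%"=="enable"   goto enable
if /i "%STAGE%"=="activate" goto activate
if /i "%STAGE%"=="clearpwd" goto clearpwd
goto usage

:enable
REM CCTK will not change the TPM state unless a setup password is set, so set one first.
"%CCTK%" --setuppwd=%SETUPPWD% || goto fail
"%CCTK%" --tpm=on --valsetuppwd=%SETUPPWD% || goto fail
REM Check the setting took before the task sequence restarts the machine
REM (assumed output form: tpm=on).
"%CCTK%" --tpm | findstr /i "tpm=on" >nul || goto fail
goto ok

:activate
"%CCTK%" --tpm-activation=activate --valsetuppwd=%SETUPPWD% || goto fail
REM "=activate" also matches "=activated" but not "=deactivated" (assumed output form).
"%CCTK%" --tpm-activation | findstr /i "=activate" >nul || goto fail
goto ok

:clearpwd
REM An empty --setuppwd= clears the setup password; the current one must be supplied.
"%CCTK%" --setuppwd= --valsetuppwd=%SETUPPWD% || goto fail
goto ok

:usage
echo usage: %~nx0 enable^|activate^|clearpwd ^<setup-password^>
exit /b 2
:fail
echo %STAGE% stage failed (exit code %ERRORLEVEL%), halting task sequence
exit /b 1
:ok
echo %STAGE% stage completed
exit /b 0
```

Each stage exits non-zero on the first failed command, so the task sequence step fails instead of restarting into the next stage with the TPM still off; the "continue on error" box on those steps should stay unticked for that to matter.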

Once the steps above are done Windows installs as normal and the Windows settings etc. are applied, before finally getting to the Configure and Enable BitLocker group; this runs within Windows.

This group is responsible for preparing the disk partition for BitLocker using manage-bde

Attached Image: monthly_07_2011/post-1-0-93085100-1309888177.png

and finally, after another restart, we enable BitLocker using the EnableBitLocker.vbs script from Microsoft.

Attached Image: monthly_07_2011/post-1-0-36661700-1309889235.png

That's it! Windows will then end up at the familiar login screen, but
you may notice the HDD LED is very busy; this is because BitLocker is
busy encrypting the drive.
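A pre-flight check for the Configure and Enable BitLocker group, as an added example (not part of the original post and not one of Microsoft's scripts): it runs in the full OS just before EnableBitLocker.vbs and confirms that the WinPE stages really left the TPM enabled and activated, so a CCTK step that silently did nothing shows up here as a failed task sequence step rather than as a cryptic failure inside the VBScript. It uses the Win32_Tpm WMI class and manage-bde, both present in Windows 7; the volume letter C: is an assumption.

```batch
@echo off
REM Added example (not part of the original post or of Microsoft's script pack).
REM Run as a "Run Command Line" step in the full OS, directly before EnableBitLocker.vbs.
REM Exits non-zero so the task sequence stops instead of trying to enable BitLocker
REM against a TPM that is still off or not activated.
setlocal
set TPMNS=root\cimv2\security\microsofttpm

REM Win32_Tpm exposes the state flags BitLocker depends on. Enabled and activated are
REM required; ownership is taken by the enable script itself, so it is only reported.
for %%P in (IsEnabled_InitialValue IsActivated_InitialValue) do (
    wmic /namespace:\\%TPMNS% path Win32_Tpm get %%P /value | findstr /i "%%P=TRUE" >nul || (
        echo TPM check failed: %%P is not TRUE - check the CCTK stages in smsts.log
        exit /b 1
    )
)
wmic /namespace:\\%TPMNS% path Win32_Tpm get IsOwned_InitialValue /value | findstr /i "IsOwned"

REM Confirm the OS volume is visible to BitLocker; the status output also shows whether
REM it is already encrypted or has protectors from an earlier attempt (assumes C:).
manage-bde -status C: || (echo manage-bde could not query C: & exit /b 1)

echo TPM is enabled and activated; safe to run EnableBitLocker.vbs
exit /b 0
```

After the deployment finishes, the same `manage-bde -status C:` command run from an elevated prompt shows the "Percentage Encrypted" value climbing, which is what the busy HDD LED corresponds to.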

have fun and please let me know how you get on with this,

cheers !

niall.

References:-

BitLocker Hardware Requirements – http://windows.micro…rive-Encryption

Microsoft Scripts to Enable Bitlocker – http://go.microsoft…./?LinkID=151997

BitLocker Info – a List of Resources – http://myitforum.com…-resources.aspx
