The CM12 UEFI BitLocker Frontend HTA – Part 1. The features.

This is version 4.0 of the original windows-noob FrontEnd HTA, and this time it has evolved to support System Center 2012 R2 Configuration Manager using UEFI (or legacy capable) hardware running Windows 8.1 Enterprise with Update.


The CM12 UEFI BitLocker HTA.png


For the purpose of documenting the history of this HTA I’ll list the previous versions below and which version of Configuration Manager they were designed to work with:


Ver 1. – windows-noob FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)

Ver 2. – The BitLocker FrontEnd HTA (Configuration Manager 2007 R2 & MDT 2010 update 1)

Ver 3. – The CM12 BitLocker FrontEnd HTA (Configuration Manager 2012 R2 MDT 2012 update 1)


The key point of this FrontEnd that makes it stand out from others is that it allows you to Backup, Reinstall or do New Computer scenarios on BitLocker encrypted UEFI computers while still in WinPE.


Let’s take a look at the main features. The FrontEnd has tabs to allow you to easily navigate through the options. In each tab are further options which can be enabled via checkboxes or via drop down menus or other clickable buttons.


The About tab


In the About tab (default view) you get to see some information about the frontend itself, and if the computer name (detected by the webservice) is already in AD, if it is it will be highlighted in blue as shown below.


computername detected in AD.png


If the computer is not in AD then you’ll be informed of the fact with a nice red colour and a message as shown below.


computername NOT detected in AD.png


In addition you can optionally enter a username which will also be checked against AD membership via a web service. The username entered must be entered as simply the username, do not specify a domain name or \ infront of the username as this will generate an error.


Below you can see what happens when the user name provided is not detected in AD.


username NOT in AD.png


and below you can see when the user is detected in AD


username is in AD.png


The username entered here will become the Primary user of the computer and if enabled in the task sequence, they will become the local administrator of that computer.


The Backup tab


The backup tab allows you to perform quick or extensive disc checking on the disc in cases where you feel there may be problems with the disc that you’d like to be fixed before backing it up.


quick checkdisc.png


You have the ability to do a Full WIM backup of the computer which can either be stored locally on that computer or on a network share, the network share (and sub folder) are defined in the task sequence in the following steps:


set backup server.png


Finally, you can backup the User state to a network share called USMTStores by choosing the last option, xcopy to network.


xcopy to network.png


Once this user state is backed up to the network you’ll be informed of the progress and then the task sequence will shutdown the computer. This captured state can be restored later on another computer using the New Computer tab via the State Restore Options drop down menu.


The Reinstall tab


The Reinstall tab allows you to reinstall the computer with Windows 8.1 with update while retaining the users data using hard linking. In addition, you can choose to change the regional and language options via the two drop down menus.


drop down menus with regional and language options.png


In addition to the above, you can select to install the System Center Endpoint Protection antivirus client agent and enable BitLocker.


The New Computer tab


The New Computer tab is where you’ll want to do your New Computer installations, and it offers you the same options as the Reinstall scenario, but in addition, you can specify the encryption level (algorithm) that BitLocker uses.


encryption options.png


In addition, you can use the State Restore Options drop down menu to select the type of restore you want to achieve, if you select SMP (State Migration Point) then you should have backed up (captured) user data to the SMP from a source computer beforehand.


state restore options.png


In addition to restoring from the SMP, you can choose to restore previously backed up User state  (via the xcopy to network backup option) by selecting the profile name listed.


The tools tab


This tab provides some tools to help the operator view useful information about the computer they are working on, or to for example open up SMSTS.LOG via the CMTrace tool, or to open a cmd prompt for troubleshooting.


the tools tab.png


In addition you can click on the Deployment Info icon to see detailed information about the computer, including whether it is in an encrypted state or not.


deployment info.png


Finally, you can use the top three boxes to search for computer names, which if found will be shown in the drop down menu, and from there you can select one, and then click on Make Association button, this will make an association with the computer you are currently using and the target you selected.


successfully associated computers.png


Tip: you can verify this association via the User State Migration node in Assets and Compliance in the System Center 2012 R2 Configuration Manager console as shown below.


verify computer association.png


Note: If you like to experiment, then after making an association above, go back to the Backup tab, and without selecting anything in Backup options, click on Proceed. This is an experimental feature still in development so your results may vary.


What about the rest of the features


The task sequence and associated scripts do more than the above, and below I’ve listed the main features.

  • detects if there is no power cord plugged in to your laptop and alerts you of the fact.
  • detects if the hardware is Surface Pro 3 and installs the driver package
  • if no TPM is found it disables the BitLocker capability in the HTA
  • allows you to do Reinstall computer scenarios on Hyperv enabled Gen 2 virtual machines with BitLocker.
  • allows you to Notify the end user if the task sequence was successful or unsuccessful
  • creates a REG key upon successful task sequence completion and adds it to the registry
  • creates a text file in c:\ with the DATE and TIME to demonstrate successful task sequence
  • copies CMTrace.exe to the Windows\ of the OS drive.


Download the HTA


Ok now that you’ve seen the above you’ll no-doubt want to try it, trust me it’s worth it, but it’s not for the faint hearted. For that reason I’ll produce a Part 2 of this guide which will help you with installation of the bits and pieces.


You will need the following in place before trying to use the HTA to it’s full potential.


* Configuration Manager 2012 R2

* MDT 2013 integrated with Configuration Manager 2012

* Language packs for the Appropriate Operating System

* Maik Kosters Web Services (version 7.3)

* MBAM Server 2.0 (or greater) to store and manage the BitLocker encryption recovery keys


Attached File  The CM12 UEFI BitLocker   2.61MB   28 downloads


Unzip the contents, you’ll find a ZIP file within, you should import that as a Task Sequence in System Center 2012 R2 Configuration Manager. Once done you cannot save the task sequence until you satisfy all the missing packages it references and they are listed in the rough guide.


The other two folders should be used as packages that are referenced in the task sequence.


Please review Part 2 for installation and setup instructions *coming soon* of if you cant wait, review the Rough Guide (it’s rough, trust me) text file included in the download zip.


Related Reading


CM12 in a Lab – How can I reinstall BitLockered UEFI computers using network boot and System Center 2012 R2 Configuration Manager ?


Thanks !


I want to say thanks to my beta testers Eswar Koneti, Peter van Der Woude and Paul Winstanley for their support during this development.

This entry was posted in Surface Pro 3. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.