Many of us are required to implement full disk encryption, and unfortunately our input into the choice of product is rarely requested. ConfigMgr and MDT have built-in task sequence actions for BitLocker (disabling the protectors and so on), but third-party encryption products generally don't expose equivalent hooks, because a scriptable way to switch protection off is considered a security risk. So the challenge is: how do I perform a computer refresh on systems that are encrypted? You could decrypt the drive first, but that takes hours per machine. You could simply wipe the system and not worry about the data, if your policies allow for that. But for those of us who care about our users' data, or are required to care about it, neither option is acceptable.
We have to come up with a solution that actually works, which brings us to the purpose of this post.
The approach: use a Client Replace Task Sequence to capture the user state to a State Migration Point (SMP), then use a second, MDT-integrated task sequence to rebuild the machine as a bare-metal New Computer deployment and restore the data from the SMP.
1) First, create a standard Client Replace Task Sequence. The steps actually needed for this to work are shown below (the default sequence has been slightly modified: some steps removed, and some that are needed added).
2) If you want to pass additional capture options to USMT, set them in the TS with the OSDMigrateAdditionalOptions variable as shown below. NOTE: if you use the /ue or /ui switches you must also do step 4; otherwise the TS adds the /all switch, and scanstate does not accept /all together with /ue or /ui, so the capture step fails.
3) If you are refreshing from XP to Windows 7, you also need to incorporate a fix for settings that do not migrate between the two versions, which can be found at the link below; see the screenshot for an example.
4) If your capture options use the /ue or /ui switches, you must tell the TS how user profiles are to be captured by selecting the USMT configuration files you want to use for the capture; otherwise the TS falls back to the /all switch.
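To make steps 2 and 4 concrete, here is an added illustration that is not part of the original post: the two scanstate command lines that correspond to "no config files selected" and "config files selected", run by hand against a local store so you can see the failure and the fix outside the TS. How ConfigMgr orders the switches it generates is an assumption here; the USMT path X:\USMT\x86, the store path C:\StateStore and the domain name CONTOSO are placeholders. The value of OPTS is what you would put in OSDMigrateAdditionalOptions to capture only domain accounts.

```batch
@echo off
rem Added example (not from the original post): what the capture step runs with and
rem without USMT config files selected. Paths and the CONTOSO domain are placeholders.
set USMT=X:\USMT\x86
set STORE=C:\StateStore
rem Exclude every account, then include the domain accounts again: the USMT-documented
rem way to skip local/built-in profiles. This is the value for OSDMigrateAdditionalOptions.
set OPTS=/ue:*\* /ui:CONTOSO\*

rem 1) No config files selected (step 4 skipped): the TS appends /all. scanstate refuses
rem    /all in combination with /ue or /ui, so no store is written and the TS step fails.
"%USMT%\scanstate.exe" "%STORE%" /all %OPTS% /o /c /v:5 /l:"%STORE%\scanstate-all.log"
echo With /all plus /ue and /ui scanstate returned %ERRORLEVEL% (usage error, nothing captured)

rem 2) Config files selected (step 4 done): /all is replaced by the /i: list and the
rem    /ue and /ui filters are honoured.
"%USMT%\scanstate.exe" "%STORE%" /i:"%USMT%\MigApp.xml" /i:"%USMT%\MigUser.xml" %OPTS% /o /c /v:5 /l:"%STORE%\scanstate.log"
echo With config files scanstate returned %ERRORLEVEL% (0 = user state captured)
```

Inside the task sequence the store goes to the SMP rather than a local folder, and the TS adds the encryption key from the computer association; the switch conflict is the same either way.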
5) You probably think you are ready to capture user state now. Not quite: because we are capturing to an SMP, some hotfixes have to go on first. Download hotfix KB977203 and install it on your site servers. That installation produces a new client hotfix that needs to be installed on your client systems and a ccmcertfix utility that needs to be run on them (both steps can be automated in several ways to make life easier). The locations of both files are shown below,
i.e. they are found under the ConfigMgr installation directory.
6) Now create an advertisement for your modified Client Replace Task Sequence and run it against your systems. When the TS runs it contacts the client's local SMP and creates a computer association for you. In this scenario the data is always stored on the SMP, because it is a replace scenario. You can also create the computer association manually ahead of time if you prefer to control that for large rollouts, or if you actually are doing a replace onto different hardware.
7) With luck you have now captured the user state and settings from your XP machine, a computer association exists, and your data is sitting on the SMP.
NOTE: To verify the capture, you can copy the .MIG file from the SMP to a test machine and restore it with the Windows Easy Transfer wizard. Grab the recovery key from the computer association (the capture is encrypted with it) and you are good to go.
8) So what is the trick to getting the data back onto the newly imaged Windows 7 system? Luckily that is the easy part. As long as you use an MDT-integrated task sequence, the restore steps are already in place: the ZTIUserState.wsf script handles the restore, and because a computer association exists the data comes straight back down from the SMP to the machine. Below is a screenshot of what that should look like.
9) Whichever TS you use to deploy the image has to be started from boot media: the drive is encrypted, so once the machine reboots into WinPE nothing can read it, and a TS started from within Windows would never get past that reboot. The boot media therefore needs a custom pre-execution hook that wipes the encrypted disk clean before the TS tries to partition it. For that we use an example from Michael Peterson at this link. Make sure the capture to the SMP succeeded (step 7) before you wipe anything, because once the disk is cleaned there is no way back to the old data. Then burn the boot media, boot from the CD and kick off the TS, which wipes the disk, applies the WIM and restores the data and settings automagically...
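As an added example that is not Michael Peterson's script and not part of the original post, here is a minimal pre-execution hook of the kind step 9 describes. It assumes the boot image's TSConfig.ini points at it with a [CustomHook] section (CustomHook=Wipe.cmd) and that the script sits next to it on the media; the disk number 0 and the prompt text are assumptions too. Because the hook runs every time the media is booted, it refuses to touch the disk until an operator confirms that the user state for this machine is already on the SMP.

```batch
@echo off
rem Added example (not the linked script, not the original post's): a ConfigMgr boot
rem media pre-execution hook that wipes disk 0 so the task sequence can partition a
rem drive WinPE cannot read because it is encrypted.
rem Assumed wiring in the boot image's TSConfig.ini:
rem   [CustomHook]
rem   CustomHook=Wipe.cmd
rem This runs on every boot from the media, so it gates the destructive step.

echo.
echo WARNING: this will wipe disk 0, including the encrypted system volume.
echo Confirm that the Client Replace TS finished and the user state for this
echo machine is on the SMP (step 7) before continuing. There is no way back.
set /p ANSWER=Type Y to wipe disk 0 and continue, anything else to skip: 
if /i not "%ANSWER%"=="Y" (
    echo Skipping the wipe. The task sequence cannot format an encrypted disk.
    exit /b 0
)

rem diskpart takes its commands from a script file; build it in the WinPE RAM drive.
rem "clean" drops the partition table and volume info; the encrypted payload stays
rem on the platters but is unreadable without the key, so "clean all" (a full zero
rem pass, hours on a large disk) is not needed here.
set SCRIPT=%TEMP%\wipe.txt
> "%SCRIPT%" echo select disk 0
>> "%SCRIPT%" echo clean
diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo diskpart failed with exit code %ERRORLEVEL%.
    echo Run diskpart and "list disk" to confirm which disk is the system disk.
    exit /b %ERRORLEVEL%
)
echo Disk 0 cleaned; handing control back to the task sequence wizard.
exit /b 0
```

On machines with more than one disk, WinPE's disk numbering does not always match what Windows showed, so check with "list disk" before trusting "select disk 0" in a hook that cannot be undone.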
If you have any questions, or if any part of this process needs further explanation, please comment on the blog and let me know how I can improve the quality of these posts.