Recently I’ve been at a customer site performing a Windows 7 migration. The decision was made to enable BitLocker on all laptop systems during the OSD process. It took some research, but here is the way we ended up doing it.
The low down:
The models we had to work with were: 6930p, 8530w, 8440p, and 8440w. We knew that all systems had a TPM chip that we could utilize for BitLocker, so we did not have to worry about having a flash drive or something else to keep the BitLocker key on. Also, we decided to publish the BitLocker recovery keys to AD. One thing to note: we built our base Windows 7 image using ConfigMgr with MDT 2010 Update 1 integration and the MDT Build & Capture TS. Anyone that uses this out of the box will realize only one partition is created and used, and the 100MB or 300MB System Reserved partition is not present for use with BitLocker. Continue reading and you’ll see how I overcame this.
Here are the steps that we followed to prepare AD for BitLocker: http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx I won’t go into it in any detail since we had the AD administrator complete these steps.
Now that we have AD ready, it was time to figure out how to manipulate the BIOS from the OS in an automated way to enable the TPM chip and set a BIOS password, which is required when utilizing TPM with BitLocker. I was able to stumble upon Mike Nystrom’s blog (http://itbloggen.se/cs/blogs/micke/archive/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes.aspx) to get a better understanding of the tools that HP provides to accomplish this task.
The next step is to get the BiosConfigUtility.exe command line utility from the HP System Software Manager product. The version I ended up using was the same one that Mike used in his blog, 2.14 Rev A. You can get SSM from here: ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and verify the models you are using are supported from here: ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html After downloading SSM, I used 7-Zip to open the SSM executable (sp49507.exe) and extract the BiosConfigUtility.
Utilizing the HP BiosConfigUtility, I was able to run the following command from an HP laptop to build my configuration file that I would use during OSD to configure TPM and set the BIOS password. From an elevated command prompt run the following to get a dump of all the possible BIOS settings:
BiosConfigUtility.exe /GetConfig:Config.txt
This will dump all of the settings from the BIOS that can be configured using the utility. There will be a lot of settings that can be removed from the file, so that we are only touching TPM and setting the BIOS password. Here is what I ended up with for my config file; I saved it as TPMEnable.REPSET to follow the steps in Mike’s blog:
Putting it all Together:
Now that we have AD prepped and our tool for configuring the TPM chip on HP laptops, it’s time to put it all in a Task Sequence.
I discovered that enabling BitLocker too early in the TS would result in failures if I chose not to wait for full disk encryption before continuing the TS. One example is state restore. When BitLocker is encrypting a disk, the available disk space drops to around 5GB. With ConfigMgr believing that is the only space left, the TS will typically fail. To avoid this as much as possible, I made enabling BitLocker the absolute last step in the TS.
First we’ll need to make a package for the BiosConfigUtility in ConfigMgr. I won’t go over these steps since they are pretty basic, but the only source files you’ll need in the package are: BiosConfigUtility.exe and the TPMEnable.REPSET configuration file. Replicate the package to your DP. Now create a new program with the command line to run the BiosConfigUtility that will configure the BIOS to enable TPM and set the BIOS password. Here is the command line I used:
BiosConfigUtility.exe /setConfig:TPMEnable.REPSET /NewAdminPassword:"PASSWORD"
Obviously I didn’t use PASSWORD as the actual BIOS password in production; make sure to replace it with something stronger that meets the password requirements in your TPMEnable.REPSET configuration file.
The Task Sequence:
Let’s focus on the TS and getting the steps in the correct order for BitLocker to enable on laptop systems during the deployment of a new Windows 7 image.
As I mentioned earlier, I put enabling BitLocker as the last step in the TS. I also grouped the steps, which consist of 3 actual configuration steps and 2 reboots, under a group named “Enable BitLocker”. I then went to the options tab of the group and added a condition for the group to only run if the system being imaged is a laptop. Since MDT 2010 Update 1 is integrated with ConfigMgr in my environment, I can simply use the “IsLaptop equals True” TS variable.
Now let’s create the steps in the order we need to get BitLocker enabled. Here are the steps:
- Create a new General Step to install software, choose the BiosConfigUtility package we created earlier and the program containing the command line to run the tool.
- Since the computer will need to restart to complete the process of enabling the TPM chip, add a Restart Computer step to reboot back into the OS, and not the Boot Image.
- Now, this is where we will have to overcome the fact that we do not have a System Reserved partition for BitLocker to use on our hard drive. To get past this, create a Run Command Line step to run the following command:
cmd /c "bdehdcfg.exe -target default -quiet"
bdehdcfg.exe is a built-in Windows utility that prepares a drive for BitLocker. That is exactly what this step is doing: creating the 300MB system partition on the OS drive. Once you run this step, another reboot will be required. Note: be sure to check the box to Disable 64-bit file system redirection if deploying the x64 version of Windows 7.
- The final step, after preparing the BitLocker partition and rebooting the system once more, is to actually enable BitLocker. To do this, create a final step in the group using the Enable BitLocker built-in step. Under Choose the drive to encrypt, make sure the radio button next to TPM only is selected. Then under Choose where to create the recovery key, choose In Active Directory. I then chose to NOT wait for BitLocker to finish encrypting the drive before proceeding with the TS.
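Because the TS does not wait for encryption to finish, it is worth checking afterwards that the Enable BitLocker step actually produced what you asked for: a TPM protector, a recovery password, and encryption in progress. The script below is an added example of such a post-check (my own code, not from the post or from Microsoft); it uses the Win32_EncryptableVolume WMI class that ships with Windows 7, assumes C: is the OS drive, and uses a non-zero exit code so a Run Command Line step placed after Enable BitLocker fails visibly.

```powershell
# Post-check for the Enable BitLocker step (added example, not part of the original post).
# Run from a Run Command Line step, e.g.:
#   powershell.exe -ExecutionPolicy Bypass -File Check-BitLockerResult.ps1
# Remember to tick "Disable 64-bit file system redirection" on x64, as for bdehdcfg.exe.

$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if ($vol -eq $null) { Write-Host 'FAIL: BitLocker WMI provider not available for C:'; exit 1 }

# Returns the protector IDs of one type as an array, or an empty array (@($null) would count 1).
function Get-ProtectorIds($volume, $type) {
    $ids = $volume.GetKeyProtectors($type).VolumeKeyProtectorID
    if ($ids) { return @($ids) } else { return @() }
}

# Key protector types: 1 = TPM, 3 = Numerical (recovery) password
$tpmProtectors      = Get-ProtectorIds $vol 1
$recoveryProtectors = Get-ProtectorIds $vol 3
$protection = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
$conv       = $vol.GetConversionStatus()                     # ConversionStatus 0 = fully decrypted

$problems = @()
if ($tpmProtectors.Count -eq 0)      { $problems += 'No TPM key protector (TPM only option not applied).' }
if ($recoveryProtectors.Count -eq 0) { $problems += 'No recovery password, so nothing could be escrowed to AD.' }
if ($conv.ConversionStatus -eq 0)    { $problems += 'Volume is fully decrypted; encryption never started.' }

# Re-run the AD escrow for each recovery password. The TS step already does this, but a
# non-zero return here surfaces a missing AD schema extension or permission problem
# that would otherwise only be noticed when a user needs the recovery key.
foreach ($id in $recoveryProtectors) {
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -ne 0) { $problems += ('AD backup of protector {0} failed with 0x{1:X8}' -f $id, $rc) }
}

Write-Host ('Protection={0} Encrypted={1}% TPMProtectors={2} RecoveryProtectors={3}' -f `
    $protection, $conv.EncryptionPercentage, $tpmProtectors.Count, $recoveryProtectors.Count)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
exit 0
```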
Performing these steps should successfully get BitLocker up and running on HP laptops in your environment. Obviously you can customize the steps here to apply to pretty much any model from any manufacturer.
Here are some things I’ve seen that have caused the BitLocker steps to fail:
- The BDEHDCFG.EXE utility will fail to prepare the drive for BitLocker if the laptop is not on AC power. I always image on AC power, but accidentally forgot to plug in a laptop today and learned this lesson the hard way.
- When using the Auto-Apply driver step in the TS, make sure to NOT include the Infineon TPM driver from HP. This driver would cause the Enable BitLocker step in the TS to not be able to communicate with the TPM through Windows 7. Once I removed this driver and let Windows use its built-in generic driver, everything started working fine and I could see the TPM device through the TPM interface from within Windows.
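Both of those failures, plus the missing System Reserved partition, can be caught before the group runs. The script below is an added pre-flight check (my own code, not from the post) that a Run Command Line step at the top of the "Enable BitLocker" group can run; it uses the Win32_Battery, Win32_Tpm and Win32_Volume WMI classes available on Windows 7 and assumes that a volume flagged SystemVolume but not BootVolume is the separate system partition that bdehdcfg.exe creates.

```powershell
# Pre-flight check for the "Enable BitLocker" group (added example, not part of the post).
# Run as:  powershell.exe -ExecutionPolicy Bypass -File Check-BitLockerPrereqs.ps1
# A non-zero exit fails the step early, before bdehdcfg.exe or Enable BitLocker does.

$failures = @()

# 1. AC power: bdehdcfg.exe refuses to prepare the drive on battery.
#    Win32_Battery.BatteryStatus 2 = running on AC; no battery instance at all = desktop.
$batteries = @(Get-WmiObject -Class Win32_Battery)
if ($batteries.Count -gt 0 -and ($batteries | Where-Object { $_.BatteryStatus -ne 2 })) {
    $failures += 'System is running on battery; connect AC power before imaging.'
}

# 2. TPM state as Windows sees it. With the HP Infineon driver applied instead of the
#    in-box driver this class is typically missing or reports the chip as not enabled.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
        -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    $failures += 'No TPM visible to Windows (hidden in BIOS, or wrong TPM driver applied).'
} else {
    if (-not $tpm.IsEnabled().IsEnabled)     { $failures += 'TPM is not enabled in the BIOS.' }
    if (-not $tpm.IsActivated().IsActivated) { $failures += 'TPM is not activated in the BIOS.' }
}

# 3. A separate active system partition must exist; the MDT Build & Capture image has
#    only C:. The System Reserved volume reports SystemVolume=True and BootVolume=False.
$sysParts = @(Get-WmiObject -Class Win32_Volume |
              Where-Object { $_.SystemVolume -and -not $_.BootVolume })
if ($sysParts.Count -eq 0) {
    $failures += 'No separate system partition; run "bdehdcfg.exe -target default -quiet" and reboot.'
} else {
    Write-Host ('System partition found: {0:N0} MB' -f ($sysParts[0].Capacity / 1MB))
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'All BitLocker prerequisites met.'
exit 0
```

Placing the partition check in its own step also lets you make the bdehdcfg.exe step conditional, so a re-imaged machine that already has the system partition skips it and its reboot.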
Hopefully someone finds this helpful. Please post comments, good or bad.