Step 1 – Update the Schema / Verify you have the correct Schema
All of my DC’s were either running 2008 R2 or were higher than the minimum of server 2003 SP1.
If you have a mixture of DC’s like me, you will be fine as server 2008 DC’s already have the schema extensions in place for bitlocker. If have an all server 2003 environment then update the Schema using the official documentation found here:
http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx
Its also worth noting that BitLocker does not impose any requirements on domain or forest functional levels. However, domain controllers running operating systems earlier than Windows Server 2003 with SP1 should be removed from mixed-functional-level environments (or upgraded), because backed up BitLocker and TPM information will not be protected on those domain controllers.
If you wish to verify that you have the correct schema extensions in place (as I did) then hop onto a DC as a domain admin/schema admin and crack open ADSI edit.
Right at very root of ADSI edit click right click and select “connect to” then under the naming context select the schema as below
Browse through the schema and you should see 6 attributes (only 5 are in the shot below)
These are:
CN=ms-FVE-KeyPackage
CN=ms-FVE-RecoveryGuid
CN=ms-FVE-RecoveryInformation
CN=ms-FVE-RecoveryPassword
CN=ms-FVE-VolumeGuid
CN=ms-TPM-OwnerInformation
Step 2 – Run Add-TPMSelfWriteACE.vbs to allow recovery passwords to be stored in AD
For the next step hop back onto a DC as domain admin and run the script Add-TPMSelfWriteACE.vbs and verify that you get a “success” message. The sample deployment scripts for bitlocker (including this one) can be found here:
http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3205
If you are not sure how to run these scripts please seek help from a colleague.
Step 3 – Verify the ACE has been added
To do this I suggest using a domain admin account again and drilling down deep into your AD structure and finding a random computer object (this is just to prove that the ACE has been inherited)
If you right click on your computer, properties and under security click effective permissions and enter “SELF” you should see these 2 attributes:
Create msFVE-RecoveryInformation Objects
Delete msFVE-RecoveryInformation Objects
This will allow computers to read and write their recovery passwords to and from AD.
Step 4 – Configuring Group Policy To automate saving Recovery Passwords & TPM info To AD
Below is the Group policy I set for our Bitlocker test environment, set yours up the same (You can always come back later and tweak it, but for now let’s just get it working ;) )
Now Apply this to a test OU with a single computer in it and let’s start with SCCM
Step 5 – Setting Your Disk In The SCCM Tasksequence
The first step is to partition the disk correctly. Copy / create a new task sequence and edit your “Partition Disk” step as follows ensuring that BDE is the boot partition
Ensure that BDE is the Boot Partition, it is 1536mb in size (or bigger if you wish) and that you set a variable called BDEPART
Ensure that OS partition has a variable set called OSPART, the partition can be whatever size you like (I just set mine to use 100% of the remaining space)
Now open your “Apply Operating System” step and set the destination to a “Logical drive letter stored in a variable” and set the Variable name to OSPART as below:
Step 6 – Setting up the enable bitlocker Step
Within your Task sequence add the “Enable Bitlocker” step and configure it as shown below:
Step 7 – Setup HP SSM (optional)
The machine I was testing on was a HP 2730p so I decided to go down the route of using a utility from the HP SSM called “BiosConfigUtility.exe”
Download the HP SSM from here:
http://h20331.www2.hp.com/hpsub/cache/284133-0-0-225-121.html?jumpid=ex_R2845_vanityim/gossm/ka011106
I booted up my 2730p and ran the following:
BiosConfigUtility.exe /Advanced /GetConfig:GetConfig2730p.txtThis created me a text file showing all of the current settings and more importantly what their names are. I then began to construct my task sequence, the finished article is below but I will go through each step:
Step 8 – The BiosConfigUtility Steps
I placed a restart in between each step since we are editing Bios settings (just to be on the safe side). During my testing I found (from the smsts.log file) that the “Enable Bitlocker” step would not work unless I set the restart to boot into full OS as shown below:
So I set all of the restarts to do this and haven’t yet changed any of them back so they may work from the boot image they may not, when I get chance I will test and edit this post.
Anyway, setting the bios password.
This step runs a batch file that contains the following:
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NULObviously that’s not my password but you get the idea.
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /NewSetupPassword:MyBiosPassword
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
The next step “HP 2730p – Full TPM Setup” was originally all of the TPM settings in “GetConfig.txt” set to enabled but I found that the TPM wasn't enabling so I put it in a step of its own. Below is my batch file that applies this config:
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NULAnd below are the contents of “FullTPMConfig2730p.txt”
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /CurSetupPassword:MyBiosPassword /Advanced /SetConfig:FullTPMConfig2730p.txt
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
English
Embedded Security Device
*Device available
Device hidden
Embedded Security Activation Policy
F1 to Boot
Allow user to reject
*No prompts
OS Management of TPM
*Enable
Disable
OS management of Embedded Security Device
*Enable
Disable
Reset of TPM from OS
*Enable
Disable
Reset of Embedded Security Device through OS
*Enable
Disable
Always Prompt for HP SpareKey Enrollment
*Disable
Enable
HP SpareKey
*Disable
Enable
The next step is to take ownership of the TPM, I did this using the manage-bde.exe tool. Create a batch file as follows:
manage-bde -tpm -TakeOwnership MyTPMPasswordAgain not my password so put something better in there.
exit /b
The final Step is to Enable the TPM, as I said I tried this in the Full setup step but it didn’t work, perhaps If I take ownership of the TPM then apply the settings it will work. Anyway for now this is what I have so again to enable the TPM create a txt file called “EnableTPM.txt” containing this:
English
Activate Embedded Security On Next Boot
*Enable
And apply it using this batch file:
xcopy /S /E /R /I /Q /Y "%~dp0"*.* "%systemroot%\temp\HPSSM" >NUL
"%systemroot%\temp\HPSSM\BiosConfigUtility.EXE" /CurSetupPassword:MyBiosPassword /Advanced /SetConfig:EnableTPM.txt
rd "%systemroot%\temp\HPSSM" /s /q
exit /b
That’s it for those steps, now update your DP’s and PXE boot your machine. Good Luck!
P.S Im sure I could cut down those steps now but this worked for me last thing on Friday so I’m blogging it over the weekend, I will update this once I have cleaned up a bit :)
Grab a cup of Coffee, wait for your image to apply and move onto the next step.....
Step 9 – Verifying your Recovery Password and TPM info have been stored in AD
If you skipped the HP SSM Steps carry on here.
Now we have a machine with Bit locker installed the first thing I did was to run
manage-bde.exe -statusfrom a command prompt as admin and check that the drive was indeed encrypting:
As you can see that looks promising (apart from the AES 128, I will be changing that in group policy later)
So that’s our machine encrypting lets check AD…..
If you run the active directory snap-in as domain admin you should see the bitlocker recovery tab with the current password stored in there as below:
If you do not see this tab you will need to run:
regsvr32.exe BdeAducExt.dllon your workstation and then re-open the active directory snap-in as domain admin.
The last step is to verify the TPM Owner info is being stored in AD, I did this by opening the computer object in ADSI edit and checking that the attribute msTPM-OwnerInformation had a hash of my password in there:
And I also ran the script Get-TPMOwnerInfo.vbs from the machine in question and verified that I got back the hash as expected
That’s pretty much it, one more thing to note is that you will see this now in Active Directory to enable you to search for bitlocker recovery passwords
And as always test test and test some more, this is only a very rough guide but it works which is the main thing, I still have lots of testing and tweaking to do myself before implementing but I will be putting all of my findings up here for future reference.
Also Thanks to this guy:
http://weikingteh.wordpress.com/2011/02/23/enabling-bitlocker-with-configuration-manager-sccm-operating-system-deployment-osd
For getting me started with partitioning the disk correctly,
Cheers!
No comments:
Post a Comment