Deploying BitLocker w/ MDT+UDI

    Question

  • I'm currently dealing with 3 different technologies so I apologize if this question is being presented in the wrong forum.

    It is my goal to provide OSD using ConfigMgr 2012 + MDT/UDI. A core piece to the UDI configuration is allowing my help desk team to enable BitLocker at deployment time. This is where my issue lies. I've searched for several days and tried various methods for getting this process to work with little-to-no success.

    My Setup:

    • ConfigMgr 2012 SP1
    • MDT/UDI Update 1
    • Client OS - Windows 7 Enterprise x64
    • BitLocker (managed via GPO - using DRA - recovery keys stored in AD)

    I am doing a barebones installation of Windows using a custom WIM file that was captured using a build-and-capture TS. The deployment task sequence is right out of the box (right-click > Create MDT Task Sequence). From the UDI perspective I've simply added my join domain settings.

    My Goal:

    Configure my MDT task sequence to properly enable BitLocker based on the selections made via UDI.

    Problem

    #1 - A barebones MDT task sequence with UDI fails. At first boot BitLocker is in a suspended state. Attempting to resume BitLocker fails indicating that no recovery keys were found. I check the protection state of the drive and sure enough there are no protectors applied.

    I followed option 1 from this article, which seems to best match my use case. The drive now encrypts but the DRA that is assigned via GPO is not applied. Forcing a policy update and rebooting does nothing.

    #2 - In a replacement scenario if I re-image a drive that has BitLocker I find that the "Disable BitLocker" step doesn't seem to be doing its job. The task sequence will continue to fail until I boot the current OS, suspend BL, and then boot directly into PXE.

     Any advice is greatly appreciated!

    Wednesday, September 11, 2013 9:41 PM

Answers

  • #1 before the pre-provision bitlocker step create a new step called Set OSDBitLockerMode and that's a set task sequence variable step. Set that variable to TPM (or another valid value). Then just copy the Enable BitLocker step from a regular CM12 task sequence, and set the TPM (or whichever you prefer) protectors option in that step, replace the UDI Enable BitLocker step with this one. Works fine for me.

    #2 are you starting that task sequence in Windows or WinPE? You should be starting it in Windows if you want that to work.

    on a side note take a look at this frontend, it does many bitlocker functions and more
    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

    Thursday, September 12, 2013 5:16 PM
    Moderator
  • I've found the answer I was looking for, per the following article: Using Data Recovery Agents with BitLocker.

    In an imaging scenario it wasn't clear to me that the identification field needed to be manually updated following encryption. I was expecting Group Policy to do the heavy lifting. So the fix was simple - execute the following command after the image sequence:

    manage-bde -SetIdentifier C:

    Immediately after running this command I confirmed the identification field was accurate and the DRA was assigned.

    Hope this information proves useful!

    • Marked as answer by ImageGuy Wednesday, October 09, 2013 2:49 PM
    Wednesday, October 09, 2013 2:49 PM

All replies

  • Hi,

    1. You need to utilize RSOP to check whether the policy is applied properly. Also, you need to set BitLocker Identification first.

    2. The smsts.log needs to be investigated.


    Juke Chou
    TechNet Community Support

    Thursday, September 12, 2013 4:53 PM
    Moderator
  • Thank you both for your helpful feedback.

    @Niall

    I am going to try your recommendations for #1 now. The steps look promising and I haven't gone this route thus far.

    Regarding #2, I was starting the TS from WinPE so that certainly explains why the Disable BitLocker step wasn't working. Thank you for clarifying. Unfortunately we don't have MBAM implemented today so I'll continue with the suspend process. The HTA looks promising! I'll have to add that to my list of items to try.

    Thursday, September 12, 2013 10:35 PM
  • Hi Niall,

    The steps you provided allowed the BitLocker process to successfully start encrypting and store the keys in AD. Unfortunately the DRA that I have applied via GPO is not being associated as 1 of the protectors.

    For clarification - I leverage Group Policy to assign a DRA. The cert is applied through Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption

    From what I can see Group Policy isn't applied until the task sequence is complete. Any suggestions?

    Friday, September 13, 2013 2:03 AM
  • Hi,

    As I said above, you need to check the identification field. Refer to

    http://technet.microsoft.com/en-us/library/dd875560(v=WS.10).aspx#BKMK_proc1


    Juke Chou
    TechNet Community Support

    Friday, September 13, 2013 3:19 AM
    Moderator
  • Hi Juke, I can confirm that my GPO for BitLocker is configured with a unique identifier. Although Niall's method worked for enabling BitLocker and saving the keys to AD, neither the identifier nor the DRA is being applied. I assume this is due to Group Policy not running prior to the Enable BitLocker task.
    Friday, September 13, 2013 3:41 AM
  • Hi,

    The DRA will be added afterwards. Check the identifier by manage-bde -get command.


    Juke Chou
    TechNet Community Support

    Friday, September 13, 2013 5:27 AM
    Moderator
  • I allowed the drive to fully encrypt and receive the GPO once the task sequence completed. I used Niall's suggestion to get the drive encrypted successfully. Neither the Identification Field nor the DRA are being registered once the encryption process completes.

    Disk encrypted through the task sequence:

    C:\Windows\system32>manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Volume C: [Local Disk]
    [OS Volume]
    
        Size:                 148.56 GB
        BitLocker Version:    Windows 7
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100%
        Encryption Method:    AES 128
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: None
        Key Protectors:
            Numerical Password
            TPM And PIN

    Disk encrypted manually:

    C:\Windows\system32>manage-bde -status c:
    BitLocker Drive Encryption: Configuration Tool version 6.1.7601
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Volume C: [Local Disk]
    [OS Volume]
    
        Size:                 237.99 GB
        BitLocker Version:    Windows 7
        Conversion Status:    Fully Encrypted
        Percentage Encrypted: 100%
        Encryption Method:    AES 128 with Diffuser
        Protection Status:    Protection On
        Lock Status:          Unlocked
        Identification Field: <removed>
        Key Protectors:
            Numerical Password
            TPM And PIN
            Data Recovery Agent (Certificate Based)
            Data Recovery Agent (Certificate Based)
            Data Recovery Agent (Certificate Based)


    Friday, September 13, 2013 3:22 PM
  • Identification Field: None

    The field has not been applied successfully.


    Juke Chou
    TechNet Community Support

    Monday, September 16, 2013 7:15 AM
    Moderator
  • Hi Juke,

    I'm a bit confused as to what direction you're trying to point me in. Excuse my ignorance =) The details from 9/13 show the task sequence not applying the identification field and DRA. As far as I can tell this is due to the fact that Group Policy doesn't get applied until after the TS is complete. So we end up with the following order of activities:

    Execute Task Sequence....

    - Misc tasks -
    1. Format drive
    2. Set OSDBitLockerMode - TPM and PIN
    3. Pre-provision BitLocker
    - Misc tasks (apply OS, setup Windows) -
    4. Enable BitLocker (CM12 task) - TPM and PIN - store in AD
    - Misc tasks -
    Task sequence complete....
    Group Policy applied....


    At this point I login and can confirm the drive was encrypted successfully, TPM and PIN protectors are correct, and the recovery keys are saved to Active Directory. Unfortunately the identification field and DRA are not applied, as the encryption process occurred BEFORE Group Policy could force the proper criteria (identification field and DRA).

    Some steps I've tried to remediate this behavior:

    1. Create a "Run Command" task sequence step to run gpupdate /force before the "Enable BitLocker" step. This results in the TS hanging indefinitely. NEXT...

    2. Add my Group Policy settings using a GPO pack. Sadly I discovered GPO packs don't appear to support applying public keys. NEXT...

    3. Inject the relative FVE registry keys from a properly encrypted system prior to the "Enable BitLocker" step. This includes the identification field. Encryption runs successfully but I still don't see the identification field or DRA.

    I'm running out of ideas. What am I missing here? I can't be the only one running into this issue.

    • Edited by ImageGuy Saturday, October 05, 2013 2:16 AM
    Saturday, October 05, 2013 2:10 AM
  • Quick update -

    I thought perhaps I could apply the certificate protector following the image sequence, since everything else is working as it should.

    To do this I imaged a system using the methods mentioned previously and confirmed the disk encrypted successfully. I then executed the following command on the encrypted system: manage-bde -protectors -add C: -Certificate -cf "<path to cert>"

    Results:

    ERROR: An error occurred (code 0x80310086):
    BitLocker Drive Encryption cannot be applied to this drive as currently configured because of Group Policy settings. The certificate you provided for drive encryption is self-signed. Current Group Policy settings do not permit the use of self-signed certificates. Obtain a new certificate from your certification authority before attempting to enable BitLocker.

    So it seems this method will not work. Although the certificate in question is applying properly on systems where I manually enable BitLocker. This is a self-signed certificate that I've added to my GPO (Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption).

    Tuesday, October 08, 2013 4:19 PM
  • Hi ImageGuy

    I'm also facing similar problem. I want to assign DRA certificate during OSD only. Is it possible to assign DRA certificate during OSD TS by running below command line step

    manage-bde -protectors -add C: -Certificate -cf "<path to cert>"

    Any other inputs please


    Cheers | Navdeep Sidhu

    Thursday, November 14, 2013 3:34 PM
  • Hi Navdeep,

    In my case the DRA certificate was already published via Group Policy, so the command I listed above was sufficient enough to meet my needs. I have added certificates manually using the command you posted, but if you're already on a domain it seems Group Policy would be the preferred / simplest route to take.

    Thursday, November 14, 2013 3:43 PM
  • Hi

    Thanks for the quick response.

    Unfortunately GPO is not being applied during OSD TS hence need to find an alternate way to assign DRA certificate during OSD TS only.

    I'm using registry values to define BitLocker settings before "Enable BitLocker" step however DRA certificate is the one which is not being applied during OSD TS.

    Any ideas please!


    Cheers | Navdeep Sidhu

    Thursday, November 14, 2013 3:52 PM
  • Sounds like you are at the same spot I was. Assuming your DRA is setup correctly in Group Policy, give these steps a try:

    1. Inject the registry settings prior to the "Enable BitLocker" step (as you are doing currently).
    2. Run the "Enable BitLocker" step.
    3. Add a final Run Command with this command (adjusting the drive letter as needed): manage-bde -SetIdentifier C:

    Group Policy will attempt to assign the DRA but will fail if the SetIdentifier command is not executed. Once the identification field is populated and matches up properly the DRA should apply accordingly.

    Thursday, November 14, 2013 4:02 PM
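    The post-imaging fix from the marked answer and the three steps above, written up as a check-and-remediate script (an added example, not code from the thread). It runs manage-bde -status, stamps the identification field with manage-bde -SetIdentifier only when the field is still "None", then reports whether a Data Recovery Agent protector is present. It assumes manage-bde.exe is on the path, English-language manage-bde output (the parsing is locale-dependent), and that the identification field and DRA certificate are already published via Group Policy and have reached the machine, which per the thread means running it after the task sequence completes rather than inside it.

    ```powershell
    # Added example: verify and, if needed, set the BitLocker identification field
    # after imaging so the GPO-published DRA can attach. Not code from the thread.
    param(
        [string]$Drive = 'C:'   # adjust the drive letter as needed
    )

    function Get-BdeStatusField {
        param([string[]]$StatusLines, [string]$Name)
        # manage-bde -status prints "    Name:    value" lines; return the value or $null.
        foreach ($line in $StatusLines) {
            if ($line -match "^\s*$([regex]::Escape($Name)):\s*(.+)$") { return $Matches[1].Trim() }
        }
        return $null
    }

    function Test-BdeDraProtector {
        param([string[]]$StatusLines)
        # True when at least one "Data Recovery Agent (Certificate Based)" protector is listed.
        return (@($StatusLines -match 'Data Recovery Agent').Count -gt 0)
    }

    $status = & manage-bde -status $Drive
    if ($LASTEXITCODE -ne 0) { Write-Error "manage-bde -status failed for $Drive"; exit $LASTEXITCODE }

    $idField = Get-BdeStatusField -StatusLines $status -Name 'Identification Field'

    if ([string]::IsNullOrEmpty($idField) -or $idField -eq 'None') {
        # Same remediation as the marked answer: copy the GPO identification field onto the volume.
        & manage-bde -SetIdentifier $Drive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Error "manage-bde -SetIdentifier failed for $Drive"; exit $LASTEXITCODE }

        # Re-read status so the result below reflects the new state.
        $status  = & manage-bde -status $Drive
        $idField = Get-BdeStatusField -StatusLines $status -Name 'Identification Field'
    }

    $hasDra = Test-BdeDraProtector -StatusLines $status
    Write-Output "Identification Field : $idField"
    Write-Output "DRA protector present: $hasDra"

    # Fail the step if the identification field still is not set; without it the DRA
    # will never attach. A missing DRA alone is only a warning, because Group Policy
    # may still add it on its next refresh once the field matches.
    if ([string]::IsNullOrEmpty($idField) -or $idField -eq 'None') { exit 1 }
    if (-not $hasDra) { Write-Warning "No DRA protector on $Drive yet; verify the GPO identification field matches." }
    exit 0
    ```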
  • Group Policy will attempt to assign the DRA but will fail if the SetIdentifier command is not executed. Once the identification field is populated and matches up properly the DRA should apply accordingly.

    Thanks for your response. Did you get this working in your environment by following above mentioned commands during OSD TS & then allowing Group Policy to assign the DRA as soon as OSD TS gets finished? Does this make sense?

    I'm also thinking to apply DRA settings through a local GPO by copying the policy file under path %systemroot%\system32\grouppolicy\Machine during the build.


    Cheers | Navdeep Sidhu

    Friday, November 15, 2013 6:30 AM