MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013

In a previous post I explained how we could deploy the HP Elitepad 900 with the Microsoft Deployment Toolkit.

For that same project, which I recently worked on, it was a requirement that this tablet could be deployed unattended, securely and reproducibly.

I defined the following actions that needed to be done:

  1. Extending the AD Schema
  2. Update policy templates (since we were running Server 2008 R2)
  3. Configure ‘Bitlocker’ Group Policy Settings
  4. Configure CustomSettings.ini
  5. Configure Task Sequence
  6. Configure Unattended.xml
  7. Use a domain account
  8. Perform a test deployment

1. Extending the AD Schema

There is a lot of information on the internet on how to achieve this. The information I found most useful came from Microsoft’s own blog sites, and it helped me get this configuration working the first time.

The blogs that helped me achieve this:

From the link below, a complete documentation guide and four VBS scripts help you prepare the Active Directory domain environment for storing Bitlocker information in Active Directory.

Requirements

The basic requirements for having Bitlocker write information into Active Directory can be derived from the document “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.doc”, which can be downloaded from the link I have provided.

2. Update policy templates

Updating the policy templates makes sure that the Group Policy Manager has the latest available policy templates. When running a Server 2012 R2 domain controller, these templates are already available, but if you’re running an earlier version of Windows Server (from 2003 SP2 up to 2008 R2), it is recommended that the policy templates are updated.

This can be done by:

  1. Downloading the Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2
  2. Updating the current templates with the new templates

Step 2 is actually quite easy: type in your FQDN followed by “\SYSVOL\Policies”, which brings you to the folder where the policy templates are located. Before you do anything, create a backup of the current policy files; it comes in handy if you want to roll back or something goes wrong.

Just paste the new templates into the Policies folder, and the new Server 2012 R2 and Windows 8.1 policies are available in the Group Policy Manager straight away.

3. Configure ‘Bitlocker’ Group Policy Setting

Configuring the required group policy settings for Bitlocker makes sure all the necessary information about the computer object being deployed is stored in Active Directory. In the zip file at the bottom of this page you will find the desired GPO configuration in HTML, needed to store the information in Active Directory. These policies are also perfectly explained in the referenced document above and in the ‘useful links’ section at the bottom of this page. To get you started, I have provided a screenshot of those policies right here:

figure 1.1: Bitlocker GPO Configuration

bitlocker-policy

4. Configure CustomSettings.ini

Configuring the CustomSettings.ini is straightforward. There is enough information in the documentation of MDT itself on how to configure the properties for Bitlocker, which properties you can configure and what their values are. After some investigation, I came up with the following configuration:

figure 1.2: DeploymentShare properties, Rules (customsettings.ini)

bitlocker-csini

codeblock 1.1: customsettings.ini rules

As you can see, I have set my Priority to Model first and Default second.

So all rules stated under HP Elitepad 900 overrule the Default section, and only apply to this model.

For clarification I often comment my customsettings.ini, since the people who are going to work with it may want to understand why a certain setting is set.

; Bitlocker configuration for this model (comments follow the MDT property reference)
; Do not suppress the Enable BitLocker step
BDEInstallSuppress=NO
; Continue the task sequence while encryption runs in the background
BDEWaitForEncryption=FALSE
; Drive letter and size (MB) of the Bitlocker system partition created during deployment
BDEDriveLetter=S:
BDEDriveSize=2000
; Protector type (TPM = TPM only, TPMKey = TPM plus startup key, TPMPassword = TPM plus PIN)
BDEInstall=TPMKey
; Store the recovery password in Active Directory
BDERecoveryKey=AD
; Folder where the recovery/startup key files are written
BDEKeyLocation=C:\Windows\BDEKey

5. Configure Task Sequence

When the CustomSettings.ini is configured, the next thing we need to do is make some adjustments in the task sequence on the Bitlocker part:

figure 1.3: Task Sequence properties, configuring bitlocker

bitlocker-ts

In the ‘State Restore’ section, click on the “Enable Bitlocker” step, and check the following:

  • Current Operating System Drive
  • TPM Only
  • Choose where to create the recovery key
  • In Active directory

Alternatively you may check “Wait for Bitlocker to complete the drive encryption process on all drives before continuing the task sequence execution”.

This means, that the Task Sequence will wait until the entire drive is encrypted, then perform a reboot, and continue with the task sequence.

6. Configuring Unattended.xml

Configuring the Unattended.xml has little to nothing to do with configuring Bitlocker; however, to achieve a fully unattended installation, it is recommended that you extend your Windows 8.1 Unattended.xml in the TaskSequenceID folder with the following additions:

codeblock 1.2: Windows 8.1 unattended.xml additions to suppress Windows 8.1 setup wizard

The following strings make sure the Windows 8.1 setup will not interfere with the process.

7. Use a domain account

Since we are configuring deployments to work with Bitlocker and storing the recovery password in Active Directory, we at least need some form of authentication. My experience is that the domain join account, which is used to join the machine to the domain, has enough privileges to, first, create the computer object in Active Directory and, second, write the Bitlocker recovery key and TPM owner information into Active Directory on that same computer object.

A domain account does not need all kinds of fancy privileges, and it certainly does not need to be a Domain Admin. To see which privileges are required, please visit the following two blogs, which explain it perfectly:

8. Perform a test deployment

The only thing that remained was performing a deployment test, which of course I did, and the results were very satisfying 🙂

figure 1.4: trace64.exe – bdd.log

trace64-tmp

figure 1.5: computer object properties – active directory

computer-object-properties

figure 1.6 computer object properties – bitlocker-recover

computer-object-bitlocker
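As an added example that is not from the original post, here are three PowerShell checks I would run after the test deployment: the first two run on the deployed client and verify the step 3 policy values and the protectors on the OS drive, the third runs where the ActiveDirectory RSAT module is installed and confirms that recovery information was written to the computer object. The computer name ELITEPAD-001 is an assumed placeholder.

```powershell
# Added example, not part of the original post: verify what steps 3, 5 and 7 should have produced.
# Test-BdeAdBackupPolicy and Get-BdeOsProtectors run on the deployed client;
# Get-BdeAdRecoveryInfo runs where the ActiveDirectory RSAT module is available.

function Test-BdeAdBackupPolicy {
    # The GPO from step 3 lands in this policy key on the client (1 = enabled).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction Stop
    [pscustomobject]@{
        OSBackupToAD        = ($fve.OSActiveDirectoryBackup -eq 1)
        OSRequireBackupToAD = ($fve.OSRequireActiveDirectoryBackup -eq 1)
        # 1 = recovery passwords and key packages, 2 = recovery passwords only
        OSInfoToStore       = $fve.OSActiveDirectoryInfoToStore
    }
}

function Get-BdeOsProtectors {
    # A TPM-only deployment that escrows to AD should show a Tpm protector plus a
    # RecoveryPassword protector on the OS volume, and the volume should be encrypting.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus = $vol.VolumeStatus
        Protectors   = $vol.KeyProtector.KeyProtectorType
        RecoveryIds  = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    }
}

function Get-BdeAdRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Recovery passwords are msFVE-RecoveryInformation child objects of the computer object.
    # Only key IDs and timestamps are returned, never msFVE-RecoveryPassword itself,
    # so this output can go into a deployment log without leaking a recovery password.
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'
    $recovery = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryGuid', whenCreated
    [pscustomobject]@{
        Computer         = $computer.Name
        RecoveryKeyIds   = @($recovery | ForEach-Object { ([guid]$_.'msFVE-RecoveryGuid').ToString() })
        RecoveryCreated  = @($recovery.whenCreated)
        # The schema extension from step 1 (2008 R2) stores the TPM owner hash in this
        # attribute; a 2012 R2 schema links a separate msTPM-InformationObject instead.
        TpmOwnerInfoInAD = [bool]$computer.'msTPM-OwnerInformation'
    }
}

# Usage; the computer name is a constructed placeholder.
Test-BdeAdBackupPolicy
Get-BdeOsProtectors
Get-BdeAdRecoveryInfo -ComputerName 'ELITEPAD-001'
```

The RecoveryIds reported on the client should match the RecoveryKeyIds found under the computer object; a mismatch or an empty list means the escrow from step 7 did not happen and the bdd.log from figure 1.4 is the place to look.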

Useful links

These links helped me on my way achieving this:

Find attached the resultant set of policy that has been configured in Group Policy Manager, a copy of the BDD.log of a successful deployment, the screenshots used in this blog, and a copy of my customsettings.ini rules that I have used.

BlogContents.zip

If there are any questions or improvements you’d like to share, please feel free to contribute in the comment section!

Thanks for reading this blog! 😀

ps. forgive me for the Dutch computer object property screenshots, this is just for the moment until I can retrieve some English looking panes.

8 thoughts on “MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013”

  1. Eoin Ryan

    Thanks for this Rens. I’m interested to know how you settled on this combination of PCR settings, which to disable and which to enable.
    In our early testing, we’ve found that minor changes to laptops (e.g. in a docking station or not) will prompt a recovery key request. The solution seems to be in the PCR settings, but it’s hard to find a practical explanation of each setting to tweak them for zero irritation and acceptable security. Did you find a particularly good guide? (I’ve clicked through most of your links on this page at this point!)

    Reply
  2. Tom Weustink

    I was wondering where you base the S: drive on?

    In all online references I’ve never seen this block of code mentioned for CustomSettings.ini. What makes you use it? Apart from “it’s working for me(tm)”.

    Reply
    1. Rens Hollanders

      Hi Tom,

      I’ve based the letter S from the bitlocker drive, on the default setting which is available in the MDT documentation. Which can also be found here: http://systemscenter.ru/mdt2012.en/bdedriveletter.htm
      Nothing more, nothing less.

      Open the MDT console, go to help and check the property reference, to find the same letter.

      And since it’s working for me xD 😛

      Cheers! Rens

      Reply
      1. Tom Weustink

        Alright 🙂

        I gave it a try, and ended up with a system that can’t boot at all anymore.
        Need to go right now, and already closed the laptop I was testing with.
        Somehow that S: drive is messing things up here.

        In general, Bitlocker/MDT and Bitlocker/AD drives me crazy.
        Just can’t seem to get it working, and I know I must be very close.
        But it’s a show stopper right now…

        Reply
        1. Rens Hollanders

          Please post the Bitlocker properties you have configured in your customsettings.ini and a copy of your bdd.log.

          Reply
          1. Tom Weustink

            ; Bitlocker Configuration
            BDEInstallSuppress=NO
            BDEWaitForEncryption=True
            BDEDriveLetter=S:
            BDEDriveSize=2000
            BDEInstall=TPMKey
            BDERecoveryKey=AD
            BDEKeyLocation=C:\Windows\BDEKey
            SkipBitLocker=YES

            Posting bdd.log is tricky as it’s 1.9MByte large…
            I could mail it if you want?

  3. Dan

    Hi thank you for this post

    Before I commence, do you think this post is relevant for me? I’m currently configuring MDT to upgrade Windows 7 to 10 and I was looking at automating BitLocker using the Enable BitLocker section.

    Reply
