In a previous post I explained how we could deploy the HP Elitepad 900 with the Microsoft Deployment Toolkit.
For that same project, which I have recently worked on, it was a requirement that this tablet would be deployed unattended, securely and reproducibly.
I defined the following actions that needed to be done:
- Extending the AD Schema
- Update policy templates (since we were running Server 2008 R2)
- Configure ‘Bitlocker’ Group Policy Settings
- Configure CustomSettings.ini
- Configure Task Sequence
- Configure Unattended.xml
- Use a domain account
- Perform a test deployment
1. Extending the AD Schema
There is a lot of information on the internet on how to achieve this. The information I found most useful came from Microsoft’s own blogs, and it helped me get the configuration right the first time.
The blogs that helped me achieve this:
- Backing Up BitLocker and TPM Recovery Information to AD DS
- BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
- How to backup recovery information in AD after BitLocker is turned ON in Windows 7
The link below provides a complete documentation guide and four VBS scripts that help you prepare the Active Directory domain environment for storing BitLocker information in Active Directory.
Requirements
The basic requirements for having BitLocker write its recovery information into Active Directory can be derived from the document “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.doc”, which can be downloaded from the link I have provided.
2. Update policy templates
Updating the policy templates makes sure that the Group Policy Management console has the latest available policy templates. On a Server 2012 R2 domain controller these templates are already available, but if you’re running an earlier version of Windows Server (from 2003 SP2 up to 2008 R2), it is recommended that you update the policy templates.
This can be done by:
- Downloading the Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2
- Updating the current templates with the new templates
Step 2 is actually quite easy: type in your FQDN followed by “\SYSVOL\Policies”, which brings you to the folder where the policy templates are located. Before you change anything, create a backup of the current policy files; it will come in handy if you need to roll back or something goes wrong.
Paste the new templates into the Policies folder and the new Server 2012 R2 and Windows 8.1 policies are available in the Group Policy Management console straight away.
3. Configure ‘Bitlocker’ Group Policy Settings
Configuring the required Group Policy settings for BitLocker makes sure all the necessary recovery information for the computer object being deployed is stored in Active Directory. In the zip file at the bottom of this page you will find the desired GPO configuration in HTML, needed to store the information in Active Directory. These policies are also explained perfectly in the referenced document above and in the ‘Useful links’ section at the bottom of this page. To get you started, here is a screenshot of those policies:
figure 1.1: Bitlocker GPO Configuration
4. Configure CustomSettings.ini
The MDT documentation itself contains enough information on which BitLocker properties you can configure and what their values are. After some investigation, however, I came up with the following configuration:
figure 1.2: DeploymentShare properties, Rules (customsettings.ini)
codeblock 1.1: customsettings.ini rules
```ini
[Settings]
Priority=Model, Default
Properties=MyCustomProperty

[HP Elitepad 900]
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
```
As you can see, I have set the priority to Model first and Default second, so all rules stated under [HP Elitepad 900] override the Default section and apply only to this model.
For clarification I often comment my customsettings.ini, since the people who are going to work with it may want to understand why a certain setting is set.
```ini
; NO = do not suppress the BitLocker installation, i.e. install and enable BitLocker
BDEInstallSuppress=NO
; Do not wait for the drive to finish encrypting before the task sequence continues
BDEWaitForEncryption=FALSE
; Drive letter of the unencrypted BitLocker system partition
BDEDriveLetter=S:
; Size of that partition in MB
BDEDriveSize=2000
; Protector type: TPMKey = TPM plus a startup key file (TPM = TPM only)
BDEInstall=TPMKey
; Store the recovery password in Active Directory
BDERecoveryKey=AD
; Folder where the recovery key and startup key files are written
BDEKeyLocation=C:\Windows\BDEKey
```
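To see how the Priority=Model, Default line above decides which rules apply, here is a small resolver that mimics that precedence. It is an added example, not code from the original post or from MDT: sections are visited in the order Priority= names them, the first value seen for a property wins, and the ini text (with a constructed [Default] section that conflicts on BDEInstallSuppress) is sample input.

```python
import configparser
from typing import Dict

# Constructed sample modelled on the post's rules. The [Default] section with a
# conflicting BDEInstallSuppress value is added here to show the precedence.
SAMPLE_INI = r"""
[Settings]
Priority=Model, Default
Properties=MyCustomProperty

[HP Elitepad 900]
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey

[Default]
BDEInstallSuppress=YES
SkipBitLocker=YES
"""


def resolve(ini_text: str, model: str) -> Dict[str, str]:
    """Return the property values that apply to `model`.

    Sections are visited in the order named by Priority=; the first value
    seen for a property wins, so a later section never overrides it.
    The indirect entry "Model" selects the section named after the model.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep property names exactly as written
    cp.read_string(ini_text)
    resolved: Dict[str, str] = {}
    for entry in cp["Settings"]["Priority"].split(","):
        entry = entry.strip()
        section = model if entry == "Model" else entry
        if not cp.has_section(section):
            continue  # no rules for this model: fall through to the next section
        for key, value in cp.items(section):
            resolved.setdefault(key, value)  # first match wins
    return resolved


if __name__ == "__main__":
    for name in ("HP Elitepad 900", "Some Other Model"):
        print(name, resolve(SAMPLE_INI, name))
```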
5. Configure Task Sequence
When the CustomSettings.ini is configured, the next thing we need to do is adjust the BitLocker part of the task sequence:
figure 1.3: Task Sequence properties, configuring bitlocker
In the ‘State Restore’ section, click on the “Enable Bitlocker” step, and check the following:
- Current Operating System Drive
- TPM Only
- Choose where to create the recovery key
- In Active Directory
Alternatively you may check “Wait for BitLocker to complete the drive encryption process on all drives before continuing the task sequence execution”.
This means the task sequence waits until the entire drive is encrypted before rebooting and continuing with the task sequence.
6. Configuring Unattended.xml
Configuring the Unattended.xml has little to nothing to do with configuring BitLocker; however, to achieve a fully unattended installation it is recommended that you extend your Windows 8.1 Unattended.xml in the TaskSequenceID folder with the following additions:
codeblock 1.2: Windows 8.1 unattended.xml additions to suppress Windows 8.1 setup wizard
```xml
<OOBE>
  <HideEULAPage>true</HideEULAPage>
  <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
  <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
  <NetworkLocation>Work</NetworkLocation>
  <ProtectYourPC>1</ProtectYourPC>
  <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
  <HideLocalAccountScreen>true</HideLocalAccountScreen>
</OOBE>
```
These settings make sure the Windows 8.1 setup screens will not interfere with the process.
7. Use a domain account
Since we are configuring deployments to work with BitLocker and store the recovery password in Active Directory, we at least need some form of authentication. My experience is that the domain join account, which is used to join the machine to the domain, has enough privileges to first create the computer object in Active Directory and second write the BitLocker recovery key and TPM owner information to that same computer object.
The domain account does not need any kind of fancy privileges, and certainly does not need to be a Domain Admin. To see which privileges are required, please visit the following two blogs, which explain it perfectly:
8. Perform a test deployment
The only thing that remained was performing a deployment test, which of course I did, and the results were very satisfying 🙂
figure 1.4: trace64.exe – bdd.log
figure 1.5: computer object properties – active directory
figure 1.6: computer object properties – bitlocker-recover
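Checking the BDD.log by hand works for one tablet; for repeated test deployments a small parser is handier. This is an added example, not code from the original post or from MDT: it reads the CMTrace line format that BDD.log uses and pulls out errors written by the BitLocker script (component name ZTIBde, which MDT's BitLocker script uses). The log lines are constructed; the FAILURE text mirrors the one quoted in the comments below, and 0x80070005 is the standard Windows E_ACCESSDENIED code.

```python
import re
from typing import Dict, List, Optional

# One CMTrace entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
LINE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"'
)

# Constructed sample; CMTrace severity type 1 = info, 2 = warning, 3 = error.
SAMPLE_LOG = """\
<![LOG[Property BDEInstall is now = TPMKey]LOG]!><time="10:15:01.000+000" date="03-12-2014" component="ZTIGather" context="" type="1" thread="" file="ZTIGather">
<![LOG[Successfully established connection using supplied credentials.]LOG]!><time="10:22:40.000+000" date="03-12-2014" component="ZTIBde" context="" type="1" thread="" file="ZTIBde">
<![LOG[FAILURE ( 6714 ): -2147024891 0x80070005: Save External Key to File]LOG]!><time="10:22:41.000+000" date="03-12-2014" component="ZTIBde" context="" type="3" thread="" file="ZTIBde">
"""

# Well-known HRESULT worth recognising in the BitLocker step
HRESULT_NAMES = {0x80070005: "E_ACCESSDENIED (access denied, e.g. no write access to BDEKeyLocation)"}


def parse(log_text: str) -> List[Dict[str, str]]:
    """Split a BDD.log into dicts with msg/time/date/component/type; skip non-matching lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def bitlocker_failures(log_text: str) -> List[str]:
    """Error messages (type 3) written by MDT's BitLocker script, ZTIBde."""
    return [e["msg"] for e in parse(log_text)
            if e["component"] == "ZTIBde" and e["type"] == "3"]


def hresult(msg: str) -> Optional[int]:
    """Extract the 0x........ code from an MDT FAILURE line, if present."""
    m = re.search(r"\b0x([0-9A-Fa-f]{8})\b", msg)
    return int(m.group(1), 16) if m else None


def explain(msg: str) -> str:
    """Append the HRESULT name, when known, to a failure message."""
    code = hresult(msg)
    if code is None:
        return msg
    return f"{msg} -> {HRESULT_NAMES.get(code, 'unrecognised HRESULT')}"


if __name__ == "__main__":
    for failure in bitlocker_failures(SAMPLE_LOG):
        print(explain(failure))
```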
Useful links
These links helped me on my way achieving this:
- How to backup recovery information in AD after BitLocker is turned ON in Windows 7
- Requirements to save Bitlocker Recovery Key to AD using MDT
- Backing Up BitLocker and TPM Recovery Information to AD DS
- BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
- Prepare your organization for BitLocker: Planning and Policies
- BitLocker Drive Encryption Overview
- Active Directory and BitLocker – Part 1: Introduction
- Active Directory and BitLocker – Part 2: Schema update, ACE settings, Password Recovery Viewer
- Q: Does BitLocker Drive Encryption support a recovery method that calls on Active Directory for storing the recovery information?
- Enable BitLocker, Automatically save Keys to Active Directory
- Backing up your BitLocker keys to Active Directory
- Storing Bitlocker Key to AD using MDT
Find attached the resultant set of policy that has been configured in Group Policy Manager, a copy of the BDD.log of a successful deployment, the screenshots used in this blog, and a copy of my customsettings.ini rules that I have used.
If there are any questions or improvements you’d like to share, please feel free to contribute in the comment section!
Thanks for reading this blog! 😀
PS: forgive me for the Dutch computer object property screenshots; this is just for the moment until I can retrieve some English-looking panes.
Thanks for this Rens. I’m interested to know how you settled on this combination of PCR settings, which to disable and which to enable.
In our early testing, we’ve found that minor changes to laptops (e.g in a docking station or not) will prompt a recovery key request. The solution seems to be in the PCR settings, but it’s hard to find a practical explanation of each settings to tweak them for zero irritation and acceptable security. Did you find a particularly good guide? (I’ve clicked through most of your links on this page at this point!)
Rens – thank you for the time you put in to making your blog. I have found all of the information useful. I’m running into an issue following this guide and was wondering if you could take a look and let me know what you think. I’ve posted it in TechNet:
https://social.technet.microsoft.com/Forums/en-US/73c5e0fe-2448-43a8-a24a-f5d9e863b2a2/mdt-2013-storing-bitlocker-recovery-keys-in-ad-for-win7enterprise-deployment?forum=mdt
I was wondering what you base the S: drive on?
In all online references I’ve never seen this block of code mentioned for CustomSettings.ini. What makes you use it? Apart from “it’s working for me(tm)”.
Hi Tom,
I’ve based the letter S for the BitLocker drive on the default setting which is available in the MDT documentation, which can also be found here: http://systemscenter.ru/mdt2012.en/bdedriveletter.htm
Nothing more, nothing less.
Open the MDT console, go to help and check the property reference, to find the same letter.
And since it’s working for me xD 😛
Cheers! Rens
Alright 🙂
I gave it a try, and ended up with a system that can’t boot at all anymore.
Need to go right now, and already closed the laptop I was testing with.
Somehow that S: drive is messing things up here.
In general, Bitlocker/MDT and Bitlocker/AD drives me crazy.
Just can’t seem to get it working, and I know I must be very close.
But it’s a show stopper right now…
Please post the BitLocker properties you have configured in your customsettings.ini and a copy of your bdd.log.
```ini
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=True
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
SkipBitLocker=YES
```
Posting bdd.log is tricky as it’s 1.9MByte large…
I could mail it if you want?
Hi, thank you for this post.
Before I commence, do you think this post is relevant for me? I’m currently configuring MDT to upgrade Windows 7 to 10 and I was looking at automating BitLocker using the Enable BitLocker section.
Hi Rens
I’m trying to get my deployment to automatically turn on Bitlocker but I previously had the setting skip Bitlocker=NO in custom settings.ini but even after manually setting in the deployment you still need to click turn on bitlocker post deployment.
I’ve tried the settings outlined in this post. As well as configuring the task sequence with my preferred settings
Current OS Drive / TPM Only / Store in AD / Wait for bit locker to complete.
```ini
[Settings]
Priority=Default
Properties=MyCustomProperty
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
[Default]
SkipBitLocker=YES
```
Any advice would be appreciated.
Thanks
SkipBitlocker YES or NO means the BitLocker page in the WinPE deployment wizard is skipped, yes or no. (You know, the same wizard that asks you for your computer name, regional settings etc.)
Not sure.
The settings I’ve always used are:
```ini
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
```
You should check logging, and check which Windows version you are using. For example storing keys in AD will only work with Enterprise SKU instead of Windows Professional.
Hey Rens,
I’m really impressed with the article, so thank you for that. I’ve followed it and it works a treat, except for one issue – I’m being asked by a laptop to provide the USB key which has the bitlocker recovery key on. It’s an HP Elitebook 820 that I know has a TPM chip…
This issue is despite group policy and the MDT task sequence stating “TPM Only”, as per figure 1.3. I suspect my AD config is good, since I can see the key is being successfully stored in AD and the BDE key location does contain the text file.
```ini
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=\\tdc.local\netlogon\bitlocker
```
Any ideas?
Thanks once again 🙂
Jamie
Hi Jamie,
Tough one to answer. The article itself is pretty old, and I’m a bit out of the technical stuff at the moment. If it works flawlessly for other models, then I think the Elitebook 820 is the anomaly here, although that seems like a very recent laptop model to me. What happens when you configure BitLocker through TPM manually on the machine, or what happens when you do this without the presence of the USB stick?
Regards
Hi Rens,
great blog post.
I’m getting the following error when trying to use BitLocker during the task sequence, and no help from The Internet yet 😮
```
Successfully established connection using supplied credentials.
Successfully established connection using supplied credentials.
FAILURE ( 6714 ): -2147024891 0x80070005: Save External Key to File
```
AD is prepped OK, the GPOs are in place and I’ve tried both to set the BDEKeyLocation to c:\windows as well as a network share.
If I try to manually activate BitLocker after the deployment, it works flawlessly – and the recovery key is stored in AD as well.
Any ideas? Thanks!
Hi Kim,
Unfortunately I’m out of this material completely. Perhaps you could try a different path, as it seems the process cannot save the external key to file. C:\Windows seems like an odd location to me. Also with the network share you need to provide network credentials that have access to the share. Could you try to create a directory in C upfront and place the key there? Like C:\BDEkey\BDE.txt
Kind regards
Hi – have you got a revised version for Windows 10?
Thanks – p.s. nice work! 🙂
Hi, this tutorial would fit Windows 10 mainly the same. TPM is unchanged, enabling BitLocker with PowerShell commands is mainly unchanged and storing keys in Active Directory is the same. Have you tried it yet and found that it was not working on Windows 10?
Shouldn’t it be SkipBitlocker=No instead of BDEInstallSuppress=NO?
No, SkipBitlocker=NO means you will get to see the BitLocker wizard page in the first moments of the MDT deployment. BDEInstallSuppress means it will not suppress the installation of BitLocker, so it will actually install BitLocker! See http://systemscenter.ru/mdt2012.en/bdeinstallsuppress.htm
Hi,
I have the same problem as Jimmy.
I want BitLocker to be enabled automatically, without asking for a password.
But nothing works.
It always asks me for the recovery key.
I want BitLocker to automatically unlock my drive at PC boot.
What to do?
Hi,
I have the same problem as Jamie Donaldson.
Can you help me?
I wish that BitLocker automatically unlocked my drive,
because it asks me for a long key.
Here is an example of my customsettings file:
```ini
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPM
; OSDBitLockerCreateRecoveryPassword=AD
BDERecoveryKey=AD
BDEKeyLocation=\\WDS\logs\bdekey
```