MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013

In a previous post I explained how we could deploy the HP Elitepad 900 with the Microsoft Deployment Toolkit.

For that same project, which I recently worked on, it was a requirement that this tablet be deployed unattended, securely and reproducibly.

I defined the following actions that needed to be done:

  1. Extending the AD Schema
  2. Update policy templates (since we were running Server 2008 R2)
  3. Configure ‘Bitlocker’ Group Policy Settings
  4. Configure CustomSettings.ini
  5. Configure Task Sequence
  6. Configure Unattended.xml
  7. Use a domain account
  8. Perform a test deployment

1. Extending the AD Schema

There is a lot of information on the internet about how to achieve this. The information I found most useful came from Microsoft’s own blog sites, and it got the configuration working the first time.

The blogs that helped me achieve this:

From the link below, a complete documentation guide and four VBS scripts help you prepare the Active Directory domain environment for storing Bitlocker information in Active Directory.

Requirements

The basic requirements for having Bitlocker write information into Active Directory can be derived from the document “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.doc”, which can be downloaded from the link I have provided.

2. Update policy templates

Updating the policy templates ensures that the Group Policy Manager has the latest available policy templates. When running a Server 2012 R2 domain controller, these templates are already available, but if you’re running an earlier version of Windows Server (from 2003 SP2 up to 2008 R2), it is recommended that the policy templates are updated.

This can be done by:

  1. Downloading the Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2
  2. Updating the current templates with the new templates

Step 2 is actually quite easy: type in your FQDN followed by “\SYSVOL\Policies”, which brings you to the folder where the policy templates are located. Before you change anything, create a backup of the current policy files; it comes in handy if you need to roll back or something goes wrong.

Just paste the new templates into the Policies folder, and the new Server 2012 R2 and Windows 8.1 policies are available in the Group Policy Manager straight away.
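The backup-then-copy procedure above, as an added PowerShell example (not code from the original post). It assumes the ActiveDirectory RSAT module is installed, that the downloaded templates were extracted to C:\Temp\PolicyDefinitions, and that the templates live in the conventional Group Policy Central Store path \\<domain FQDN>\SYSVOL\<domain FQDN>\Policies\PolicyDefinitions; adjust both paths to your environment.

```powershell
# Added example: back up the Group Policy Central Store, then copy the Windows 8.1 /
# Server 2012 R2 ADMX templates over it and sanity-check the result.
# Assumptions: ActiveDirectory module present; templates extracted to $templateSource.
$domainFqdn     = (Get-ADDomain).DNSRoot
$centralStore   = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\PolicyDefinitions"   # conventional Central Store path
$templateSource = 'C:\Temp\PolicyDefinitions'                                   # assumed extraction folder
$backupRoot     = "C:\Temp\PolicyDefinitions-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"

if (-not (Test-Path $centralStore)) {
    # No Central Store yet: create it so Group Policy Manager reads templates from SYSVOL
    New-Item -ItemType Directory -Path $centralStore | Out-Null
} else {
    # Back up what is there before overwriting anything; a rollback is then a single copy back
    Copy-Item -Path $centralStore -Destination $backupRoot -Recurse
    "Backup written to $backupRoot"
}

# Copy the .admx files and every language folder (.adml) on top of the existing templates
Copy-Item -Path (Join-Path $templateSource '*') -Destination $centralStore -Recurse -Force

# Sanity check: count the templates and confirm the BitLocker policy file is present
$admx = Get-ChildItem -Path $centralStore -Filter *.admx
"{0} .admx files now in the Central Store" -f $admx.Count
if (-not (Test-Path (Join-Path $centralStore 'VolumeEncryption.admx'))) {
    Write-Warning 'VolumeEncryption.admx (the BitLocker policies) was not found; check the source folder'
}
```

Run it from a machine with RSAT as a user allowed to write to SYSVOL. The check for VolumeEncryption.admx is there because that is the template that carries the Bitlocker settings configured in the next section.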

3. Configure ‘Bitlocker’ Group Policy Setting

Configuring the required group policy settings for Bitlocker ensures that all the necessary information about the computer being deployed is stored on its computer object in Active Directory. In the zip file at the bottom of this page you will find the desired GPO configuration in HTML, needed to store the information in Active Directory. These policies are also explained perfectly in the referenced document above, and in the ‘useful links’ section at the bottom of this page. To get you started, I have provided a screenshot of those policies right here:

figure 1.1: Bitlocker GPO Configuration


4. Configure CustomSettings.ini

Configuring the CustomSettings.ini. There is enough information in the MDT documentation itself on how to configure the Bitlocker properties: which properties you can set and which values they accept. After some investigation, I came up with the following configuration:

figure 1.2: DeploymentShare properties, Rules (customsettings.ini)


codeblock 1.1: customsettings.ini rules

As you can see, I have set my priority to Model first and Default second.

So all rules under the HP Elitepad 900 section override the Default section, and apply only to this model.

For clarity I usually comment my customsettings.ini, since the people who will work with it may want to understand why a certain setting is set.

BDEInstallSuppress=NO
BDEWaitForEncryption=FALSE
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
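The precedence rule just described (Model first, Default second, so a model section wins over [Default]) is easy to get wrong, so here is an added PowerShell example, not code from the original post or from MDT, that resolves the effective properties from a CustomSettings.ini the way MDT does: sections are read in Priority order and the first section that sets a property wins. The ini text is constructed for this example; the model section name must match the device’s WMI Model string exactly, which is assumed here to be “HP Elitepad 900”, and the [Default] section shown (suppressing Bitlocker for other models) is an assumption for illustration.

```powershell
# Added example: resolve effective MDT properties from CustomSettings.ini using
# first-match-wins precedence over the sections listed under Priority.
# The ini below is constructed for this example, not the post's own file.
$customSettings = @'
[Settings]
Priority=Model, Default
Properties=MyCustomProperty

[HP Elitepad 900]
; Tablet: run the Enable BitLocker step
BDEInstallSuppress=NO
; Let the task sequence continue while encryption runs in the background
BDEWaitForEncryption=FALSE
BDEDriveLetter=S:
BDEDriveSize=2000
; TPM plus startup key, recovery password escrowed to Active Directory
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey

[Default]
; Every other model (assumed): BitLocker step suppressed, wizard page skipped
BDEInstallSuppress=YES
SkipBitLocker=YES
'@

function ConvertFrom-IniText {
    param([string]$Text)
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank lines and comments
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = [ordered]@{}
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Resolve-MdtProperties {
    param([string]$IniText, [string]$Model)
    $ini = ConvertFrom-IniText -Text $IniText
    $effective = [ordered]@{}
    # Priority lists section names; 'Model' is indirect and selects the section named
    # after the device model, which is why the section header must match the WMI value.
    foreach ($entry in ($ini['Settings']['Priority'] -split ',')) {
        $name = $entry.Trim()
        $sectionName = if ($name -eq 'Model') { $Model } else { $name }
        if (-not $ini.Contains($sectionName)) { continue }
        foreach ($key in $ini[$sectionName].Keys) {
            # first section in Priority order wins; later sections never override
            if (-not $effective.Contains($key)) { $effective[$key] = $ini[$sectionName][$key] }
        }
    }
    return $effective
}

# The tablet: its model section is found first, so its BDE rules apply
Resolve-MdtProperties -IniText $customSettings -Model 'HP Elitepad 900' | Format-Table -AutoSize
# Any other model: no matching section, so only [Default] applies and BitLocker is suppressed
Resolve-MdtProperties -IniText $customSettings -Model 'Some Other Model' | Format-Table -AutoSize
```

Note that properties placed directly under [Settings] are not part of any section in the Priority list, so the resolver (like MDT) ignores them; the BDE rules have to sit in a section that Priority actually names.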

5. Configure Task Sequence

When the CustomSettings.ini is configured, the next step is to adjust the Bitlocker part of the task sequence:

figure 1.3: Task Sequence properties, configuring bitlocker


In the ‘State Restore’ section, click the “Enable Bitlocker” step and check the following:

  • Current Operating System Drive
  • TPM Only
  • Choose where to create the recovery key
  • In Active directory

Alternatively you may check “Wait for bitlocker to complete the drive encryption process on all drives before continuing the task sequence execution”.

This means that the task sequence waits until the entire drive is encrypted, then reboots and continues with the task sequence.

6. Configuring Unattended.xml

Configuring the Unattended.xml has little to nothing to do with configuring Bitlocker; however, to achieve a fully unattended installation, it is recommended that you extend the Windows 8.1 Unattended.xml in the TaskSequenceID folder with the following additions:

codeblock 1.2: Windows 8.1 unattended.xml additions to suppress Windows 8.1 setup wizard

The following strings make sure the Windows 8.1 setup will not interfere with the process.

7. Use a domain account

Since we are configuring deployments to work with Bitlocker and storing the recovery password in Active Directory, we need at least some form of authentication. My experience is that the domain join account used to join the machine to the domain has enough privileges to, first, create the computer object in Active Directory and, second, write the Bitlocker recovery key and TPM owner information to that same computer object.

A domain account does not need all kinds of fancy privileges, and it certainly does not need to be a Domain Admin. To see which privileges are required, please visit the following two blogs, which explain it perfectly:

8. Perform a test deployment

The only thing that remained was performing a test deployment, which of course I did, and the results were very satisfying 🙂

figure 1.4: trace64.exe – bdd.log


figure 1.5: computer object properties – active directory


figure 1.6: computer object properties – bitlocker-recover

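Looking at the computer object in the AD console, as in figures 1.5 and 1.6, is fine for one tablet; for a batch of test deployments the same check can be scripted. The following is an added PowerShell example, not from the original post, that confirms the recovery password object and the TPM owner information reached Active Directory for a given computer. It assumes the ActiveDirectory RSAT module, read access to the computer object and its msFVE-RecoveryInformation child objects, a 2008 R2-style schema where TPM owner information is stored in the msTPM-OwnerInformation attribute, and a placeholder computer name.

```powershell
# Added example: verify that a deployed computer's BitLocker recovery information and
# TPM owner information were written to Active Directory. The recovery password itself
# (msFVE-RecoveryPassword) is deliberately not retrieved; only its GUID and timestamp are.
Import-Module ActiveDirectory

function Test-BitLockerAdBackup {
    param([Parameter(Mandatory)][string]$ComputerName)

    # msTPM-OwnerInformation is the attribute used by the 2008 R2 schema; on a 2012+ schema
    # the TPM data moves to a separate object linked via msTPM-TpmInformationForComputer.
    $computer = Get-ADComputer -Identity $ComputerName -Properties msTPM-OwnerInformation

    # Each recovery password is a child object of the computer, created when the drive was protected
    $recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

    [pscustomobject]@{
        ComputerName      = $computer.Name
        TpmOwnerInfoInAD  = [bool]$computer.'msTPM-OwnerInformation'
        RecoveryPasswords = @($recovery).Count
        # The GUID is what a helpdesk matches against the ID on the recovery screen
        RecoveryGuids     = @($recovery | ForEach-Object { ([guid]$_.'msFVE-RecoveryGuid').Guid })
        NewestBackup      = ($recovery | Sort-Object whenCreated | Select-Object -Last 1).whenCreated
    }
}

$result = Test-BitLockerAdBackup -ComputerName 'TABLET-01'   # placeholder computer name
$result | Format-List
if ($result.RecoveryPasswords -eq 0) {
    Write-Warning 'No recovery password in AD: check the GPO and the BDERecoveryKey=AD rule before rolling out further'
}
```

A machine that shows a recovery password in AD but no TPM owner information, or the other way round, points at one of the two GPO settings from figure 1.1 rather than at the task sequence, which narrows down where to look in bdd.log.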

Useful links

These links helped me on my way achieving this:

Find attached the resultant set of policy configured in Group Policy Manager, a copy of the BDD.log from a successful deployment, the screenshots used in this blog, and a copy of the customsettings.ini rules I used.

BlogContents.zip

If there are any questions or improvements you’d like to share, please feel free to contribute in the comment section!

Thanks for reading this blog! 😀

P.S. Forgive me for the Dutch computer object property screenshots; this is just for the moment, until I can retrieve some English-looking panes.

14 thoughts on “MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013”

  1. Eoin Ryan

    Thanks for this Rens. I’m interested to know how you settled on this combination of PCR settings, which to disable and which to enable.
    In our early testing, we’ve found that minor changes to laptops (e.g. in a docking station or not) will prompt a recovery key request. The solution seems to be in the PCR settings, but it’s hard to find a practical explanation of each setting to tweak them for zero irritation and acceptable security. Did you find a particularly good guide? (I’ve clicked through most of your links on this page at this point!)

  2. Tom Weustink

    I was wondering where you base the S: drive on?

    In all online references I’ve never seen this block of code mentioned for CustomSettings.ini. What makes you use it? Apart from “it’s working for me(tm)”.

    1. Rens Hollanders

      Hi Tom,

      I’ve based the letter S from the bitlocker drive, on the default setting which is available in the MDT documentation. Which can also be found here: http://systemscenter.ru/mdt2012.en/bdedriveletter.htm
      Nothing more, nothing less.

      Open the MDT console, go to help and check the property reference, to find the same letter.

      And since it’s working for me xD 😛

      Cheers! Rens

      1. Tom Weustink

        Alright 🙂

        I gave it a try, and ended up with a system that can’t boot at all anymore.
        Need to go right now, and already closed the laptop I was testing with.
        Somehow that S: drive is messing things up here.

        In general, Bitlocker/MDT and Bitlocker/AD drives me crazy.
        Just can’t seem to get it working, and I know I must be very close.
        But it’s a show stopper right now…

        1. Rens Hollanders

          Please post the bitlocker properties you have configured in your customsettings.ini and a copy of your bdd.log

          1. Tom Weustink

            ; Bitlocker Configuration
            BDEInstallSuppress=NO
            BDEWaitForEncryption=True
            BDEDriveLetter=S:
            BDEDriveSize=2000
            BDEInstall=TPMKey
            BDERecoveryKey=AD
            BDEKeyLocation=C:\Windows\BDEKey
            SkipBitLocker=YES

            Posting bdd.log is tricky as it’s 1.9MByte large…
            I could mail it if you want?

  3. Dan

    Hi thank you for this post

    Before I commence, do you think this post is relevant for me? I’m currently configuring MDT to upgrade Windows 7 to 10 and I was looking at automating BitLocker using the Enable BitLocker section

  4. Craig Brady

    Hi Rens

    I’m trying to get my deployment to automatically turn on Bitlocker but I previously had the setting skip Bitlocker=NO in custom settings.ini but even after manually setting in the deployment you still need to click turn on bitlocker post deployment.

    I’ve tried the settings outlined in this post. As well as configuring the task sequence with my preferred settings

    Current OS Drive / TPM Only / Store in AD / Wait for bit locker to complete.

    [Settings]
    Priority=Default
    Properties=MyCustomProperty

    ; Bitlocker Configuration
    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDEInstall=TPMKey
    BDERecoveryKey=AD
    BDEKeyLocation=C:\Windows\BDEKey

    [Default]

    SkipBitLocker=YES

    Any advice would be appreciated.
    Thanks

    1. Rens Hollanders Post author

      SkipBitlocker YES or NO means the page in WinPE during the wizard setup is skipped, yes or no. (You know, the same page where it asks you for your computer name, regional settings etc.)
      Not sure.

      The settings I’ve always used are:
      BDEInstallSuppress=NO
      BDEWaitForEncryption=False
      BDEDriveLetter=S:
      BDEDriveSize=2000
      BDEInstall=TPMKey
      BDERecoveryKey=AD
      BDEKeyLocation=C:\Windows\BDEKey

      You should check logging, and check which Windows version you are using. For example storing keys in AD will only work with Enterprise SKU instead of Windows Professional.

  5. Jamie Donaldson

    Hey Rens,

    I’m really impressed with the article, so thank you for that. I’ve followed it and it works a treat, except for one issue – I’m being asked by a laptop to provide the USB key which has the bitlocker recovery key on. It’s an HP Elitebook 820 that I know has a TPM chip…

    This issue is despite group policy and the MDT task sequence stating “TPM Only”, as per figure 1.3. I suspect my AD config is good, since I can see the key is being successfully stored in AD and the BDE key location does contain the text file.

    BDEInstallSuppress=NO
    BDEWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDEInstall=TPMKey
    BDERecoveryKey=AD
    BDEKeyLocation=\\tdc.local\netlogon\bitlocker

    Any ideas?

    Thanks once again 🙂

    Jamie

    1. Rens Hollanders Post author

      Hi Jamie,

      Tough one to answer. The article itself is pretty old, I’m a bit of the technical stuff at the moment. If it works flawlessly for other models, then I think the Elitebook 820 is the anomaly here. Although that seems like a very recent laptop model to me. What happens when you configure Bitlocker through TPM manually on the machine, or what happens when you do this without the presence of the USB stick?

      Regards

  6. Kim-André Knive

    Hi Rens,
    great blog post.

    I’m getting the following error when trying to use BitLocker during the task sequence, and no help from The Internet yet 😮

    Successfully established connection using supplied credentials.
    Successfully established connection using supplied credentials.
    FAILURE ( 6714 ): -2147024891 0x80070005: Save External Key to File

    AD is prepped OK, the GPOs are in place and I’ve tried both to set the BDEKeyLocation to c:\windows as well as a network share.

    If I try to manually activate BitLocker after the deployment, it works flawlessly – and the recovery key is stored in AD as well.

    any ideas? Thanks!

    1. Rens Hollanders Post author

      Hi Kim,

      Unfortunately I’m out of this material completely. Perhaps you could try a different path, as it seems the process cannot save the external key to file. C:\Windows seems like an odd location to me. Also with the network share you need to provide network credentials that have access to the share. Could you try to create a directory in C upfront and place the key there? Like C:\BDEkey\BDE.txt

      Kind regards

