In a previous post I explained how we could deploy the HP Elitepad 900 with the Microsoft Deployment Toolkit.
For that same project, which I recently worked on, it was a requirement that this tablet be deployed unattended, securely and reproducibly.
I defined the following actions that needed to be done:
- Extending the AD Schema
- Update policy templates (since we were running Server 2008 R2)
- Configure ‘Bitlocker’ Group Policy Settings
- Configure CustomSettings.ini
- Configure Task Sequence
- Configure Unattended.xml
- Use a domain account
- Perform a test deployment
1. Extending the AD Schema
On the internet there was a lot of information to be found on how to achieve this. The information I found most useful came from Microsoft’s own blog sites and helped me get this configured right the first time.
The blogs that helped me achieve this:
- Backing Up BitLocker and TPM Recovery Information to AD DS
- BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
- How to backup recovery information in AD after BitLocker is turned ON in Windows 7
From the link below, a complete documentation guide and four VBS scripts help you prepare the Active Directory domain environment for storing BitLocker information in Active Directory.
Requirements
The basic requirements for having BitLocker write its information into Active Directory can be derived from the document “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.doc”, which can be downloaded from the link I have provided.
2. Update policy templates
Updating the policy templates makes sure that the Group Policy Manager has the latest available policy templates. When running a Server 2012 R2 domain controller, these templates are already available, but if you’re running an earlier version of Windows Server (from 2003 SP2 up to 2008 R2), it is recommended that the policy templates are updated.
This can be done by:
- Downloading the Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2
- Updating the current templates with the new templates
Step 2 is actually quite easy: type in your FQDN followed by “\SYSVOL\Policies”, which brings you to the folder where the policy templates are located. Before you do anything, create a back-up of the current policy files; it comes in handy if you want to roll back or something goes wrong.
Just paste the new templates into the Policies folder, and the new Server 2012 R2 and Windows 8.1 policies are available in the Group Policy Manager straight away.
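The two steps above (back up first, then copy the new templates), scripted so they are repeatable. This is an added example and not a script from the original post. It assumes the downloaded ADMX package was already extracted to a local folder (the C:\Temp path is an assumption) and that the domain FQDN can be taken from the current session. ADMX files live in the PolicyDefinitions subfolder of the Policies share, which is the Group Policy Central Store; the path is spelled out here in full.

```powershell
# Added example: back up the Group Policy Central Store, then copy in the
# Windows 8.1 / Server 2012 R2 ADMX and ADML templates.
$Domain       = $env:USERDNSDOMAIN                            # domain FQDN of the logged-on user
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$NewTemplates = 'C:\Temp\PolicyDefinitions'                   # ASSUMPTION: extracted ADMX package
$Backup       = "C:\Backup\PolicyDefinitions-$(Get-Date -Format yyyyMMdd-HHmmss)"

# 1. Back up the current templates so a rollback stays possible.
if (Test-Path $CentralStore) {
    robocopy $CentralStore $Backup /E /NFL /NDL | Out-Null
    # robocopy exit codes 8 and higher mean at least one file failed to copy
    if ($LASTEXITCODE -ge 8) { throw "Backup failed, robocopy exit code $LASTEXITCODE" }
    "Backup written to $Backup"
}

# 2. Copy the new templates in place; existing files are overwritten by the newer versions.
robocopy $NewTemplates $CentralStore /E /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Template copy failed, robocopy exit code $LASTEXITCODE" }

# 3. Sanity check: the BitLocker and TPM templates must be present with their language files.
$expected = @(
    Join-Path $CentralStore 'VolumeEncryption.admx'
    Join-Path $CentralStore 'en-US\VolumeEncryption.adml'
    Join-Path $CentralStore 'TPM.admx'
    Join-Path $CentralStore 'en-US\TPM.adml'
)
foreach ($f in $expected) {
    if (Test-Path $f) { "OK      $f" } else { "MISSING $f" }
}
```

Run it from a machine with write access to SYSVOL; the new BitLocker settings appear under Computer Configuration as soon as the Group Policy Management Editor is reopened.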
3. Configure ‘Bitlocker’ Group Policy Setting
Configuring the required Group Policy settings for BitLocker makes sure all the necessary information about the computer object being deployed is stored in Active Directory. In the zip file at the bottom of this page you will find the desired GPO configuration in HTML, needed to store the information in Active Directory. These policies are also perfectly explained in the referenced document above and in the ‘useful links’ section at the bottom of this page. To get you started, here is a screenshot of those policies:
figure 1.1: Bitlocker GPO Configuration
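Before trusting an unattended deployment, it is worth checking on a deployed client that the policies from figure 1.1 actually applied. The script below is an added example, not part of the original post; it reads the registry values that the BitLocker (FVE) and TPM policy templates write and compares them with the values expected for a configuration that stores recovery information in AD DS and refuses to enable BitLocker until that backup succeeded. The expected value 1 for OSActiveDirectoryInfoToStore assumes the “recovery passwords and key packages” choice; use 2 if your policy stores recovery passwords only.

```powershell
# Added example: verify that the BitLocker / TPM AD DS backup policies applied on this client.
$Expected = @(
    # Operating System Drives > "Choose how BitLocker-protected operating system drives can be recovered"
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'OSActiveDirectoryBackup';        Value = 1 }
    # "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'OSRequireActiveDirectoryBackup'; Value = 1 }
    # 1 = recovery passwords and key packages, 2 = recovery passwords only (ASSUMPTION: 1 is used here)
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'OSActiveDirectoryInfoToStore';   Value = 1 }
    # Trusted Platform Module Services > "Turn on TPM backup to Active Directory Domain Services"
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'; Name = 'ActiveDirectoryBackup';          Value = 1 }
)

function Test-BitLockerAdBackupPolicy {
    param([array]$Rules = $Expected)
    foreach ($r in $Rules) {
        # Returns $null when the key or value is missing, i.e. the policy never reached this machine
        $actual = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        [pscustomobject]@{
            Setting  = "$($r.Key)\$($r.Name)"
            Expected = $r.Value
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = ($actual -eq $r.Value)
        }
    }
}

$report = @(Test-BitLockerAdBackupPolicy)
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'Policy not fully applied; recovery information will not be escrowed in AD DS until this is fixed (try gpupdate /force, then gpresult /h report.html).'
    exit 1
}
```

A non-zero exit code makes the check usable as a gate in a task sequence or a compliance script, so a tablet never ends up encrypted with its only recovery password on the device itself.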
4. Configure CustomSettings.ini
Configuring the CustomSettings.ini: basically there is enough information in the documentation of MDT itself on how to configure the properties for BitLocker, which properties you can configure and what their values are. However, I did some investigation of my own and came up with the following configuration:
figure 1.2: DeploymentShare properties, Rules (customsettings.ini)
codeblock 1.1: customsettings.ini rules
[Settings]
Priority=Model, Default
Properties=MyCustomProperty

[HP Elitepad 900]
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
As you can see I have set my priority on Model 1st and Default 2nd.
So all rules stated under [HP Elitepad 900] overrule the Default section, and apply only to this model.
For clarification I often comment my customsettings.ini, since the people who are going to work with it may want to understand why a certain setting is set.
; NO = run the BitLocker steps of the task sequence (YES would skip them entirely)
BDEInstallSuppress=NO
; FALSE = continue the task sequence while the drive encrypts in the background
BDEWaitForEncryption=FALSE
; Drive letter assigned to the unencrypted system partition BitLocker boots from
BDEDriveLetter=S:
; Size of that system partition in megabytes
BDEDriveSize=2000
; Protector type: TPM plus a startup key (TPM = TPM only, TPMPassword = TPM plus PIN, Key = startup key only)
BDEInstall=TPMKey
; AD = store the recovery information on the computer object in Active Directory
BDERecoveryKey=AD
; Location where MDT stores the startup key / recovery key files
BDEKeyLocation=C:\Windows\BDEKey
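To show how the Priority line decides which section wins, here is a small resolver, added as an example and not taken from the post or from MDT itself. It parses a constructed copy of the rules above (the [Default] section with BDEInstallSuppress=YES and BDEInstall=TPM is made up for the demonstration, since the post does not show one) and walks the sections in Priority order: the first section that defines a property wins, so [HP Elitepad 900] beats [Default] for that model only, while any other model falls back to [Default]. This mimics the precedence the MDT gather step applies; it is not MDT’s own parser.

```powershell
# Added example: resolve CustomSettings.ini properties the way "Priority=Model, Default" implies.
$IniText = @'
[Settings]
Priority=Model, Default
Properties=MyCustomProperty

[Default]
; constructed values, only to show the fallback
BDEInstallSuppress=YES
BDEInstall=TPM

[HP Elitepad 900]
; Bitlocker Configuration
BDEInstallSuppress=NO
BDEWaitForEncryption=False
BDEDriveLetter=S:
BDEDriveSize=2000
BDEInstall=TPMKey
BDERecoveryKey=AD
BDEKeyLocation=C:\Windows\BDEKey
'@

function ConvertFrom-Ini([string]$Text) {
    # Minimal INI parser: sections become ordered dictionaries of key/value strings.
    $ini = [ordered]@{}
    $section = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }         # blank line or comment
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
            continue
        }
        if ($null -eq $section -or $line -notmatch '=') { continue }   # ignore stray lines
        $key, $value = $line -split '=', 2
        $ini[$section][$key.Trim()] = $value.Trim()
    }
    return $ini
}

function Resolve-MdtRules([System.Collections.IDictionary]$Ini, [System.Collections.IDictionary]$Machine) {
    # $Machine holds the gathered facts (here only Model). A Priority entry is either the name of a
    # gathered variable whose value selects the section, or a literal section name such as Default.
    $resolved = [ordered]@{}
    foreach ($entry in ($Ini['Settings']['Priority'] -split ',\s*')) {
        $sectionName = if ($Machine.Contains($entry)) { $Machine[$entry] } else { $entry }
        if (-not $Ini.Contains($sectionName)) { continue }             # e.g. no section for this model
        foreach ($kv in $Ini[$sectionName].GetEnumerator()) {
            if (-not $resolved.Contains($kv.Key)) {                    # first section to set it wins
                $resolved[$kv.Key] = "$($kv.Value)   (from [$sectionName])"
            }
        }
    }
    return $resolved
}

$ini = ConvertFrom-Ini $IniText
# Constructed machine facts: the tablet, and another model that should fall back to [Default].
"--- HP Elitepad 900 ---"
Resolve-MdtRules $ini @{ Model = 'HP Elitepad 900' } | Format-Table -AutoSize
"--- Some other model ---"
Resolve-MdtRules $ini @{ Model = 'Some Other Model' } | Format-Table -AutoSize
```

For the tablet every BDE property comes from its own section, including BDEInstallSuppress=NO; for the other model only the two constructed [Default] values appear, which is exactly the behaviour that keeps the BitLocker rules scoped to this hardware.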
5. Configure Task Sequence
When the CustomSettings.ini is configured, the next thing we need to do is make some adjustments in the task sequence on the Bitlocker part:
figure 1.3: Task Sequence properties, configuring bitlocker
In the ‘State Restore’ section, click on the “Enable Bitlocker” step, and check the following:
- Current Operating System Drive
- TPM Only
- Choose where to create the recovery key
- In Active directory
Alternatively you may check: “Wait for BitLocker to complete the drive encryption process on all drives before continuing the task sequence execution”
This means, that the Task Sequence will wait until the entire drive is encrypted, then perform a reboot, and continue with the task sequence.
6. Configuring Unattended.xml
Configuring the Unattended.xml has little to nothing to do with configuring BitLocker; however, to achieve a fully unattended installation, it is recommended that you extend your Windows 8.1 Unattended.xml in the TaskSequenceID folder with the following additions:
codeblock 1.2: Windows 8.1 unattended.xml additions to suppress Windows 8.1 setup wizard
<OOBE>
    <HideEULAPage>true</HideEULAPage>
    <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
    <NetworkLocation>Work</NetworkLocation>
    <ProtectYourPC>1</ProtectYourPC>
    <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
    <HideLocalAccountScreen>true</HideLocalAccountScreen>
</OOBE>
These settings make sure the Windows 8.1 setup wizard will not interfere with the process.
7. Use a domain account
Since we are configuring deployments to work with BitLocker and storing the recovery password in Active Directory, we at least need some form of authentication. In my experience, the domain join account that is used to join the machine to the domain has enough privileges to, first, create the computer object in Active Directory and, second, write the BitLocker recovery key and TPM owner information to that same computer object.
A domain account does not need all kinds of fancy privileges and certainly does not need to be a Domain Admin. To see which privileges are required, please visit the following two blogs, which explain it perfectly:
8. Perform a test deployment
The only thing that remained was performing a test deployment, which of course I did, and the results were very satisfying 🙂
figure 1.4: trace64.exe – bdd.log
figure 1.5: computer object properties – active directory
figure 1.6: computer object properties – bitlocker-recover
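Clicking through the computer object properties (figures 1.5 and 1.6) confirms one machine; for a fleet of tablets the same check is better scripted. The script below is an added example, not something from the original post. It runs from an admin workstation with RSAT and compares the recovery-password protectors the client reports with the msFVE-RecoveryInformation objects stored under its computer object, escrowing any protector that is missing. The cmdlets are the ActiveDirectory module (Get-ADComputer, Get-ADObject) and the BitLocker module on the Windows 8.1 client (Get-BitLockerVolume, Backup-BitLockerKeyProtector); the computer name is a placeholder.

```powershell
# Added example: confirm that every recovery-password protector of the OS volume is escrowed in AD DS.
param([string]$ComputerName = 'ELITEPAD-01')   # placeholder, not a name from the post

Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryInfo([string]$Name) {
    $computer = Get-ADComputer -Identity $Name
    # Recovery passwords are stored as msFVE-RecoveryInformation child objects of the computer.
    # The recovery password itself is deliberately not requested; the GUIDs are enough to match.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties whenCreated, msFVE-RecoveryGuid, msFVE-VolumeGuid |
    ForEach-Object {
        [pscustomobject]@{
            Created      = $_.whenCreated
            RecoveryGuid = [guid]$_.'msFVE-RecoveryGuid'   # octet string -> Guid
            VolumeGuid   = [guid]$_.'msFVE-VolumeGuid'
        }
    }
}

$inAd = @(Get-AdBitLockerRecoveryInfo -Name $ComputerName)
if ($inAd.Count -eq 0) {
    Write-Warning "No msFVE-RecoveryInformation objects under $ComputerName; check the GPO, the schema extension and the join account's rights."
}
$inAd | Format-Table -AutoSize

# Ask the client which recovery-password protectors its OS volume actually has.
$clientProtectors = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId          # looks like "{GUID}"
}

foreach ($protectorId in $clientProtectors) {
    $id = [guid]($protectorId.Trim('{}'))
    if ($inAd.RecoveryGuid -contains $id) {
        "OK: protector $id is escrowed in AD DS"
    } else {
        "Escrowing protector $id, which was missing from AD DS"
        Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            param($ProtectorId)
            Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $ProtectorId
        } -ArgumentList $protectorId
    }
}
```

The msFVE-RecoveryGuid of each AD object equals the KeyProtectorId of the matching recovery-password protector, which is what makes the comparison possible. Reading the objects requires the same delegated rights as the BitLocker Recovery Password Viewer; the join account only needs to write them.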
Useful links
These links helped me on my way achieving this:
- How to backup recovery information in AD after BitLocker is turned ON in Windows 7
- Requirements to save Bitlocker Recovery Key to AD using MDT
- Backing Up BitLocker and TPM Recovery Information to AD DS
- BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
- Prepare your organization for BitLocker: Planning and Policies
- BitLocker Drive Encryption Overview
- Active Directory and BitLocker – Part 1: Introduction
- Active Directory and BitLocker – Part 2: Schema update, ACE settings, Password Recovery Viewer
- Q: Does BitLocker Drive Encryption support a recovery method that calls on Active Directory for storing the recovery information?
- Enable BitLocker, Automatically save Keys to Active Directory
- Backing up your BitLocker keys to Active Directory
- Storing Bitlocker Key to AD using MDT
Find attached the resultant set of policy that has been configured in Group Policy Manager, a copy of the BDD.log of a successful deployment, the screenshots used in this blog, and a copy of my customsettings.ini rules that I have used.
If there are any questions or improvements you’d like to share, please feel free to contribute in the comment section!
Thanks for reading this blog! 😀
PS: forgive me for the Dutch computer object property screenshots; this is just for the moment until I can retrieve some English-looking panes.