Windows to Go Step-by-Step

I’ve been itching to do Windows to Go for some time now, but I had to acquire an approved USB memory stick, which I did last week.  Windows to Go only takes a few minutes and can come in really handy.  Here is a short step-by-step to get Windows to Go up and running.

What You Will Need
A copy of the Windows 8 RTM media
The Windows Automated Installation Kit download
7-Zip
Approved USB memory stick or hard drive
A Windows 7 or Windows 8 machine with at least one USB 3.0 port

You can see the approved USB devices at this URL: http://technet.microsoft.com/en-us/library/hh831833.aspx

BTW, a USB hard drive can be used in place of a USB memory stick.  In this step-by-step I’m using a Kingston DataTraveler Workspace 64GB.  Whether using a memory stick or a hard drive, I will refer to the device as the “USB drive.”

Part I – Partition and Format the USB Drive
Boot your machine and logon.
Insert the USB drive into a USB 3.0 port.  In my case, I’m using a Dell E6330, and the USB 3.0 ports are constructed in a way that prevents me from plugging my USB drive in directly, so I had to get an extender.  The Workspace device is “thick” and the Dell’s USB 3.0 ports are recessed.
Open a command prompt as an administrator and enter the following command: Diskpart
The command should return the following:

C:\Windows\system32>diskpart
Microsoft DiskPart version 6.2.9200
Copyright (C) 1999-2012 Microsoft Corporation.
On computer: WIN8RTM-TW

DISKPART>

At the DISKPART> prompt enter List Disk
The command displays the list of disk devices:

DISKPART> list disk
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B
  Disk 1    Online           39 GB      0 B
  Disk 2    Online          465 GB      0 B
  Disk 3    Online           59 GB      0 B

DISKPART>

In my example above, I’m running Windows 8 from a VHD (Disk 1) located on the physical internal drive (Disk 0), and I have an external USB hard drive connected (Disk 2), which means Disk 3 is my USB drive.  I need to select Disk 3 as the target of the Diskpart operations, so enter Select Disk 3.

DISKPART> select disk 3
Disk 3 is now the selected disk.
DISKPART>

Now I need to clean the USB drive.  Just enter clean at the DISKPART prompt.

DISKPART> clean
DiskPart succeeded in cleaning the disk.
DISKPART>

Now create a primary partition on the USB drive.  At the DISKPART prompt enter create partition primary.

DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
DISKPART>

Now format the new partition using the NTFS file system: format fs=ntfs quick.
You don’t have to use a quick format, but a 64GB USB memory stick takes a l-o-n-g time to format.

DISKPART> format fs=ntfs quick
100 percent completed
DiskPart successfully formatted the volume.
DISKPART>

Finally, mark the partition as Active and exit DiskPart.

DISKPART> active
DiskPart marked the current partition as active.
DISKPART> exit
Leaving DiskPart…
C:\Windows\system32>

Part II – Extract the ImageX Tool
You need to extract the ImageX tool from the WAIK (for Windows 7) or the ADK (Windows Assessment and Deployment Kit).  You can either install the entire WAIK and then find the ImageX program, or you can mount the WAIK ISO and open the neutral.cab file in the 7-Zip archive viewer, which is what I did.  I extracted the file F1_imagex to C:\Tools\ImageX.exe.  The ADK installs as it downloads, so extracting just ImageX from it is problematic.

Find the file F1_imagex inside neutral.cab and extract it.

Once you have copied the F1_imagex file to C:\Tools, rename the file to Imagex.exe.

Part III – Apply the Windows 8 Image to the USB Drive
Mount your Windows 8 RTM ISO or put the Windows 8 RTM DVD media in your DVD drive and locate the file install.wim.  It should be in the sources folder.  (Note: in the example below, the Windows 8 media is exposed on drive H:.)

Now, use the ImageX tool to apply the Windows 8 image to the USB drive.  In this case, the USB drive is exposed as drive G:.  The numeral “1” after the wim file name indicates ImageX should apply the first image that is part of the wim file.  The image source is on drive H: and the image target is drive G:.

C:\Windows\system32>c:\tools\imagex.exe /apply h:\sources\install.wim 1 g:\
ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.
Version: 6.1.7600.16385
[ 100% ] Applying progress

Successfully applied image.
Total elapsed time: 9 min 52 sec

C:\Windows\system32>

Now, make the USB drive (G:) bootable using bcdboot.exe.

C:\Windows\system32>bcdboot.exe g:\windows /s g: /f ALL
Boot files successfully created.

C:\Windows\system32>
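The three parts above can be scripted end to end. The following PowerShell script is an added example, not code from the original post; it assumes ImageX has already been extracted to C:\Tools\imagex.exe, that the Windows 8 media is mounted on H:, and that the new partition is assigned the letter G: (the assign step is not in the post, but the script needs a known letter). Before cleaning anything it checks that the chosen disk number is on the USB bus, so a mistyped disk number cannot wipe an internal drive; Get-Disk needs the Storage module that ships with Windows 8, so this runs on the Windows 8 host, not Windows 7.

```powershell
# Added example: build a Windows to Go drive with diskpart, ImageX and bcdboot.
# Assumptions (not from the original post): ImageX at C:\Tools\imagex.exe,
# Windows 8 media mounted on H:, new partition assigned the letter G:.
# Run from an elevated PowerShell prompt on Windows 8 (Get-Disk needs the Storage module).
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber,   # the "Disk ###" number from "list disk"
    [string]$ImageX     = 'C:\Tools\imagex.exe',
    [string]$Wim        = 'H:\sources\install.wim',
    [int]   $ImageIndex = 1,                          # first image inside install.wim
    [string]$Letter     = 'G'                         # drive letter for the new partition
)

$ErrorActionPreference = 'Stop'

# Safety check: refuse to clean any disk that is not on the USB bus.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber ('$($disk.FriendlyName)') is on bus '$($disk.BusType)', not USB. Refusing to clean it."
}
Write-Host ("Target: Disk {0}, {1}, {2} GB" -f $DiskNumber, $disk.FriendlyName, [math]::Round($disk.Size / 1GB))

# Part I: the same diskpart sequence as the post, fed from a script file.
# 'assign letter' is added so the rest of the script knows where the partition landed.
$diskpartScript = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick
active
assign letter=$Letter
exit
"@
$scriptPath = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Part III: apply image $ImageIndex from install.wim to the new partition ...
$target = "${Letter}:\"
& $ImageX /apply $Wim $ImageIndex $target
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with exit code $LASTEXITCODE" }

# ... and write the boot files for both BIOS and UEFI firmware to the same partition.
bcdboot.exe "${target}Windows" /s "${Letter}:" /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

Write-Host "Windows to Go drive on ${Letter}: is ready."
```

Run it as `.\New-WindowsToGo.ps1 -DiskNumber 3` after confirming the disk number with `list disk` as in Part I.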

Your Windows to Go USB drive is ready to use.  You will need to set your BIOS either to give you an option to choose your boot device, or to move the USB port higher in the boot order, in order to force your machine to boot the new Windows to Go device.  In my case, my Dell laptop allows me to press F12 at startup to choose my boot device.  This is what I did, but I ran into a big problem: no USB device was listed in the boot device menu.  After some experimentation, I determined that my USB 3.0 ports, which are added to the laptop through the DVD drive bay, are not boot capable.  RATS!  No worries, moving the USB drive to a USB 2.0 port allowed me to boot my machine, and performance was very good.

The first time you use the USB drive on a machine, Windows will have to detect hardware.  In my case, all the hardware drivers I needed were available.  This detection is a one-time thing per machine, i.e., the next time I boot my laptop from the Windows to Go USB drive, it will skip the device detection phase.  If I try to boot another machine using my Windows to Go USB drive, it will have to go through device detection again.  Not perfect, but in a pinch, this is a great solution for using your own PC without having to bring your own PC.  Total time to create my Windows to Go device: about 20 minutes.

Enjoy!

SCCM 2012 + MBAM – Start to Finish – Part 6

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:
1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.
2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.
3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplish the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent
Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

In Part 5 of this multipart post, we covered the following:
· How the MBAM agent installation and drive encryption tasks look from the client side.
· The steps the user must take to set the BitLocker PIN.
· How to verify the MBAM Agent was installed (and verify that the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working).
· How to verify drive C: is encrypted.
· How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
· How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM database.
· How to use the Event viewer on the client to verify the MBAM group policy was applied and that the MBAM Agent successfully communicated the drive encryption status to the MBAM Server.
· How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent stored the drive Recovery Key in the MBAM database.

In Part 6, I will attempt to identify common errors and misconfigurations with appropriate workarounds and fixes.

Objectives:
A quick recap of the objectives never hurts:

  • Provision a laptop with a Windows 7 operating system using SCCM OSD
  • Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
  • Install the MBAM agent and configure the agent to communicate with the MBAM server.
  • Instruct the MBAM agent to take ownership of the TPM.
  • Instruct the MBAM agent to encrypt the OS partition using BitLocker.
  • At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Common Issues

Error 0x8009030D – Service Account Cannot Access the Private Key
I did not run into this problem in my home lab, but I have run into it at two client sites so far, so I thought I would mention it.  The event log on the MBAM server has a recurring error:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

It turned out that this error is generated when the SQL Server service account does not have access to the machine keys used for the SSL Server private credential.  This is kind of an odd error, since the service account was a member of the local administrators group. 

The Fix:
1. Open Windows Explorer and navigate to: C:\ProgramData\Microsoft\Crypto\RSA\
2. Right click on the folder MachineKeys
3. Verify the SQL Server service account has at least Read permission on this folder
4. I had to assign read permissions to the individual files within the MachineKeys folder to get this to work!

Read more about this issue at http://www.zerohoursleep.com/2010/11/a-fatal-error-occurred-when-attempting-to-access-the-ssl-server-credential-private-key/

Error message “An error has occurred” when you click the Hardware tab in the MBAM Console
This is, by far, the most common error I’ve encountered with MBAM.  It is so common, there is a KB article describing the issue and resolution at http://support.microsoft.com/kb/2620280.

The basic problem is that the machine cannot resolve “localhost” properly.  The fix replaces instances of “localhost” in the web.config file with the true FQDN of the MBAM server.

Administrator Cannot Retrieve the TPM Owner Password File
This error is particularly tricky, since the Administrator can usually retrieve the recovery key for the affected machine.  To verify you have this specific problem, open SQL Server Management Studio on the SQL Server hosting the MBAM database.  Expand the MBAM Recovery and Hardware database Tables node.  Right-click the RecoveryAndHardwareCore.Machines table and return the top 1000 rows.

Notice two things.  There are entries for the different machines in the table, so MBAM has been installed on those machines.  However, the TpmPassword column is populated with NULL instead of a hash value.  I traced this problem back to the original TPM setup using CCTK.  In all test cases, the TPM ownership was established before the MBAM client was installed, preventing MBAM from taking ownership.  In this state MBAM still encrypts the drive and stores the recovery key in the MBAM database, but not the TPM Password file.  Since this file is needed by administrators only when performing TPM functions, not BitLocker functions (like PIN resets), this condition may be overlooked until it is too late.  The fix is to ensure that the task sequence used to configure the TPM enables the TPM and creates the endorsement key pair, but does not take ownership.  The MBAM client itself must take ownership for this to work!
Note:  To be fair to CCTK, this was usually the result of the TPM module not being cleared properly.

There is no way to transfer or take ownership retroactively.  The best thing to do when a machine is found in this state is to:
1. Isolate the machine and decrypt the drive
2. Clear the TPM module from the Control Panel and reboot
3. Re-apply the task sequence described in this series
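The “already owned” condition above is cheap to detect before the MBAM agent is installed. The script below is an added example, not part of the original series or of MBAM: it reads the TPM state through the Win32_Tpm WMI class (present on Windows 7) and exits non-zero when the TPM is owned or is not enabled and activated, so a task sequence step placed before “Install MBAM Agent” fails visibly instead of silently producing a NULL TpmPassword row. The exit codes and messages are this example’s own.

```powershell
# Added example, not from the original post: pre-flight check of the TPM state that
# Part 6 describes. Intended as a task sequence step placed before "Install MBAM Agent";
# a non-zero exit code fails the step instead of silently leaving TpmPassword NULL.
# Uses the Win32_Tpm WMI class; run elevated (task sequence steps already run as SYSTEM).
$ErrorActionPreference = 'Stop'

$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Host 'No TPM exposed to Windows. Check the BIOS / CCTK settings.'
    exit 2
}

# Each Win32_Tpm method returns an object that carries a boolean of the same name.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$ekPresent = $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
$owned     = $tpm.IsOwned().IsOwned

Write-Host ('Enabled:              {0}' -f $enabled)
Write-Host ('Activated:            {0}' -f $activated)
Write-Host ('Endorsement key pair: {0}' -f $ekPresent)
Write-Host ('Owned:                {0}' -f $owned)

# Required state before the MBAM agent installs: enabled and activated, but NOT owned,
# so that the agent itself takes ownership and stores the owner password on the server.
if (-not ($enabled -and $activated)) {
    Write-Host 'TPM is not enabled and activated; the encryption step will error out.'
    exit 3
}
if ($owned) {
    Write-Host 'TPM is already owned: MBAM cannot take ownership and will never store the TPM owner password.'
    Write-Host 'Clear the TPM (tpm.msc, Clear TPM, reboot) and re-run the task sequence.'
    exit 4
}
Write-Host 'TPM is ready for the MBAM agent to take ownership.'
exit 0
```

As a Run Command Line step, `powershell.exe -ExecutionPolicy Bypass -File Check-TpmState.ps1` is enough; ConfigMgr treats any non-zero exit code as a step failure.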

Summary
I hope this series will save network administrators time and frustration when implementing MBAM in their environments.  This stuff really does work!

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

This posting is provided “AS IS” with no warranties and confers no rights.

SCCM 2012 + MBAM Start to Finish – Part 5

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:
1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.
2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.
3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplish the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent
Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

In the fifth part of this multipart post, I will cover the following:
· How the MBAM agent installation and drive encryption tasks look from the client side.
· The steps the user must take to set the BitLocker PIN.
· How to verify the MBAM Agent was installed (and verify that the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working).
· How to verify drive C: is encrypted.
· How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
· How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM database.
· How to use the Event viewer on the client to verify the MBAM group policy was applied and that the MBAM Agent successfully communicated the drive encryption status to the MBAM Server.
· How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent stored the drive Recovery Key in the MBAM database.

Objectives:

A quick recap of the objectives never hurts:

  • Provision a laptop with a Windows 7 operating system using SCCM OSD
  • Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
  • Install the MBAM agent and configure the agent to communicate with the MBAM server.
  • Instruct the MBAM agent to take ownership of the TPM.
  • Instruct the MBAM agent to encrypt the OS partition using BitLocker.
  • At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

MBAM from the Client Machine’s Perspective

After the last reboot in the task sequence, the MBAM agent is installed.

The screen capture isn’t as clear as I would like, but the dialog says “Running Action: Install MBAM”.

Shortly thereafter, the dialog changes to “Running Action: Install StartEncryption”

On the test machine there was some delay at this point, as much as three minutes. If the machine’s TPM is not Enabled and Activated, the task sequence will error out here. The first indicator of success is the drive light coming on solid and staying on. There are no reboots or any other warning; the screen just changes to the logon prompt.

From the user’s perspective, press CTRL-ALT-DEL and log on.

Instead of the usual background, the user may see the System Center wallpaper. Notice the notification balloon in the lower right corner; the drive is encrypting.

If the user logs on immediately after the task sequence completes, as I did here, there is no prompt for a BitLocker PIN yet. This is because the policy requiring the PIN has not yet been applied. By default, it could take up to two hours for the policy to apply. A couple of workarounds are:

  • Reboot the machine after BitLocker encryption starts. This will not affect BitLocker; it will continue to encrypt the drive after rebooting.
  • Run gpupdate /force.
  • Wait for Group Policy application before logging on.

I wanted to see what would happen if I hurried through the process. Of course, I jumped through all kinds of hoops to hurry the process. I ran gpupdate /force and even logged off and logged on. Eventually I was rewarded with the BitLocker PIN dialog.

If I waited for a while (maybe an hour or so) at the logon prompt at the end of the task sequence, the same dialog appeared when logging on for the first time.

It does not matter what the background is, or when the dialog is displayed; either way the Group Policy requiring a BitLocker PIN has been applied.
NOTE: A bit of explanation here. For this process to work, drive encryption *must* start before the policy requiring a PIN is applied; otherwise BitLocker will not start encrypting the drive until a PIN is entered. Our objective is to automate as much of this process as possible. ConfigMgr prevents the workstation from processing Group Policy until the task sequence is complete. This is something to keep in mind if the reader is attempting to use this task sequence with an MDT 2012 task sequence, which does allow the workstation to process policies.

Click Start.

When prompted, enter a PIN.

Note: The policy applied allows both letters and numbers in the PIN.
After confirming the PIN, click Create PIN.

I entered an @ in my PIN; only letters and numbers are allowed, so the PIN was rejected.

After re-entering a valid PIN and clicking Create PIN, a success dialog is displayed.

Click Exit.

The PIN is used at a warm or cold boot, and when bringing the machine out of hibernation. The PIN is *NOT* used when waking a sleeping machine. This will cramp my ConfigMgr style; any task sequence or update requiring a reboot will require user intervention from now on.

Verifying Agent Installation and Drive Encryption

Yes, when Bill Evans first logged on, he saw a notification balloon stating that the drive was being encrypted. However, if Bill had waited until the following morning to log on, he would have missed that notification. To verify, open Control Panel.
Note: The Control Panel view verifies two things. First, we can tell the MBAM Agent has been installed because the name of the BitLocker applet is BitLocker Encryption Options, not the default BitLocker applet named BitLocker Drive Encryption. Second, the fact that the default applet is hidden verifies that the Group Policy described in part two of this multipart post is hiding the default BitLocker applet as desired.

Now, open the BitLocker Encryption Options applet. The information displayed verifies that drive C:, the OS partition, has been encrypted.
Note: Clicking the Manage your PIN link allows the user to change the PIN at any time. The user is *not* prompted for the old PIN or any other kind of identification. The same process is used to recover drives where the PIN is unknown, forgotten, or changed without the owner’s knowledge. There is only one PIN per machine. The first person that logs on after the policy requiring a PIN is applied gets to choose the PIN.

Verifying the Password Hash was pushed to the MBAM Server

If TPM ownership was already taken before the MBAM Agent attempted to take ownership, there are no errors; the script moves on and encrypts the drive. To verify the agent took ownership, check for the Owner password file on the MBAM server and/or query the MBAM database on the SQL Server.

Check for the Owner Password File on the MBAM Server

From the MBAM server site, click Manage TPM and enter the computer’s domain and computer name. If the MBAM agent took ownership, the MBAM Server returns the TPM Owner Password file.
Note: This test does not endanger any data on the encrypted drive.

Querying the MBAM Recovery and Hardware Database

On the SQL Server where the MBAM Recovery and Hardware database resides, logon as a SQL administrator and open the SQL Server Management Studio.
Navigate to the MBAM Recovery and Hardware database. Expand the Tables node, right-click the RecoveryAndHardwareCore.Machines table and select Return Top 1000 Rows. Find the entry for the name of the computer. In my example, MBAMTEST10 did not copy its password hash to the MBAM server properly, but MBAMTEST24 did. (24th time’s the charm!)

Note: *Do NOT* try to manually enter failed password file hash entries!
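Rather than scrolling the top 1000 rows, the same check (this section, and the NULL TpmPassword symptom in Part 6) can be run as a query over the whole table. This PowerShell script is an added example, not part of the series or of MBAM; it assumes the SqlServer or SQLPS module (Invoke-Sqlcmd) is available, that the database is named “MBAM Recovery and Hardware” as in the text, and uses a placeholder server name. It only reads the table.

```powershell
# Added example, not from the original post: list machines whose TpmPassword is NULL in
# RecoveryAndHardwareCore.Machines, i.e. MBAM encrypted the drive but never took TPM ownership.
# Assumptions: Invoke-Sqlcmd (SqlServer or SQLPS module) is available and the database
# is named "MBAM Recovery and Hardware". The server name below is a placeholder.
param(
    [string]$ServerInstance = 'SQLSERVER-PLACEHOLDER',
    [string]$Database       = 'MBAM Recovery and Hardware'
)
$ErrorActionPreference = 'Stop'

# Only column and table names that appear in the series are used; SELECT * keeps the
# example independent of the rest of the schema.
$query = @"
SELECT *
FROM   RecoveryAndHardwareCore.Machines
WHERE  TpmPassword IS NULL;
"@

$rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query)

if ($rows.Count -eq 0) {
    Write-Host 'Every machine in the table has a TPM owner password stored.'
} else {
    Write-Host ("{0} machine(s) were encrypted without MBAM taking TPM ownership:" -f $rows.Count)
    $rows | Format-Table -AutoSize
    # Per Part 6: decrypt, clear the TPM, re-run the task sequence. Never edit TpmPassword by hand.
    Write-Host 'Remediate by decrypting, clearing the TPM and re-running the task sequence.'
}
```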

Verifying the Recovery Key is Stored on the MBAM Server

On the client side, look for two Event log entries. First, Event ID 1: MBAM group policy settings have been applied successfully.

Without the Group Policy settings, the MBAM agent does not know to which server it should report its status. Next, Event ID 3: the encryption status was communicated to the MBAM Server successfully.

To check for the Recovery Key on the server, you’ll need to get the machine to display the Recovery Key ID. If you’ve enabled a BitLocker PIN, you can press ESC at the PIN prompt to enter the Recovery Console.

Note: Doing this will not endanger any data on the disk.

Now write down the Recovery Key ID. Only the first eight characters are required. Again, this is not going to put any of your data in danger; this is just a test.
Note: At this point, we have all the information we need for the database population test. You can press ESC to exit the Recovery console, or just reboot. Enter the correct PIN at boot and you are back in business on the test machine.

Go to the MBAM Server console, click Drive Recovery, enter the eight-character Recovery Key ID, then click Submit.

If the MBAM agent worked properly, the drive recovery key is displayed in the console. This verifies the MBAM agent successfully stored the drive recovery key in the MBAM database.
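The client-side checks in this part (agent present, drive C: encrypted, Event IDs 1 and 3 logged) can be collected in one script on the test machine. This PowerShell script is an added example, not from the original post or from MBAM; it assumes the MBAM agent runs as a Windows service named MBAMAgent and that the agent writes Event IDs 1 and 3 to the Microsoft-Windows-MBAM/Operational log (both are assumptions; adjust to what Event Viewer shows on your build). BitLocker status comes from the Win32_EncryptableVolume WMI class.

```powershell
# Added example, not from the original post: the client-side verification steps of Part 5.
# Assumptions: MBAM agent service name MBAMAgent; Event IDs 1 and 3 in the
# Microsoft-Windows-MBAM/Operational log. Run from an elevated prompt on the client.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Is the MBAM agent installed? Look for its Windows service.
$svc = Get-Service -Name 'MBAMAgent'
if ($svc) { Write-Host ('MBAM agent service: {0}' -f $svc.Status) }
else      { Write-Host 'MBAM agent service: NOT FOUND (agent not installed?)' }

# 2. Is C: protected by BitLocker, and how far has encryption progressed?
$vol = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if ($vol) {
    $prot = $vol.GetProtectionStatus().ProtectionStatus     # 0 = off, 1 = on, 2 = unknown
    $conv = $vol.GetConversionStatus()                       # ConversionStatus + EncryptionPercentage
    $convNames = @('Fully decrypted', 'Fully encrypted', 'Encryption in progress',
                   'Decryption in progress', 'Encryption paused', 'Decryption paused')
    Write-Host ('C: protection : {0}' -f @('Off', 'On', 'Unknown')[$prot])
    Write-Host ('C: encryption : {0}% ({1})' -f $conv.EncryptionPercentage, $convNames[$conv.ConversionStatus])
} else {
    Write-Host 'C: not reported by Win32_EncryptableVolume (BitLocker unavailable?)'
}

# 3. Did the agent apply policy (Event ID 1) and report status to the server (Event ID 3)?
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Operational'; Id = 1, 3 } -MaxEvents 50
foreach ($id in 1, 3) {
    $e = $events | Where-Object { $_.Id -eq $id } | Sort-Object TimeCreated -Descending | Select-Object -First 1
    if ($e) {
        Write-Host ('Event {0} last seen {1}: {2}' -f $id, $e.TimeCreated, ($e.Message -split "`n")[0])
    } else {
        Write-Host ('Event {0} not found; check Group Policy application and server connectivity.' -f $id)
    }
}
```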

Summary

Part 5 of this multipart post covered the following:

  • How the MBAM agent installation and drive encryption look from the client side
  • The steps the user must take to set the BitLocker PIN
  • How to verify the MBAM Agent was installed (and verify the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working)
  • How to verify drive C: is encrypted.
  • How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
  • How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM Server
  • How to use the Event viewer on the client to verify the MBAM group policy has been applied and that the MBAM Agent has successfully communicated the drive encryption status to the MBAM Server.
  • How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent has stored the drive Recovery Key in the MBAM database.

Part 6 of this multipart post will cover common MBAM deployment issues and resolutions.

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/


SCCM 2012 + MBAM Start to Finish – Part 4

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:

1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.

2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.

3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In the fourth part of this multipart post, I will cover the tasks included in the task sequence. I will not cover in detail those tasks which are part of the OS installation – there are many fine posts on that subject. I include these tasks so readers can determine the order of tasks and which tasks are prerequisite to MBAM agent configuration. I will concentrate on those tasks which are critical to MBAM agent installation and configuration.

Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

Objectives:

A quick recap of the objectives never hurts:
· Provision a laptop with a Windows 7 operating system using SCCM OSD
· Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
· Install the MBAM agent and configure the agent to communicate with the MBAM server.
· Instruct the MBAM agent to take ownership of the TPM.
· Instruct the MBAM agent to encrypt the OS partition using BitLocker.
· At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Task Sequence Prerequisites

If the test workstation has used BitLocker previously:

1. Run TPM.msc and click Clear TPM.
NOTE: You need to do this only if your disk is already encrypted with BitLocker.

2. At the Clear the TPM security hardware prompt, select I do not have the TPM owner password.

3. This requires a reboot. When prompted, clear the TPM. In this example, press F12.

4. Use Diskpart to “clean” the disk.
Note: This step requires boot media or a boot image with Command Prompt support enabled.

1. Boot the machine with TS boot media, or PXE boot to WinPE.

2. Before entering a password, press F8 to open a Command Prompt.

3. Enter the following commands:
X:\sms\bin\x64> diskpart
DISKPART> select disk 0
DISKPART> clean
DISKPART> exit
X:\sms\bin\x64> exit

4. Now enter continue on with your task sequence.

Task Sequence Construction

Installing the OS
Task Purpose
· This task is standard in SCCM Operating System Deployment task sequences. It runs only if the computer is not already in WinPE.
· Partition Disk 0. This task creates the boot partition and the operating system partition. Microsoft's recommendation at this date is a boot partition of 600 MB. Under normal circumstances the remainder of disk 0 becomes the operating system partition; here the OS partition is limited to 40 GB to shorten encryption times during testing.
· Boot partition detail. The partition is assigned a variable (BOOTPART) that other tasks can reference.
· OS partition detail. Assigning the variable OSPART is critical to the success of this task sequence. Again, under normal circumstances this partition would be 100% of the remaining disk; the 40 GB size allows faster testing of the task sequence.
· Apply Operating System. This task downloads the WIM file containing the operating system image. In this example, image 1 of 1 is applied to the partition assigned the variable OSPART.
· Apply Windows Settings. This task applies the settings defined here, such as the product key, time zone and local administrator account password. These values apply to every computer that uses this task sequence, so the administrator password is effectively a shared secret across every machine built with it and should be changed after deployment.
· Set Task Sequence Variable. This task was necessary in my lab environment, since I did not have the use of DHCP. Under normal circumstances, an OSD task sequence does not need this variable defined.
· Apply Network Settings. This task joins the computer to the domain, identifies the account used to join computers to the domain (this account needs only the right to create computer objects in the target OU, not domain administrator rights) and identifies the target OU for the computer account in Active Directory. In this example the network adapter is assigned a static IP address, a limitation of the lab environment; under normal circumstances DHCP is used and there is no need to assign static addresses.
· Apply Device Drivers.
· Setup Windows and Configuration Manager. This task performs device detection and out-of-box (OOBE) setup, and is where the items configured in the Apply Windows Settings and Apply Network Settings tasks are actually applied. This task automatically reboots the computer.
· Install Intel Display Driver. Self-explanatory.
· Restart Computer. The display driver installation program requires that the system restart before any other changes can be made; it is better to let ConfigMgr control the restart. Be sure to reboot to the currently installed default operating system.
Modifying the TPM State

All tasks up to this point are associated with an ordinary operating system deployment. The next set of tasks modifies the state of the TPM to ensure the MBAM Agent can take ownership of the TPM. This process was explained in detail in Part 1. To recap, the tasks associated with the TPM have to accomplish the following:

1. Set the BIOS setup password. Some operations of the CCTK utility require that a BIOS password be set. This exercise assumes no BIOS password is set on the test machine.

2. Enable the TPM.

3. Reboot the machine – Note: this reboot is not required by all Dell BIOS versions.

4. Activate the TPM

5. Reboot the machine

6. Clear the BIOS setup password, returning the BIOS password to its original state

Note: this exercise assumes there is no BIOS setup password configured on the target workstation. If a standard BIOS setup password is used, disable or delete the Set BIOS Password and Clear BIOS Password tasks.
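
Before the Set BIOS Password task runs, it is worth knowing what state the TPM is actually in: the enable and activate steps each cost a reboot, and the MBAM agent cannot take ownership of a TPM that already has an owner. The following PowerShell script is an added example of such a check; it is not from the original post and it does not repeat the CCTK commands covered in Part 1. It reads the TPM state through the Win32_Tpm WMI class and publishes it as task sequence variables (the variable names, the script file name and the exit codes are my choices):

```powershell
# Added example, not part of the original post and not the CCTK commands from Part 1.
# Run it as a "Run Command Line" step in the full OS, before the Set BIOS Password task:
#   powershell.exe -ExecutionPolicy Bypass -File Check-TpmState.ps1   (file name is mine)
# Assumptions: the TPM WMI provider is present (Windows 7), the step runs inside a
# ConfigMgr task sequence so Microsoft.SMS.TSEnvironment exists, and the variable
# names TPMPresent/TPMEnabled/TPMActivated/TPMOwned/TPMActions are my own.

$ErrorActionPreference = 'Stop'

function Get-TpmState {
    # Win32_Tpm exposes IsEnabled(), IsActivated() and IsOwned(); each returns an
    # object whose same-named property carries the boolean answer.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) {
        # No TPM device, or the driver is missing: nothing CCTK can fix from here.
        return New-Object PSObject -Property @{ Present=$false; Enabled=$false; Activated=$false; Owned=$false }
    }
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-RequiredTpmActions {
    param([Parameter(Mandatory=$true)]$State)
    # Same order as the task sequence: enable first, then activate (each needs a reboot).
    if (-not $State.Present) { return @('NoTpm') }
    if ($State.Owned)        { return @('AlreadyOwned') }   # MBAM cannot take ownership; clear it first (see Prerequisites)
    $actions = @()
    if (-not $State.Enabled)   { $actions += 'EnableTpm' }
    if (-not $State.Activated) { $actions += 'ActivateTpm' }
    if ($actions.Count -eq 0)  { $actions += 'None' }
    return $actions
}

$state   = Get-TpmState
$actions = Get-RequiredTpmActions -State $state
Write-Output ("TPM present={0} enabled={1} activated={2} owned={3}; actions={4}" -f `
    $state.Present, $state.Enabled, $state.Activated, $state.Owned, ($actions -join ','))

try {
    # Publish the result so later steps can use "Task Sequence Variable" conditions.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TPMPresent')   = [string]$state.Present
    $tsenv.Value('TPMEnabled')   = [string]$state.Enabled
    $tsenv.Value('TPMActivated') = [string]$state.Activated
    $tsenv.Value('TPMOwned')     = [string]$state.Owned
    $tsenv.Value('TPMActions')   = ($actions -join ',')
} catch {
    Write-Warning "Not running inside a task sequence; variables not set ($_)"
}

# Fail the step early for the two states the CCTK tasks cannot repair.
if ($actions -contains 'NoTpm')        { exit 1 }
if ($actions -contains 'AlreadyOwned') { exit 2 }
exit 0
```

Add it as a Run Command Line step ahead of Set BIOS Password, then put a Task Sequence Variable condition on the Enable TPM step and its restart (TPMEnabled equals False) and on the Activate TPM step and its restart (TPMActivated equals False). Machines that already arrive enabled and activated skip both reboots, and a machine with an owned TPM fails this step with a clear message instead of failing later inside the MBAM agent.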

Task Purpose
· Copy CCTK. This task installs a package that runs a batch file. This is a workaround, since a direct copy requires a user context in which to run. To avoid this, the package files are downloaded to the CCMCache folder; one of them is the CopyFiles batch, which copies the CCTK files and scripts to a permanent folder, c:\windows\cctk.
· Set BIOS Password. This task uses the CCTK to set a BIOS setup password, allowing the subsequent TPM configuration commands to be automated (the Dell BIOS requires a setup password before the TPM settings can be changed). The password is passed on the CCTK command line, so it is visible in the task sequence and in smsts.log; treat it as a temporary value and make sure the Clear BIOS Password task runs. Note: This task must be run in the security context of a local administrator.
· Enable TPM. This task enables the TPM module. Note: This task must be run in the security context of a local administrator.
· Restart Computer. A restart is required after enabling the TPM module.
· Activate TPM. This task activates the TPM module. Note: This task must be run in the security context of a local administrator.
· Restart Computer. TPM activation requires a reboot.
· Clear BIOS Password. This task uses the CCTK to clear the BIOS password, returning the password configuration to its original state. Note: This task must be run in the security context of a local administrator.
· Install MBAM. This task copies the MBAM installer package to the CCMCache and installs the agent silently using msiexec.exe (the Windows Installer).
· Install StartMBAMEncryption. This task copies the StartMBAMEncryption.wsf script, its ZTIUtility.vbs helper and the two registry files to the CCMCache, then runs StartMBAMEncryption.wsf. The script instructs the MBAM agent to initialize (take ownership of) the TPM and escrow the TPM owner password with the MBAM server. After the TPM is initialized, the script instructs the MBAM agent to encrypt the OS drive.

Summary

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplishes the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent

Part 5 of this multipart post will cover the steps to verify communication with the MBAM server and drive encryption.

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

This posting is provided “AS IS” with no warranties and confers no rights.

SCCM 2012 + MBAM Start to Finish – Part 3

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

Objectives:

A quick recap of the objectives never hurts:
· Provision a laptop with a Windows 7 operating system using SCCM OSD
· Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
· Install the MBAM agent and configure the agent to communicate with the MBAM server.
· Instruct the MBAM agent to take ownership of the TPM.
· Instruct the MBAM agent to encrypt the OS partition using BitLocker.
· At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Task Sequence Package Requirements

NOTE: This post refers to the software sources share. This is a generic label for a simple file share that the SCCM packages use as the source for software imported into the Content Library. In the test lab, this share is located on the SCCM server. There is nothing preventing locating this share on another server with file services.

In the following configuration documentation, if a configuration setting is not called out, it was left at its default value or unconfigured if that setting has no default value.

MBAM Agent

Microsoft recommends creating only one package for MBAM Agent deployment. The MBAM Client installation software should be stored in two subfolders, x86 and x64 (I changed the name of the x64 folder to amd64 to match other dual-bitness packages in my environment). Theoretically, two separate packages, each with one program would work, but Microsoft recommends one package with two programs. In my example, I created the software package with the two subfolders. Since I did not test 32-bit clients, I created only the program for 64-bit clients.

Configuration Notes
· Here are the source files for the MBAM Client (agent) in my lab environment. I copied these from the MDOP 2011 R2 distribution media.
· Use a name that fits the conventions used in the target environment. In this example, the name is simply MBAM Client.
· Configure the package as having source files. Set the source to point to the parent folder that holds only the x86 and amd64 subfolders.
· Distribute the package to at least one distribution point.
· Create a program for the MBAM Client package. In this example, the package has one program, MBAM Agent. The program command line is:
msiexec.exe /i MBAMClient-64bit.msi /q
In this example, the program starts in the amd64 subfolder of the package file structure.
· In the test environment, the program was limited to running on Windows 7 64-bit machines only.
· The program is configured to run whether or not a user is logged on.
· Be sure to configure the program to allow installation within a task sequence without the package being deployed. Note: SCCM 2012 deployments are similar to advertisements in SCCM 2007.

Start MBAM Encryption

This package contains four files:

· StartMBAMEncryption.wsf – script that stops and starts the MBAM agent, imports registry entries and starts OS partition encryption. This script can be downloaded from http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-48-21-05/StartMBAMEncryption.zip
· ZTIUtility.vbs – called by StartMBAMEncryption.wsf. This script is part of the MDT. Assuming MDT 2012 is installed on the SCCM 2012 server, copy this file from <installation drive letter>:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts to the software source folder for the package.
· AddMBAMRegEntries.reg – registry settings file created in Part 1 of this post. Copy it to the software source folder for the package.
· RemoveMBAMRegEntries.reg – registry settings file created in Part 1 of this post. Copy it to the software source folder for the package.

Configuration Notes
· There are four source files to include in the package. StartMBAMEncryption.wsf is the script available for download from the URL above. The two .reg files are the files created in the last section of Part 1 of this multipart post. ZTIUtility.vbs is part of the MDT, which should be installed on the SCCM server; in the lab environment this file was located in C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts.
· Use a package name that fits the conventions used in the target environment. In this example, the name is MBAM Encryption Script.
· Configure the package to have source files. Set the source folder to the folder in the software source share where the four files above are copied.
· Distribute the package content to at least one distribution point.
· Create a program for the MBAM Encryption Script package. In this example, the program is named StartEncryption. The command line used by the program is:
cscript.exe StartMBAMEncryption.wsf /addRegFile:AddMBAMRegEntries.reg /removeRegFile:RemoveMBAMRegEntries.reg
· This program is configured to run on Windows 7 64-bit machines only.
· The program is configured to run whether or not a user is logged on.
· Be sure to configure the program to allow installation within a task sequence without the package being deployed. Note: SCCM 2012 deployments are similar to advertisements in SCCM 2007.
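
The following PowerShell script is an added example of the sequence the StartEncryption program performs. It is not Hornbaker's StartMBAMEncryption.wsf and not part of the original post, and it stands in equally for the Install StartMBAMEncryption task in the Part 4 task sequence. It imports the add file, restarts the agent so the new server settings are picked up immediately, waits until the agent owns the TPM and the OS volume is encrypting, then imports the remove file. The service name MBAMAgent, the 20-minute timeout, the script file name and the expectation that the two .reg files sit beside the script are my assumptions; the registry values themselves come from the Part 1 files.

```powershell
# Added example, not Hornbaker's StartMBAMEncryption.wsf and not from the original post.
# The package program command line would be (file name is mine):
#   powershell.exe -ExecutionPolicy Bypass -File Start-MbamEncryption.ps1
# Assumptions: the MBAM client service is named MBAMAgent, the two .reg files from
# Part 1 sit next to this script, and 20 minutes is long enough for the agent to
# take ownership of the TPM and begin encrypting.
param(
    [string]$AddRegFile,
    [string]$RemoveRegFile,
    [int]$TimeoutMinutes = 20
)
$ErrorActionPreference = 'Stop'
$serviceName = 'MBAMAgent'                                   # assumed service name
$scriptDir   = Split-Path -Parent $MyInvocation.MyCommand.Path
if (-not $AddRegFile)    { $AddRegFile    = Join-Path $scriptDir 'AddMBAMRegEntries.reg' }
if (-not $RemoveRegFile) { $RemoveRegFile = Join-Path $scriptDir 'RemoveMBAMRegEntries.reg' }

function Import-RegFile([string]$Path) {
    if (-not (Test-Path $Path)) { throw "Registry file not found: $Path" }
    & reg.exe import $Path 2>&1 | Out-Null
    # reg.exe reports failure only through its exit code, so check it explicitly.
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with code $LASTEXITCODE for $Path" }
}

function Test-TpmOwned {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    return ($null -ne $tpm -and [bool]$tpm.IsOwned().IsOwned)
}

function Get-OsVolumeStatus {
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused.
    # Key protector type 1 = TPM only, 4 = TPM and PIN. The PIN is added by the user at
    # first logon, so during the task sequence only a type 1 protector may exist.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
    $tpmIds = $vol.GetKeyProtectors(1).VolumeKeyProtectorID
    $pinIds = $vol.GetKeyProtectors(4).VolumeKeyProtectorID
    New-Object PSObject -Property @{
        Conversion = [int]$vol.GetConversionStatus().ConversionStatus
        Protection = [int]$vol.GetProtectionStatus().ProtectionStatus
        HasTpm     = ($null -ne $tpmIds -and @($tpmIds).Count -gt 0)
        HasTpmPin  = ($null -ne $pinIds -and @($pinIds).Count -gt 0)
    }
}

# 1. Point the agent at the MBAM server (the Part 1 registry entries).
Import-RegFile $AddRegFile

# 2. Restart the agent so it reads the new values now rather than at its next wake-up.
Restart-Service -Name $serviceName

# 3. Wait for ownership of the TPM and for encryption of the OS volume to start.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$started  = $false
do {
    Start-Sleep -Seconds 30
    $owned  = Test-TpmOwned
    $status = Get-OsVolumeStatus
    Write-Output ("TPM owned={0} conversion={1} protection={2} tpm={3} tpm+pin={4}" -f `
        $owned, $status.Conversion, $status.Protection, $status.HasTpm, $status.HasTpmPin)
    $started = $owned -and ($status.Conversion -eq 1 -or $status.Conversion -eq 2)
} until ($started -or (Get-Date) -gt $deadline)

# 4. Remove the temporary entries whether or not we timed out, so they never linger
#    on a machine that Group Policy should be managing from now on.
Import-RegFile $RemoveRegFile

if (-not $started) {
    Write-Error "Encryption did not start within $TimeoutMinutes minutes"
    exit 1
}
exit 0
```

The script fails the task sequence step with a non-zero exit code when encryption has not started in time, which is preferable to a machine leaving the build process looking finished but unencrypted; the progress lines it writes end up in smsts.log, where they are the first thing to look at when the agent never takes ownership.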

CCTK

The Dell Client Configuration Toolkit (CCTK) is the utility used to automate BIOS changes, i.e., changing the configuration of the Trusted Platform Module (TPM). This example uses version 2.1 for Windows, which can be downloaded from:

http://en.community.dell.com/techcenter/systems-management/w/wiki/1952.dell-client-configuration-toolkit.aspx

What the CCTK does in this exercise was discussed in detail in Part 1 of this multipart post. Suffice to say, the CCTK places the TPM in the correct state that allows the MBAM agent to take ownership of the TPM.

Unlike the other packages that install and run some type of executable, this package simply copies the content of the package to a permanent location on the workstation’s hard drive. The CCTK is actually called by other tasks. The package’s single program runs CopyFiles.cmd. This batch copies the package content to the \Windows\cctk folder. The batch copies a text file to the CCM\Logs folder in order to troubleshoot execution problems, i.e., if the file success.txt is in the CCM\Logs folder, the CCTK files were copied to the local hard drive correctly.

CopyFiles.cmd

@echo off
rem Runs from the package's CCMCache folder, so "." is the package content
md \windows\cctk
xcopy . \windows\cctk /s /e /y
rem success.txt ships with the package; a copy in CCM\Logs proves the xcopy worked
copy \windows\cctk\success.txt \windows\ccm\logs\cctk-success.txt

Configuration Notes
· The package source files include executables, scripts and DLLs. The CCTK BIOS utility is hardware specific; in this example a Dell Latitude E6320 is used as the test machine.
· Use a package name that fits the conventions used in the target environment. In this example, the name is Dell CCTK.
· Configure the package to have source files. Set the source folder to the folder in the software source share where the files mentioned in the overview above are copied.
· Distribute the package content to at least one distribution point.
· Create a program for the Dell CCTK package. In this example, the program is named Copy files. The command line used by the program is copyfiles.cmd
· This program is configured to run on Windows 7 64-bit machines only.
· The program is configured to run whether or not a user is logged on.
· Be sure to configure the program to allow installation within a task sequence without the package being deployed. Note: SCCM 2012 deployments are similar to advertisements in SCCM 2007.

Summary

In Part 3 of this multipart post, we covered the packages and programs required to automate MBAM client distribution and OS partition encryption. Three packages and programs were covered:

1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.

2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.

3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

Part 4 will detail the tasks used in the task sequence.

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

This posting is provided “AS IS” with no warranties and confers no rights.

 

Updated Dog Food Infrastructure Track Info

I have some updated info on the infrastructure track at Dog Food coming up in two short weeks!

Also, my apologies to Scott Villinski – I shorted him an “L” in my last post.  Sorry Scott.

The complete lowdown on Dog Food: http://dogfoodcon.com/

Enjoy!

Commvault – Randy DeMeno: CommVault will focus on and demonstrate how to use Windows Server 2012 as the base operating environment for heterogeneous data management. This includes backup, disaster recovery, granular application recovery (Exchange, SharePoint, AD), archiving, content search, e-discovery, SRM, deduplication and encryption, all by using Windows Server 2012 as the base platform. More than half of the session will be live demonstrations of the above, including how simple it is to integrate Windows Azure for tiered and off-site storage.

AppSense – Jeremy Steinman: Your always-connected users want faster and more intuitive technology and the freedom to work anywhere, anytime, on any device. Join AppSense to learn how to give your users the freedom to get things done while maintaining security and manageability. Learn how powerful user virtualization can be and how leveraging AppSense can accelerate Windows desktop migration, deployment and management. Discover better ways of reducing time, cost and complexity, with the end result of increasing user satisfaction and productivity; see for yourself with a live AppSense demo.

Fusion-io – Andrew Morris: Fusion-io will focus on application acceleration through the use of enterprise flash products. Microsoft has been pushing local storage to reduce cost and improve performance compared with SAN technology. Fusion-io is the fastest storage on the market today, and we will discuss how to use it in Microsoft environments to achieve better performance and ROI for VDI, VM migrations, databases and more. Microsoft's 2012 products all have local storage options to replace shared storage, and Fusion-io can use these features to make your infrastructure fly.

Dell – Jason Gorrell: Cloud Client Computing with Dell Wyse. As the market leader in thin computing, Wyse, now Dell Wyse, can assist you in your virtualization project. We'll explore your options for choosing an endpoint solution for whatever desktop/app virtualization strategy you've chosen (Citrix, Microsoft, VMware, etc.). Virtualizing your desktops and applications can be a challenge, but choosing the right endpoint doesn't have to be.

Citrix – Brian Jacobs: Deliver virtual desktops and apps on demand to every user. XenDesktop can help you turn Windows desktops and applications into an on-demand service available to any user, anywhere, on any device. With XenDesktop you can securely deliver a consistent, rich experience across Windows XP, Windows Vista, Windows 7 and 8 over LAN/WAN, all with a high-definition user experience.

Azure – Infrastructure as a Service, Keith Mayer: Customers can create virtual machines, over which they have complete control, that run in Microsoft data centers. As of the preview, the virtual machines supported Windows Server 2008 and 2012 RC operating systems and a few distributions of Linux.

SCCM 2012 Overview – Tom Walters: More than 10 Reasons to Deploy SCCM 2012 NOW! SCCM 2012 offers a number of new features and improvements; so many that a top 10 list just won't do. This session will cover the new administrator experience, improvements to Software Updates, hierarchy optimization, the user-centric experience and 2007 to 2012 migration tips.

Hyper-V 3 and SCVMM Overview – Tom Walters: SCVMM 2012 + Hyper-V 3.0: Primetime Ready. This session will cover new features and improvements that provide the foundation for deploying and maintaining a private cloud for organizations big and small. Support for multiple hypervisors, service templates, high availability options and Server App-V will be covered. Come and see why SCVMM 2012 with Hyper-V 3.0 is primetime ready.

Veeam – James Moots: Veeam Backup and Replication is built specifically for virtual environments to provide fast backup and recovery for virtual machines running on both VMware and Microsoft Hyper-V. With a single license, from a unified console, you can support your entire virtual infrastructure with industry-leading features such as instant file-level recovery, streamlined VM recovery, scalability, 2-in-1 backup and replication, built-in deduplication, centralized management and much more. Whether you are using VMware or Hyper-V, we've got you covered!

From the Shameless Plug Department

Time for a shameless plug for the upcoming Dog Food conference to be held November 8 and 9 at the Microsoft office in Columbus (at Polaris).  We have a great infrastructure track lined up.  Here are some featured speakers:

Commvault – Randy DeMeno: CommVault will focus on and demonstrate how to use Windows Server 2012 as the base operating environment for heterogeneous data management. This includes backup, disaster recovery, granular application recovery (Exchange, SharePoint, AD), archiving, content search, e-discovery, SRM, deduplication and encryption, all by using Windows Server 2012 as the base platform. More than half of the session will be live demonstrations of the above, including how simple it is to integrate Windows Azure for tiered and off-site storage.

AppSense – Jeremy Steinman: Your always-connected users want faster and more intuitive technology and the freedom to work anywhere, anytime, on any device. Join AppSense to learn how to give your users the freedom to get things done while maintaining security and manageability. Learn how powerful user virtualization can be and how leveraging AppSense can accelerate Windows desktop migration, deployment and management. Discover better ways of reducing time, cost and complexity, with the end result of increasing user satisfaction and productivity; see for yourself with a live AppSense demo.

Fusion-io – Andrew Morris: Fusion-io will focus on application acceleration through the use of enterprise flash products. Microsoft has been pushing local storage to reduce cost and improve performance compared with SAN technology. Fusion-io is the fastest storage on the market today, and we will discuss how to use it in Microsoft environments to achieve better performance and ROI for VDI, VM migrations, databases and more. Microsoft's 2012 products all have local storage options to replace shared storage, and Fusion-io can use these features to make your infrastructure fly.

Dell – Phil Vachon: TBD

Citrix – Brian Jacobs: Deliver virtual desktops and apps on demand to every user. XenDesktop can help you turn Windows desktops and applications into an on-demand service available to any user, anywhere, on any device. With XenDesktop you can securely deliver a consistent, rich experience across Windows XP, Windows Vista, Windows 7 and 8 over LAN/WAN, all with a high-definition user experience.

Azure – Infrastructure as a Service, Keith Mayer: Customers can create virtual machines, over which they have complete control, that run in Microsoft data centers. As of the preview, the virtual machines supported Windows Server 2008 and 2012 RC operating systems and a few distributions of Linux.

SCCM 2012 Overview – Tom Walters: More than 10 Reasons to Deploy SCCM 2012 NOW! SCCM 2012 offers a number of new features and improvements; so many that a top 10 list just won't do. This session will cover the new administrator experience, improvements to Software Updates, hierarchy optimization, the user-centric experience and 2007 to 2012 migration tips.

Hyper-V 3 and SCVMM Overview – Tom Walters: SCVMM 2012 + Hyper-V 3.0: Primetime Ready. This session will cover new features and improvements that provide the foundation for deploying and maintaining a private cloud for organizations big and small. Support for multiple hypervisors, service templates, high availability options and Server App-V will be covered. Come and see why SCVMM 2012 with Hyper-V 3.0 is primetime ready.

Yes, that’s me at the bottom of the list – they occasionally throw me a bone (no pun intended).

A special shout-out to some Microsoft SMEs that will be presenting but not listed above:

Bruce Adamczak – Windows Server 2012 New Features.  Bruce will also be doing a chalk talk on performance counters and how they will make life better.  Also, follow Bruce’s blog as he explores the new world of Server 2012 at http://blogs.technet.com/b/bruce_adamczak/

Scott Vilinski – Scott will be presenting System Center 2012 overviews for Orchestrator, Service Manager and Operations Manager.

Keith Mayer and Scott Vilinski will be doing a Windows 8 New Features Overview (not together, on separate days)

Please go to the official Dog Food site for more information:
http://dogfoodcon.com/

Enjoy!