ConfigMgr Console – Errors in App log is by design?

While troubleshooting some update deployments at a client recently, I noticed errors were being thrown whenever I clicked the Content Status link on the Deployment object in the Monitoring workspace. Hard to follow? Let me help-

Pick a deployment, any deployment. Go to the Monitoring workspace in the ConfigMgr Console. Highlight a deployment and click the Content Status link in the lower right corner.


Hmm, the ConfigMgr Console reports no status information is available for this deployment.


That’s not right, better check the event log. YIKES! Multiple errors are generated every time I click that Content Status link in the console, and it turns out they are all identical.


Here is the detail from the error (just in case someone is searching on this error):

Log Name: Application
Source: Critical
Date: 12/16/2013 7:48:11 PM
Event ID: 1
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SCCM12R2.qsidemo.biz
Description:

Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nNot found , property = ObjectType\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item(String name)
at Microsoft.ConfigurationManagement.AdminConsole.ContentMonitoring.DisplayUtilities.ShowObjectIcon(Object sender, ScopeNode scopeNode, IResultObject selectedResultObject, AssemblyDescription& resourceAssembly)\r\nNot found \r\nSystem.Management.ManagementException\r\nNot found \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
at System.Management.PropertyData.RefreshPropertyInfo()
at System.Management.PropertyDataCollection.get_Item(String propertyName)
at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item(String name)\r\nManagementException details:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Critical" />
<EventID Qualifiers="0">1</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-12-17T00:48:11.000000000Z" />
<EventRecordID>3154</EventRecordID>
<Channel>Application</Channel>
<Computer>SCCM12R2.qsidemo.biz</Computer>
<Security />
</System>
<EventData>
<Data>Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nNot found , property = ObjectType\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item(String name)
at Microsoft.ConfigurationManagement.AdminConsole.ContentMonitoring.DisplayUtilities.ShowObjectIcon(Object sender, ScopeNode scopeNode, IResultObject selectedResultObject, AssemblyDescription&amp; resourceAssembly)\r\nNot found
\r\nSystem.Management.ManagementException\r\nNot found \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
at System.Management.PropertyData.RefreshPropertyInfo()
at System.Management.PropertyDataCollection.get_Item(String propertyName)
at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item(String name)\r\nManagementException details:</Data>
</EventData>
</Event>

Wow, this looks serious. What can be wrong? My demo environment appears to be functioning properly.

It turns out this behavior is by design!

Clicking the Content Status link in the deployment object takes you to a page with no information AND generates errors in the event log. What the #&^$%????

Yep, a call to MS Support confirmed this. The information about the deployment that I wanted could be accessed by clicking the View Status link (which was hidden beneath the bottom of my display), as shown here:


I just had to scroll down to get the correct link. When I click View Status, I don’t get any errors in the event log AND I see the information I wanted:


Hooray, that’s the detail on the deployment I needed.

I have to wonder why Microsoft would design the console in such a way that clicking a link generates errors in the application log, but then again, I’m no software developer!

I hope this saves someone some time.

Lots of Failed Requests on AD-integrated CA

I was deploying Configuration Manager at a client recently and came across an issue with hundreds of failed requests on the AD-integrated Certificate Authority. Every failed request had the same content:

The revocation function was unable to check revocation because the revocation server was offline 0x80092013 (-2146885613)

and

Error verifying request signature or signing certificate

This was a vanilla PKI configuration, so I looked in ADSIEdit to confirm that the CRL Distribution Points were there and were accessible.


I also checked the security to verify all systems would be able to read the information there.


Yes, Everyone has read permissions to the CDP.

These screen shots are from my demo lab, but in the client’s environment, I saw additional CDP objects listed that I knew nothing about. I checked the Certification Authorities node, no extra objects there, but the CDP node had three additional objects. According to Microsoft support, when a CA is uninstalled, its object under Certification Authorities is removed, but the object under CDP is not.

Upon further investigation, it turned out that these objects referred to servers that had been CAs in the past but were no longer acting as CAs.

So, why the errors? It turns out that these CAs had issued a number of computer certificates and now those certificates were expiring. When I set up the autoenrollment policy for the ConfigMgr client authentication certificates, I used my usual settings, as seen here in the Group Policy Editor.


This policy operates against any certificate that is expired, not just those issued by the current CA. When the certificates issued by the decommissioned CAs expired, this policy caused the client to try to renew them, which led to the failed requests, since those CAs were no longer online and the CRLs left on the CDP were expired.
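The manual ADSIEdit comparison above (objects under Certification Authorities versus objects under CDP) can be scripted. The following is an added example, not code from the original post: it lists every cRLDistributionPoint object under the CDP node and flags the ones whose CA no longer has an object under Certification Authorities. It assumes a domain-joined Windows machine and uses only [ADSI] and DirectorySearcher, so the ActiveDirectory module is not required.

```powershell
# Added example: find CDP entries left behind by uninstalled CAs.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

function Find-PkiObjects([string]$BaseDn, [string]$ObjectClass) {
    # Returns every object of the given class under the base DN as a DirectoryEntry.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter      = "(objectClass=$ObjectClass)"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

# Live CAs: one certificationAuthority object per CA. Uninstalling a CA removes
# this object, so a CA that is missing here has been decommissioned.
$liveCaNames = @(Find-PkiObjects "CN=Certification Authorities,$pks" 'certificationAuthority' |
    ForEach-Object { [string]$_.cn })

# CDP entries: CN=CDP holds one container per server, each containing a
# cRLDistributionPoint object named after the CA. Uninstall does not remove these.
$report = Find-PkiObjects "CN=CDP,$pks" 'cRLDistributionPoint' | ForEach-Object {
    $caName   = [string]$_.cn
    $dnParts  = ([string]$_.distinguishedName) -split ','
    $server   = $dnParts[1] -replace '^CN=', ''      # parent container is the server name
    $orphaned = $liveCaNames -notcontains $caName
    $note     = ''
    if ($orphaned) { $note = 'No Certification Authorities object: stale CDP/CRL from a removed CA' }

    New-Object PSObject -Property @{
        CA       = $caName
        Server   = $server
        Orphaned = $orphaned
        Note     = $note
    }
}

$report | Sort-Object Orphaned -Descending | Format-Table CA, Server, Orphaned, Note -AutoSize
```

Entries reported as Orphaned are the "additional CDP objects" described above; the expired CRLs they carry are what the renewal attempts from the old CAs' certificates run into.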

The bottom line: in this situation, this behavior is by design. The failed requests had no effect on my ConfigMgr deployment.

2013 Dog Food Conference – Open for Submissions

The annual Dog Food Conference is scheduled for November 21 and 22 at the Microsoft building in Columbus.  There is still time to submit your idea for a presentation at: http://dogfoodcon.com/tracks.html.

While other area conferences tend to be developer-oriented, Dog Food leans toward IT Pros (but has some development topics in the mix).  Presenting is a great way to connect with peers and generate new business connections.  If you find yourself going on and on about System Center 2012 R2 new features when going to dinner with friends and family, you’re just what Dog Food needs!  Here are some presentation ideas I’d like to throw out:
SharePoint BI for Admins: 5 Easy Things that Impress Business Owners
PowerShell Tips for IT Admins: Automating Your Everyday Tasks
Extending Your Active Directory Infrastructure to the Cloud
10 Reasons to Upgrade to Windows Server 2012 R2 Now!
Windows Azure IaaS: How to Setup Your Own Proof of Concept
Where’s My Data?  Backing Up and Restoring Hybrid Environments

That’s just the tip of the iceberg, so go to http://dogfoodcon.com/tracks.html and submit your presentation for consideration. 

Hope to see you there!

Try Windows Server 2012 R2 – Risk Free! Part II

Would you like to get up to speed on the new features of Windows Server 2012 R2 but don’t have an extra server?  This is the post for you!  In this multi-part post I’ll show you how to test drive Windows Server 2012 R2 Preview risk free.

In Part I of this multi-part post, I covered how to open a command prompt in the Windows Server 2012 R2 Preview installation, use DISKPART to create, select and attach a bootable VHD, and to install Windows Server 2012 R2 Preview to that bootable VHD.

In Part II we’ll finish Windows Server 2012 R2 Preview setup, prepare the machine for our productivity apps and install and configure basic Windows features we’ll want to use during our test drive, such as the Desktop Experience and Hyper-V.

Objectives

  • Install Windows Server 2012 R2 Preview to a bootable VHD on a laptop or desktop.  Note: the laptop or desktop must meet the minimum hardware requirements for Windows Server 2012 R2. 
  • Ensure productivity applications are available from within Windows Server 2012 R2.
  • Reconfigure Windows Explorer to use the physical drive so Windows Server 2012 R2 can share the same data with the original OS, in this example Windows 7.
  • Make Windows Server 2012 R2 Preview behave more like a desktop operating system, reducing the need to return to booting from the physical hard drive and giving us more time to play with new features.

Finishing Windows Setup

When we left our machine in Part I, we had just started copying files to the VHD.

After about 15 minutes (in my case) the file installation finishes and the machine reboots

What the ???????  When my machine reboots I get a fish?

I guess it’s OK, the fish is getting devices ready

Just like in Windows Server 2012, R2 will reboot after detecting devices.  This is normal.

In case you’ve been wondering why the machine did not reboot to Windows 7, it’s because the boot manager made the newest operating system on the machine the default.
NOTE: Being at the top of the list does not necessarily make this the default operating system.

Windows setup is complete, I’m ready to log on as Administrator

Windows finalizes its settings and my Windows Server 2012 R2 Preview test drive is ready to go

Prep the Windows Installation for Use

After logging on, the first thing I want to do is verify I have network access, or be ready to install my network device drivers

The second thing I’ll do is set this machine to the correct time zone, in my case that’s Eastern US

Time to accept again.
Remember, we’re all in this together!

Now I can install some features required for my productivity apps, like the dotNet Framework 3.5, Ink and Handwriting, and the Desktop Experience.  From Server Manager, click Manage and select Add Roles and Features

I threw in the Telnet Client because I usually need it sooner or later.

And in my case I’m installing on a laptop, so I don’t want to forget the Wireless LAN Service

Roles and Features setup warns me that not all the components required for this setup have been copied to the disk.

I need to specify an alternate location for the dotNet Framework 3.5.  It’s on the distribution media, it’s just not copied to disk along with the other feature components.  The files required are in <drive>:\sources\sxs, as shown here

Once the alternate path is configured, click Install to continue

I noticed that the dotNet Framework 3.5 install was not “smooth” in this preview, the DVD ground a lot, but eventually finished

The reboot warning was understated, in my case my machine rebooted twice before I could log back on.

Now I’ll change my computer name from the auto-generated setup name to one of my choosing by opening Computer properties

Before I reboot, I might as well add a Role I know will require a reboot – Hyper-V

Rats, Hyper-V still does not recognize my Wireless adapter

In my case, I don’t think my laptop is robust enough to handle live migration.  This choice is yours.

I want to make sure my storage locations for virtual machines and disks are on the physical drive, not my bootable VHD

As expected, finishing the Hyper-V installation requires a reboot

In Part III of this multi-part post we’ll tweak a couple of things in the file system to allow our new OS and old OS to share data files (since we did not get to that in Part II).  Stay tuned!

Try Windows Server 2012 R2 – Risk Free! Part 1

Ok, you’re probably saying to yourself, isn’t this just recycling his post from last year about Windows 8?  You are correct, score yourself 15 bonus points!  However, the lesson learned here still has value, so read on.

Objectives

In Part I of this multi-part post I will show you how to test drive Windows Server 2012 R2 (Preview) without risk.  The only things you need are 40GB of free disk space on your Windows 7 or later laptop/desktop, the distribution media for Windows Server 2012 R2 Preview, and a couple of hours.  If you have a newer laptop/desktop, you may want to go to your hardware vendor’s site and download Windows Server 2012 or Windows 8 x64 drivers for your devices before getting started.

If you don’t have the Windows Server 2012 R2 Preview media yet, go to the link above and download the ISO.  When you register for the download, Microsoft will email you an activation key.  Burn the ISO to DVD or copy it to a bootable USB device.

My description of what needs to be done will assume you are running Windows 7.  The procedure will work with any Windows operating system that allows boot to VHD.

If you are particularly paranoid, perform a Windows backup to a USB or ESATA drive. This step is not absolutely necessary because of the “risk free” part mentioned above. All of your Windows 7 (or 8) files and data will remain after Windows Server 2012 R2 Preview installation, and you can still boot to Windows 7 (or 8) if you wish.

Installing Windows Server 2012 R2 Preview to a Bootable VHD

Booting to a virtual hard disk (VHD) is nothing new, so if you already know this, you may want to skip ahead. For those of you who have never tried booting from VHD, here is how to do this:

  • Insert the Windows Server 2012 R2 Preview installation media into the DVD drive or USB port and boot the machine. Be sure to tell the machine you want to boot using the CD\DVD drive or USB port, otherwise, you’ll probably just boot to Windows 7 and my screen shots below will make no sense whatsoever. The startup screen appears. In my case, this screen stayed the same for about 4-5 minutes with the hard drive light pegged. No worries, it eventually moves on.  When you get to the screen that says Windows Setup (as shown below)  press Shift + F10 to open a command prompt.


  • At the command prompt, verify which drive letter is used to access your Windows OS partition. In my case, I had a single OS partition on the disk, so my drive letter is D:. C: points to the boot partition normally hidden by Windows 7. The Windows OS partition is the one I want, so D: it is.
  • In the command prompt, run DISKPART.
  • At the DISKPART prompt, enter
    Create vdisk file=d:\WinSrv12R2.vhd maximum=40000
    40000 is the size of the vdisk in MBs. This can take a while, diskpart actually reserves all the space necessary for the disk.  The filename can be any name that doesn’t conflict with the current file system.


  • Continue after receiving the message “Diskpart successfully created the virtual disk file.”
  • Now enter at the DISKPART prompt select vdisk file=c:\WinSrv12R2.vhd
  • Then enter at the DISKPART prompt attach vdisk
  • Then Exit the DISKPART prompt
  • Finally, at the command prompt enter Exit


I just noticed, some of my screen shots kind of look like the text prologue in the Star Wars movies – cool.

Episode IV
DO NOT exit Windows setup. At the setup dialog box, verify the regional settings and click NEXT to continue


When prompted, click Install Now

When prompted, enter the product key Microsoft emailed you after registering

Since I want this test drive to be risk free, I expect to use my laptop like a workstation after I install Windows Server 2012 R2, so I will definitely need to go with the Full (GUI) installation, as seen here

We always accept

Ok, time to pay attention! We don’t want to upgrade Windows 7, we want to install a separate copy of Windows Server 2012 R2 Preview, so choose Custom: Install Windows only (Advanced) when prompted:

Next, move the highlight bar to the partition which represents the VHD we created with DISKPART. If you created a vdisk of 40000MB, it will appear here as an Unallocated Space drive that is 39.1GB in size. The key thing is to make sure the partition is marked as Unallocated Space. 

With the highlight bar on the correct drive, click New.

Accept the default size which should equal the value of the maximum switch used to create the vdisk. In this example, that value was 40000MB. Click Apply.

  • Note: The System Reserved partition is the boot partition created when I installed Windows 7.

With the correct drive still highlighted, click Format.


Click OK to get past the warning about losing data when formatting a drive.

Now that the device is formatted, click Next to continue.
NOTE: The warning Windows can’t be installed on drive 1 partition 1 is expected. You can ignore this.


In Part II of this multi-part post we’ll complete the Windows Server 2012 R2 Preview installation and tweak a couple of things in the file system to allow our new OS and old OS to share data files.

Windows to Go Step-by-Step

I’ve been itching to do Windows to Go for some time now, but I had to acquire an approved USB memory stick, which I did last week.  Windows to Go only takes a few minutes and can come in really handy.  Here is a short step-by-step to get Windows to Go up and running.

What You Will Need
A copy of the Windows 8 RTM media
The Windows Automated Installation Kit download
7-Zip
Approved USB memory stick or hard drive
A Windows 7 or Windows 8 machine with at least one USB 3.0 port

You can see the approved USB devices at this URL: http://technet.microsoft.com/en-us/library/hh831833.aspx

BTW, a USB hard drive can be used in place of a USB memory stick.  In this step-by-step I’m using a Kingston DataTraveler Workspace 64GB.  Whether using a memory stick or a hard drive, I will refer to “the device” as the “USB drive.”

Part I – Partition and Format the USB Drive
Boot your machine and log on.
Insert the USB drive into a USB 3.0 port.  In my case, I’m using a Dell E6330, and the USB 3.0 ports are constructed in a way that prevents me from plugging my USB drive in directly, so I had to get an extender.  The Workspace device is “thick” and the Dell’s USB 3.0 ports are recessed.
Open a command prompt as an administrator and enter the following command: Diskpart
The command should return the following:

C:\Windows\system32>diskpart
Microsoft DiskPart version 6.2.9200
Copyright (C) 1999-2012 Microsoft Corporation.
On computer: WIN8RTM-TW

DISKPART>

At the DISKPART> prompt enter List Disk
The command displays the list of disk devices:

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B
  Disk 1    Online           39 GB      0 B
  Disk 2    Online          465 GB      0 B
  Disk 3    Online           59 GB      0 B

DISKPART>

In my example above, I’m running Windows 8 from a VHD (Disk1) located on the physical internal drive (Disk0) and I have an external USB hard drive connected (Disk2) which means Disk3 is my USB drive.  I need to select Disk 3 as the Diskpart operations target, so enter Select Disk 3.

DISKPART> select disk 3
Disk 3 is now the selected disk.
DISKPART>

Now I need to clean the USB drive.  Just enter clean at the DISKPART prompt.

DISKPART> clean
DiskPart succeeded in cleaning the disk.
DISKPART>

Now create a primary partition on the USB drive.  At the DISKPART prompt enter create partition primary.

DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
DISKPART>

Now format the new partition using the NTFS file system: format fs=ntfs quick.
You don’t have to use a quick format, but a 64GB USB memory stick takes a l-o-n-g time to format.

DISKPART> format fs=ntfs quick
100 percent completed
DiskPart successfully formatted the volume.
DISKPART>

Finally, mark the partition as Active and exit DiskPart.

DISKPART> active
DiskPart marked the current partition as active.
DISKPART> exit
Leaving DiskPart…
C:\Windows\system32>

Part II – Extract the ImageX Tool
You need to extract the ImageX tool from the WAIK (for Windows 7) or the ADK (Windows Assessment and Deployment Kit).  You can either install the entire WAIK and then find the ImageX program, or you can mount the WAIK iso and open neutral.cab file in the 7-Zip Archive viewer, which is what I did.  I extracted the file F1_imagex to C:\Tools\ImageX.exe.  The ADK is installed as it is downloaded, so extracting just ImageX is problematic.


Find the file F1_imagex and extract the file.


Once you have copied the F1_imagex file to C:\Tools, rename the file to Imagex.exe.

Part III – Apply the Windows 8 Image to the USB Drive
Mount your Windows 8 RTM iso or put the Windows 8 RTM DVD media in your DVD drive and locate the file install.wim.  It should be in the sources folder. (Note: this screen capture was done after the fact.  In the example below, the Windows 8 media is exposed on drive H:.) 

Now, use the ImageX tool to apply the Windows 8 image to the USB drive.  In this case, the USB drive is exposed as drive G:.  The numeral “1” after the wim file name indicates ImageX should apply the first image that is part of the wim file.  The image source is on drive H: and the image target is drive G:.

C:\Windows\system32>c:\tools\imagex.exe /apply h:\sources\install.wim 1 g:\
ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.
Version: 6.1.7600.16385
[ 100% ] Applying progress

Successfully applied image.
Total elapsed time: 9 min 52 sec

C:\Windows\system32>

Now, make the USB drive (G:) bootable using bcdboot.exe.

C:\Windows\system32>bcdboot.exe g:\windows /s g: /f ALL
Boot files successfully created.

C:\Windows\system32>
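The Part I to Part III steps above, put into one script as an added example (this is not code from the original post). The point it adds is a guard in front of clean, which wipes whatever disk is selected: the script refuses any disk that is not on the USB bus or that Windows booted from, and asks for confirmation before touching it. It assumes Windows 8 (for Get-Disk and Get-Partition), an elevated PowerShell session, imagex.exe extracted to C:\Tools as in Part II, and the disk number and media drive letter passed as parameters; the same diskpart /s script-file pattern also covers the vdisk commands in the bootable-VHD post earlier on this page.

```powershell
# Added example: scripted Windows to Go build with a "wrong disk" guard.
param(
    [Parameter(Mandatory=$true)][int]$DiskNumber,      # the "Disk ###" value from "list disk", e.g. 3
    [Parameter(Mandatory=$true)][string]$MediaDrive,   # drive letter of the Windows 8 media, e.g. H:
    [string]$ImageX     = 'C:\Tools\imagex.exe',       # extracted in Part II
    [int]   $ImageIndex = 1                            # the "1" in the imagex command above
)
$ErrorActionPreference = 'Stop'

# Guard: refuse anything that is not a USB device or that Windows booted from
# (in the post, Disk 0 is the internal drive and Disk 1 the VHD Windows runs from).
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne 'USB') {
    throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB. Refusing to clean it."
}
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot or system disk. Refusing to clean it."
}
$sizeGb = [math]::Round($disk.Size / 1GB)
$answer = Read-Host "Clean disk $DiskNumber ($($disk.FriendlyName), $sizeGb GB)? Type YES to continue"
if ($answer -ne 'YES') { return }

# Part I, non-interactively: the same DiskPart commands as above in a script file.
# "assign" gives the new partition a drive letter so the later steps can find it.
$diskpartScript = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick
active
assign
exit
"@
$scriptPath = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart.exe /s $scriptPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Discover which letter the new partition received (G: in the post).
$letter = Get-Partition -DiskNumber $DiskNumber |
    Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
    Select-Object -First 1 -ExpandProperty DriveLetter
if (-not $letter) { throw 'The new partition did not receive a drive letter.' }
$target = "${letter}:"

# Part III: apply image index 1 from install.wim, then write the boot files.
$wim = "$($MediaDrive.TrimEnd('\'))\sources\install.wim"
if (-not (Test-Path $wim)) { throw "install.wim not found at $wim" }
& $ImageX /apply $wim $ImageIndex "$target\"
if ($LASTEXITCODE -ne 0) { throw "imagex failed with exit code $LASTEXITCODE" }
bcdboot.exe "$target\windows" /s $target /f ALL
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
Write-Host "Windows To Go drive $target is ready to boot."
```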

Your Windows to Go USB drive is ready to use.  You will need to set your BIOS to either give you an option to choose your boot device, or set the USB port higher in the boot order priority in order to force your machine to boot to the new Windows to Go device.  In my case, my Dell laptop allows me to press F12 at startup to choose my boot device.  This is what I did, but I ran into a big problem: no USB device was listed in the boot drive options menu.  After some experimentation, I determined that my USB 3.0 ports, which have to be added to the laptop using the DVD drive bay, are not boot capable.  RATS!  No worries, moving the USB drive to a USB 2.0 port allowed me to boot my machine and performance was very good.

The first time you use the USB drive on a machine Windows will have to detect hardware.  In my case, all the hardware drivers I needed were available.  This detection is a one-time thing per machine, i.e., the next time I boot my laptop from the Windows to Go USB drive, it will skip the device detection phase.  If I try to boot another machine using my Windows to Go USB drive, it will have to go through device detection again.  Not perfect, but in a pinch, this is a great solution for using your own PC without having to bring your own PC.  Total time to create my Windows to Go device: about 20 minutes.

Enjoy!

SCCM 2012 + MBAM – Start to Finish – Part 6

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:
1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.
2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.
3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplish the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent
Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

In Part 5 of this multipart post, we covered the following:
· How the MBAM agent installation and drive encryption tasks look from the client side.
· The steps the user must take to set the BitLocker PIN.
· How to verify the MBAM Agent was installed (and verify that the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working).
· How to verify drive C: is encrypted.
· How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
· How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM database.
· How to use the Event viewer on the client to verify the MBAM group policy was applied and that the MBAM Agent successfully communicated the drive encryption status to the MBAM Server.
· How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent stored the drive Recovery Key in the MBAM database.

In Part 6, I will attempt to identify common errors and misconfigurations with appropriate workarounds and fixes.

Objectives:
A quick recap of the objectives never hurts:

  • Provision a laptop with a Windows 7 operating system using SCCM OSD
  • Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
  • Install the MBAM agent and configure the agent to communicate with the MBAM server.
  • Instruct the MBAM agent to take ownership of the TPM.
  • Instruct the MBAM agent to encrypt the OS partition using BitLocker.
  • At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Common Issues

Error 0x8009030D – Service Account Cannot Access the Private Key
I did not run into this problem in my home lab, but I have run into it at two client sites so far, so I thought I would mention it.  The event log on the MBAM server has a recurring error:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

It turned out that this error is generated when the SQL Server service account does not have access to the machine keys used for the SSL Server private credential.  This is kind of an odd error, since the service account was a member of the local administrators group. 

The Fix:
1. Open Windows Explorer and navigate to: C:\ProgramData\Microsoft\Crypto\RSA\
2. Right click on the folder MachineKeys
3. Verify the SQL Server service account has at least Read permission on this folder
4. I had to assign Read permissions to the individual files within the MachineKeys folder to get this to work!

Read more about this issue at http://www.zerohoursleep.com/2010/11/a-fatal-error-occurred-when-attempting-to-access-the-ssl-server-credential-private-key/
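A scripted, narrower version of the fix above, added here as an example (it is not code from the original post or from the linked article). Rather than granting Read on every file under MachineKeys, which exposes every machine private key on the server to the service account, it locates the one key container file behind the SSL certificate and grants Read on the MachineKeys folder and on that file only. It assumes an elevated PowerShell session on the MBAM server, an RSA certificate whose key was created by a CSP (CNG keys are stored elsewhere and are not handled), and placeholder values for the service account and thumbprint.

```powershell
# Added example: least-privilege MachineKeys grant for the SSL certificate's key file.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_sql',                             # placeholder
    [string]$Thumbprint     = '0000000000000000000000000000000000000000'     # placeholder
)
$ErrorActionPreference = 'Stop'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Grant-ReadAccess([string]$Path, [string]$Account) {
    # Adds an explicit Allow:Read ACE for the account; existing ACEs are left untouched.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Granted Read to $Account on $Path"
}

# Resolve the SSL certificate to its key container file. For CSP keys the file name
# under MachineKeys is recorded in CspKeyContainerInfo.UniqueKeyContainerName.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$rsa  = $cert.PrivateKey
if (-not $rsa -or -not $rsa.CspKeyContainerInfo) {
    throw "Certificate $Thumbprint has no CSP private key accessible from this session."
}
$keyFile = Join-Path $machineKeys $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Key files under MachineKeys carry their own ACLs rather than inheriting the folder's,
# which is why the folder grant alone was not enough in step 3 above; the file needs its own ACE.
Grant-ReadAccess -Path $machineKeys -Account $ServiceAccount
Grant-ReadAccess -Path $keyFile     -Account $ServiceAccount
```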

Error message “An error has occurred” when you click the Hardware tab in the MBAM Console
This is, by far, the most common error I’ve encountered with MBAM.  It is so common, there is a KB article describing the issue and resolution at http://support.microsoft.com/kb/2620280.

The basic problem is that the machine cannot resolve “localhost” properly.  The fix replaces instances of “localhost” in the web.config file with the true FQDN of the MBAM server.

Administrator Cannot Retrieve the TPM Owner Password File
This error is particularly tricky, since the Administrator can usually retrieve the recovery key for the affected machine.  To verify you have this specific problem, open SQL Server Management Studio on the SQL Server hosting the MBAM database.  Expand the MBAM Recovery and Hardware database tables node.  Right-click the RecoveryAndHardwareCore.Machines table and return the top 1000 rows.  It should look something like this:
Notice two things.  There are entries for the different machines in the table, so MBAM has been installed on those machines.  However, the TpmPassword column is populated with NULL instead of a hash value.  I traced this problem back to the original TPM setup using CCTK.  In all test cases, the TPM ownership was established before the MBAM client was installed, preventing MBAM from taking ownership.  This behavior allows MBAM to encrypt the drive and store the recovery key in the MBAM database, but not the TPM Password file.  Since this file is necessary for administrators only when performing TPM functions and not BitLocker functions (like PIN resets), this condition may go overlooked until it is too late.  The fix is to ensure that the task sequence used to configure the TPM enables the TPM and creates the endorsement key pair, but does not take ownership.  The MBAM client itself must take ownership for this to work!
Note:  To be fair to CCTK, this was usually the result of the TPM module not being cleared properly.

There is no way to transfer or take ownership retroactively.  The best thing to do when a machine is found in this state is to
1. Isolate the machine and decrypt the drive
2. Clear the TPM module from the Control Panel and reboot
3. Re-apply the task sequence described in this series
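The fix above (enable the TPM and create the endorsement key pair, but leave ownership to the MBAM client) can be enforced with a pre-flight check run as a task-sequence step just before the MBAM agent install, so a machine with a pre-owned TPM stops the sequence instead of silently ending up with a NULL TpmPassword. This is an added example, not code from the original series; it assumes the step runs in the full Windows 7 OS with the TPM driver loaded (not WinPE) and uses the Win32_Tpm WMI class.

```powershell
# Added example: TPM pre-flight check for the step before "Install the MBAM Agent".
# Exit code 0 = TPM is enabled, activated, has an EK pair and is NOT owned.
$ErrorActionPreference = 'Stop'
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Host 'No TPM reported by Win32_Tpm; the CCTK enable/activate steps did not take effect.'
    exit 1
}

# Each Win32_Tpm query method returns an object whose ReturnValue is 0 on success
# and whose boolean property (same name as the method) carries the answer.
function Get-TpmFlag([string]$Method) {
    $result = $tpm.$Method()
    if ($result.ReturnValue -ne 0) {
        throw ('{0} failed with 0x{1:X8}' -f $Method, $result.ReturnValue)
    }
    [bool]$result.$Method
}

$enabled   = Get-TpmFlag 'IsEnabled'
$activated = Get-TpmFlag 'IsActivated'
$ekPresent = Get-TpmFlag 'IsEndorsementKeyPairPresent'
$owned     = Get-TpmFlag 'IsOwned'
Write-Host ("Enabled={0} Activated={1} EndorsementKeyPair={2} Owned={3}" -f $enabled, $activated, $ekPresent, $owned)

$problems = @()
if (-not $enabled)   { $problems += 'TPM is not enabled' }
if (-not $activated) { $problems += 'TPM is not activated' }
if (-not $ekPresent) { $problems += 'endorsement key pair is missing' }
if ($owned) {
    # This is the condition behind the NULL TpmPassword column above: ownership was
    # taken before the MBAM agent ran, so MBAM can never store the owner password file.
    $problems += 'TPM is already owned; clear the TPM and re-run so the MBAM agent can take ownership'
}

if ($problems.Count -gt 0) {
    Write-Host ('TPM pre-flight FAILED: ' + ($problems -join '; '))
    exit 1
}
Write-Host 'TPM pre-flight passed: the MBAM agent may take ownership.'
exit 0
```

A non-zero exit code fails the task-sequence step, so the sequence stops before the agent install and drive encryption run against a TPM MBAM cannot own.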

Summary
I hope this series will save network administrators time and frustration when implementing MBAM in their environments.  This stuff really does work!

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

This posting is provided “AS IS” with no warranties and confers no rights.

SCCM 2012 + MBAM Start to Finish – Part 5

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:
1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.
2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.
3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplish the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent
Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

In the fifth part of this multipart post, I will cover the following:
· How the MBAM agent installation and drive encryption tasks look from the client side.
· The steps the user must take to set the BitLocker PIN.
· How to verify the MBAM Agent was installed (and verify that the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working).
· How to verify drive C: is encrypted.
· How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
· How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM database.
· How to use the Event viewer on the client to verify the MBAM group policy was applied and that the MBAM Agent successfully communicated the drive encryption status to the MBAM Server.
· How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent stored the drive Recovery Key in the MBAM database.

Objectives:

A quick recap of the objectives never hurts:

  • Provision a laptop with a Windows 7 operating system using SCCM OSD
  • Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
  • Install the MBAM agent and configure the agent to communicate with the MBAM server.
  • Instruct the MBAM agent to take ownership of the TPM.
  • Instruct the MBAM agent to encrypt the OS partition using BitLocker.
  • At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

MBAM from the Client Machine’s Perspective

After the last reboot in the task sequence, the MBAM agent is installed.

clip_image001

The picture isn’t as clear as I would like, but the dialog says “Running Action: Install MBAM”

Shortly thereafter, the dialog changes to “Running Action: Install StartEncryption”

clip_image003

On the test machine there was some delay at this point, as much as three minutes. If the machine’s TPM is not Enabled and Activated, the task sequence will error out here. The first indicator of success is the drive light coming on solid and staying on. There are no reboots or any other warning; the screen just changes to the logon prompt:

clip_image005

From the user perspective, press CTRL-ALT-DEL and log on.

clip_image007

Instead of the usual background, the user may see the System Center wallpaper:
clip_image009
Notice the notification balloon in the lower right corner; the drive is encrypting.

If the user logs on immediately after the task sequence completes, as I did here, there is no prompt for a BitLocker PIN yet. This is because the policy requiring the PIN has not yet been applied. By default, it could take up to two hours for the policy to apply. A couple of workarounds are:

  • Reboot the machine after BitLocker encryption starts. This will not affect BitLocker; it will continue to encrypt the drive after rebooting.
  • Run gpupdate /force.
  • Wait for Group Policy application before logging on.

I wanted to see what would happen if I hurried through the process. Of course, I jumped through all kinds of hoops to hurry the process. I ran gpupdate /force and even logged off and logged on. Eventually I was rewarded with this:
clip_image011

If I waited for a while (maybe an hour or so) at the logon prompt at the end of the task sequence, this is what I saw when logging on for the first time:
clip_image013

It does not matter what the background is, or when the dialog is displayed; either way the Group Policy requiring a BitLocker PIN has been applied.
NOTE: A bit of explanation here. For this process to work, the drive encryption *must* start before the policy requiring a PIN is applied; otherwise BitLocker will not start encrypting the drive until a PIN is entered. Our objective is to automate as much of this process as possible. ConfigMgr prevents the workstation from processing Group Policy until after the task sequence is complete. This is something to keep in mind if the reader is attempting to use this task sequence with an MDT 2012 task sequence, which does allow the workstation to process policies.

Click Start.
clip_image015

When prompted, enter a PIN

clip_image017

Note: The policy applied allows both letters and numbers in the PIN.
After confirming the PIN, click Create PIN.

clip_image019

I entered an @ in my password. Just letters and numbers are allowed:

clip_image021

After re-entering a valid password and clicking Create PIN, a success dialog is displayed.
clip_image023

Click Exit.

The PIN is used at a warm or cold boot, and when bringing the machine out of hibernation. The PIN is *NOT* used when waking a sleeping machine. This will cramp my ConfigMgr style: any task sequence or update requiring a reboot will require user intervention from now on.

Verifying Agent Installation and Drive Encryption

Yes, when Bill Evans first logged on, he saw a notification balloon stating that the drive was being encrypted. However, if Bill had waited until the following morning to log on, he would have missed that notification. To verify, open Control Panel.
clip_image024
Note: This screen shot verifies two things. First, we can tell the MBAM Agent has been installed because the name of the BitLocker applet is BitLocker Encryption Options, not the default BitLocker applet named BitLocker Drive Encryption. Second, the fact that the default applet is hidden verifies that the Group Policy described in part two of this multipart post is hiding the default BitLocker applet as desired.

Now, open the BitLocker Encryption Options applet. The information displayed verifies drive C:, the OS partition, has been encrypted.
clip_image025
Note: Clicking the Manage your PIN link allows the user to change the PIN at any time. The user is *not* prompted for the old PIN or any other kind of identification. The same process is used to recover drives where the PIN is unknown, forgotten, or changed without the owner’s knowledge. There is only one PIN per machine. The first person that logs on after the policy requiring a PIN is applied gets to choose the PIN.

Verifying the Password Hash was pushed to the MBAM Server

If TPM ownership was already taken before the MBAM Agent attempted to take ownership, there are no errors; the script moves on and encrypts the drive. To verify the agent took ownership, check for the Owner password file on the MBAM server and/or query the MBAM database on the SQL Server.

Check for the Owner Password File on the MBAM Server

From the MBAM server site, click Manage TPM and enter the computer’s domain and computer name. If the MBAM agent took ownership, the MBAM Server will return the TPM Owner Password file as seen here:
clip_image027
Note: This test does not endanger any data on the encrypted drive.

Querying the MBAM Recovery and Hardware Database

On the SQL Server where the MBAM Recovery and Hardware database resides, logon as a SQL administrator and open the SQL Server Management Studio.
Navigate to the MBAM Recovery and Hardware database. Expand the Tables node, right click the RecoveryAndHardwareCore.Machines table and select Return Top 1000 Rows. Find the entry for the name of the computer. The example below shows that MBAMTEST10 did not copy its password hash to the MBAM server properly, but MBAMTEST24 did. (24th time’s the charm!)

clip_image029
Note: *Do NOT* try to manually enter failed password file hash entries!
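The manual Return Top 1000 Rows check above does not scale past a handful of machines. The following PowerShell script is an added example (not from the original post) that runs the same check against the whole table and lists the machines whose TpmPassword is NULL, i.e. the machines in the state described in Part 6 where the agent encrypted the drive but never stored a TPM owner password. Assumptions: the table is RecoveryAndHardwareCore.Machines as named on this page; the machine-name column is assumed to be called Name; the database name is the MBAM default and may differ in your environment; the account running the script has read access to the database through Windows integrated authentication.

```powershell
# Added example, not from the original post. Reports MBAM client machines whose TPM
# owner password hash was never stored (TpmPassword IS NULL).
# Assumptions: column "Name" holds the computer name; database name is the MBAM default.

function Get-MbamTpmPasswordStatus {
    param(
        [Parameter(Mandatory = $true)][string]$SqlServer,
        [string]$Database = 'MBAM Recovery and Hardware',
        [switch]$MissingOnly
    )
    $connString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd  = $conn.CreateCommand()
    # Never pull the hash itself into a report; whether it is NULL is all that matters here.
    $cmd.CommandText = @"
SELECT Name,
       CASE WHEN TpmPassword IS NULL THEN 0 ELSE 1 END AS HasTpmPassword
FROM   RecoveryAndHardwareCore.Machines
ORDER  BY Name
"@
    $rows = @()
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        $nameIdx = $reader.GetOrdinal('Name')
        $hasIdx  = $reader.GetOrdinal('HasTpmPassword')
        while ($reader.Read()) {
            $rows += New-Object PSObject -Property @{
                Name           = [string]$reader.GetValue($nameIdx)
                HasTpmPassword = ([int]$reader.GetValue($hasIdx) -eq 1)
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Close()
    }
    if ($MissingOnly) { $rows | Where-Object { -not $_.HasTpmPassword } } else { $rows }
}

# Usage: every machine listed needs the remediation from Part 6
# (decrypt, clear the TPM, re-run the task sequence). 'SQL01' is a constructed server name.
Get-MbamTpmPasswordStatus -SqlServer 'SQL01' -MissingOnly | Format-Table Name, HasTpmPassword
```

Run it from an administrative workstation rather than on the SQL Server itself, and treat the output as sensitive inventory: the list is effectively a list of machines whose TPM cannot be administered through MBAM.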

Verifying the Recovery Key is Stored on the MBAM Server

On the client side, look for two Event log entries. First, Event ID 1, MBAM group policy settings have been applied successfully.

clip_image031

Without the Group Policy settings, the MBAM agent does not know to which server it should report its status. Next, Event ID 3, the encryption status was communicated to the MBAM Server successfully.

clip_image033

To check for the Recovery Key on the server, you’ll need to get the machine to display the Recovery Key ID. If you’ve enabled a BitLocker PIN, you can press ESC at the PIN prompt to enter the Recovery Console.

clip_image035
Note: Doing this will not endanger any data on the disk.

Now write down the Recovery Key ID. Only the first eight characters are required. Again, this is not going to put any of your data in danger. This is just a test.
clip_image037
Note: At this point, we have all the information we need for the database population test. You can press ESC to exit the Recovery console, or just reboot. Enter the correct PIN at boot and you are back in business on the test machine.

Go to the MBAM Server console, click Drive Recovery and enter the eight-character Recovery Key ID, then click Submit.
clip_image038

If the MBAM agent worked properly, the drive recovery key is displayed in the console:
clip_image040
This verifies the MBAM agent successfully stored the drive recovery key in the MBAM database.
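The client-side checks in this section (Event ID 1 for policy, Event ID 3 for the status report, and the encryption state of drive C:) can be scripted so they do not depend on a user catching the notification balloon. The script below is an added example, not from the original post. Assumptions: the MBAM client writes to the Microsoft-Windows-MBAM/Admin and Microsoft-Windows-MBAM/Operational logs (the page only says "Event log"); Event IDs 1 and 3 are the ones named in the text; manage-bde.exe output is parsed in its English form, so the regular expressions need adjusting on localized builds.

```powershell
# Added example, not from the original post. Verifies from the client side that the
# MBAM policy was applied (Event ID 1), the encryption status was reported to the
# MBAM server (Event ID 3) and drive C: is encrypted. Run as a local administrator.
# Assumed log names: Microsoft-Windows-MBAM/Admin and /Operational.

function Get-MbamClientEvents {
    param([int[]]$EventId = @(1, 3), [int]$Days = 7)
    $logs = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
    # Get-WinEvent raises an error instead of returning nothing when no event matches.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $logs
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, LogName, Message
}

function Get-BitLockerStatusFromManageBde {
    param([string]$Drive = 'C:')
    # manage-bde ships with Windows 7; Get-BitLockerVolume does not exist there.
    $text = (& manage-bde.exe -status $Drive 2>&1) | Out-String
    $status = if ($text -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $pct    = if ($text -match 'Percentage Encrypted:\s+([\d.]+)\s*%') { [double]$Matches[1] } else { -1 }
    New-Object PSObject -Property @{
        Drive            = $Drive
        ConversionStatus = $status
        PercentEncrypted = $pct
    }
}

function Test-MbamClientState {
    $events = @(Get-MbamClientEvents)
    $ids    = $events | ForEach-Object { $_.Id } | Sort-Object -Unique
    $bl     = Get-BitLockerStatusFromManageBde
    New-Object PSObject -Property @{
        PolicyApplied    = ($ids -contains 1)   # Event ID 1 seen in the last 7 days
        StatusReported   = ($ids -contains 3)   # Event ID 3 seen in the last 7 days
        ConversionStatus = $bl.ConversionStatus # 'Fully Encrypted' when done
        PercentEncrypted = $bl.PercentEncrypted
        FullyEncrypted   = ($bl.ConversionStatus -eq 'Fully Encrypted')
    }
}

Test-MbamClientState | Format-List PolicyApplied, StatusReported, ConversionStatus, PercentEncrypted, FullyEncrypted
```

If PolicyApplied is false, StatusReported will normally be false as well, since without the Group Policy settings the agent does not know which server to report to; fix the policy before chasing the server side.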

Summary

Part 5 of this multipart post covered the following:

  • How the MBAM agent installation and drive encryption look from the client side
  • The steps the user must take to set the BitLocker PIN
  • How to verify the MBAM Agent was installed (and verify the Group Policy to hide BitLocker Drive Encryption applet in Control Panel is working)
  • How to verify drive C: is encrypted.
  • How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
  • How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM Server
  • How to use the Event viewer on the client to verify the MBAM group policy has been applied and that the MBAM Agent has successfully communicated the drive encryption status to the MBAM Server.
  • How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent has stored the drive Recovery Key in the MBAM database.

Part 6 of this multipart post will cover common MBAM deployment issues and resolutions.


SCCM 2012 + MBAM Start to Finish – Part 4

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages\programs were covered:

1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.

2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.

3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

In the fourth part of this multipart post, I will cover the tasks included in the task sequence. I will not cover in detail those tasks which are part of the OS installation – there are many fine posts on that subject. I include these tasks so readers can determine the order of tasks and which tasks are prerequisite to MBAM agent configuration. I will concentrate on those tasks which are critical to MBAM agent installation and configuration.

Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.

Objectives:

A quick recap of the objectives never hurts:
· Provision a laptop with a Windows 7 operating system using SCCM OSD
· Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
· Install the MBAM agent and configure the agent to communicate with the MBAM server.
· Instruct the MBAM agent to take ownership of the TPM.
· Instruct the MBAM agent to encrypt the OS partition using BitLocker.
· At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Task Sequence Prerequisites

If the test workstation has used BitLocker previously:

1. Run TPM.msc. Click Clear TPM
clip_image002
NOTE: You need to do this only if your disk is already encrypted with BitLocker.

2. At the Clear the TPM security hardware prompt, select I do not have the TPM owner password
clip_image004

3. This requires a reboot. When prompted, clear the TPM. In this example, press F12.
clip_image006

4. Use Diskpart to “clean” the disk.
Note: This step requires boot media or a boot image with Command Prompt support enabled.

   1. Boot the machine with TS boot media, or PXE boot to WinPE
clip_image008

   2. Before entering a password, press F8 to open a Command Prompt.
clip_image010

   3. Enter the following commands:
X:\sms\bin\x64> diskpart
DISKPART> select disk 0
DISKPART> clean
DISKPART> exit
X:\sms\bin\x64> exit

   4. Now continue with your task sequence.

Task Sequence Construction

Installing the OS
Task Purpose
clip_image012 This task is standard in SCCM Operating System Deployment task sequences. This task is performed only if the computer is not already in WinPE.
clip_image014 Partition Disk 0. This task creates the Boot partition and the Operating System partition. Microsoft recommendation at this date is to create a boot partition at 600MB in size. Under normal circumstances, the remainder of disk 0 would become the Operating System partition. In this case, the OS partition is limited to 40GB in order to shorten encryption times during testing.
clip_image016 Boot partition detail. The partition is assigned a variable (BOOTPART) which can be called from other tasks.
clip_image018 OS partition detail. Assignment of the variable OSPART is critical to the success of this task sequence. Again, under normal circumstances, this partition would be 100% of the remaining disk. The 40GB size allows for faster testing of the task sequence.
clip_image020 Apply Operating System. This task downloads the WIM file containing the operating system image. In this example, image 1 of 1 is being applied to the partition assigned the variable OSPART.
clip_image022 Apply Windows Settings. This task applies the settings defined, such as the product key, time zone and administrator account password. These values apply to every computer that uses this task sequence for OS installation.
clip_image024 Set Task Sequence Variable. This task was necessary in my lab environment, since I did not have the use of DHCP. Under normal circumstances, an OSD task sequence does not need this variable defined.
clip_image026 Apply Network Settings. This task joins the computer to the domain, identifies the account configured to join computers to the domain and identifies the target OU for the computer account in Active Directory. In this example, the network adapter is assigned a static IP address – a limitation of the lab environment. Under normal circumstances, DHCP is used to acquire addresses and there is no need to assign static addresses.
clip_image028 Apply Device Drivers.
clip_image030 Setup Windows and Configuration Manager. This task performs device detection and OOB setup. This task actually applies those items configured in the Apply Windows Settings and Apply Network Settings tasks. This task automatically reboots the computer.
clip_image032 Install Intel Display Driver. Self-explanatory.
clip_image034 The Display Driver installation program requires that the system restart before any other changes can be made. It is better to let ConfigMgr control the restart. Be sure to reboot to the currently installed default operating system.
Modifying the TPM State

All tasks up to this point are associated with an ordinary operating system deployment. The next set of tasks modifies the state of the TPM to ensure the MBAM Agent can take ownership of the TPM. This process was explained in detail in Part 1. To recap, the tasks associated with the TPM have to accomplish the following:

1. Set the BIOS setup password. Some operations of the CCTK utility require that a BIOS password be set. This exercise assumes no BIOS password is set on the test machine.

2. Enable the TPM.

3. Reboot the machine – Note: this reboot is not required by all Dell BIOS versions.

4. Activate the TPM

5. Reboot the machine

6. Clear the BIOS setup password, returning the BIOS password to its original state

Note: this exercise assumes there is no BIOS setup password configured on the target workstation. If a standard BIOS setup password is used, disable or delete the Set BIOS Password and Clear BIOS Password tasks.

Task Purpose
clip_image036 Copy CCTK. This task installs a package that runs a batch file. This is a workaround, since a direct copy requires a user context in which to run. To avoid this, the package files are downloaded to the CCMCache folder. One of the files is the Copy Files batch, which copies the CCTK files and scripts to a permanent folder: c:\windows\cctk.
clip_image038 Set BIOS Password. This task uses the CCTK to set a BIOS password, allowing subsequent configuration commands to be automated. (BIOS configuration modification is always password protected.) Note: This task must be run in the security context of a local administrator.
clip_image040 Enable TPM. This task enables the TPM module. Note: This task must be run in the security context of a local administrator.
clip_image042 Restart Computer. A restart is required after enabling the TPM module.
clip_image044 Activate TPM. This task activates the TPM module. Note: This task must be run in the security context of a local administrator.
clip_image046 Restart Computer. TPM activation requires a reboot.
clip_image048 Clear BIOS Password. This task uses the CCTK to clear the BIOS password, returning the password configuration to its original state. Note: This task must be run in the security context of a local administrator.
clip_image050 Install MBAM. This task copies the MBAM installer package to the CCMCache and installs the agent using msiexec.exe (the Windows Installer).
clip_image052 Install StartMBAMEncryption. This task copies two VBScript files and two support files to the CCMCache, then runs the StartMBAMEncryption script. The script instructs the MBAM agent to initialize (take ownership of) the TPM and push the TPM owner password file to the MBAM server. After the TPM is initialized, the script instructs the MBAM agent to encrypt the OS drive.
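The TPM tasks in the table above, and the Part 6 finding at the top of this page that a TPM owned before the MBAM agent is installed leaves TpmPassword NULL, both come down to one requirement: when the Install MBAM step runs, the TPM must be Enabled, Activated and not yet Owned. The script below is an added example, not code from the original post, that wraps the CCTK steps and adds a Verify step, using the Win32_Tpm WMI class that ships with Windows 7, to fail the task sequence before the agent is installed if the TPM is in the wrong state. Assumptions: the CCTK switches are taken from Dell's CCTK documentation (this page says Part 1 showed the real commands; they are not on this page), the cctk.exe path is the folder CopyFiles.cmd populates, and the task-sequence variable name BIOSSETUPPWD is a constructed placeholder.

```powershell
# Added example, not from the original post. One task-sequence step per invocation:
#   powershell.exe -ExecutionPolicy Bypass -File Set-TpmState.ps1 <EnableTpm|ActivateTpm|Verify|...>
# Must run as a local administrator (WMI TPM methods and CCTK both require it).
# CCTK switches and the cctk.exe location are assumptions, see the lead-in.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM found; it is probably disabled in the BIOS.' }
    # Each IsXxx() method returns an object carrying a boolean property of the same name.
    New-Object PSObject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Test-TpmReadyForMbam {
    param($State = (Get-TpmState))
    $problems = @()
    if (-not $State.Enabled)   { $problems += 'TPM is not enabled' }
    if (-not $State.Activated) { $problems += 'TPM is not activated' }
    # Ownership taken by anything other than the MBAM agent (CCTK, TPM.msc, an earlier
    # BitLocker setup) is exactly the TpmPassword = NULL condition described in Part 6.
    if ($State.Owned) { $problems += 'TPM is already owned; MBAM cannot take ownership. Clear the TPM and redeploy.' }
    New-Object PSObject -Property @{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

function Invoke-Cctk {
    param([string[]]$Arguments)
    $exe = Join-Path $env:SystemRoot 'cctk\cctk.exe'   # assumed: where CopyFiles.cmd puts it
    $p = Start-Process -FilePath $exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "cctk $($Arguments -join ' ') returned exit code $($p.ExitCode)" }
}

# Read the BIOS setup password from a task-sequence variable (constructed name) so it
# never sits in a file in the package; fall back to an obvious placeholder for lab use.
$biosPwd = $null
try {
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $biosPwd = $tsEnv.Value('BIOSSETUPPWD')
} catch { }
if (-not $biosPwd) { $biosPwd = 'CHANGEME-placeholder' }

switch ($args[0]) {
    'SetPassword'   { Invoke-Cctk @("--setuppwd=$biosPwd") }                                # step 1
    'EnableTpm'     { Invoke-Cctk @('--tpm=on', "--valsetuppwd=$biosPwd") }                   # step 2
    'ActivateTpm'   { Invoke-Cctk @('--tpmactivation=activate', "--valsetuppwd=$biosPwd") }    # step 4
    'ClearPassword' { Invoke-Cctk @('--setuppwd=', "--valsetuppwd=$biosPwd") }                # step 6
    'Verify' {
        # Place this step immediately before Install MBAM; a non-zero exit fails the sequence.
        $check = Test-TpmReadyForMbam
        if (-not $check.Ready) {
            foreach ($problem in $check.Problems) { Write-Error $problem }
            exit 1
        }
        Write-Output 'TPM is enabled, activated and unowned: MBAM can take ownership.'
    }
    default { Write-Error 'Usage: SetPassword | EnableTpm | ActivateTpm | ClearPassword | Verify'; exit 2 }
}
```

The Verify step is the part worth keeping even if the CCTK wrapper is not used: it turns the silent failure described in Part 6 (encryption succeeds, TPM password never stored) into a visible task-sequence error at the point where it can still be fixed by clearing the TPM.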

Summary

In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplishes the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent

Part 5 of this multipart post will cover the steps to verify communication with the MBAM server and drive encryption.


SCCM 2012 + MBAM Start to Finish – Part 3

In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.

In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.

Objectives:

A quick recap of the objectives never hurts:
· Provision a laptop with a Windows 7 operating system using SCCM OSD
· Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
· Install the MBAM agent and configure the agent to communicate with the MBAM server.
· Instruct the MBAM agent to take ownership of the TPM.
· Instruct the MBAM agent to encrypt the OS partition using BitLocker.
· At first logon, the laptop user should be prompted to enter a BitLocker PIN.

Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.

Task Sequence Package Requirements

NOTE: This post refers to the software sources share. This is a generic label for a simple file share that the SCCM packages use as the source for software imported into the Content Library. In the test lab, this share is located on the SCCM server. There is nothing preventing locating this share on another server with file services.

In the following configuration documentation, if a configuration setting is not called out, it was left at its default value or unconfigured if that setting has no default value.

MBAM Agent

Microsoft recommends creating only one package for MBAM Agent deployment. The MBAM Client installation software should be stored in two subfolders, x86 and x64 (I changed the name of the x64 folder to amd64 to match other dual-bitness packages in my environment). Theoretically, two separate packages, each with one program would work, but Microsoft recommends one package with two programs. In my example, I created the software package with the two subfolders. Since I did not test 32-bit clients, I created only the program for 64-bit clients.

Configuration Notes
clip_image002 Here are the source files for the MBAM Client (agent) in my lab environment. I copied these from the MDOP 2011 R2 distribution media.
clip_image004 Use a name that fits conventions used in the target environment. In this example, the name is simply MBAM Client.
clip_image006 Configure the package as having source files. Set the source to point to the empty parent folder of both 32-bit and 64-bit versions.
clip_image008 Distribute the package to at least one distribution point.
clip_image010 Create a program for the MBAM Client package. In this example, the package has one program, MBAM Agent. The program command line is:
msiexec.exe /i MBAMCLient-64bit.msi /q
In this example, this program starts in the amd64 subfolder of the package file structure.
clip_image012 In the test environment, the program was limited to running on Windows 7 64-bit machines only.
clip_image014 The program is configured to run whether or not a user is logged on.
clip_image016 Be sure to configure the program to allow installation within a Task Sequence without the package being deployed. Note: SCCM 2012 Deployments are similar to Advertisements in SCCM 2007.

Start MBAM Encryption

This package contains four files:

StartMBAMEncryption.wsf – Script that stops and starts the MBAM Agent, imports registry entries and starts OS partition encryption. This script can be downloaded from: http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-48-21-05/StartMBAMEncryption.zip
ZTIUtility.vbs – Called by StartMBAMEncryption.wsf. This script is part of the MDT. Assuming MDT 2012 was installed on the SCCM 2012 server, copy this file from <installation drive letter>:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts to the software source folder for the package.
AddMBAMRegEntries.reg – Registry settings file created in Part 1 of this post. The file should be copied to the software sources folder for the package.
RemoveMBAMRegEntries.reg – Registry settings file created in Part 1 of this post. The file should be copied to the software sources folder for the package.
Configuration Notes
clip_image018 There are four source files to include in the package. StartMBAMEncryption.wsf is a script available for download from http://blogs.technet.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-03-48-21-05/StartMBAMEncryption.zip The two reg files are the two files created in the last section of Part 1 of this multipart post. ZTIUtility.vbs is part of the MDT, which should be installed on the SCCM server. In the lab environment, this file was located in C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts.
clip_image020 Use a package name that fits conventions used in the target environment. In this example, the name is MBAM Encryption Script.
clip_image022 Configure the package to have source files. Set the source folder to the folder in the software source share where the four files mentioned above are copied.
clip_image024 Distribute the package content to at least one Distribution Point.
clip_image026 Create a program for the MBAM Encryption Script package. In this example, the program is named StartEncryption. The command line used by the program is cscript.exe StartMBAMEncryption.wsf /addRegFile:AddMBAMRegEntries.reg /removeRegFile:RemoveMBAMRegEntries.reg
clip_image028 This program is configured to run on Windows 7 64-bit machines only.
clip_image030 The program is configured to run whether or not a user is logged on.
clip_image032 Be sure to configure the program to allow installation within a Task Sequence without the package being deployed. Note: SCCM 2012 Deployments are similar to Advertisements in SCCM 2007.

CCTK

The Dell Client Configuration Tool Kit (CCTK) is the utility used to automate BIOS changes, i.e., changing the configuration of the Trusted Platform Module (TPM). This example uses version 2.1 for Windows, which can be downloaded from here:

http://en.community.dell.com/techcenter/systems-management/w/wiki/1952.dell-client-configuration-toolkit.aspx

What the CCTK does in this exercise was discussed in detail in Part 1 of this multipart post. Suffice to say, the CCTK places the TPM in the correct state that allows the MBAM agent to take ownership of the TPM.

Unlike the other packages, which install and run some type of executable, this package simply copies the content of the package to a permanent location on the workstation’s hard drive. The CCTK itself is called by other tasks later in the task sequence. The package’s single program runs CopyFiles.cmd. This batch file copies the package content to the \Windows\cctk folder. It also copies a text file to the CCM\Logs folder to help troubleshoot execution problems: if the file cctk-success.txt is in the CCM\Logs folder, the CCTK files were copied to the local hard drive correctly.

CopyFiles.cmd

REM Create the permanent CCTK folder on the OS drive
md \windows\cctk
REM Copy the whole package content, subfolders included, from the package working directory
xcopy . \windows\cctk /s/e
REM success.txt is part of the package content; copying it to CCM\Logs leaves a marker that the xcopy succeeded
copy \windows\cctk\success.txt \windows\ccm\logs\cctk-success.txt

Configuration Notes
clip_image034 The package source files include executables, scripts and DLLs. The CCTK BIOS utility is hardware specific. In this example a Dell Latitude E6320 is used as the test machine.
clip_image036 Use a package name that fits conventions used in the target environment. In this example, the name is Dell CCTK.
clip_image038 Configure the package to have source files. Set the source folder to the folder in the software source share where the files mentioned in the overview above are copied.
clip_image040 Distribute the package content to at least one Distribution Point.
clip_image042 Create a program for the Dell CCTK package. In this example, the program is named Copy files. The command line used by the program is copyfiles.cmd
clip_image044 This program is configured to run on Windows 7 64-bit machines only.
clip_image046 The program is configured to run whether or not a user is logged on.
clip_image048 Be sure to configure the program to allow installation within a Task Sequence without the package being deployed. Note: SCCM 2012 Deployments are similar to Advertisements in SCCM 2007.
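Because the CCTK package only copies files and leaves the real work to later tasks, it helps to have a client-side check that confirms the copy landed and that the TPM is in a state the MBAM agent can work with before the encryption step runs. The following PowerShell script is an added example for that purpose; it is not part of the original post or of the CCTK. It uses the paths from CopyFiles.cmd above (\Windows\cctk and CCM\Logs\cctk-success.txt) and reads TPM state from the Win32_Tpm WMI class. The executable name cctk.exe, the log file name MbamPrereqCheck.log and the pass/fail rule are assumptions.

```powershell
# Added example (not from the original post): verify on a client that the Dell CCTK
# package content is where CopyFiles.cmd puts it and that the TPM is enabled and
# activated. Paths mirror the post (\Windows\cctk, CCM\Logs); the executable name
# cctk.exe and the log file name MbamPrereqCheck.log are assumptions.

function Test-CctkCopy {
    param(
        [string]$CctkFolder = (Join-Path $env:windir 'cctk'),
        [string]$Marker     = (Join-Path $env:windir 'ccm\logs\cctk-success.txt')
    )
    $folderOk = Test-Path -LiteralPath $CctkFolder -PathType Container
    # cctk.exe is assumed to sit somewhere under the copied tree (CCTK ships per-architecture subfolders)
    $exeOk = $false
    if ($folderOk) {
        $exe = Get-ChildItem -LiteralPath $CctkFolder -Recurse -Filter 'cctk.exe' -ErrorAction SilentlyContinue | Select-Object -First 1
        $exeOk = [bool]$exe
    }
    $markerOk = Test-Path -LiteralPath $Marker -PathType Leaf
    New-Object PSObject -Property @{
        FolderExists = $folderOk
        ExeFound     = $exeOk
        MarkerExists = $markerOk
        Ok           = ($folderOk -and $exeOk -and $markerOk)
    }
}

function Get-TpmReadiness {
    # Win32_Tpm lives in the MicrosoftTpm namespace; it is absent when there is no TPM or it is off in the BIOS
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Write-CheckLog {
    param([string]$Message)
    $logFile = Join-Path $env:windir 'ccm\logs\MbamPrereqCheck.log'   # assumed file name
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $logFile -Value $line -ErrorAction SilentlyContinue
    Write-Output $line
}

$copy = Test-CctkCopy
$tpm  = Get-TpmReadiness

Write-CheckLog ('CCTK copy: folder={0} exe={1} marker={2}' -f $copy.FolderExists, $copy.ExeFound, $copy.MarkerExists)
Write-CheckLog ('TPM: present={0} enabled={1} activated={2} owned={3}' -f $tpm.Present, $tpm.Enabled, $tpm.Activated, $tpm.Owned)

# The exit code drives the success or failure of a "Run Command Line" task sequence step.
# A TPM that is already owned is logged but not treated as a failure here.
if ($copy.Ok -and $tpm.Present -and $tpm.Enabled -and $tpm.Activated) {
    Write-CheckLog 'PASS: CCTK files present and TPM enabled/activated'
    exit 0
}
Write-CheckLog 'FAIL: CCTK copy incomplete or TPM not enabled/activated'
exit 1
```

Run it as a "Run Command Line" step (powershell.exe -ExecutionPolicy Bypass -File the script) after the Dell CCTK program and before the MBAM encryption step; a non-zero exit code stops the sequence there, and the log in CCM\Logs shows which of the two prerequisites was missing. New-Object PSObject is used instead of [pscustomobject] so the script also runs on the PowerShell 2.0 that ships with Windows 7.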

Summary

In Part 3 of this multipart post, we covered the packages and programs required to automate MBAM client distribution and OS partition encryption. Three packages/programs were covered:

1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.

2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.

3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.

Part 4 will detail the tasks used in the task sequence.

Credit Where Credit is Due Department

If I have seen further it is by standing on the shoulders of giants

This multipart post references material found at the following websites:

Using MBAM to start BitLocker Encryption in a Task Sequence
David Hornbaker
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Enable TPM in task sequence with SCCM and CCTK
Joachim Nässlander
http://nullsession.com/2010/12/enable-tpm-in-task-sequence-with-sccm-and-cctk/

How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

Check to see if the TPM is enabled
Tim Mintner
http://blogs.technet.com/b/deploymentguys/archive/2010/12/22/check-to-see-if-the-tpm-is-enabled.aspx

BitLocker/MBAM–Endorsement Keys and TPM Ownership
Dustin Hedges
http://myitforum.com/myitforumwp/2011/11/14/bitlockermbamendorsement-keys-and-tpm-ownership/

Customising Windows 7 deployments – part 5
Niall Brady
http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/

This posting is provided “AS IS” with no warranties and confers no rights.