Monday, June 4, 2012

SCCM and Bitlocker TPM Real Life




Alright, I felt like blogging some more about getting the TPM activated on Dell, HP and Lenovo,
so that BitLocker can be put into action.



Common Steps I use:
  1. DC - Prepare Active Directory
  2. SCCM - Prepare a 350MB Bitlocker partition in TS
  3. SCCM - Update BIOS
  4. SCCM - Reboot
  5. SCCM - Enable/Activate TPM and Set BootSequence
  6. SCCM - Reboot
  7. SCCM - Enable Bitlocker and place it as the last step in the TS
  8. SCCM - Add Disable Bitlocker on the Top of the TS
  9. SCCM - Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.

The tricky part is step 4; each vendor has its own way of turning on features in the BIOS. And as this is a security device, you may have trouble setting this configuration if it has an Admin password etc., and you may lock yourself out. Oh, and yes, the BIOS update can be a bit tricky too; I've blogged about that before.


With ConfigMgr 2012 SP1 you can add a Pre-provision BitLocker step to your Task Sequence that starts encrypting the disk right before the Apply Operating System step.
This way the encryption will be almost complete when the OSD finishes, and with very little overhead.
Cool feature!


1. Do the required steps to prepare your Active Directory first and set the Group Policies.
http://technet.microsoft.com/en-us/library/dd875529(WS.10).aspx

Then before you add the Enable Bitlocker step in the SCCM Task Sequence, you need to get the TPM chip activated on the Client computers prior to this step.
So here we go.

It's all very easy when you know how, right :-)

You can test the command lines manually, but remember to run the cmd as Administrator.


Dell
You need to get Your hands on the Dell CCTK:
The latest version of CCTK is 2.1.
http://downloads.dell.com/folder00480000m/2/Sys-Man_Application_H1TD3_WN32_2.1_A00.EXE

The CCTK, gives you ability to turn on TPM chip, set password, BIOS setting etc..
You can either inject it into the Boot image, or just use it like an Application package and run the commands.
The second option is the easiest.
Dell TPM Bios - SCCM Task Sequence example
http://www.delltechcenter.com/page/How+to%3A+Enable+Trusted+Platform+Module+Using+a+ConfigMgr+2007+Task+Sequence


Remember the checkbox Disable 64-bit file system redirection on the 64bit TaskSequence step.






HP
The REPSET file is the clue here..
First, Download the utility needed:
http://h20331.www2.hp.com/hpsub/cache/284133-0-0-225-121.html?jumpid=ex_R2845_vanityim/gossm/ka011106

You need to create a TPMEnable.REPSET file.
This is what I've created, listed as text here:
English
Reset of TPM from OS
 *Disable
 Enable
OS Management of TPM
 Disable
 *Enable
Activate Embedded Security On Next Boot
 Disable
 *Enable
Embedded Security Device Availability
 *Available
 Hidden
Embedded Security Activation Policy
 F1 to Boot
 Allow user to reject
 *No prompts
Power-On Authentication Support
 *Disable
 Enable
Password Minimum Length
 8
At least one symbol required
 Yes
 *No
At least one number required
 Yes
 *No
At least one upper case character required
 Yes
 *No
At least one lower case character required
 Yes
 *No
HP SpareKey
 *Disable
 Enable
Always Prompt for HP SpareKey Enrollment
 *Disable
 Enable
Are spaces allowed in password
 Yes
 *No
Boot Order
 Hard Drive(C:)
 Network Controller


Now, for SCCM, the command line is:
BiosConfigUtility.exe /setConfig:TPMEnable.REPSET /NewAdminPassword:Nicolai1!

Yes, with HP you have to set an Admin password, just like Dell.

But what if you already have a Password?
Then Run this:
BiosConfigUtility.exe /setconfig:TPMEnable.REPSET /cspwd:"Passord" /nspwd:"Passord"

---
It's very often smart to test the commands manually if they are not working as expected.
Now, this is the status you want in the TPM Management in Windows:
The computer is now ready for the Enable Bitlocker step in the Task Sequence.




Lenovo
Lenovo made it very easy actually. It's all about WMI. :-)
Download the Script and put it in a Package.
Sample Scripts for BIOS Deployment Guide
http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles_pdf/script.zip
BIOS Setup using Windows Management Instrumentation Deployment Guide - English
http://download.lenovo.com/ibmdl/pub/pc/pccbbs/thinkcentre_pdf/crdeploy_en.pdf
But somehow Lenovo uses different names in the BIOS for enabling the TPM depending on whether it's a laptop or a desktop: SecurityChip and TCG Security Feature.

So the command for:
Laptops:
Cscript.exe SetConfig.vbs SecurityChip Active

Desktops:
Cscript.exe SetConfig.vbs "TCG Security Feature" Active 

You can list the Bios settings with this command:
cscript.exe ListAll.vbs
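As an added example (not Lenovo's SetConfig.vbs), here are the WMI calls the script wraps, written in PowerShell so you can see what "it's all about WMI" means. It assumes the Lenovo_* BIOS classes exist in root\wmi and that no supervisor password is set.

```powershell
# Added example, not Lenovo's SetConfig.vbs: the WMI calls behind the script.
# Assumes the Lenovo_* BIOS classes in root\wmi are present and no supervisor
# password is set. Run elevated; the change takes effect on the next reboot.
$ns = 'root\wmi'

# Lenovo_BiosSetting.CurrentSetting is "Name,Value"; the TPM item is named
# "SecurityChip" on laptops and "TCG Security Feature" on desktops, so match both.
$tpmSetting = Get-WmiObject -Namespace $ns -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting -match '^(SecurityChip|TCG Security Feature),' } |
    Select-Object -First 1

if (-not $tpmSetting) {
    Write-Output 'No TPM setting exposed by this BIOS; nothing to do.'
    exit 1
}
$name, $current = $tpmSetting.CurrentSetting -split ',', 2
Write-Output "$name is currently: $current"

if ($current -ne 'Active') {
    # Stage the change, then commit it; both calls return "Success" when they work.
    # With a supervisor password the argument becomes "Name,Value,password,ascii,us".
    $setter = Get-WmiObject -Namespace $ns -Class Lenovo_SetBiosSetting
    $r1 = $setter.SetBiosSetting("$name,Active").return
    $saver = Get-WmiObject -Namespace $ns -Class Lenovo_SaveBiosSettings
    $r2 = $saver.SaveBiosSettings('').return
    Write-Output "Set: $r1  Save: $r2"
    if ($r1 -ne 'Success' -or $r2 -ne 'Success') { exit 1 }
}
exit 0
```

The exit code makes the step fail visibly in the Task Sequence when the BIOS rejects the change, instead of silently continuing to Enable BitLocker on a TPM that is still off.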

Set the Boot Order to HDD first.
The way the TPM secures the encryption keys is by ensuring that the way your system boots is always the same as it was at the time you enabled BitLocker. This means that if you are encrypting your system drive (C:), it is important to set the boot order so that the Hard Drive is always first.

It is therefore important that the boot order is not changed after BitLocker is enabled.

If you need to do changes, like BIOS Update etc.. Pause/Disable the Bitlocker in Windows.


And if you just want BitLocker on laptops, it's easy to do with a Task Sequence Variable and the MDT Toolkit. The condition is then IsLaptop Equals True.



8. SCCM - Add Disable Bitlocker on the Top of the Task Sequence

To be able to refresh a computer you need to turn off BitLocker on the C:\ partition.
This is done very simply by adding Disable BitLocker at the top of your Task Sequence,
with the Task Sequence Variable condition _SMSTSInWinPE Equals "false",
because you only want to run the step when not in WinPE.




9. SCCM - Use DCM in 2007 or Settings Management in 2012 to monitor that your Clients are secured with Bitlocker.

Setting up Settings Management in SCCM 2012

Name it Bitlocker Active
Namespace:  Root\CIMV2\Security\MicrosoftVolumeEncryption
Class:  Win32_EncryptableVolume
Property:  DriveLetter

On the Compliance Rules:
  • Operator:  Equals
  • Value:  C:
  • Severity:  Critical
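As an added example (not from the original post), here is a script-based discovery for a ConfigMgr 2012 Configuration Item that goes a step further than the DriveLetter rule above: it asks the volume whether protection is actually on, encryption has finished and a TPM key protector exists, so a C: that merely exists as an encryptable volume is reported as non-compliant. It assumes a CI setting of type Script with data type String and a compliance rule of value Equals "Compliant".

```powershell
# Added example, not from the original post: CI discovery script for
# ConfigMgr 2012 Settings Management (Setting type: Script, data type: String,
# rule: value Equals "Compliant"). Writes exactly one string to stdout.
$ns      = 'Root\CIMV2\Security\MicrosoftVolumeEncryption'
$osDrive = $env:SystemDrive   # normally "C:"

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$osDrive'"
if (-not $vol) { Write-Output 'NonCompliant'; return }

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown
$prot = $vol.GetProtectionStatus().ProtectionStatus
# ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
#                   2 = encryption in progress, 3 = decryption in progress,
#                   4 = encryption paused, 5 = decryption paused
$conv = $vol.GetConversionStatus().ConversionStatus
# Key protector type 1 = TPM; without one the drive is not bound to the boot path
$hasTpmProtector = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID).Count -gt 0

if ($prot -eq 1 -and $conv -eq 1 -and $hasTpmProtector) {
    Write-Output 'Compliant'
} else {
    Write-Output 'NonCompliant'
}
```

A machine where Pre-provision BitLocker started but the Enable BitLocker step never ran will show ConversionStatus 1 but ProtectionStatus 0, which the DriveLetter rule alone would miss.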



  • Monitoring: where to look?







View also my good friend Lars Vegar Halvorsen's blog post about TPM.
It's not always the case that the TPM chip is not activated or the password is not set; what happens then is that the script/TS step fails.
He has written a PowerShell script to help you with this logic.
http://www.configmgr.no/2013/02/03/tpm-and-bitlocker-in-real-life/
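As an added example of that logic (my own, not Lars Vegar's script), here is a pre-check that runs before the vendor-specific activation step and records the TPM state in task sequence variables, so the activation step and its reboot can be conditioned on TPMNeedsActivation Equals "True" instead of failing on a TPM that is already on. The variable names are this example's choice.

```powershell
# Added example, not Lars Vegar Halvorsen's script: read the TPM state from
# Win32_Tpm and publish it as task sequence variables (names chosen here).
# Run as a "Run PowerShell Script" step before the Dell/HP/Lenovo activation step.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm

$present = [bool]$tpm
$enabled = $false; $activated = $false; $owned = $false
if ($present) {
    # Each Win32_Tpm method returns an object whose boolean carries the same name
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
}
# A TPM that is disabled or hidden in the BIOS usually does not show up at all,
# so "not present" on known-TPM hardware is treated as "needs activation".
$needsActivation = -not ($present -and $enabled -and $activated)

try {
    # Microsoft.SMS.TSEnvironment only exists while a task sequence is running
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('TPMPresent')         = [string]$present
    $ts.Value('TPMOwned')           = [string]$owned
    $ts.Value('TPMNeedsActivation') = [string]$needsActivation
} catch {
    Write-Output 'Not running inside a task sequence; printing results only.'
}
Write-Output ("TPM present={0} enabled={1} activated={2} owned={3} needsActivation={4}" -f
    $present, $enabled, $activated, $owned, $needsActivation)
exit 0
```

The same variables can gate the Enable BitLocker step (TPMPresent Equals "True"), so a machine without a TPM skips it cleanly rather than failing the whole deployment.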




Have a look at this BIOS Update Script as well:
https://garytown.com/dell-bios-update-winpe-model-independent-from-internet

2 comments:

1. Great thoughts you got there; I believe I may possibly try just some of it throughout my daily life.

   123 HP Setup 6968

   Replies:
   1. Very good! :) Hope it's useful. Have a great day