This will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
To configure your environment for BitLocker, you will need to do the following:
Configure Active Directory for BitLocker.
Download the various BitLocker scripts and tools.
Configure the rules (CustomSettings.ini) for BitLocker.
Configure Active Directory for BitLocker
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
Add the BitLocker Drive Encryption Administration Utilities
The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
On the Before you begin page, click Next.
On the Select installation type page, select Role-based or feature-based installation, and click Next.
On the Select destination server page, select DC01.contoso.com and click Next.
On the Select server roles page, click Next.
On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
Enable the Turn on TPM backup to Active Directory Domain Services policy.
(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)
Set permissions in Active Directory for BitLocker
In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.
On DC01, start an elevated PowerShell prompt (run as Administrator).
Configure the permissions by running the following command:
Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
Add BIOS configuration tools from Dell, HP, and Lenovo
If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.
Add tools from Dell
The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:
cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP
The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
And the sample content of the TPMEnable.REPSET file:
Activate Embedded Security On Next Boot
Embedded Security Activation Policy
F1 to Boot
Allow user to reject
Embedded Security Device Availability
Add tools from Lenovo
The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
DC1; MDT01 and DHCPServer all in Subnet1. (IP Helper is set for DHCPServer for DHCP and for DC01 & MDT01 for DHCP and BootP – I checked serveral times if everything is right here) UEFI Client and BIOS Client in Subnet2.
Situation1 — Using no DHCP Options and WDS running (IP HELPER-ADDRESS): UEFI Client – Boots perfectly (contacting Server MDT01) BIOS Client – Boots perfectly (contacting Server MDT01)
Situaion2 — Using no DHCP Options and WDS just running on MDT01: UEFI Client – Does not boot (no error information is provided) BIOS Client – Does not boot (no Bootfilename recieved)
Situation3 — Using DHCP Options(Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01: UEFI Client – Does not boot (no error information is provided) BIOS Client – Boots perfectly (contacting Server DP1)
Situation4 — Using DHCP Options(Option 60=”PXEClient” Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01: UEFI Client – Boots perfectly (contacting Server DP1) BIOS Client – Does not boot (taking hours to recieve dhcp options..)
On most switches you can configure ip helper-addresses. This is most time al ready configured for the use of DHCP.
Add the IP of the MDT server als ip helper-address:
interface Vlan100 description GEBRUIKERS VLAN ip address 192.168.101.254 255.255.254.0 show ip helper-address 192.168.25.6 (DC01) ip helper-address 192.168.25.7 (DC02) ip helper-address 192.168.25.30 (MDT01) end