Prerequisites:
Windows ADK for Windows 10
https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx
Dell K2000 Media Manager
http://YOUR-k2000/utils/kmediamanager.msi
Dell KBE Manipulator (3.7.1.8)
http://www.itninja.com/question/kbe-manipulator
Microsoft BitLocker Administration and Monitoring - Client Deployment Scripts
https://www.microsoft.com/en-us/download/details.aspx?id=48698
Dell Command | Configure
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure
VMware Workstation (For RSA)
https://www.vmware.com/products/workstation
Get/Set ComputerName
http://www.itninja.com/blog/view/get-set-computername
(Optional) Windows Server 2012 R2 (NIC Teaming)
https://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/
Assumptions:
Golden Image made and sysprep'd
BitLocker already in use in your Active Directory environment, and you want a way to automate enabling it during deployment
Microsoft BitLocker Administration and Monitoring 2.5 SP1 setup in your environment (Not 100% needed but used for PowerShell script)
Dell K2000 is in place and setup with latest version
Dell K2000 RSA is in place and setup with latest version
Dell K2000 samba share is enabled
Dell Laptop/Desktop are used in your environment
Before we Begin:
I will take you through the steps to getting BitLocker automated using the K2000 appliance. The process I am writing took a lot of time and effort to perfect. If you have a better way to improve this
process please post it, as I am always looking for a way to improve this process. Also this is my first post/blog so try not to troll me too much :-)
Let's take it from the top:
- Setting up Windows 2012 R2 for NIC Teaming
- Login to your Windows 2012 R2 Server (I recommend to login locally or via iDRAC)
- Open the "Server Manager" dashboard (if it hasn't already opened on login)
- Under the local server's properties, click the "Disabled" link next to NIC Teaming
- The "NIC Teaming" dashboard will open
- Under "ADAPTERS AND INTERFACES" right click the 2 NICS you want to team--> Add to New Team
- Team Name: "ENTER YOUR CUSTOM NAME"
- Make sure both NICS are checked and click the drop down "Additional properties"
- Teaming mode: Switch Independent
- Load balancing mode: Dynamic
- Standby adapter: None (all adapters Active)
- Click "OK"
- Installing VMware Workstation and Importing Dell K2000 RSA
- Download VMware Workstation and run through the installation
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Deployments--> Remote Sites--> Choose Action--> Download OVF--> Download
- Once the install is complete open VMware Workstation
- Go to Edit--> Virtual Network Editor…
- Select all VMnet networks except for the "Bridged" Type Network (Mine is VMnet0)
- Click "OK"
- Extract your Dell K2000 RSA
- Navigate to where you just extracted your Dell K2000 RSA OVF and double click to begin the import
- Don't power on the VM just yet; we first need to remove the flex NIC and add the e1000 NIC
- Setting up your Dell K2000 RSA for MAX performance
- With VMware Workstation still open click on the VM you just imported
- Click Upgrade Hardware Version--> Alter this VM--> Select latest version available--> OK
- Right click you Dell K2000 RSA--> Settings
- Memory: 4GB
- Processors: 2
- Remove Floppy Drive
- Remove Network Adapter
- Add CD/DVD drive
- Click the "Options" Tab
- Guest operating system: FreeBSD (64-bit)
- Click OK
- Right click you Dell K2000 RSA--> Settings
- Add Network Adapter
- Click OK
- Right click you Dell K2000 RSA--> Settings
- Click the "Options" Tab
- Guest operating system: FreeBSD (32-bit)
- Click OK
- Power on your VM!
- Once the VM is up login with konfig
- IP address: 10.0.0.1 (Make it a bogus IP address)
- Network Speed: 1000Mbps (IMPORTANT)
- Save
- After the VM is back up again login with konfig
- IP address: X.X.X.X (Make it the IP address you want now)
- Network Speed: Auto-negotiate
- Save
- Creating a custom WinPE 10 KBE and upload to Dell K2000
- Open K2000 Media Manager
- Enter your "K2000 hostname" and "Samba Share Password"
- Click the "Create K2000 Boot Environment" Tab
- Name: TEMPKBE
- Architecture: 64-bit (x64)
- Path: C:\Program Files (x86)\Windows Kits\10 (This should already be selected for you)
- Click "Start Upload"
- Close once it has created the media and uploaded to the K2000
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Deployments--> Boot Environments--> TEMPKBE
- Click "Download bootable ISO for this Boot Environment"
- Save to your Downloads or somewhere you know to get to it
- Mount the ISO
- Copy the BOOT.WIM file from the mounted ISO to your computer, saving it as C:\TEMPKBE.wim (the path used in the DISM commands below)
- Let's mount the WIM image with DISM
- Open a command prompt and Run as Administrator
- mkdir C:\KBE
- Dism /Mount-Image /ImageFile:C:\TEMPKBE.wim /index:1 /MountDir:C:\KBE
- Add Dell Command | Configure (copy the folders recursively: plain "copy" skips subfolders such as HAPI, which cctk.exe needs in WinPE)
- mkdir C:\KBE\CCTK
- xcopy "C:\Program Files (x86)\Dell\Command Configure\X86_64" C:\KBE\CCTK\AMD64 /E /I /Y
- xcopy "C:\Program Files (x86)\Dell\Command Configure\X86" C:\KBE\CCTK\X86 /E /I /Y
- Add custom features using DISM. The order matters, because DISM only accepts a package once its dependencies are already in the image: WinPE-NetFx and WinPE-Scripting need WinPE-WMI, WinPE-PowerShell needs WinPE-NetFx and WinPE-Scripting, WinPE-StorageWMI needs WinPE-PowerShell, WinPE-SecureStartup needs WinPE-WMI, and WinPE-HTA needs WinPE-Scripting
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-NetFx.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-PowerShell.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-HTA.cab"
- Add the matching language packs using DISM (same order; each language pack needs its base package to be present)
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-NetFx_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-PowerShell_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-StorageWMI_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab"
- Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-HTA_en-us.cab"
- Commit changes to your image and unmount
- Dism /unmount-image /mountdir:C:\KBE /commit
- Open KBE Manipulator and upload your custom KBE
- File--> Choose .wim to upload
- Select the WIM file location
- Enter your "K2000 Information"
- Name to assign the KBE: WinPE 10 KBE
- KBE Architecture: x64
- Click "Create KBE"
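The KBE build above is a long list of hand-typed DISM commands, and a single failed package (wrong order, missing cab) silently leaves you with a KBE that cannot run the TPM script. The script below is an added example, not part of the original post or of any Dell/Quest tooling: it performs the same mount, copy, add-package and commit steps in one go, in dependency order, and aborts with the image discarded if any step fails. Paths, the package list and the locale are assumptions taken from the steps above; adjust them to your installation.

```powershell
# Build the custom WinPE 10 KBE offline: mount BOOT.WIM, add Dell Command | Configure
# (including its HAPI subfolder), add the WinPE optional components in dependency order,
# verify they landed, then commit. Run from an elevated PowerShell on the ADK machine.
# Example code; the paths below are assumptions matching the article's steps.
$ErrorActionPreference = 'Stop'

$Wim    = 'C:\TEMPKBE.wim'      # BOOT.WIM copied out of the TEMPKBE ISO
$Mount  = 'C:\KBE'
$Adk    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit'
$OCs    = Join-Path $Adk 'Windows Preinstallation Environment\amd64\WinPE_OCs'
$Cctk   = 'C:\Program Files (x86)\Dell\Command Configure'
$Locale = 'en-us'

# Each package's dependencies must already be in the image, so keep this order:
# WMI -> NetFx -> Scripting -> PowerShell -> StorageWMI; SecureStartup needs WMI; HTA needs Scripting.
$Packages = 'WinPE-WMI', 'WinPE-NetFx', 'WinPE-Scripting', 'WinPE-PowerShell',
            'WinPE-StorageWMI', 'WinPE-SecureStartup', 'WinPE-HTA'

function Invoke-Dism {
    # dism.exe is a native command: PowerShell does not throw on a non-zero exit, so check it here.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Invoke-Dism @('/Mount-Image', "/ImageFile:$Wim", '/Index:1', "/MountDir:$Mount")

try {
    # Dell Command | Configure: recursive copy so the HAPI subfolder cctk.exe needs comes along.
    $cctkDirs = [ordered]@{ 'X86_64' = 'AMD64'; 'X86' = 'X86' }
    foreach ($pair in $cctkDirs.GetEnumerator()) {
        $dest = Join-Path $Mount "CCTK\$($pair.Value)"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path (Join-Path $Cctk "$($pair.Key)\*") -Destination $dest -Recurse -Force
    }

    # Base package first, then its language pack, before moving on to the next package.
    foreach ($pkg in $Packages) {
        $base = Join-Path $OCs "$pkg.cab"
        $lang = Join-Path $OCs "$Locale\${pkg}_$Locale.cab"
        foreach ($cab in @($base, $lang)) {
            if (-not (Test-Path $cab)) { throw "Missing package: $cab" }
            Invoke-Dism @("/Image:$Mount", '/Add-Package', "/PackagePath:$cab")
        }
    }

    # Verify before committing: a KBE without SecureStartup/PowerShell fails only at deploy time.
    $installed = & dism.exe "/Image:$Mount" /Get-Packages /English
    foreach ($pkg in $Packages) {
        if (-not ($installed -match [regex]::Escape("$pkg-Package"))) {
            throw "$pkg is not present in the mounted image"
        }
    }

    Invoke-Dism @('/Unmount-Image', "/MountDir:$Mount", '/Commit')
    Write-Host "KBE image committed to $Wim; upload it with KBE Manipulator."
}
catch {
    # Discard rather than leave a half-built, still-mounted WIM behind.
    Write-Warning $_
    & dism.exe /Unmount-Image "/MountDir:$Mount" /Discard | Out-Null
    throw
}
```

The resulting C:\TEMPKBE.wim is what you hand to KBE Manipulator in the next step; rerunning the script is safe because a failed run discards the mount instead of committing a partial image.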
- Set Default K2000 Boot Environment
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Settings--> Control Panel--> Default K2000 Boot Environments
- Windows x64: WinPE 10 KBE
- Click Save
- Creating your Pre-Installation System Image Tasks
- Create a zip called TPMActivateCheck.zip and add the following two files to it
- Open notepad and save the following as TPMActivateCheck.ps1:
# Runs inside the KBE (X: is the WinPE RAM disk). cctk.exe reports "tpm=on|off" and
# "tpmactivation=activate|deactivated"; pick out just those lines so extra output
# from cctk cannot break the comparisons below.
$Cctk = "X:\CCTK\AMD64\cctk.exe"
$TPM = (& $Cctk --tpm | Where-Object { $_ -match '^tpm=' }) -join ""
$TPMActivated = (& $Cctk --tpmactivation | Where-Object { $_ -match '^tpmactivation=' }) -join ""

function Restart-ForImaging {
    Write-Host "The computer will now need to reboot and the image process to be restarted."
    Write-Host "Reboot in 1 minute"
    Start-Sleep -s 60
    Restart-Computer
}

If ($TPM -eq "tpm=off" -And $TPMActivated -eq "tpmactivation=deactivated") {
    # Changing TPM settings requires a BIOS setup password: set a temporary one, make the
    # change, then clear it. This password sits in clear text in this script on the K2000
    # share, so use a dedicated value, not a password that is used anywhere else.
    & $Cctk --setuppwd=password
    & $Cctk --tpm=on --tpmactivation=activate --valsetuppwd=password
    & $Cctk --setuppwd= --valsetuppwd=password
    Write-Host "TPM has been ENABLED and ACTIVATED"
    Restart-ForImaging
}
ElseIf ($TPM -eq "tpm=on" -And $TPMActivated -eq "tpmactivation=deactivated") {
    # TPM is on but cannot be activated from here, usually because a BIOS admin password already exists
    Write-Host "Please boot into the BIOS and Load Defaults and"
    Write-Host "remove the ADMIN password in the BIOS to image this computer"
    Restart-ForImaging
}
ElseIf ($TPM -eq "tpm=off" -Or $TPMActivated -eq "tpmactivation=deactivated") {
    # Catch-all for any other state that is not on + activated (e.g. unexpected cctk output)
    Write-Host "TPM is not ON and ACTIVATED yet (cctk reports '$TPM', '$TPMActivated')"
    Restart-ForImaging
}
Else {
    Write-Host "TPM is already ON and ACTIVATED, continuing with the deployment"
}
- Open notepad and save the following as TPMActivateCheck.bat:
X:
cd X:\Windows\System32\WindowsPowerShell\v1.0
powershell.exe -nologo -executionpolicy bypass -noprofile -file Y:\preinstall\XXX\contents\TPMActivateCheck.ps1
exit
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Pre-installation Tasks--> Choose Action--> Add Application…
- Name: **TPM REBOOT CHECK**
- Runtime Environment: K2000 Boot Environment (Windows)
- Upload File: TPMActivateCheck.zip
- Parameter: cmd /k TPMActivateCheck.bat
- Click Save
- Go to Library--> Pre-installation Tasks
- Hover your mouse over **TPM REBOOT CHECK** and take note of the id=
- In TPMActivateCheck.bat, replace XXX with the id number you noted
- Update TPMActivateCheck.zip with the edited batch file and upload the new zip to that task
- Windows- Create two partitions (this is a legacy BIOS/MBR layout: a 200 MB active system partition plus the Windows partition; a UEFI/GPT layout would need an EFI system partition instead)
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Pre-installation Tasks--> Choose Action--> DISKPART Script
- Name: Windows- Create Two Partitions
- DISKPART Script:
select volume 0
remove all noerr
select disk 0
clean
create partition primary size=200
assign letter="C"
active
create partition primary
assign letter="D"
Exit
- Click Save
- Windows- Format Disks
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
- Name: Windows- Format Disks
- BAT Script:
format C: /fs:ntfs /v:Boot /q /y
bootsect.exe /NT60 C:
format D: /fs:ntfs /v:Windows /q /y
bootsect.exe /NT60 D:
- Click Save
- Dell Command | Configure
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
- Name: Dell CCTK
- BAT Script:
start /wait x:\cctk\amd64\cctk.exe --setuppwd=password
start /wait x:\cctk\amd64\cctk.exe --wakeonlan=lanorwlan --usbpowershare=enable --fastboot=minimal --embnic1=on --valsetuppwd=password
start /wait x:\cctk\amd64\cctk.exe bootorder --sequence=hdd --valsetuppwd=password
- Note: the original command passed --wakeonlan twice (enable, then lanorwlan); only the last value applies, so it is given once here. The setup password set on the first line stays on the BIOS and is stored in clear text in this task, in TPMActivateCheck.ps1 and in the tpm_sce.exe package, all readable by anyone who can reach the K2000 share or boot the KBE. Use a dedicated value and plan to change it after deployment.
- Click Save
- BitLocker WinPE Encryption
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
- Name: BitLocker WinPE Encryption
- BAT Script: manage-bde -on D: -UsedSpaceOnly -em aes256
- Note: this pre-provisions the volume in WinPE with a clear key only (no TPM or recovery protector yet), so the data is not actually protected until the post-installation Bitlocker Encryption task adds the protectors and runs manage-bde -protectors -enable. Make sure that task cannot be skipped.
- Click Save
- Creating your Mid-Level and Post-Installation Tasks
- Create Activate TPM EXE package using Dell Command | Configure
- Open Dell Command | Configure Wizard
- In Search box type: tpmactivation
- tpm: on
- tpmactivation: activate
- Export .EXE
- In the password fields of the export dialog, enter the BIOS setup password you set in the Dell CCTK task (tpm_sce.exe needs it to change TPM settings)
- Click OK
- Save file as tpm_sce.exe
- Set Computer Name
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
- Name: Set Computer Name
- Runtime Environment: K2000 Boot Environment (Windows)
- Upload File: SetComputerName_x64.exe
- Parameter: SetComputerName_x64.exe /name:$Serial
- Click Save
- Bitlocker Save TPM Owner
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
- Name: Bitlocker Save TPM Owner
- Runtime Environment: K2000 Boot Environment (Windows)
- Upload File: SaveWinPETpmOwnerAuth.wsf
- Parameter: cscript.exe SaveWinPETpmOwnerAuth.wsf
- Click Save
- TPM CCTK Activation
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
- Name: TPM CCTK Activation
- Runtime Environment: Windows
- Upload File: tpm_sce.exe
- Parameter: tpm_sce.exe /nolog
- Click Save
- Reboot (needed to disable UAC and set up auto-logon for the remaining tasks)
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add BAT Script…
- Name: Reboot
- Runtime Environment: Windows
- Bat Script:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DisableCAD /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v ForceAutoLogon /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /t REG_SZ /d %computername% /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /t REG_SZ /d USERNAME /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /t REG_SZ /d PASSWORD /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- Note: DisableCAD, ForceAutoLogon, ConsentPromptBehaviorAdmin and EnableLUA are REG_DWORD values; without /t REG_DWORD, reg.exe writes them as REG_SZ and Windows ignores them. DefaultPassword is written in clear text to the registry and lives in this task on the K2000. AutoLogonCount=1 limits the auto-logon to a single use, but the UAC changes stay until something reverts them, so verify DefaultPassword is gone and re-enable UAC in the last post-installation task.
- Click Save
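The registry values above are the right ones but easy to get wrong (value types) and easy to forget (the clear-text password and disabled UAC stay behind). The following is an added example, not from the original post: the same auto-logon setup as a PowerShell function with explicit value types, a matching cleanup function for the last post-installation task, and a check you can run to confirm nothing sensitive is left. The account name, password and function names are placeholders, not values from the article.

```powershell
# Temporary auto-logon for the post-installation phase, plus the cleanup that removes
# the clear-text password and turns UAC back on. Run elevated.
# Example code; the user name / password passed in are placeholders.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-DeploymentAutoLogon {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$Domain = $env:COMPUTERNAME,   # local account before the join; pass the domain afterwards
        [int]$Count = 1                        # Windows decrements this and stops auto-logon at 0
    )
    # REG_SZ values
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'       -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $Domain   -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $UserName -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password -Type String
    # REG_DWORD values: stored as strings, Winlogon and UAC would silently ignore them
    Set-ItemProperty -Path $Winlogon -Name AutoLogonCount -Value $Count -Type DWord
    Set-ItemProperty -Path $Winlogon -Name ForceAutoLogon -Value 1      -Type DWord
    Set-ItemProperty -Path $Winlogon -Name DisableCAD     -Value 1      -Type DWord
    Set-ItemProperty -Path $Policies -Name EnableLUA                  -Value 0 -Type DWord
    Set-ItemProperty -Path $Policies -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
}

function Disable-DeploymentAutoLogon {
    # Run as the last post-installation task. Until then the password is readable by any
    # local admin, and by anyone who reads the disk before BitLocker protectors are enabled.
    foreach ($name in 'DefaultPassword', 'AutoLogonCount', 'ForceAutoLogon') {
        Remove-ItemProperty -Path $Winlogon -Name $name -ErrorAction SilentlyContinue
    }
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0' -Type String
    Set-ItemProperty -Path $Winlogon -Name DisableCAD     -Value 0   -Type DWord
    Set-ItemProperty -Path $Policies -Name EnableLUA                  -Value 1 -Type DWord
    # 5 = prompt for consent for non-Windows binaries (the Windows default)
    Set-ItemProperty -Path $Policies -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
}

function Test-DeploymentAutoLogonRemoved {
    # $true only if no clear-text password remains and UAC is back on.
    $w = Get-ItemProperty -Path $Winlogon
    $p = Get-ItemProperty -Path $Policies
    $noPassword = -not ($w.PSObject.Properties.Name -contains 'DefaultPassword')
    return ($noPassword -and $w.AutoAdminLogon -eq '0' -and $p.EnableLUA -eq 1)
}

# Usage from the post-installation tasks (placeholder credentials):
#   Enable-DeploymentAutoLogon -UserName 'deploy' -Password 'CHANGEME'
#   ... reboot, remaining tasks ...
#   Disable-DeploymentAutoLogon
#   if (-not (Test-DeploymentAutoLogonRemoved)) { exit 1 }   # fail the task so it shows in the K2000 log
```

After the domain join, call Enable-DeploymentAutoLogon again with -Domain set to your domain name, which is what the extra reg.exe lines in the Domain Join step below do.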
- Install MBAM 2.5 SP1
- Create zip named MBAMClientSetup.zip
- Copy MBAMClientSetup.msi into the zip
- Create a batch file named MBAMClientSetup.bat
msiexec /i MBAMClientSetup.msi /q ALLUSERS=1 OPTIN_FOR_MICROSOFT_UPDATES=1
- Copy the MBAMClientSetup.bat into the zip
- Open Internet Explorer or your favorite browser
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
- Name: Install MBAM 2.5 SP1
- Runtime Environment: Windows
- Upload File: MBAMClientSetup.zip
- Parameter: MBAMClientSetup.bat
- Click Save
- Domain Join
- For this step, join the domain. If you enable UAC via GPO, also add the entries below to the same batch file. This works because the batch file is still running elevated after the domain join.
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DisableCAD /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v ForceAutoLogon /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /t REG_SZ /d DOMAIN /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /t REG_SZ /d USERNAME /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /t REG_SZ /d PASSWORD /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- Bitlocker Encryption
- Create zip named MBAMencrypt.zip
- Copy BDEAdBackup.vbs into the zip
- Copy Invoke-MbamClientDeployment.ps1 into the zip
- Create a batch file named MBAMencrypt.bat
powershell.exe -nologo -executionpolicy bypass -noprofile -file Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint http://MBAM-SERVER:80/MBAMRecoveryAndHardwareService/CoreService.svc -StatusReportingServiceEndpoint http://MBAM-SERVER:80/MBAMComplianceStatusService/StatusReportingService.svc -IgnoreEscrowOwnerAuthFailure
cscript BDEAdBackup.vbs
manage-bde -protectors -enable C:
- Copy MBAMencrypt.bat into the zip
- Note: the endpoints above use plain HTTP. The recovery password and TPM owner auth are escrowed to MBAM over that channel, so in production point both parameters at the HTTPS endpoints of your MBAM server.
- Navigate to http://YOUR-K2000/ and login
- Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
- Name: Bitlocker Encryption
- Runtime Environment: Windows
- Upload File: MBAMencrypt.zip
- Parameter: MBAMencrypt.bat
- Click Save
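Once the Bitlocker Encryption task has run, nothing in the plan above confirms that the machine actually ended up in the intended state (TPM ready, OS volume fully encrypted with AES-256, TPM and recovery-password protectors present, protection on). The following is an added example, not part of the original post or of the MBAM scripts: a compliance check you can run as a final post-installation task or from the K1000. It uses the Get-Tpm and Get-BitLockerVolume cmdlets that ship with Windows 8 / Server 2012 and later; the function name and the expected-method default are assumptions.

```powershell
# Post-deployment BitLocker compliance check. Run elevated on the deployed machine.
# Example code; Test-BitLockerDeployment is a name chosen for this example.
function Test-BitLockerDeployment {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$ExpectedMethod = 'Aes256'   # what the WinPE pre-provision task requested (-em aes256)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # TPM: the CCTK steps should have left it enabled, activated and owned (TpmReady).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { $findings.Add('TPM not present') }
    if (-not $tpm.TpmReady)   { $findings.Add('TPM not ready (not enabled, activated and owned)') }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
    }
    if ($vol.EncryptionMethod -ne $ExpectedMethod) {
        $findings.Add("Encryption method is $($vol.EncryptionMethod), expected $ExpectedMethod")
    }
    # Pre-provisioning in WinPE leaves a clear key; until protectors are enabled the data is exposed.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add('Protection is Off: clear key still in use, manage-bde -protectors -enable did not run')
    }
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ('Tpm' -notin $types)              { $findings.Add('No TPM protector') }
    if ('RecoveryPassword' -notin $types) { $findings.Add('No recovery password protector (nothing to escrow to MBAM/AD)') }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

$result = Test-BitLockerDeployment
$result | Format-List
# Non-zero exit so the failure is visible in the K2000/K1000 task log instead of only on screen.
if (-not $result.Compliant) { exit 1 }
```

ProtectionStatus is the important one: a volume can report FullyEncrypted and still be protected only by the clear key left behind by the WinPE pre-provisioning step, which is exactly the case the Bitlocker Encryption task is meant to close.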
- Installation Plan Layout
Answers to the Why's:
- Setting up Windows 2012 R2 for NIC Teaming
In my testing, changing the K2000 RSA from the flex NIC to the e1000 NIC raised transfer speed from 20-30 MB/s to 60 MB/s. Great, right? But we should be able to saturate the server's Gigabit NIC and reach roughly 90 MB/s, similar to a file transfer to another computer on the network. Teaming the NICs took us from 60 MB/s to 90 MB/s. There are other benefits to teaming the NICs that I don't cover here.
Credit where Credit is due:
Enable TPM in a Task Sequence (DELL)
How to create a Dell Command-Configure Package in ConfigMgr
17 Steps to Installing MBAM 2.5 SP1 In a 5 Tier Setup
Change VMWare Server NIC to e1000 (111351)
MBAM 2.5 SP1 SCCM OS Deployment
TPM activation using CCTK SCE in an SCCM environment
MBAM key recovery backup if machine already encrypted
How to Pre-Provision BitLocker on Windows 7
Bypass MBAM policy check when running Invoke-MbamClientDeployment.ps1
I'm also working on a way to get BitLocker to work automatically via K2000. I set up my machines not with system images but with scripted installations. In my opinion, your pre-, mid- and post-installation tasks should also work with scripted installation. What do you think?
Anyway, again thank you for this article!
Philipp - superhero2k 8 years ago
1. Make sure you download the following scripts (you mentioned it, but did not see it. Just to make sure :)): Microsoft BitLocker Administration and Monitoring - Client Deployment Scripts
https://www.microsoft.com/en-us/download/details.aspx?id=48698
2. At step 6 you should add a D after /q. So it will be: msiexec /i MBAMClientSetup.msi /qd ALLUSERS=1 OPTIN_FOR_MICROSOFT_UPDATES=1
3. Step 5: No need to use reboot scripts and disable UAC in scripted installation *KACE already does it for you.
4. Step 7 is not needed and is double
5. Step 9. Executing the script you will need to put powershell instead of powershell.exe. So it would be: powershell -nologo -executionpolicy bypass -noprofile -file Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint http://MBAM-SERVER:80/MBAMRecoveryAndHardwareService/CoreService.svc -StatusReportingServiceEndpoint http://MBAM-SERVER:80/MBAMComplianceStatusService/StatusReportingService.svc -IgnoreEscrowOwnerAuthFailure
The BDEAdBackup.vbs script is missing in the download. You can download it from:
https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/telligent.evolution.components.attachments/01/5975/00/00/03/32/34/22/BDEAdBackup.vbs
Article: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/
For the backup to AD script (BDEAdBackup.vbs): you cannot use it because you probably need domain administrator access to write to AD. Use a K1000 online deployment script afterwards using administrator credentials.
For the TPM activation script make sure you have the HAPI drivers in your WIM file. I missed them following the setup above (looking at the code it is most likely my fault). They are located in C:\Program Files (x86)\Dell\Command Configure\X86_64 when installing Dell Command Configure. I did not create a new boot environment and WIM but just added a pre-installation task unzipping the HAPI drivers (zipped the HAPI folder from the location above) and calling the InstallHAPI.bat script before starting to check for TPM (meaning putting this installation before step 1.) - BartNL 8 years ago