Recently our organisation decided to enable BitLocker protection for all of our new laptops. The idea was to provision the drive encryption as the laptops were built with our Configuration Manager 2012 R2 environment. The laptop models were the HP EliteBook 850 and the Elitebook 820.
A few steps were required to achieve this and some tweaking of the default steps in my Configuration Manager Task Sequence.
Before you even start with BitLocker you need to ensure that your Active Directory environment meets a few prerequisites (the schema and permissions needed to store recovery information). For the purposes of this blog I'm assuming that this has been checked and is in place. Some documentation on this can be found here:
Step 1 – Enable the TPM
In order to enable BitLocker during a Configuration Manager Task Sequence we first need to enable the TPM (Trusted Platform Module) in the BIOS. It's worth noting that a lot of the newer devices such as Surface Pros come with UEFI where the TPM is already enabled; again, this post deals with BIOS, as our new laptops don't come out of the box with UEFI enabled.
To enable the TPM in the BIOS we also need to set a BIOS administrator password and tweak a few of the other security settings associated with the TPM. Luckily there is an HP BIOS Configuration Utility which we can use as part of a Task Sequence that will set these options for us automatically! I'm using version 18.104.22.168 of the HP BIOS Configuration Utility which you can download from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe.
Extract the contents of sp49507 and create a package in your Config Manager instance. No program is required, just the files, as the Task Sequence is going to execute the utility directly.
We now need to create a file for the utility to use which contains the settings we want to change inside the BIOS. I have done this by copying BiosConfigUtility.exe to my target laptop, launching a command prompt as an administrator and executing the below command, which dumps the current BIOS configuration to a text file. You can then trim the text file down so that it contains only the settings required to enable the TPM for your particular laptop model. For my laptops these settings are shown as per below. Once you have the file trimmed down to what you require, rename it to .REPSET, copy it to your HP BIOS Configuration Utility package source folder and update your distribution points.
Now we can update our Task Sequence with a step which executes the utility, this should be formatted as:
BiosConfigUtility.exe /SetConfig:%YOURSETTINGS.REPSET% /NewAdminPassword:%YOURPASSWORD%
I have created a group in my TS and restricted the group to run only if the device is a laptop, using the IsLaptop variable. Inside the group there is one step per laptop model, because each model has its own REPSET file with the settings required to activate its TPM.
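The REPSET preparation above (dump the BIOS settings, trim to the TPM entries, run the trimmed file through /SetConfig) can be scripted rather than edited by hand. The following PowerShell is an added example, not a script from the original post or from HP: it assumes the utility has been extracted to C:\HPBCU, that the utility build in use supports /GetConfig as well as /SetConfig and /NewAdminPassword, and that the REPSET text format is one un-indented line per setting name followed by tab-indented values with the selected value marked by a leading asterisk. The setting names in $WantedSettings are placeholders to check against the full dump for your own model.

```powershell
# Added example (not from the original post): build a trimmed .REPSET for the
# TPM settings from a full HP BCU dump, failing if a setting or value is absent.
param(
    [string]$BcuPath   = 'C:\HPBCU\BiosConfigUtility.exe',   # assumed location of the extracted utility
    [string]$FullDump  = 'C:\HPBCU\FullConfig.txt',           # complete dump written by /GetConfig
    [string]$RepsetOut = 'C:\HPBCU\EliteBook850-TPM.REPSET'   # trimmed file for the TS step
)

# Setting names differ between models and BIOS versions; these are assumed
# names to verify against the full dump, not values taken from the post.
$WantedSettings = [ordered]@{
    'TPM Device'           = 'Available'
    'TPM State'            = 'Enable'
    'Reset of TPM from OS' = 'Enable'
}

# 1. Dump every BIOS setting. The dump format: a header of ';' comment lines,
#    then one un-indented line per setting name, followed by tab-indented
#    possible values with the current value prefixed by '*'.
& $BcuPath "/GetConfig:$FullDump" | Out-Null
if (-not (Test-Path $FullDump)) { throw "BCU did not produce $FullDump" }

# 2. Parse the dump into an ordered map of setting name -> list of values.
$settings = [ordered]@{}
$current  = $null
foreach ($line in Get-Content $FullDump) {
    if ($line.Trim() -eq '' -or $line -match '^\s*;' -or $line -match '^BIOSConfig') { continue }
    if ($line -match '^\S') {                  # un-indented: a setting name
        $current = $line.Trim()
        $settings[$current] = @()
    } elseif ($current) {                      # indented: one possible value
        $settings[$current] += $line.Trim().TrimStart('*')
    }
}

# 3. Write only the wanted settings, marking the desired value with '*'.
#    Stop if the BIOS does not offer the setting or the value, rather than
#    shipping a file that silently changes nothing.
$out = @('BIOSConfig 1.0')
foreach ($name in $WantedSettings.Keys) {
    if (-not $settings.Contains($name)) { throw "Setting '$name' not found in dump; check the name for this model" }
    $desired = $WantedSettings[$name]
    if ($settings[$name] -notcontains $desired) {
        throw "Value '$desired' is not valid for '$name' (valid: $($settings[$name] -join ', '))"
    }
    $out += $name
    foreach ($value in $settings[$name]) {
        $out += if ($value -eq $desired) { "`t*$value" } else { "`t$value" }
    }
}
Set-Content -Path $RepsetOut -Value $out -Encoding Ascii

# 4. Show the command line the Run Command Line step will execute against
#    the package, in the same form as the step described in the post.
"BiosConfigUtility.exe /SetConfig:$(Split-Path $RepsetOut -Leaf) /NewAdminPassword:%YOURPASSWORD%"
```

Two things to check when you wire this into the Task Sequence: compare the generated file against a dump taken after the step has run, so you know the BIOS actually accepted the values, and remember that the Run Command Line step records its full command line in smsts.log, so the BIOS password passed with /NewAdminPassword will appear in that log on the client and in any copies of it you keep.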
Step 2 – Enable BitLocker
Now that we have turned on the TPM using the configuration utility provided by HP we can turn our attention to the BitLocker steps. I have modified mine slightly: I use the integrated MDT Task Sequence but prefer the Configuration Manager Enable BitLocker step over the MDT step that is provided in the default TS. Why? It just seems to work better 🙂
Disable the default MDT ‘Enable BitLocker’ step and then add the standard SCCM Enable BitLocker step. I have renamed mine to ‘Enable BitLocker for Laptops’ and moved my new step down the TS so that it's one of the last to be actioned. I have done this because, personally, I have had performance issues with the hardware once encryption has started, which slows down the remaining TS steps.
Again I have restricted this step from running by using the IsLaptop variable. Your BitLocker drive encryption options will vary depending on how you are implementing it in your organisation. We have simply enabled the TPM and encrypted the drive, storing the recovery key in AD.
Step 3 – Test Your Task Sequence!
Now that we have our TPM being enabled automatically and our BitLocker steps in our Task Sequence as required, we can test everything to ensure it works.
I had to make one adjustment to my Active Directory permissions so that Configuration Manager could write the recovery key information; however, this may not be required in other environments. Here is the blog about how to fix this should you run into the issue:
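When testing a freshly built laptop, the three things worth confirming are the ones the Task Sequence was meant to produce: the TPM is enabled and ready, the OS drive is protected by BitLocker with a TPM protector and a recovery password, and that recovery password was actually escrowed to Active Directory (the part that fails when the AD permissions above are wrong). The script below is an added example, not part of the original post; it assumes the Get-Tpm and Get-BitLockerVolume cmdlets are available on the laptop and that the RSAT ActiveDirectory module is installed on the machine it runs from, with an account allowed to read msFVE-RecoveryInformation objects.

```powershell
# Added example (not from the original post): post-deployment check for the
# TPM, BitLocker protectors and AD recovery key escrow on one laptop.
$problems = @()

# 1. TPM: present and ready, i.e. what the HP BCU step should have produced.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent)    { $problems += 'No TPM reported by the OS; check the BIOS/REPSET settings' }
elseif (-not $tpm.TpmReady)  { $problems += 'TPM present but not ready (not enabled, activated or owned)' }

# 2. BitLocker on the OS volume, either fully protected or still encrypting,
#    with a TPM protector and a recovery password protector.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On' -and $vol.VolumeStatus -ne 'EncryptionInProgress') {
    $problems += "BitLocker is not on for $($env:SystemDrive): $($vol.VolumeStatus)"
}
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'Tpm')              { $problems += 'No TPM key protector on the OS volume' }
if ($types -notcontains 'RecoveryPassword') { $problems += 'No recovery password protector (nothing to escrow to AD)' }

# 3. AD escrow: each escrowed key is an msFVE-RecoveryInformation object
#    directly under the computer account. None found on a machine that has a
#    RecoveryPassword protector points at the AD permissions issue above.
Import-Module ActiveDirectory
$computer = Get-ADComputer $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
if (-not $escrowed) { $problems += 'No recovery key object found under the computer account in AD' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'TPM ready, BitLocker active with TPM and recovery password protectors, recovery key escrowed to AD.'
```

Run it once the Task Sequence has finished and the machine has been on the domain long enough for the escrow to complete; a machine that passes checks 1 and 2 but fails check 3 is the symptom described in the paragraph above, and the fix is on the AD side rather than in the Task Sequence.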