Enabling TPM for BitLocker Protection on HP Laptops during OSD with Configuration Manager 2012

Posted: January 30, 2014 in Configuration Manager 2012

Recently our organisation decided to enable BitLocker protection for all of our new laptops. The idea was to provision the drive encryption as the laptops were built with our Configuration Manager 2012 R2 environment. The laptop models were the HP EliteBook 850 and the Elitebook 820.

A few steps were required to achieve this and some tweaking of the default steps in my Configuration Manager Task Sequence.

Now, before you even start with BitLocker, you need to ensure that your Active Directory environment meets a few prerequisites; for the purposes of this blog I’m assuming that this has been checked and is in place. Some documentation on this can be found here:

http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj592683.aspx
http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

Step 1 – Enable the TPM

In order to enable BitLocker during a Configuration Manager Task Sequence we first need to enable the TPM (Trusted Platform Module) in the BIOS. It’s worth noting that a lot of the newer devices, such as Surface Pros, come with UEFI where the TPM is already enabled; again, my blog is dealing with BIOS as our new laptops don’t come out of the box with UEFI enabled.

To enable the TPM in the BIOS we also need to set a password and tweak a few of the other security settings associated with the TPM. Luckily there is an HP BIOS Configuration Utility which we can use as part of a Task Sequence that will set these options for us automatically! I’m using version 2.14.0.8 of the HP BIOS Configuration Utility, which you can download from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe.

Extract the contents of sp49507 and create a package in your Config Manager instance. No program is required, just the files, as the Task Sequence is going to execute the utility.


We now need to create a file for the utility to use which contains the settings we want to change inside the BIOS. I have done this by copying BiosConfigUtility.exe to my target laptop, then launching a command prompt as an administrator and executing the utility’s configuration dump command. You can then modify the resulting text file to contain only the settings required to enable the TPM for your particular laptop. For my laptops, the settings I kept are the ones listed in the REPSET files I have posted in the comments below. Once you have the file trimmed down to what you require, rename it to .REPSET, copy it to your HP BIOS Configuration Utility package source folder and update your distribution points.

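To illustrate the trimming step, here is an added PowerShell example (mine, not from the post or from HP) that parses a BiosConfigUtility.exe /GetConfig dump into settings and their offered values, keeps only the settings named in a desired-value table and moves the `*` selection marker onto the wanted value. The sample dump is constructed; its setting names follow the REPSET files posted in the comments below, and the output file name is my own choice.

```powershell
# Added example (not from the post): trim a full BiosConfigUtility.exe /GetConfig
# dump down to the TPM settings and move the '*' marker (BCU's "selected value")
# onto the value we want, producing the .REPSET the Task Sequence step consumes.
function ConvertFrom-BcuDump {
    param([string[]]$Lines)
    $settings = [ordered]@{}     # setting name -> list of offered values
    $current  = $null
    foreach ($line in ($Lines | Select-Object -Skip 1)) {        # line 1 is the header
        if ($line -match '^\s*$' -or $line -match '^\s*;') { continue }   # blank / comment
        # an unindented line names a setting, an indented line is one of its values
        if ($line -match '^\S') { $current = $line.Trim(); $settings[$current] = @() }
        elseif ($null -ne $current) { $settings[$current] += $line.Trim() }
    }
    return $settings
}

function New-TpmRepset {
    param([string[]]$DumpLines, [System.Collections.IDictionary]$Desired)
    $dump = ConvertFrom-BcuDump $DumpLines
    $out  = @($DumpLines[0])                                # REPSET keeps the header line
    foreach ($name in $Desired.Keys) {
        # Models expose different setting names, which is why the post keeps one REPSET per model
        if (-not $dump.Contains($name)) { throw "Setting '$name' not present in this model's dump" }
        $values = @($dump[$name] | ForEach-Object { $_.TrimStart('*') })
        if ($values -notcontains $Desired[$name]) { throw "'$($Desired[$name])' is not offered for '$name'" }
        $out += $name
        foreach ($v in $values) {
            if ($v -eq $Desired[$name]) { $out += "`t*$v" } else { $out += "`t$v" }
        }
    }
    return $out
}

# Constructed sample dump (tab-indented, as BCU writes it), not a real capture
$dump = @(
    'English',
    'Activate TPM On Next Boot', "`t*Disable", "`tEnable",
    'TPM Activation Policy',     "`tF1 to Boot", "`tAllow user to reject", "`t*No prompts",
    'TPM Device',                "`tHidden", "`t*Available",
    'Fast Boot',                 "`tDisable", "`t*Enable"     # unrelated setting, gets dropped
)
$wanted = [ordered]@{
    'Activate TPM On Next Boot' = 'Enable'
    'TPM Activation Policy'     = 'No prompts'
    'TPM Device'                = 'Available'
}
New-TpmRepset -DumpLines $dump -Desired $wanted | Set-Content -Path '.\TPM-Enable.REPSET' -Encoding Ascii
```

Run it against the real dump from each model and compare the resulting files: a setting name that throws is exactly the per-model difference that justifies a separate REPSET for that model.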

Now we can update our Task Sequence with a step which executes the utility, this should be formatted as:

BiosConfigUtility.exe /SetConfig:%YOURSETTINGS.REPSET% /NewAdminPassword:%YOURPASSWORD%

I have created a group in my TS, restricted it to run only if the device is a laptop using the IsLaptop variable, and then created a step for each laptop model, as each model has its own REPSET file with the settings required to activate the TPM.


Step 2 – Set BitLocker Steps in your Task Sequence

Now that we have turned on the TPM using the config utility provided by HP we can turn our attention to the BitLocker steps. I have modified mine slightly as I have used the integrated MDT Task Sequence and prefer the Configuration Manager Enable BitLocker step rather than the MDT step that is provided in the default TS. Why? It just seems to work better 🙂

Disable the default MDT ‘Enable BitLocker’ step and then add the standard SCCM Enable BitLocker step. I have renamed mine to ‘Enable BitLocker for Laptops’ and moved my new step down the TS so that it’s one of the last to be actioned. I have done this because I have personally had performance issues with the hardware once encryption has started, which slows down the remaining TS steps.


Again I have restricted this step from running by using the IsLaptop variable. Your BitLocker drive encryption options will vary depending on how you are implementing it in your organisation. We have just enabled the TPM and encrypted the drive, storing the recovery key in AD.


Step 3 – Test Your Task Sequence!

Now that the TPM is being enabled automatically and the BitLocker steps are in our Task Sequence as required, we can test everything to ensure it works.

I had to make one adjustment to my Active Directory permissions so that Configuration Manager could write the recovery key information; however, this may not be required in other environments. Here is the blog about how to fix this should you run into the issue:

http://blogs.technet.com/b/bitlocker/archive/2010/09/14/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx
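As an added check for this step (my own PowerShell, not from the post), the following reads the TPM and BitLocker state back through Microsoft’s Win32_Tpm and Win32_EncryptableVolume WMI classes, so you can confirm on a built laptop that the TPM step and the Enable BitLocker step both took effect and that a recovery password protector exists for AD to store. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from the post): read back what Steps 1 and 2 should have left on
# a built laptop - TPM enabled/activated/owned, BitLocker on for the OS drive, and a
# recovery password protector present (the protector whose data is escrowed to AD).
# Assumes PowerShell 3.0+ and an elevated prompt; the WMI classes are Microsoft's.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) { throw 'No TPM visible to Windows: check the BIOS step ran for this model' }
    [pscustomobject]@{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

# Win32_EncryptableVolume.GetKeyProtectorType codes for the protector types this post uses
$ProtectorTypes = @{ 1 = 'TPM'; 2 = 'External key'; 3 = 'Recovery password'; 4 = 'TPM and PIN' }

function Get-OsDriveBitLockerState {
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($null -eq $vol) { throw "BitLocker does not know about $DriveLetter" }
    $status = $vol.GetProtectionStatus().ProtectionStatus        # 0 = off, 1 = on, 2 = unknown
    $types  = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {   # 0 = all protector types
        $code  = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $label = if ($ProtectorTypes.ContainsKey($code)) { $ProtectorTypes[$code] } else { "type $code" }
        $types += $label
    }
    [pscustomobject]@{
        Drive               = $DriveLetter
        ProtectionOn        = ($status -eq 1)
        PercentEncrypted    = $vol.GetConversionStatus().EncryptionPercentage
        Protectors          = $types
        HasRecoveryPassword = ($types -contains 'Recovery password')
    }
}

$tpm = Get-TpmState
$bl  = Get-OsDriveBitLockerState
$tpm, $bl | Format-List
# Flag anything the Task Sequence was supposed to leave in place but did not
if (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) { Write-Warning 'TPM is not enabled, activated and owned' }
if (-not $bl.ProtectionOn)        { Write-Warning "BitLocker protection is off for $($bl.Drive)" }
if (-not $bl.HasRecoveryPassword) { Write-Warning 'No recovery password protector, so there is nothing for AD to store' }
```

A missing recovery password protector here is the symptom to look for when the key never appears in AD, since the msFVE recovery object is only written for that protector type.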

Happy BitLockering!

Damon

Comments
  1. NIGHTCD says:

    I have seen that you have other HP models in your environment. Do you have the REPSET file for those too? (We are on the same quest as you.)

    • Damon Johns says:

      I only have two REPSET files in operation: one for my older HP laptops and the other, which works on all my newer models, so in theory the REPSET file on the blog should work with a large number of models. Doing a BIOS utility config dump and then looking at all the TPM / Security related settings is how I built mine up and verified that the settings were the same across each of my models. However, I chose to implement a REPSET file for each of my models just in case I needed to alter a setting. Here are the two REPSET files that I use:

      Older Laptops:
      English
      Activate Embedded Security On Next Boot
      	*Enable
      Embedded Security Device Availability
      	*Available
      Embedded Security Activation Policy
      	*No prompts
      	F1 to Boot
      	Allow user to reject
      Always Prompt for HP SpareKey Enrollment
      	*Disable
      	Enable

      Newer Laptops:
      English
      Activate TPM On Next Boot
      	Disable
      	*Enable
      TPM Activation Policy
      	F1 to Boot
      	Allow user to reject
      	*No prompts
      OS Management of TPM
      	*Enable
      	Disable
      Reset of TPM from OS
      	Disable
      	*Enable
      TPM Device
      	Hidden
      	*Available

      Apologies for the late reply, I wasn’t checking the email address attached to my blog. It’s been updated now.

  2. rory says:

    Hi, thank you for a great post! I ran into a problem with Bitlocker key not saving in AD and your post really helped a lot!

    However, where is the TPM Owner Password stored when Bitlocker is enabled via this method? My AD environment is setup properly to store both TPM Owner Password and Bitlocker Key which I verified to work when I manually enabled Bitlocker from Win7 OS.

    Is it possible to have the TPM Owner Password saved to AD from the MDT Task Sequence?

    From what I read and experienced, saving the TPM Owner Password is not quite critical as its primary use is to remotely change, delete, and/or clear the TPM. If I expect to have physical access to the laptops then it’s not important?

    When I was testing MBAM, the TPM Owner Password could ONLY be stored in the MBAM database when the MBAM client takes ownership after the OS is deployed. It could not do it while in WinPE environment or one of the Task Sequence steps.

    • Damon Johns says:

      Firstly, I must apologise for the late reply as I haven’t been checking my blog or the email account attached to it.

      I haven’t done a lot of reading on the TPM or how the password is managed, but there is documentation on Technet here http://technet.microsoft.com/en-us/library/cc732542.aspx and here http://technet.microsoft.com/en-us/library/cc770660.aspx.

      I was able to look up a laptop in ADSI edit on one of my DC’s and could see the password stored in the msTPM-OwnerInformation attribute of the computer object.

      • rory says:

        Hi Damon,

        I actually got it working where the msTPM-OwnerInformation hash is stored in Active Directory Attribute. It turned out that I was using MDT integrated with SCCM Task Sequence and was using UDI bitlocker page. If I use the method in this post, I should not enable the bitlocker option in the UDI wizard at all, otherwise, it would pre-provision bitlocker in WinPE (taking TPM ownership) and thus cannot send that info to AD.

        Anyway, there is a lot of confusing information out there. One needs to make a distinction, or keep in mind the difference, between 3 different methods for OS Deployment: MDT by itself, MDT integrated with SCCM, or an SCCM Task Sequence only.
