SCCM 2012 R2 – BYOD with Windows To Go and Bitlocker in Enterprise

Martin Wüthrich Bitlocker, BYOD, Operating System Deployment

Hi there, here’s Martin again.

My last Blog Post was about to create a Windows 8.1 To Go deployment with System Center 2012 Configuration Manager R2, and which configurations are required or are nice to set. In this Blog post, I tell you about how I expand the Task Sequence with enabling Bitlocker for the Windows ToGo and how to set a computername.

First, this process is also described on TechNet: http://technet.microsoft.com/en-us/library/jj651035.aspx
Note that the Task Sequence Variable “OSDBitLockerPIN” has to be set.

Your first step in the process of enabling Bitlocker for Windows To Go depends, on where would you like to save the recovery Password. I would suggest you to save them in Active Directory. For all questions about Bitlocker and recovery Password, please refer to the appropriate TechNet articles depending on your needs.

You have then to create a package, which includes the Windows To Go Bitlocker tool for enabling the encryption. Navigate to the following folder below your SCCM Installation Directory:
$InstallDirectoryOSDToolsWTGBitLocker
Copy the entire Content to your package Location and create a new package. When creating the Bitlocker ToGo package, there is no need to create a program, do not forget to distribute the package on a Distribution Point!
When this is done, open your Task Sequence and add a “Run Command Line” step to your Task Sequence:
BitlockerToGo01
In the example of the TechNet article, the x86 Version of the program is used. My Windows 8.1 is a x64 Version, so my command line ist:
x64osdbitlocker_wtg.exe /Enable /pwd:AD
The switch /pwd:AD does requires the process to store the bitlocker recovery key to Active Directory. As package, choose your bitlocker Togo package, which you have created before.
Important: Set the following Option, that this step will only be run in a Windows To Go Environment:
Task Sequence Variable “_SMSTSWTG” equals “True”:
Run command Line Step option

Your Task Sequence is done, you could create your prestage media. But wait, think about how to set your variable OSDBitLockerPIN, which is necessary to enable Bitlocker To Go! This Pin Code has to be 8 digit long for minimum and 64 digit in maximum. If characters are allowed depends on your Group Policy Setting, the option enhanced Pin Codes is to check.
While on testing, I added this variable hardcoded to the variable while creating the prestage media as defined variable. But since I already added this simple script for prestart command to get a TS start delay and set an appropriate computername:
wscript.sleep(45000)
strComputerName = InputBox("Enter computername")
Set env = CreateObject("Microsoft.SMS.TSEnvironment")
env("OSDComputerName") = strComputerName

I added some lines to also ask for the bitlocker key. I also added a check, if the Computer Name is valid, and if the bitlocker pin code is valid. A missing Point is the check against the Active Directory, because if you choose a computername which is already in use, the TS will overwrite this one. You will find the script copy /pasted at the end of the blog post, and also under this link: https://skydrive.live.com/redir?resid=65440BAA507106AD%21700

The Script has 3 variables, that are to set by you:
iBootDelay = 45 'Time in second the TS waits before start, important to get network up and running
bBitLockerEnabled = "True" 'If set to True, script will ask for BitlockerPin
vTSDeploymentID = "S01000C4" 'Has to be set to your deployment on the unkown computer collection
Self-explanatory I hope 🙂

For the script, just create a new package or use an existing, and then add the package with the script to the prestart command wizard:
Script Usage

If there are enough comments for AD integrated computername check, I will update the Script and blogpost.
Any other suggestions to the script and other ideas are warmly welcome.

Two ideas I already got is:
-User Primary device
-Language Selection

But as stated above, only when some People are asking for it.

————–Script————–
' Region Description
'
' Name: prestage1.0.vbs
' Author: martin wüthrich
' Version: 1.0
' Description: Used for Windows ToGo deployments
'
'
' EndRegion

Option Explicit

Dim iBootDelay
Dim bComputerNameOK, bBitLockerEnabled
Dim vComputername, vTSDeploymentID
Dim oTSenvironment

'User defined variables
iBootDelay = 45 'Time in second the TS waits before start, important to get network up and running
bBitLockerEnabled = "True" 'If set to True, script will ask for BitlockerPin
vTSDeploymentID = "S01000C4" 'Has to be set to your deployment on the unkown computer collection

'------------------------------------
'Main Script

'Sleep before start
WScript.sleep(iBootDelay * 1000)

'Set Task Sequence environment object
Set oTSenvironment = CreateObject("Microsoft.SMS.TSEnvironment")
'Set TS Deployment ID
oTSenvironment("SMSTSPreferredAdvertID") = vTSDeploymentID

'------------------------------------
'ask For computername
Do While bComputerNameOK "OK"
vComputername = InputBox("Enter computername (allowed chars [Aa-Zz], [0-9]; max 14 chars)")
bComputerNameOK = fCheckComputername(vComputername)

'Check Against AD
'probably in future release... :)

Loop
'Set TS Variable
oTSenvironment("OSDComputerName") = vComputername

'------------------------------------
'Ask For Bitlocker Pin Code
If bBitLockerEnabled = "True" Then
Dim vBitlockerCode
Dim bBitlockerCode
Do While bBitlockerCode "OK"
vBitlockerCode = InputBox("Enter BitlockerPin ((allowed chars [0-9]; min 8 chars max 64 chars)")
bBitlockerCode = fBitlockerCode(vBitlockerCode)

Loop
'Set TS Variable
oTSenvironment("OSDBitLockerPIN") = vBitlockerCode

End If

'Functions
Function fCheckComputername(vComputernameCheck)
Dim iCheckNumber, sChar
fCheckComputername = "OK"

For iCheckNumber = 1 To Len(vComputernameCheck)
sChar = Mid(vComputernameCheck,iCheckNumber,1)
If (Asc(sChar) > 96 And Asc(sChar) 47 And Asc(sChar) 14 Then
fCheckComputername = "NotOK"
End If

End Function

Function fBitlockerCode(vPinCodeCheck)

Dim iCheckNumber, sChar
fBitlockerCode = "OK"

For iCheckNumber = 1 To Len(vPinCodeCheck)
sChar = Mid(vPinCodeCheck,iCheckNumber,1)
If sChar = 0 Or sChar = 1 Or sChar = 2 Or sChar = 3 Or sChar = 4 Or sChar = 5 Or sChar = 6 Or sChar = 7 Or sChar = 8 Or sChar = 9 Then
' Do nothing with Chars [0-9]
Else
fBitlockerCode = "NotOK"
Exit For
End If
Next

If Len(vPinCodeCheck) >= 8 And Len(vPinCodeCheck) <= 64 Then
'Pin is OK
Else
fBitlockerCode = "NotOK"

End If

End Function

3 thoughts on “SCCM 2012 R2 – BYOD with Windows To Go and Bitlocker in Enterprise

  1. Hi, awesome tutorial, thank you! But i´ve got a problem with the prestart commands. The task sequence ignores the values filled in the popup windows. do you have any ideas?
    best regards

    Reply

    • Hey, thanks for your Feedback. No sorry, got no clue. But I think, that the script might run itno an error, and thus the variable is not set? Could you try to figure that out?

      Reply

      • The script is working fine. i had defined an empty collection variable named “OSDComputername” on “unknown computers”. After deleting the variable it works! I also added a step for primary users:

        ‘ask For username
        vUsername = InputBox(“Enter username (DomainMax.Mustermann)”)
        ‘Set TS Variable
        oTSenvironment(“SMSTSUDAUsers”) = vUsername

        Thank you!

        Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.