{"id":1287,"date":"2014-01-26T20:47:10","date_gmt":"2014-01-26T19:47:10","guid":{"rendered":"http:\/\/sccmfaq.wordpress.com\/?p=1287"},"modified":"2014-01-26T20:47:10","modified_gmt":"2014-01-26T19:47:10","slug":"sccm-2012-r2-byod-with-windows-to-go-and-bitlocker-in-enterprise","status":"publish","type":"post","link":"https:\/\/blog.hosebei.ch\/?p=1287","title":{"rendered":"SCCM 2012 R2 – BYOD with Windows To Go and Bitlocker in Enterprise"},"content":{"rendered":"

Hi there, here’s Martin again.<\/p>\n

My last Blog Post was about to create a Windows 8.1 To Go deployment with System Center 2012 Configuration Manager R2, and which configurations are required or are nice to set. In this Blog post, I tell you about how I expand the Task Sequence with enabling Bitlocker for the Windows ToGo and how to set a computername.<\/p>\n

First, this process is also described on TechNet: http:\/\/technet.microsoft.com\/en-us\/library\/jj651035.aspx
\nNote that the Task Sequence Variable “OSDBitLockerPIN” has to be set.<\/p>\n

Your first step in the process of enabling Bitlocker for Windows To Go depends, on where would you like to save the recovery Password. I would suggest you to save them in Active Directory. For all questions about Bitlocker and recovery Password, please refer to the appropriate TechNet articles depending on your needs.<\/p>\n

You have then to create a package, which includes the Windows To Go Bitlocker tool for enabling the encryption. Navigate to the following folder below your SCCM Installation Directory:
\n$InstallDirectoryOSDToolsWTGBitLocker
\nCopy the entire Content to your package Location and create a new package. When creating the Bitlocker ToGo package, there is no need to create a program, do not forget to distribute the package on a Distribution Point!
\nWhen this is done, open your Task Sequence and add a “Run Command Line” step to your Task Sequence:
\n\"BitlockerToGo01\"<\/a>
\nIn the example of the TechNet article, the x86 Version of the program is used. My Windows 8.1 is a x64 Version, so my command line ist:
\nx64osdbitlocker_wtg.exe \/Enable \/pwd:AD<\/code>
\nThe switch \/pwd:AD does requires the process to store the bitlocker recovery key to Active Directory. As package, choose your bitlocker Togo package, which you have created before.
\nImportant: Set the following Option, that this step will only be run in a Windows To Go Environment:
\nTask Sequence Variable “_SMSTSWTG” equals “True”:
\n\"Run<\/a><\/p>\n

Your Task Sequence is done, you could create your prestage media. But wait, think about how to set your variable OSDBitLockerPIN, which is necessary to enable Bitlocker To Go! This Pin Code has to be 8 digit long for minimum and 64 digit in maximum. If characters are allowed depends on your Group Policy Setting, the option enhanced Pin Codes is to check.
\nWhile on testing, I added this variable hardcoded to the variable while creating the prestage media as defined variable. But since I already added this simple script for prestart command to get a TS start delay and set an appropriate computername:
\nwscript.sleep(45000)
\nstrComputerName = InputBox(\"Enter computername\")
\nSet env = CreateObject(\"Microsoft.SMS.TSEnvironment\")
\nenv(\"OSDComputerName\") = strComputerName
\n<\/code>
\nI added some lines to also ask for the bitlocker key. I also added a check, if the Computer Name is valid, and if the bitlocker pin code is valid. A missing Point is the check against the Active Directory, because if you choose a computername which is already in use, the TS will overwrite this one. You will find the script copy \/pasted at the end of the blog post, and also under this link: https:\/\/skydrive.live.com\/redir?resid=65440BAA507106AD%21700<\/p>\n

The Script has 3 variables, that are to set by you:
\niBootDelay = 45\t\t\t\t\t'Time in second the TS waits before start, important to get network up and running
\nbBitLockerEnabled = \"True\"\t\t'If set to True, script will ask for BitlockerPin
\nvTSDeploymentID = \"S01000C4\"\t'Has to be set to your deployment on the unkown computer collection<\/code>
\nSelf-explanatory I hope \ud83d\ude42<\/p>\n

For the script, just create a new package or use an existing, and then add the package with the script to the prestart command wizard:
\n\"Script<\/a><\/p>\n

If there are enough comments for AD integrated computername check, I will update the Script and blogpost.
\nAny other suggestions to the script and other ideas are warmly welcome.<\/p>\n

Two ideas I already got is:
\n-User Primary device
\n-Language Selection<\/p>\n

But as stated above, only when some People are asking for it.<\/p>\n

————–Script————–
\n' Region Description
\n'
\n' Name: prestage1.0.vbs
\n' Author: martin w\u00fcthrich
\n' Version: 1.0
\n' Description: Used for Windows ToGo deployments
\n'
\n'
\n' EndRegion<\/p>\n

Option Explicit<\/p>\n

Dim iBootDelay
\nDim bComputerNameOK, bBitLockerEnabled
\nDim vComputername, vTSDeploymentID
\nDim oTSenvironment<\/p>\n

'User defined variables
\niBootDelay = 45\t\t\t\t\t'Time in second the TS waits before start, important to get network up and running
\nbBitLockerEnabled = \"True\"\t\t'If set to True, script will ask for BitlockerPin
\nvTSDeploymentID = \"S01000C4\"\t'Has to be set to your deployment on the unkown computer collection<\/p>\n

'------------------------------------
\n'Main Script<\/p>\n

'Sleep before start
\nWScript.sleep(iBootDelay * 1000)<\/p>\n

'Set Task Sequence environment object
\nSet oTSenvironment = CreateObject(\"Microsoft.SMS.TSEnvironment\")
\n'Set TS Deployment ID
\noTSenvironment(\"SMSTSPreferredAdvertID\") = vTSDeploymentID<\/p>\n

'------------------------------------
\n'ask For computername
\nDo While bComputerNameOK \"OK\"
\n\tvComputername = InputBox(\"Enter computername (allowed chars [Aa-Zz], [0-9]; max 14 chars)\")
\n\tbComputerNameOK = fCheckComputername(vComputername)<\/p>\n

\t'Check Against AD
\n\t'probably in future release... :)<\/p>\n

Loop
\n'Set TS Variable
\noTSenvironment(\"OSDComputerName\") = vComputername<\/p>\n

'------------------------------------
\n'Ask For Bitlocker Pin Code
\nIf bBitLockerEnabled = \"True\" Then
\n\tDim vBitlockerCode
\n\tDim bBitlockerCode
\n\tDo While bBitlockerCode \"OK\"
\n\t\tvBitlockerCode = InputBox(\"Enter BitlockerPin ((allowed chars [0-9]; min 8 chars max 64 chars)\")
\n\t\tbBitlockerCode = fBitlockerCode(vBitlockerCode)<\/p>\n

\tLoop
\n\t'Set TS Variable
\n\toTSenvironment(\"OSDBitLockerPIN\") = vBitlockerCode<\/p>\n

End If<\/p>\n

'Functions
\nFunction fCheckComputername(vComputernameCheck)
\n\tDim iCheckNumber, sChar
\n\tfCheckComputername = \"OK\"<\/p>\n

\tFor iCheckNumber = 1 To Len(vComputernameCheck)
\n \tsChar = Mid(vComputernameCheck,iCheckNumber,1)
\n \tIf (Asc(sChar) > 96 And Asc(sChar) 47 And Asc(sChar) 14 Then
\n\t\tfCheckComputername = \"NotOK\"
\n\tEnd If<\/p>\n

End Function<\/p>\n

Function fBitlockerCode(vPinCodeCheck)<\/p>\n

\tDim iCheckNumber, sChar
\n\tfBitlockerCode = \"OK\"<\/p>\n

\tFor iCheckNumber = 1 To Len(vPinCodeCheck)
\n\t\tsChar = Mid(vPinCodeCheck,iCheckNumber,1)
\n \tIf sChar = 0 Or sChar = 1 Or sChar = 2 Or sChar = 3 Or sChar = 4 Or sChar = 5 Or sChar = 6 Or sChar = 7 Or sChar = 8 Or sChar = 9 Then
\n \t' Do nothing with Chars [0-9]
\n \tElse
\n\t\t\tfBitlockerCode = \"NotOK\"
\n\t\t\tExit For
\n\t\tEnd If
\n\tNext<\/p>\n

\tIf Len(vPinCodeCheck) >= 8 And Len(vPinCodeCheck) <= 64 Then
\n\t\t'Pin is OK
\n\tElse
\n\t\tfBitlockerCode = "NotOK"<\/p>\n

\tEnd If<\/p>\n

End Function<\/p>\n

<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

Hi there, here’s Martin again. My last Blog Post was about to create a Windows 8.1 To Go deployment with System Center 2012 Configuration Manager R2, and which configurations are required or are nice to set. In this Blog post, I tell you about how I expand the Task Sequence with enabling Bitlocker for the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,10,27],"tags":[],"class_list":["post-1287","post","type-post","status-publish","format-standard","hentry","category-bitlocker","category-byod","category-operating-system-deployment"],"_links":{"self":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/1287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1287"}],"version-history":[{"count":0,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/1287\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}