SCCM, Windows 7 and BitLocker - Part 2

28th January 2011 at 04:37 PM
Hello again everyone! So, back again with Part 2 of my wee guide on getting SCCM, Windows 7 and BitLocker all done together...

3. Make sure you clear and/or activate the TPM on your device.
Sounds simple, doesn't it... if the TPM isn't active on your machine, or if it is previously owned, your build will fail! You have been warned - and my techies know that they have to pay into the "fails" pot for any dense mistakes - this being one!!

We have Toshiba Tecra A10s - 160 of them to be precise. In those, the BIOS has the TPM enable/disable option, as well as an option to clear the owner (only there when the TPM is enabled).

4. Get ready to deploy the image you captured in Part 1 onto your device.
Best place to get the info on this... well, rather than writing it all here, I'm just going to credit the resource that got me up and running.

Read, and re-read, the guide to get it set up. DO NOT skip any steps. To keep you on the right track, again I have attached my Task Sequence. You will see it has all my software set out for deployment also. You might think this takes a long time - total time is actually 30 mins.

5. The "fancy stuff" - getting BitLocker enabled and all the auto-restarting stuff.
Right, I need to explain what the actual sequence above does...

1. Drops the image onto the machine
2. Sets owner on the TPM
3. Installs all the software
4. Sets a load of BitLocker related Reg keys (in case Group Policy is a bit slow)
5. Enables the BitLocker Protection
6. Auto logs in and runs a load of first use stuff for my techies.

The Reg stuff - forces recovery keys to be stored in AD, enables advanced PINs (alphanumeric), sets the minimum PIN length, and enables PIN and TPM as the authentication method.
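As an added example (not the author's own script, which is not shown on this page), here is one way the registry step could write and verify those policies with PowerShell. The value names are the BitLocker policy values under `HKLM\SOFTWARE\Policies\Microsoft\FVE`; the minimum PIN length of 8 is an assumed placeholder, since the page does not state the one used.

```powershell
# Added example: BitLocker policy values for step 4 of the task sequence.
# Run elevated (an SCCM task sequence runs as SYSTEM). Works on PowerShell 2.0.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Assumption: the page does not give its minimum PIN length; 8 is a placeholder.
$minimumPin = 8

$policy = @{
    # Recovery: back up OS-drive recovery info to AD, and refuse to
    # encrypt until that backup has succeeded
    'OSRecovery'                     = 1
    'OSActiveDirectoryBackup'        = 1
    'OSRequireActiveDirectoryBackup' = 1
    'OSActiveDirectoryInfoToStore'   = 1   # 1 = recovery password and key package
    # Startup authentication: require TPM + PIN, disallow the other methods
    'UseAdvancedStartup'             = 1
    'EnableBDEWithNoTPM'             = 0
    'UseTPM'                         = 0   # 0 = do not allow TPM-only startup
    'UseTPMPIN'                      = 1   # 1 = require TPM + PIN
    'UseTPMKey'                      = 0
    'UseTPMKeyPIN'                   = 0
    # PIN quality
    'UseEnhancedPin'                 = 1   # allow enhanced (alphanumeric) PINs
    'MinimumPIN'                     = $minimumPin
}

if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read everything back so a failed write stops the build before encryption starts
$actual = Get-ItemProperty -Path $fve
$bad = @($policy.Keys | Where-Object { $actual.$_ -ne $policy[$_] })
if ($bad.Count -gt 0) {
    Write-Error ("BitLocker policy mismatch: " + ($bad -join ', '))
    exit 1
}
Write-Output "BitLocker policy values written and verified under $fve"
```

Group Policy will overwrite these values on its next refresh, so the GPO should carry the same settings.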

Autologin stuff - runs SetupSNK to add our WPA2 protected WLAN, runs the SCCM Client Configuration Control Panel applet, runs the SCCM Client Run Advertised Programs Control Panel applet, and presents a CMD window showing BitLocker status before presenting the change PIN screen (we set a default as part of the scripting).

Part 3 will deal with all the scripts and fandango used once the build has finished...
