Thursday, August 7, 2014

Managing BitLocker Computers in your Organization the easy way...

A couple of days ago my manager came to me asking for a more unified way to manage our TPM-enabled computers and to raise our compliance rate for BitLocker encryption. For those of us dealing with multiple hardware vendors, as I am, this is a real problem: there is very little standardization in how BIOS settings can be read or changed from within the operating system.

Challenges to face...

First and foremost we need to consider the inconsistency between operating systems in how they control the Trusted Platform Module (TPM). There are also differences in the commands and in the BitLocker architecture that we need to account for. This script covers Microsoft Windows 7 and up.

Operating System         Language
Microsoft Windows 7      Batch
Microsoft Windows 8      PowerShell
Microsoft Windows 8.1    PowerShell
Secondly we need to account for the various manufacturers, how each one exposes its BIOS settings and the WMI classes it provides. The script covers the manufacturers below and enables the TPM in the BIOS without any user interaction.

Manufacturer         Solution
Toshiba              TPM.vbs
Lenovo               TPM.vbs
Dell                 Dell Client Configuration Toolkit
Hewlett Packard      TPM.vbs

Stages

In order to activate the TPM and encrypt the machines there are four stages:

Stage                   Purpose
Enable TPM in BIOS      Assuming the TPM is disabled in the BIOS, it has to be enabled (and activated) there before Windows can see it.
Initialize the TPM      Windows requires the TPM to be initialized so that its features become available to Windows.
Take Ownership          Take ownership of the TPM, i.e. set its owner authorization, for the account running the script, in this case the local Administrators of the machine.
Encrypt the Hard Disk   Turn BitLocker on for the operating system volume.

Because of these stages there are also three required reboots, but we let the Task Sequence manage the reboots and the re-running of the script. One caveat worth stating: since the whole flow runs without user interaction, the operating system volume ends up protected by the TPM alone, so the machine boots to the logon screen for whoever has it. The recovery password must therefore be escrowed (to Active Directory, for example) before encryption begins, and TPM+PIN should be considered for machines at higher risk of physical loss.
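The Windows side of the four stages, as an added example that is not the script from the original post: it checks what Windows already sees of the TPM through Win32_Tpm, initializes and takes ownership (Initialize-Tpm on Windows 8/8.1, Win32_Tpm.TakeOwnership on Windows 7), escrows a recovery password and only then turns BitLocker on. The volume letter, the AD escrow switch and the Windows 7 owner-authorization handling are assumptions made for this example.

```powershell
# Added example, not the script from the original post: stages 2 to 4 (initialize
# the TPM, take ownership, encrypt the OS volume) on Windows 8/8.1 with the
# TrustedPlatformModule and BitLocker modules, falling back to Win32_Tpm and
# manage-bde on Windows 7. Run elevated from the task sequence. The volume letter,
# the AD escrow switch and the Windows 7 owner-authorization handling are assumptions.
param(
    [string]$MountPoint = 'C:',
    [switch]$BackupToAD    # assumes the BitLocker recovery-information GPO/schema is in place
)
$ErrorActionPreference = 'Stop'

function Get-TpmState {
    # Win32_Tpm is vendor independent and present on Windows 7 and later.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM visible to Windows: stage 1 (enable it in the BIOS) has not completed.' }
    New-Object psobject -Property @{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
        Tpm       = $tpm
    }
}

$state = Get-TpmState
if (-not ($state.Enabled -and $state.Activated)) {
    # Enabling/activating is a BIOS change (stage 1) followed by the reboot the task
    # sequence performs; the step simply runs again afterwards.
    throw 'TPM present but not enabled/activated; complete stage 1 and reboot.'
}
# Windows 8 and later ship the BitLocker cmdlets; Windows 7 does not.
$modern = [bool](Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)

# Stages 2 and 3: initialize and take ownership.
if (-not $state.Owned) {
    if ($modern) {
        # Initialize-Tpm takes ownership and keeps the owner authorization for Windows.
        $init = Initialize-Tpm -AllowClear -AllowPhysicalPresence
        if (-not $init.TpmReady) {
            throw "TPM not ready after Initialize-Tpm (restart required: $($init.RestartRequired))"
        }
    } else {
        # Windows 7: TakeOwnership needs an owner authorization value. A random one is
        # generated per machine (assumption); escrow it with the Windows 7 "Turn on TPM
        # backup to Active Directory" policy rather than hard-coding a shared secret.
        $bytes = New-Object byte[] 32
        [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $ownerAuth = $state.Tpm.ConvertToOwnerAuth([Convert]::ToBase64String($bytes)).OwnerAuth
        $rc = $state.Tpm.TakeOwnership($ownerAuth).ReturnValue
        if ($rc -ne 0) { throw ('TakeOwnership failed: 0x{0:X8}' -f $rc) }
    }
}

# Stage 4: encrypt. The recovery password is created and escrowed before encryption
# starts, so a machine that fails part-way is still recoverable.
if ($modern) {
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On') {
        Write-Output "$MountPoint is already protected."; return
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
} else {
    # Windows 7: same order with manage-bde; the protector ID for -adbackup is parsed
    # from the -get output.
    & manage-bde -protectors -add $MountPoint -tpm
    & manage-bde -protectors -add $MountPoint -recoverypassword
    if ($BackupToAD) {
        $out = (& manage-bde -protectors -get $MountPoint -type RecoveryPassword) -join "`n"
        if ($out -match '\{[0-9A-Fa-f-]{36}\}') {
            & manage-bde -protectors -adbackup $MountPoint -id $Matches[0]
        }
    }
    & manage-bde -on $MountPoint -skiphardwaretest
}
```

The script is written to be re-run after each reboot the Task Sequence performs: it throws (and so fails the step) while stage 1 is incomplete, returns early once the volume is protected, and otherwise advances one stage per run. Escrowing before Enable-BitLocker is the deliberate ordering; the reverse leaves a window in which a machine is encrypted with no recoverable key.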

Add the Package 

  1. Copy the files to a temporary location
  2. Open the Deployment Workbench
  3. Navigate to the Applications node
  4. Create an appropriate folder if you do not have one already
  5. Right click on your folder and choose New Application
  6. Choose Application with source files and click Next
  7. Specify the details for this application
  8. Enter a source directory (your temporary location) and click Next
  9. Click Next
  10. Enter the name of the batch file as the install command line
  11. Click Next
  12. Click Finish
  13. Right click on your application and choose Properties
  14. Check Hide this application in the Deployment Wizard and click Apply


Changes to the Task Sequence

  1. Navigate to the Task Sequences Node 
  2. Right click on the relevant Task Sequence and choose properties 
  3. Choose the Task Sequence Tab 
  4. Scroll down toward the end of your Task Sequence, after the Install Applications task, click Add and choose New Group if you do not already have an appropriate one
  5. Click on your group, return to the Add button and choose General -> Install Application
  6. Choose Install a single application
  7. Click Browse, navigate to the TPM Universal application and click OK
  8. Copy the application name from Application to install into the step's Name field
  9. Click on the Options Tab 
  10. Click on Add and choose If statement
  11. Choose Any conditions
  12. Click on Add and choose Query WMI
  13. Change the WMI namespace to root\WMI
  14. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Enable"
  15. Click on Add and choose Query WMI
  16. Change the WMI namespace to root\WMI
  17. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Disable"
  18. Click on Add and choose Query WMI
  19. Change the WMI namespace to root\WMI
  20. WQL Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = "SecurityChip,Active"
  21. Click on Add and choose Query WMI
  22. Change the WMI namespace to root\WMI
  23. WQL Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = "SecurityChip,Inactive"
  24. Click on Add and choose Query WMI
  25. Change the WMI namespace to root\WMI
  26. WQL Query: SELECT * FROM Lenovo_BiosSetting WHERE CurrentSetting = "SecurityChip,Disable"
  27. Click on Add, choose Query WMI and change the WMI namespace to root\HP\InstrumentedBIOS
  28. WQL Query: SELECT * FROM HP_BIOSSetting WHERE Name = "TPM Device"
  29. Click on Add and choose Query WMI (leave the namespace at the default, root\cimv2)
  30. WQL Query: SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "Dell%"
  31. Check the Continue on error check box and click Apply
  32. Click on Add -> General -> Restart computer
  33. Repeat steps 7-11 to account for all scenarios in the script, and click Apply when finished
  34. Repeat steps 11-30 for all six steps in your Task Sequence
  35. When you are finished your Task Sequence should look like the one in the screenshot

Two notes on the conditions. Lenovo exposes the current value through Lenovo_BiosSetting, whose CurrentSetting property is a "Name,Value" string such as "SecurityChip,Active" (Lenovo_SetBiosSetting is the class that changes a setting, not the one that reports it), HP reports the current value through HP_BIOSSetting with its Name property, and Win32_ComputerSystem reports Dell machines as "Dell Inc.", hence the LIKE. Vendor class names and values still vary between models and BIOS versions, so validate each query on a reference machine of every model with Get-WmiObject -Namespace <namespace> -Query "<wql>" before building it into a condition: a WMI condition is only true when the query returns at least one instance, a query that returns nothing silently skips the step, and Continue on error hides that failure.
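The same vendor detection the conditions above perform, done in one script so the WQL can be checked on a reference machine, followed by the vendor-specific call that enables the TPM in the BIOS (stage 1). This is an added example and is not the TPM.vbs or the Dell Client Configuration Toolkit wrapper from the post. Assumptions are labelled in the code: the BIOS setup password source, the HP setting value "Available" for "TPM Device", the "<utf-16/>" prefix HP expects on a password, and cctk.exe being packaged next to the script.

```powershell
# Added example; not the TPM.vbs or Dell CCTK wrapper from the original post.
# Stage 1 (enable the TPM in the BIOS) for the vendors the post lists, keyed on the
# same WMI classes the task-sequence conditions query. Run elevated; every
# successful change needs a reboot before Windows sees the TPM.
param([string]$BiosPassword = '')   # BIOS setup/supervisor password, if one is set (assumption)

$ErrorActionPreference = 'Stop'

function Get-TpmReady {
    # Vendor independent: what Windows already sees. If both are true, stage 1 is done.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    return [bool]($tpm -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

if (Get-TpmReady) { Write-Output 'TPM already enabled and activated.'; return }

$manufacturer = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer   # e.g. "LENOVO", "Dell Inc."
Write-Output "Manufacturer: $manufacturer"

switch -Wildcard ($manufacturer) {
    'LENOVO*' {
        # Lenovo_BiosSetting.CurrentSetting is "Name,Value", e.g. "SecurityChip,Inactive".
        $now = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_BiosSetting |
               Where-Object { $_.CurrentSetting -like 'SecurityChip,*' }
        Write-Output "Lenovo BIOS reports: $($now.CurrentSetting)"
        # A supervisor password is appended as ",<password>,ascii,us".
        $suffix = if ($BiosPassword) { ",$BiosPassword,ascii,us" } else { '' }
        $setter = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_SetBiosSetting
        $rc = $setter.SetBiosSetting("SecurityChip,Active$suffix").return
        if ($rc -ne 'Success') { throw "Lenovo SetBiosSetting: $rc" }
        $saver = Get-WmiObject -Namespace 'root\wmi' -Class Lenovo_SaveBiosSettings
        $rc = $saver.SaveBiosSettings($suffix.TrimStart(',')).return
        if ($rc -ne 'Success') { throw "Lenovo SaveBiosSettings: $rc" }
    }
    { $_ -like 'Hewlett-Packard*' -or $_ -like 'HP*' } {
        # HP_BIOSSetting holds the current value; HP_BIOSSettingInterface changes it.
        $now = Get-WmiObject -Namespace 'root\HP\InstrumentedBIOS' -Class HP_BIOSSetting `
                             -Filter "Name='TPM Device'"
        Write-Output "HP BIOS reports: $($now.Name) = $($now.Value)"
        # Assumptions: the value "Available" enables the device, and a setup password
        # must be passed with the "<utf-16/>" prefix (empty string when none is set).
        $pw = if ($BiosPassword) { "<utf-16/>$BiosPassword" } else { '' }
        $iface = Get-WmiObject -Namespace 'root\HP\InstrumentedBIOS' -Class HP_BIOSSettingInterface
        $rc = $iface.SetBIOSSetting('TPM Device', 'Available', $pw).Return
        if ($rc -ne 0) { throw "HP SetBIOSSetting returned $rc" }
    }
    'Dell*' {
        # Dell is handled with the Client Configuration Toolkit, as in the post.
        # cctk.exe is assumed to sit next to this script; TPM activation requires the
        # BIOS setup password, so the script refuses to continue without one.
        $cctk = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'cctk.exe'
        if (-not $BiosPassword) { throw 'Dell: cctk --tpmactivation requires the setup password.' }
        & $cctk --tpm=on --valsetuppwd=$BiosPassword
        if ($LASTEXITCODE -ne 0) { throw "cctk --tpm=on exited $LASTEXITCODE" }
        & $cctk --tpmactivation=activate --valsetuppwd=$BiosPassword
        if ($LASTEXITCODE -ne 0) { throw "cctk --tpmactivation exited $LASTEXITCODE" }
    }
    'TOSHIBA*' {
        # Toshiba is covered by the post's TPM.vbs; its BIOS WMI schema is not reproduced here.
        throw 'Toshiba: use the TPM.vbs from the post.'
    }
    default { throw "No BIOS automation for manufacturer '$manufacturer'." }
}
Write-Output 'BIOS TPM setting changed; reboot and re-run the step to continue with stage 2.'
```

Running the script with no parameters on a reference machine of each model, before it is added to the Task Sequence, shows which branch fires and what the vendor class reports; if a model prints an unexpected manufacturer string or an unknown setting value, the matching Task Sequence condition needs adjusting too. A BIOS setup password handed to a script as a parameter is visible to anyone who can read the Task Sequence, so store it in a protected location and pass it only for the vendors that require it.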

That's it: standardized TPM and BitLocker management the easy way!

Of course, as usual, all scripts and other free content are available from my Google Drive at the following address: Script Location

I hope you enjoyed this blog entry and, as usual, I fully encourage you to share your comments, questions and thoughts.

Tuesday, August 5, 2014

Image Building the easy way...

So recently at a client I was asked to review their images and come up with a more adaptive solution, one that could flow with the changes in the company. The trigger for this review was that the IT manager wanted to replace the existing Microsoft Office 2010 standard with Microsoft Office 2013; local IT had told him this would be an arduous task, and I was asked to come up with something simpler.

This brings us to the very basic question of thick or thin images, a question we all come to eventually when designing deployment infrastructure.

So a little background. A thick image is exactly how I want my computer to look and operate when all is said and done; in the old days this would have included drivers and updates. (See my previous posts on dynamically updating your images with updates, http://jeremyblass.blogspot.co.il/2014/04/managing-updates-in-microsoft.html?view=magazine, and on managing drivers the easy way, http://jeremyblass.blogspot.co.il/2014/04/managing-drivers-easy-way.html?view=magazine.) A thin image, by contrast, contains nothing other than the base operating system.

My recommendation is always to keep your images as light as possible. I know this requires more work initially, but the payoff down the line is incredible. I was working at a client about a year ago when the manager came to me with the following scenario: over the next couple of weeks we are buying two new companies and need a way to deploy our standard environment to them, with a few extra applications. So what do I do?

Task Sequences

Task Sequences are a much underrated aspect of MDT and SCCM. In my opinion they are one of the key fundamental aspects of both deployment solutions, and these unheralded heroes are the topic of today's blog.
Above you will see a snapshot of my standard Microsoft Windows 8.1 x64 Task Sequence.

By virtue of using a Task Sequence there is virtually nothing I need to do to maintain my image: as you can see, I am using the install.wim that came with the ISO I imported into my deployment share.

Now that I have reduced my day-to-day effort, let's talk about the rest of my Task Sequence. I inject drivers, of course, based on my Selection Profiles, the same ones I use for Microsoft Windows 7, Microsoft Windows Server 2008 R2, 2012 and 2012 R2; all my 64-bit operating systems use the same Selection Profile, reducing my overhead once again.

Finally, the applications. As mentioned previously, not only is it a pain in the neck to maintain bloated images with all of my applications baked in, but when it comes to deploying to new environments, or rolling with the dynamic nature of today's enterprise, it becomes cumbersome very quickly. Maintaining that multitude of images and building a new one for my boss's request is already far too much headache. To keep it easy, I simply continue using my existing Task Sequence and add the applications, with silent installs, to the MDT Application database.

  • Click on the Applications node
  • For application management I recommend using folders, so right click on the Applications node and choose New Folder
  • Enter a name for the new folder and click Next
  • Click Next
  • Click Finish
  • Right click on the newly created folder and choose New Application
  • Bear in mind that the location you provide in the next step is permanent: if you later delete the files from that location the application will fail to install
    o   The first option, and my preferred one as it removes much of the guesswork, is Application with source files; this copies the source files into a folder it creates under %DeploymentShare%\Applications.
    o   Application without source files or elsewhere on the network: choose this option to avoid duplicating installation files (in my experience it can add some latency at install time).
    o   Application bundle is the final option and not the focus of this entry; I will cover it in a few weeks and add a link here.
  • For a clean and well organized application database I recommend filling in every text box; the more information the better
  • Enter the source location and click Next
  • Although MDT generates a name for you, you are not beholden to it
  • Enter the command line that installs your application silently, or the name of a script in the same folder that does so
  • Click Next
  • Click Finish

Now that we have completed the application creation process let's create that Task Sequence.

Task Sequence Creation 

  • Right click on Task Sequences and choose New Folder 
  • Enter a name for the folder and click Next 
  • Click Next 
  • Click Finish 
  • Right Click on the new folder that you created and choose New Task Sequence 
  • New Task Sequence Wizard 
  • Click Next 
  • Choose an Operating System, or, as I recommend, a "thin image" (the plain install.wim imported from the ISO)
  • Specify a Product Key 
o   Do Not Specify a Product Key: Use this option if you wish to add your Product Key to your unattended file, if you are using Volume Activation Management Tool from Microsoft or if you are using a KMS server for activation.
o   Specify a Multiple Activation Key (MAK key) for activating this Operating System: If your organization uses MAK keys
o   Specify the product Key for this Operating System: This is only for retail keys
  • OS Settings 

o   Full Name: Your Organizations IT Department
o   Organization:  The name of your organization
o   Internet Explorer Home Page: Your organization Internet Explorer Home Page
  • Enter the local Administrator password of your choosing. Note that MDT writes this password into the task sequence's Unattend.xml on the deployment share, where it is only encoded, not encrypted, so anyone who can read the share can recover it: restrict the share ACLs accordingly and rotate the password after deployment
  • Click Next 
  • Click Finish 
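The application import and task sequence creation described in the two procedures above, as an added example that is not part of the original post, done with the MDT PowerShell cmdlets instead of the Deployment Workbench (these are the same cmdlets the Workbench exposes under "View Script"). The deployment share path, folder and application names, the Office source path, the silent command line and the task sequence ID are assumptions made for this example.

```powershell
# Added example, not part of the original post: create the application folder,
# import an "Application with source files", then create the thin-image task
# sequence, using the MDT PowerShell module. Paths and names are assumptions.
Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
$ErrorActionPreference = 'Stop'

$share = 'D:\DeploymentShare'   # assumption: the deployment share root
New-PSDrive -Name 'DS001' -PSProvider 'MDTProvider' -Root $share | Out-Null

# Applications: a folder, then the application. MDT copies the source into
# <share>\Applications\<DestinationFolder>, which is why the source location must
# stay valid until the import has completed.
New-Item -Path 'DS001:\Applications' -Enable 'True' -Name 'Microsoft' -Comments '' -ItemType 'folder' | Out-Null

# The command line must be a silent install; "setup.exe /adminfile silent.msp" is an
# assumed example for Office 2013, not a value from the post.
Import-MDTApplication -Path 'DS001:\Applications\Microsoft' -Enable 'True' `
    -Name 'Microsoft Office 2013 x86' -ShortName 'Office 2013' -Version '2013' `
    -Publisher 'Microsoft' -Language '' `
    -CommandLine 'setup.exe /adminfile silent.msp' `
    -WorkingDirectory '.\Applications\Microsoft Office 2013 x86' `
    -ApplicationSourcePath 'D:\Source\Office2013' `
    -DestinationFolder 'Microsoft Office 2013 x86' | Out-Null

# Task sequence: Client.xml is the Standard Client Task Sequence template, and the
# operating system path points at the install.wim imported from the ISO (thin image).
# No product key parameter is given, which matches "Do not specify a product key".
$adminPassword = Read-Host 'Local Administrator password for the task sequence'
New-Item -Path 'DS001:\Task Sequences' -Enable 'True' -Name 'Windows 8.1' -Comments '' -ItemType 'folder' | Out-Null
Import-MDTTaskSequence -Path 'DS001:\Task Sequences\Windows 8.1' `
    -Name 'Windows 8.1 x64 Thin Image' -Template 'Client.xml' `
    -Comments 'Thin image; applications come from the Application database' `
    -ID 'W81X64' -Version '1.0' `
    -OperatingSystemPath 'DS001:\Operating Systems\Windows 8.1 Enterprise in Windows 8.1 x64 install.wim' `
    -FullName 'IT Department' -OrgName 'Contoso' -HomePage 'about:blank' `
    -AdminPassword $adminPassword | Out-Null

# The AdminPassword value lands in the task sequence's Unattend.xml on the share,
# encoded rather than encrypted: keep the share ACLs tight and rotate it after deployment.
Write-Output 'Application imported and task sequence created.'
```

Scripting the import this way is what makes the thin-image approach scale: the same two cmdlet calls, parameterised per application, rebuild the Application database for a new environment without touching the image at all.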

Edit the Task Sequence 

  • Right Click on your Task Sequence and choose Properties 
  • Check Hide this task sequence in the Deployment Wizard and click Apply, to prevent someone accidentally deploying it while you are still editing it
  • Choose the Task Sequence Tab 
  • Click on Add and choose New Group 
  • Enter a name for the new group and click Apply 
  • Click on Applications 
  • Click on Add -> General -> Install Application 
  • Choose Install a Single Application 
  • Browse for the name of the application that you created previously and click OK
  • For the step name, enter the name of your application
  • Choose the Options Tab 
  • Check the Continue on error check box 
  •  Click Apply 
  • Choose the General Tab 
  • Remove the check from Hide this task sequence in the Deployment Wizard and click Apply

That's it, you're done: you should now see your Task Sequence in the Task Sequence chooser of the Deployment Wizard. Feel free to customize your Task Sequence to your heart's content, and remember that a Task Sequence can be changed at any time, as opposed to your image, which is pretty static. Task Sequences the easy way.