SCCM 2012 R2: Enabling TPM for BitLocker Protection on HP Laptops during OSD

  • Article

Scenario

Organisation decided to enable BitLocker protection for all of our new laptops. The idea is to provision the drive encryption as the laptops were built with your Configuration Manager 2012 R2 environment. The laptop models in this scenario: the HP EliteBook 850 and the Elitebook 820.

The Solution

A few steps were required to achieve this and some tweaking of the default steps in my Configuration Manager Task Sequence.

Now before you even start with BitLocker you need to ensure that your Active Directory environment meets a few prerequisites, for the purposes of this blog we are assuming that this has been checked and is in place. Some documentation on this can be found here:

Step 1 - Enable the TPM

In order to enable BitLocker during a Configuration Manager Task Sequence we first need to enable the TPM (Trusted Platform Module) in the BIOS. It's worth noting that a lot of the newer devices such as Surface Pro's come with UEFI where the TPM is already enabled, again my blog is dealing with BIOS as our new laptops don't come out of the box with UEFI enabled.

To enable the TPM in the BIOS we also need to set a password and tweak a few of the other security settings associated with the TPM. Luckily there is an HP BIOS Configuration Utility which we can use as part of a Task Sequence that will set these options for us automatically! We are using version 2.14.0.8 of the HP BIOS Configuration Utility which you can download from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe.

Extract the contents of sp49507 and create a package in your Config Manager instance. No program is required just the files as the Task Sequence is going to execute the utility.

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_100153.jpg

We now need to create a file for the utility to use which contains the settings we want to change inside the BIOS. We have done this by copying the BiosConfigUtility.exe to a target laptop, then launching a command prompt as an administrator and executing the below command. You can then modify the text file to contain only the required settings to enable the TPM for your particular laptop. For these laptops, these settings are shown as per below. Once you have the file trimmed down to what you require, rename it to .REPSET and copy it to your HP Bios Configuration Utility package source folder and update your distribution points.

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_101157.jpg

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_100749.jpg

Now we can update our Task Sequence with a step which executes the utility, this should be formatted as:

BiosConfigUtility.exe /SetConfig:%YOURSETTINGS.REPSET% /NewAdminPassword:%YOURPASSWORD%

We have created a group in my TS and have restricted the group to run only if the device is a laptop using the IsLaptop variable and have then created a step for each type of laptop model as each model has its own REPSET file with the settings required to activate the TPM.

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_103332.jpg

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_103647.jpg

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_103742.jpg

Step 2 - Set BitLocker Steps in your Task Sequence

Now that we have turned on the TPM using the config utility provided by HP we can turn our attention to the BitLocker steps. We have modified it slightly as we have used the integrated MDT Task Sequence and prefer the Configuration Manager Enable BitLocker step rather than the MDT step that is provided in the default TS. Why? It just seems to work better :)

Disable the default MDT '**Enable BitLocker' **step and then add the standard SCCM Enable BitLocker step. We have renamed it to 'Enable BitLocker for Laptops' and moved the new step down the TS so that its one of the last to be actioned. We have done this as we have had performance issues with the hardware once encryption has started which slows down the TS steps.

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_1048131.jpg

Again we have restricted this step from running by using the IsLaptop variable. Your BitLocker drive encryption options will vary depending on how you are implementing it in your organisation. We have just enabled the TPM and encrypted the drive, storing the recovery key in AD.

http://damonjohns.files.wordpress.com/2014/01/2014-01-30_105417.jpg

Step 3 - Test Your Task Sequence!

Now that we have our TPM being enabled automatically and our BitLocker steps in our Task Sequence as required, we can test everything to ensure it works.

We had to make one adjustment to Active Directory permissions so that Configuration Manager could write the recovery key information. However, this may not be required in other environments. Here is the blog about how to fix this should you run into the issue: