Prerequisites:

Windows ADK for Windows 10

https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx

Dell K2000 Media Manager

http://YOUR-k2000/utils/kmediamanager.msi

Dell KBE Manipulator (3.7.1.8)

http://www.itninja.com/question/kbe-manipulator

Microsoft BitLocker Administration and Monitoring - Client Deployment Scripts

https://www.microsoft.com/en-us/download/details.aspx?id=48698

Dell Command | Configure

http://en.community.dell.com/techcenter/enterprise-client/w/wiki/7532.dell-command-configure

VMware Workstation (For RSA)

https://www.vmware.com/products/workstation

Get/Set ComputerName

http://www.itninja.com/blog/view/get-set-computername

(Optional) Windows Server 2012 R2 (NIC Teaming)

https://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/

 

 

Assumptions:

Golden image made and sysprep'd

BitLocker is enabled in your Active Directory environment, but you want a way to automate turning it on during imaging

Microsoft BitLocker Administration and Monitoring 2.5 SP1 set up in your environment (not strictly required, but the PowerShell script used below comes from it)

Dell K2000 is in place and running the latest version

Dell K2000 RSA is in place and running the latest version

Dell K2000 samba share is enabled

Dell laptops/desktops are used in your environment

 

Before we Begin:

I will take you through the steps to getting BitLocker automated using the K2000 appliance. The process I am writing took a lot of time and effort to perfect. If you have a better way to improve this

process, please post it, as I am always looking for ways to improve it. Also, this is my first post/blog, so try not to troll me too much :-)

 

Let's take it from the top:

  1. Setting up Windows 2012 R2 for NIC Teaming
    • Login to your Windows 2012 R2 Server (I recommend to login locally or via iDRAC)
    • Open the "Server Manager" dashboard (if it hasn't already opened on login)
    • Go to Configure this local server--> NIC Teaming Disabled
    • The "NIC Teaming" dashboard will open
      • Under "ADAPTERS AND INTERFACES" right click the 2 NICs you want to team--> Add to New Team
      • Team Name: "ENTER YOUR CUSTOM NAME"
      • Make sure both NICs are checked and click the drop down "Additional properties"
        • Teaming mode: Switch Independent
        • Load balancing mode: Dynamic
        • Standby adapter: None (all adapters Active)
        • Click "OK"

 

  2. Installing VMware Workstation and Importing Dell K2000 RSA
    • Download VMware Workstation and run through the installation
    • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Deployments--> Remote Sites--> Choose Action--> Download OVF--> Download
    • Once the install is complete open VMware Workstation
      • Go to Edit--> Virtual Network Editor…
      • Select all VMnet networks except for the "Bridged" Type Network (Mine is VMnet0)
      • Click "OK"
    • Extract your Dell K2000 RSA
    • Navigate to where you just extracted your Dell K2000 RSA OVF and double click to begin the import
    • Don't bring up the VM just yet we need to remove the flex NIC and add the e1000 NIC

 

  3. Setting up your Dell K2000 RSA for MAX performance
    • With VMware Workstation still open, click on the VM you just imported
    • Click Upgrade Hardware Version--> Alter this VM--> Select latest version available--> OK
    • Right click your Dell K2000 RSA--> Settings
      • Memory: 4GB
      • Processors: 2
      • Remove Floppy Drive
      • Remove Network Adapter (this is the flex NIC)
      • Add CD/DVD drive
      • Click the "Options" Tab
        • Guest operating system: FreeBSD (64-bit)
      • Click OK
    • Right click your Dell K2000 RSA--> Settings
      • Add Network Adapter (the guest OS type is what makes Workstation pick the e1000 adapter instead of the flex NIC, which is why it gets switched back in the next step)
      • Click OK
    • Right click your Dell K2000 RSA--> Settings
      • Click the "Options" Tab
        • Guest operating system: FreeBSD (32-bit)
      • Click OK
    • Power on your VM!
    • Once the VM is up login with konfig
      • IP address: 10.0.0.1 (Make it a bogus IP address)
      • Network Speed: 1000Mbps (IMPORTANT)
      • Save
    • After the VM is back up again login with konfig
      • IP address: X.X.X.X (Make it the IP address you want now)
      • Network Speed: Auto-negotiate
      • Save

 

  4. Creating a custom WinPE 10 KBE and upload to Dell K2000
    • Open K2000 Media Manager
      • Enter your "K2000 hostname" and "Samba Share Password"
      • Click the "Create K2000 Boot Environment" Tab
      • Name: TEMPKBE
      • Architecture: 64-bit (x64)
      • Path: C:\Program Files (x86)\Windows Kits\10 (This should already be selected for you)
      • Click "Start Upload"
      • Close once it has created the media and uploaded to the K2000
    • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Deployments--> Boot Environments--> TEMPKBE
      • Click "Download bootable ISO for this Boot Environment"
      • Save to your Downloads or somewhere you know to get to it
    • Mount the ISO
    • Copy the BOOT.WIM file out of the mounted ISO to C:\TEMPKBE.wim (that is the path the DISM commands below use)
    • Mount the WIM image with DISM
      • Open a command prompt with Run as Administrator
      • mkdir C:\KBE
      • Dism /Mount-Image /ImageFile:C:\TEMPKBE.wim /index:1 /MountDir:C:\KBE
    • Add Dell Command | Configure (copy the whole folder tree, not just the top-level files: cctk.exe depends on its HAPI subfolder to talk to the BIOS, and plain copy skips subfolders)
      • mkdir C:\KBE\CCTK
      • mkdir C:\KBE\CCTK\AMD64
      • mkdir C:\KBE\CCTK\X86
      • xcopy /E /I /Y "C:\Program Files (x86)\Dell\Command Configure\X86_64" C:\KBE\CCTK\AMD64
      • xcopy /E /I /Y "C:\Program Files (x86)\Dell\Command Configure\X86" C:\KBE\CCTK\X86
    • Add optional components using DISM (the order matters, because DISM rejects a package whose dependencies are not in the image yet: WinPE-PowerShell needs WMI, NetFx and Scripting, WinPE-StorageWMI needs PowerShell, WinPE-SecureStartup needs WMI, and WinPE-HTA needs Scripting; WinPE-SecureStartup is what makes manage-bde work inside the KBE)
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-NetFx.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-PowerShell.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-HTA.cab"
    • Add the matching language packs using DISM (same order; each language pack must come after its base package)
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-NetFx_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-PowerShell_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-StorageWMI_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab"
      • Dism /image:C:\KBE /add-package /packagepath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-HTA_en-us.cab"
    • Commit changes to your image and unmount
      • Dism /unmount-image /mountdir:C:\KBE /commit
    • Open KBE Manipulator and upload your custom KBE
      • File--> Choose .wim to upload
      • Select the WIM file location
      • Enter your "K2000 Information"
      • Name to assign the KBE: WinPE 10 KBE
      • KBE Architecture: x64
      • Click "Create KBE"
    • Set Default K2000 Boot Environment
      • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Settings--> Control Panel--> Default K2000 Boot Environments
      • Windows x64: WinPE 10 KBE
      • Click Save
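The whole KBE build above (mount, copy CCTK in, add the optional components in dependency order with their language packs, verify, commit) as one PowerShell script. This is an added example and not part of the original post; the paths for the WIM, the mount folder, the ADK and Dell Command | Configure are assumptions and need to match your install. Run it from an elevated PowerShell on the technician PC.

```powershell
# Added example (not from the original post): build the custom WinPE 10 KBE in one go.
# Paths below are assumptions; adjust them to where the ADK and CCTK are installed.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Wim      = 'C:\TEMPKBE.wim'   # boot.wim copied out of the TEMPKBE ISO
$Mount    = 'C:\KBE'
$OcsPath  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs'
$CctkRoot = 'C:\Program Files (x86)\Dell\Command Configure'
$Lang     = 'en-us'

# DISM refuses a package whose dependencies are not in the image yet, so this order is fixed.
$Components = @(
    'WinPE-WMI',            # required by SecureStartup and PowerShell
    'WinPE-NetFx',          # required by PowerShell
    'WinPE-Scripting',      # required by PowerShell and HTA
    'WinPE-PowerShell',
    'WinPE-StorageWMI',     # requires PowerShell
    'WinPE-SecureStartup',  # manage-bde inside WinPE; requires WMI
    'WinPE-HTA'             # requires Scripting
)

function Invoke-Dism([string[]]$Arguments) {
    & dism.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Invoke-Dism @('/Mount-Image', "/ImageFile:$Wim", '/Index:1', "/MountDir:$Mount")

try {
    # cctk.exe needs its HAPI subfolder, so copy each architecture's whole tree.
    foreach ($pair in @(@('X86_64', 'AMD64'), @('X86', 'X86'))) {
        $dest = Join-Path $Mount "CCTK\$($pair[1])"
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -Path (Join-Path $CctkRoot "$($pair[0])\*") -Destination $dest -Recurse -Force
    }

    # Base package first, then its language pack, component by component.
    foreach ($c in $Components) {
        Invoke-Dism @("/Image:$Mount", '/Add-Package', "/PackagePath:$OcsPath\$c.cab")
        Invoke-Dism @("/Image:$Mount", '/Add-Package', "/PackagePath:$OcsPath\$Lang\${c}_$Lang.cab")
    }

    # Check before committing: every component must show up in the image's package list.
    $packages = & dism.exe /Image:$Mount /Get-Packages
    $missing  = $Components | Where-Object { -not ($packages | Select-String -SimpleMatch "${_}-Package" -Quiet) }
    if ($missing) { throw "Not installed: $($missing -join ', ')" }

    Invoke-Dism @('/Unmount-Image', "/MountDir:$Mount", '/Commit')
    Write-Host "Done: $Wim is ready to upload with KBE Manipulator"
}
catch {
    # Never commit a half-built image: discard the mount and surface the error.
    & dism.exe /Unmount-Image /MountDir:$Mount /Discard | Out-Null
    throw
}
```

After it finishes, C:\TEMPKBE.wim is the file to point KBE Manipulator at in the next step.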

 

  5. Creating your Pre-Installation System Image Tasks
    1. Create a zip called TPMActivateCheck.zip and add the following to it
      • Open notepad and save the following as TPMActivateCheck.ps1:

 

# Pre-installation check run from the KBE: read the TPM state with Dell Command | Configure
# and, if the TPM is off, enable and activate it. Changing TPM settings needs a BIOS setup
# password, which is set temporarily and cleared again. Replace "password" with your own
# value; it sits in clear text in this zip on the K2000 share, so restrict who can read it.
$cctk = 'X:\CCTK\AMD64\cctk.exe'

# cctk prints "tpm=..." and "tpmactivation=..."; keep only that line of its output
$TPM          = (& $cctk --tpm | Select-String -Pattern '^tpm=').Line
$TPMActivated = (& $cctk --tpmactivation | Select-String -Pattern '^tpmactivation=').Line

If ($TPM -eq "tpm=off" -And $TPMActivated -eq "tpmactivation=deactivated") {

    & $cctk --setuppwd=password
    & $cctk --tpm=on --tpmactivation=activate --valsetuppwd=password
    $result = $LASTEXITCODE
    & $cctk --setuppwd= --valsetuppwd=password   # clear the temporary setup password again

    If ($result -ne 0) {
        Write-Host "cctk could not enable/activate the TPM (exit code $result); check the BIOS by hand"
    } Else {
        Write-Host "TPM has been ENABLED and ACTIVATED"
    }
    Write-Host "The computer will now need to reboot and the image process to be restarted."
    Write-Host "Reboot in 1 minute"
    Start-Sleep -s 60
    Restart-Computer

}
ElseIf ($TPM -eq "tpm=on" -And $TPMActivated -eq "tpmactivation=deactivated") {

    # TPM is on but cannot be activated from here, usually because a BIOS admin password is set
    Write-Host "Please boot into the BIOS and Load Defaults and"
    Write-Host "remove the ADMIN password in the BIOS to image this computer"
    Write-Host "The computer will now need to reboot and the image process to be restarted."
    Write-Host "Reboot in 1 minute"
    Start-Sleep -s 60
    Restart-Computer

}
ElseIf ($TPM -eq "tpm=off" -Or $TPMActivated -eq "tpmactivation=deactivated") {

    # Any other not-ready combination (for example tpm=off with an unreadable activation state)
    Write-Host "TPM is not ready for BitLocker (read back: $TPM, $TPMActivated)"
    Write-Host "The computer will now need to reboot and the image process to be restarted."
    Write-Host "Reboot in 1 minute"
    Start-Sleep -s 60
    Restart-Computer

}
Else {

    Write-Host "TPM is already enabled and activated ($TPM, $TPMActivated), continuing the deployment"

}

  • Open notepad and save the following as TPMActivateCheck.bat:

 

X:

cd X:\Windows\System32\WindowsPowerShell\v1.0

powershell.exe -nologo -executionpolicy bypass -noprofile -file Y:\preinstall\XXX\contents\TPMActivateCheck.ps1

exit

  • Open Internet Explorer or your favorite browser
  • Navigate to http://YOUR-K2000/ and login
  • Go to Library--> Pre-installation Tasks--> Choose Action--> Add Application…
    • Name: **TPM REBOOT CHECK**
    • Runtime Environment: K2000 Boot Environment (Windows)
    • Upload File: TPMActivateCheck.zip
    • Parameter: cmd /k TPMActivateCheck.bat
    • Click Save
  • Go to Library--> Pre-installation Tasks
    • Hover your mouse over **TPM REBOOT CHECK** and note the id= value in the link
    • In TPMActivateCheck.bat, replace XXX in the Y:\preinstall\XXX\contents path with that id
    • Put the updated TPMActivateCheck.bat back into TPMActivateCheck.zip and upload the new zip to the task (the script path only resolves once the task id is in it)
    2. Windows- Create two partitions
    • Microsoft's BitLocker requirements for Windows 10 call for a system partition of at least 350 MB, so consider raising size=200 below if BitLocker refuses to enable later
    • Open Internet Explorer or your favorite browser
    • Navigate to http://YOUR-K2000/ and login
    • Go to Library--> Pre-installation Tasks--> Choose Action--> DISKPART Script
      • Name: Windows- Create Two Partitions
      • DISKPART Script:

select volume 0

remove all noerr

select disk 0

clean

create partition primary size=200

assign letter="C"

active

create partition primary

assign letter="D"

Exit

  • Click Save
    3. Windows- Format Disks
    • Open Internet Explorer or your favorite browser
    • Navigate to http://YOUR-K2000/ and login
    • Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
      • Name: Windows- Format Disks
      • BAT Script:

format /q /y /fs:ntfs /v:Boot C:

bootsect.exe /NT60 C:

format /q /y /fs:ntfs /v:Windows D:

bootsect.exe /NT60 D:

  • Click Save
    4. Dell Command | Configure
    • The setup password this task sets stays in the BIOS after imaging and is also what the exported tpm_sce.exe uses later; it is stored in clear text in this task, so pick your own value and restrict who can read the K2000 library
    • Open Internet Explorer or your favorite browser
    • Navigate to http://YOUR-K2000/ and login
    • Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
      • Name: Dell CCTK
      • BAT Script:

start /wait x:\cctk\amd64\cctk.exe --setuppwd=password

start /wait x:\cctk\amd64\cctk.exe --wakeonlan=enable --usbpowershare=enable --wakeonlan=lanorwlan --fastboot=minimal --embnic1=on --valsetuppwd=password

start /wait x:\cctk\amd64\cctk.exe bootorder --sequence=hdd --valsetuppwd=password

  • Click Save
    5. BitLocker WinPE Encryption
    • Open Internet Explorer or your favorite browser
    • Navigate to http://YOUR-K2000/ and login
    • Go to Library--> Pre-installation Tasks--> Choose Action--> BAT Script
      • Name: BitLocker WinPE Encryption
      • BAT Script: manage-bde -on D: -UsedSpaceOnly -em aes256
      • Click Save
    • This is pre-provisioning: in WinPE (which is why WinPE-SecureStartup went into the KBE) manage-bde encrypts the still-empty Windows volume under a clear key, so it is fast and no real protector exists yet. Protection is not on until the post-installation "Bitlocker Encryption" task adds the TPM and recovery password protectors and runs manage-bde -protectors -enable C: (D: here is the volume that becomes C: once Windows boots)
  6. Creating your Mid-Level and Post-Installation Tasks
    1. Create Activate TPM EXE package using Dell Command | Configure
      • Open Dell Command | Configure Wizard
        • In Search box type: tpmactivation
        • tpm: on
        • tpmactivation: activate
        • Export .EXE
        • In the password section, enter the BIOS setup password you set in the Dell CCTK task (the exported .EXE needs it to change TPM settings)
        • Click OK
        • Save file as tpm_sce.exe
    2. Set Computer Name
      • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
        • Name: Set Computer Name
        • Runtime Environment: K2000 Boot Environment (Windows)
        • Upload File: SetComputerName_x64.exe
        • Parameter: SetComputerName_x64.exe /name:$Serial
        • Click Save
    3. Bitlocker Save TPM Owner
      • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
        • Name: Bitlocker Save TPM Owner
        • Runtime Environment: K2000 Boot Environment (Windows)
        • Upload File: SaveWinPETpmOwnerAuth.wsf
        • Parameter: cscript.exe SaveWinPETpmOwnerAuth.wsf
        • Click Save
    4. TPM CCTK Activation
      • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
        • Name: TPM CCTK Activation
        • Runtime Environment: Windows
        • Upload File: tpm_sce.exe
        • Parameter: tpm_sce.exe /nolog
        • Click Save
    5. Reboot (needed to disable UAC and set up auto-logon; the DefaultPassWord value below sits in clear text in the registry, so clear it and turn UAC back on in your last task or via GPO once imaging is finished)
      • Open Internet Explorer or your favorite browser
      • Navigate to http://YOUR-K2000/ and login
      • Go to Library--> Post-installation Tasks--> Choose Action--> Add BAT Script…
        • Name: Reboot
        • Runtime Environment: Windows
        • Bat Script (DisableCAD, ForceAutoLogon and ConsentPromptBehaviorAdmin are DWORD values, so they need /t REG_DWORD; reg.exe writes REG_SZ without it):

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DisableCAD /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v ForceAutoLogon /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /d %computername% /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d USERNAME /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d PASSWORD /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

  • Click Save
    6. Install MBAM 2.5 SP1
    • Create zip named MBAMClientSetup.zip
      • Copy MBAMClientSetup.msi into the zip
      • Create a batch file named MBAMClientSetup.bat

msiexec /i MBAMClientSetup.msi /q ALLUSERS=1 OPTIN_FOR_MICROSOFT_UPDATES=1

  • Copy the MBAMClientSetup.bat into the zip
  • Open Internet Explorer or your favorite browser
  • Navigate to http://YOUR-K2000/ and login
  • Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
    • Name: Install MBAM 2.5 SP1
    • Runtime Environment: Windows
    • Upload File: MBAMClientSetup.zip
    • Parameter: MBAMClientSetup.bat
    • Click Save
    7. Domain Join
    • For this step, join the domain with your own script. If your GPO turns UAC back on once the machine is on the domain, add the entries below to the end of that batch file; they still take effect because the batch file is still running elevated after the join (same /t REG_DWORD note as in the Reboot task).

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DisableCAD /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v ForceAutoLogon /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultDomainName /d DOMAIN /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d USERNAME /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassWord /d PASSWORD /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

    8. Bitlocker Encryption
    • Create zip named MBAMencrypt.zip
    • Copy BDEAdBackup.vbs into the zip
    • Copy Invoke-MbamClientDeployment.ps1 into the zip
    • Create a batch file named MBAMencrypt.bat (the endpoints below are plain HTTP on port 80; the recovery password and TPM owner-auth are escrowed through this call, so if your MBAM web services are published over HTTPS use those URLs instead)

powershell.exe -nologo -executionpolicy bypass -noprofile -file Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint http://MBAM-SERVER:80/MBAMRecoveryAndHardwareService/CoreService.svc -StatusReportingServiceEndpoint http://MBAM-SERVER:80/MBAMComplianceStatusService/StatusReportingService.svc -IgnoreEscrowOwnerAuthFailure

cscript BDEAdBackup.vbs

manage-bde -protectors -enable C:

  • Copy MBAMencrypt.bat into the zip
  • Navigate to http://YOUR-K2000/ and login
  • Go to Library--> Post-installation Tasks--> Choose Action--> Add Application…
    • Name: Bitlocker Encryption
    • Runtime Environment: Windows
    • Upload File: MBAMencrypt.zip
    • Parameter: MBAMencrypt.bat
    • Click Save
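As an added example (not from the original post or from the MBAM scripts), here is a final post-installation task that verifies what the tasks above were supposed to leave behind: TPM ready, C: encrypted with AES-256, protection on, TPM and recovery password protectors present, and the autologon/UAC changes from the Reboot task undone. It assumes Windows 10 with the BitLocker and TrustedPlatformModule PowerShell modules, that the deployed OS volume is C:, and that it runs elevated as a Windows post-installation task; the checks and the registry cleanup are my choices, not something the post prescribes.

```powershell
# Added example, not part of the original post: last post-installation task that checks
# the outcome of the TPM / pre-provisioning / MBAM steps and cleans up after the Reboot task.
# Assumes Windows 10 (BitLocker + TrustedPlatformModule modules) and OS volume C:.
# Exit code 1 makes a failed check visible in the K2000 deployment log.
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. TPM: present, enabled, activated and owned (cctk / tpm_sce.exe / MBAM should have done this)
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $problems += 'No TPM visible to Windows (BIOS tpm=on / tpmactivation=activate missing?)'
} elseif (-not $tpm.TpmReady) {
    $problems += "TPM not ready: Enabled=$($tpm.TpmEnabled) Activated=$($tpm.TpmActivated) Owned=$($tpm.TpmOwned)"
}

# 2. BitLocker on the OS volume
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.EncryptionMethod -ne 'Aes256') {
    $problems += "Encryption method is $($vol.EncryptionMethod); the WinPE task asked for aes256"
}
if ($vol.VolumeStatus -notin @('FullyEncrypted', 'EncryptionInProgress')) {
    $problems += "Volume status is $($vol.VolumeStatus) (pre-provisioning in WinPE did not happen?)"
}
if ($vol.ProtectionStatus -ne 'On') {
    $problems += 'Protection is Off: manage-bde -protectors -enable C: has not run, or only a clear key is in place'
}
$types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
if ('Tpm' -notin $types)              { $problems += 'No TPM protector on C:' }
if ('RecoveryPassword' -notin $types) { $problems += 'No recovery password protector, so nothing could have been escrowed to MBAM or AD' }
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -gt 1) { Write-Warning "$($rp.Count) recovery password protectors on C: (encryption task ran more than once?)" }

# 3. Undo the Reboot task: the clear-text autologon password must not survive imaging, and UAC goes back on
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Remove-ItemProperty -Path $winlogon -Name 'DefaultPassWord' -ErrorAction SilentlyContinue
Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon' -Value '0'
Set-ItemProperty -Path $policies -Name 'EnableLUA' -Value 1 -Type DWord
Set-ItemProperty -Path $policies -Name 'ConsentPromptBehaviorAdmin' -Value 5 -Type DWord   # Windows default

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host "OK: TPM ready, C: $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%), protectors: $($types -join ', ')"
exit 0
```

Upload it as a Post-installation Task with Runtime Environment: Windows and put it last in the installation plan, after Bitlocker Encryption, so a machine that fails the check stands out in the deployment log instead of leaving the imaging bench with a clear-text autologon password and no protectors.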

 

  7. Installation Plan Layout
        

 

 

Answers to the Why's:

  1. Setting up Windows 2012 R2 for NIC Teaming

So in my testing, once the K2000 RSA was changed from the flex NIC to the e1000 NIC, the speed jumped from 20-30 MB/s to 60 MB/s. Great, right? But we should be able to saturate the Gigabit NIC on our server and reach a theoretical speed of about ~90 MB/s, similar to a file transfer to another computer on the network. Anyway, when you team the NICs we are able to jump from 60 MB/s to 90 MB/s! There are also other benefits to teaming the NICs that I don't cover here.

 

 

Credit where Credit is due:

 

Enable TPM in a Task Sequence (DELL)

 

How can I Pre-Provision BitLocker in WinPE for Windows 8 deployments using Configuration Manager 2012 SP1

 

How to create a Dell Command-Configure Package in ConfigMgr

 

Bitlocker, MDT, Dell and TPM

 

17 Steps to Installing MBAM 2.5 SP1 In a 5 Tier Setup

 

Change VMWare Server NIC to e1000 (111351)

 

K2000 Performance (111769)

 

MBAM 2.5 SP1 SCCM OS Deployment

 

TPM activation using CCTK SCE in an SCCM environment

 

MBAM key recovery backup if machine already encrypted

 

How to Pre-Provision BitLocker on Windows 7

 

Bypass MBAM policy check when running Invoke-MbamClientDeployment.ps1

 

MBAM 2.5 SP1 - Failed to escrow TPM owner-auth