Thursday, 9 January 2014

SCCM - Bitlocker with DaRT


In this post I will demonstrate how to include a DaRT 7 recovery image in the same partition that BitLocker uses as its system partition.

First install DaRT 7.

Now run the DaRT Recovery Image Wizard. Click on Next.


Specify the location of the Windows installation source files. It can be a local or a network location. Click on Next.


Click on Next again to extract the files.


Now select the tools you don't want the local user to have access to. Note that when the Service Desk connects remotely, all tools will be available. Click on Next.


Tick Allow remote connections, specify a port number if required (otherwise a random port will be assigned), and type a welcome message if required. Click on Next.


Select whether to locate the Debugging Tools on the system that you are repairing, or download the debugging tools and use the first option. Click on Next.

Select the appropriate option for you and click on Next.


Add network drivers for all your computer models and click on Next.


Click on Next again. Specify where to save the image file and click on Next.


Untick Burn the image and click on Next. Click on Finish.


Now open the recently created ISO file using WinZip or WinRAR, browse to the sources folder and extract boot.wim to a temporary folder. Rename it to WinRE.wim.


Now let's create two files to automate the process. The first one we will name DaRT.bat and the second Diskpart.txt.

This is the content of DaRT.bat:

REM Disable the current Windows RE registration before replacing the image
reagentc.exe /disable
REM Copy the DaRT boot image into the BitLocker partition (temporarily mounted as R:)
md R:\Recovery\WinRE
copy %~dp0WinRE.wim R:\Recovery\WinRE
REM Register the new image for C:\Windows; bootkey 3e00 is the scan code for F4
reagentc.exe /setreimage /path R:\Recovery\WinRE /target C:\Windows /bootkey 3e00
reagentc.exe /enable
REM Remove the temporary drive letter so the partition is not visible to users
diskpart /s %~dp0diskpart.txt

Note: /bootkey 3e00 registers the scan code of the F4 key, so the DaRT image can be booted by pressing F4.

This is the content of Diskpart.txt (sel vol 1 assumes the new BitLocker partition is volume 1; confirm this with list vol if your disk layout differs):

sel vol 1
remove letter=R
exit

Now put these two files and WinRE.wim in the same folder and create an SCCM Package with this folder as the source. DaRT.bat will be the program.

Make sure you select to allow this package to run in a Task Sequence.


Now in your Task Sequence we have to create two steps: one Run Command Line to create the BitLocker partition, and one Install Software to run the batch file, which copies the boot image and removes the drive letter.

These steps must run after Windows is installed.


The Create BitLocker Partition step will have the command line:
bdehdcfg.exe -target C: shrink -newdriveletter R: -size 600 -quiet

Make sure you select Disable 64-bit file system redirection.


The Include DART Recovery step will run the package we created earlier.


In my case I have BitLocker enabled only for laptops, so I add a condition to each step to run only if the variable ISLaptop equals TRUE.
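As an added example that is not part of the original post, here is a PowerShell check that can run as a later task-sequence step or as a compliance script to confirm that the DaRT.bat and Diskpart.txt steps left the machine in the expected state. It assumes R: was the temporary drive letter, and that reagentc /info and manage-bde -status print the status lines matched below.

```powershell
# Added verification script (not from the original post). Run elevated.
# Assumptions: reagentc /info prints "Windows RE status:" and "Windows RE location:"
# lines, manage-bde -status prints "Protection Status:", and R: was the temporary
# letter assigned to the BitLocker partition during the task sequence.

function Test-DartRecoveryDeployment {
    $failures = @()

    # 1. Windows RE must be enabled and must point at the Recovery\WinRE folder
    #    that DaRT.bat copied WinRE.wim into.
    $reInfo = (& reagentc.exe /info 2>&1) -join "`n"
    if ($reInfo -notmatch 'Windows RE status:\s+Enabled') {
        $failures += 'Windows RE is not enabled (reagentc /info).'
    }
    if ($reInfo -notmatch 'Windows RE location:.*Recovery\\WinRE') {
        $failures += 'Windows RE location does not point at Recovery\WinRE.'
    }

    # 2. The temporary letter R: must be gone. If Diskpart.txt did not run, the
    #    unencrypted recovery partition (and the DaRT image on it) stays browsable
    #    from the logged-on session.
    $rVolume = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter = 'R:'"
    if ($rVolume) {
        $failures += 'Recovery partition still has drive letter R: assigned.'
    }

    # 3. The OS volume should actually be protected; DaRT only prompts for the
    #    recovery password because C: is encrypted.
    $bdeStatus = (& manage-bde.exe -status C: 2>&1) -join "`n"
    if ($bdeStatus -notmatch 'Protection Status:\s+Protection On') {
        $failures += 'BitLocker protection is not on for C:.'
    }

    return $failures
}

$result = @(Test-DartRecoveryDeployment)
if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so the task sequence or compliance script reports failure
}
Write-Output 'DaRT recovery image deployment verified.'
exit 0
```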



Now, after the computer is reimaged, you will be able to boot the computer into Windows Recovery by pressing the F4 key.

Once the boot file is loaded you will be asked whether you would like to initialize network connectivity. Click on Yes.

Click on Yes or No depending on your requirements.


Now you will be prompted for the BitLocker Recovery password. You can retrieve it from AD.

Enter a local username and password. I recommend that you create a local user in your base image. This way the users don't need to know the password for the administrator account.

Now you can click on Microsoft Diagnostic and Recovery Toolset to see the DaRT tools.

To initialize a remote connection, click on Remote Connection and pass the information to the Service Desk person, who will make the connection. Note the Waiting for connection... status.

The Service Desk person would use the DaRT Remote Connection Viewer with the information provided by the user to establish the connection.



Now the Waiting for connection status has changed to Help Desk connected.
