This post covers the settings and changes needed to deploy a single Windows XP image to both encrypted and unencrypted hard drives. Interestingly enough, this has been one of the most requested blog posts I have ever written. And although the post covers good ol' operating systems like Windows 2000 and Windows XP, the same logic applies to newer operating systems. These days the manufacturers have fancy tools that do most of the changes documented below, but the logical steps still apply today, even for Microsoft BitLocker. The steps involved are:
- Disable any BIOS/UEFI encryption logon screen to allow automation (also called Pre Boot Authentication, or PBA for short)
- Ensure that WinPE has the encryption drivers so it can read from and write to the encrypted HD
- Run some commands before booting to WinPE to ensure that encryption is automatically enabled, that the machine can boot to WinPE from the HD, and that WinPE can read the HD
- Ensure that the right things happen in WinPE, which often means poking the registry of the new OS from within WinPE
- As the last step, re-enable the PBA or run commands to make sure that the encryption tools run as they should.
I know it's complicated, but it saves a lot of time, since the laptop is good to go once the imaging process is completed: encrypted and ready for the road! Here is the old post, in all its glory; hope it helps:
Prerequisites
In order to understand this document, a good understanding of BDD 2007 or the Microsoft Deployment product is needed, as well as a good understanding of how the Windows boot process works.
Changes to Customsettings.ini
At this customer we added a section to the BDD 2007 workflow that stopped the computer refresh process when the hardware was detected to be a laptop. This was done to prevent End User Support personnel from accidentally destroying computers, as the process did not handle the Utimaco SafeGuard Easy product at the time. In order to allow refresh builds of laptops this line has to be removed from the CustomSettings.ini file. The line that disables builds on laptops is under the Laptop-%True% section (or subsection) and sets the value OSINSTALL to zero (false). This makes the process halt and the OSD process returns an error. In order to allow installation this has to be set to 1 (true), which is what the default section sets.
WinPE Filter Drivers
In order for WinPE to actually read an encrypted hard drive, special Utimaco drivers will have to be added to the WinPE boot image.
Reading an encrypted drive is only possible if there is a valid installation of the BootSector code, i.e. the Utimaco F2 prompt is displayed during boot. Booting to WinPE must happen after the manual or automatic logon with the PBA is done.
If no active Utimaco BootSector code is found the filter drivers will not engage and all reading and writing to the disk will be unencrypted. This will be the case in a bare metal situation, although it is possible to boot to PXE after the PBA login, which would allow the process to be modified so that even bare metal builds are encrypted from the start. This would minimize the time it takes to encrypt a hard drive after a bare metal build, but it is out of scope for this document.
Utimaco SafeGuard Version 4.2
The installation of the Utimaco 4.2 drivers is documented by Utimaco. Even though that document covers the installation of drivers into BartPE, the process is exactly the same for WinPE.
Please note that the drivers for SafeGuard 4.2 CANNOT read a hard drive encrypted by 4.3; this is likely caused by a version mismatch in the BootSector code.
Utimaco SafeGuard Version 4.3
Adding the filter drivers for version 4.3 is exactly the same as for 4.2; if needed these drivers can be lifted from an existing 4.3 installation by copying all SafeGuard 4.3 drivers from its System32\Drivers folder to the System32\Drivers folder of the WinPE image.
Update Reference Image
The reference image will have to be updated with the appropriate version of Utimaco SafeGuard. Both version 4.2 and 4.3 can be installed in the reference image. Please ensure that the virtual machine running the reference image is completely encrypted before capturing the image.
Filter Driver for WinPE Capture ISO
The WinPE .iso file that is used for capturing the reference image has to be updated with the correct version of Utimaco drivers. If a reference image is created with Utimaco Safeguard 4.3 then the 4.3 filter drivers must be added to the capture .iso file.
Configuring Utimaco Safeguard Easy
Utimaco provides several methods of configuring the software. In this document we will cover two of them, one based on the use of configuration files, the other based on scripting using the Utimaco automation object.
Other ways of configuring these settings could potentially be used, please refer to the Utimaco documentation for a thorough description of these methods.
Creation of configuration files
Utimaco provides a tool to create configuration files; these configuration files can then be used to change any of the settings from the command line. The exact process of creating these configuration files is documented in the Utimaco SafeGuard help files.
Automation Object
The automation object could potentially be used to configure Utimaco SafeGuard, as it provides a more flexible way of changing and determining settings. Currently there is no need to use this automation object, as the objectives can be achieved with configuration files. However, in an environment with many different settings, where several machines are to be configured independently, it will likely be the best solution. The automation object is documented in Automation.chm, located in the "Tools" folder of the Utimaco SafeGuard Easy 4.2 CD.
Handling PBA
The PBA does not have to be disabled during an OS refresh; however, since the OSD process contains several reboots it is necessary to do so in order to automate the entire process. Since this customer does not use PBA, testing has simply been done by turning on PBA without single user logon. Additional testing would have to be done if PBA with single sign-on is encountered anywhere.
Utimaco Secure Wake on Lan
Even though you could potentially use this feature to bypass the PBA at boot time, it might not be practical to do so. The WOL setting is detected by the Microsoft and Utimaco SafeGuard Graphical Identification and Authentication (GINA) and logon to the computer is disabled. Depending on the process chosen for PBA-enabled machines this could potentially be used, as it solves issues with Single Logon.
Disable PBA
The PBA is temporarily disabled during the migration by running the Utimaco SafeGuard Easy "Execcfg.exe" executable, located in the installation directory of Utimaco SafeGuard, with a configuration file that disables the PBA (allowing autologon through the PBA). This is done either prior to the deployment process or as part of the imaging process. The benefit of doing it outside of the process is that imaging can be pushed from SMS outside working hours with the use of WOL, to limit the impact on the end user. However, if the PBA is not disabled before the machine is powered up, the computer will halt at the PBA screen.
Depending on the PBA and Single Logon features configured, and on other unknown requirements, the appropriate actions would have to be taken.
Re-Enabling PBA
After the computer installation has succeeded the PBA can be enabled again using the same process as above. When this happens would have to be decided depending on the post-deployment process. The most likely option is to enable PBA when the OSD process is completed.
Enabling OS refresh with Utimaco
In order to do an OS refresh of a computer that has Utimaco SafeGuard Easy installed from the start there are no additional steps. The BootSector code is already installed and activated, which means that the computer is encrypted from beginning to end.
Re-Adding Utimaco Boot Sector Code for Bare Metal Laptops
In order to complete the Utimaco SafeGuard Easy installation on a computer that has been built using the bare metal scenario, the preboot code must be installed. This is done by executing the "execcfg.exe" executable and pointing it to the configuration file used for the full install.
Disabling Utimaco
There are several steps required to disable Utimaco after the image has been applied, but there is no requirement to do so; the computer works fine even if these steps are not taken. An error message appears during boot, but it does not stop or hinder the boot process. Removing these drivers is purely cosmetic.
Enabling a dormant Utimaco Install
The Utimaco SafeGuard Easy install can be re-enabled later with the following commands. The Production.cfg file mentioned below is the same one used for a new install.
Please note that there are no line breaks in the commands below.
REG.EXE ADD HKLM\System\CurrentControlSet\Services\AES-256 /v Start /t REG_DWORD /d 0 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGEFLT /v Start /t REG_DWORD /d 0 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGECTL /v Start /t REG_DWORD /d 2 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGLogPlayer /v Start /t REG_DWORD /d 2 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d SgeFltPartMgr /f
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d SgeFlt /f
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F} /v UpperFilters /t REG_MULTI_SZ /d SgeFltVolSnap /f
"%PROGRAMFILES%\SafeGuard\Safeguard Easy\execcfg.exe" /f:"%~dp0Production.cfg"
OSD Task Sequence Steps
The following steps have been added to the deployment sequence in order to achieve zero touch deployments in the customer's environment. These steps are likely to change in the production environment, but they provide all commands necessary to automate the process.
Please note that there are no line breaks in the command lines below.
Columns: Phase | Group | Task Name | Description | Command Line | Validation (no step defines a validation)

Phase/Group: Non Replace/Disable Computer
Task Name: Disable PBA
Description: This command line disables the PBA using a configuration file. This could potentially be done via scripting directly, using the Utimaco Automation object.
Command Line: %programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe /f:"%SCRIPTROOT%\DISABLEPBA.CFG"

Phase: PostInstall
Group: Utimaco Configuration
Task Name: Load System Hive
Description: This loads the system hive of the applied image so that it can be modified.
Command Line: %SCRIPTROOT%\REG.EXE load HKLM\UtimacoSave %OSDTARGETDRIVE%Windows\System32\Config\system

Phase: PostInstall
Group: Utimaco Configuration
Task Name: Copy Volume Information
Description: This copies the volume information that has been automatically populated by WinPE to the mounted system hive. This ensures that Utimaco will not bluescreen with the new image.
Command Line: %SCRIPTROOT%\REG.EXE COPY HKLM\System\CurrentControlSet\Enum\STORAGE\Volume HKLM\UtimacoSave\ControlSet001\Enum\STORAGE\Volume /s /f

Phase: PostInstall
Group: Utimaco Configuration
Task Name: Set Sysprep Bootdisk Signature
Description: This script sets the key required for Sysprep to be able to run when Utimaco is enabled.
Command Line: cscript.exe "%SCRIPTROOT%\ListDisk.vbs"

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Disable AES Driver
Description: This disables the AES encryption driver.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\AES-256 /v Start /t REG_DWORD /d 4 /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Disable SGE Filter Driver
Description: This stops the filter driver from loading; without this the computer will bluescreen.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGEFLT /v Start /t REG_DWORD /d 4 /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Disable SGE Control Driver
Description: This disables the SGE Control Driver.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGECTL /v Start /t REG_DWORD /d 4 /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Disable SGE Log Player
Description: This disables the SGE Log Player driver.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGLogPlayer /v Start /t REG_DWORD /d 4 /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Delete Disk Drive Upper Filter
Description: This removes the Utimaco filter driver from the list of valid filter drivers; if this is not done the machine will bluescreen. Normally the only valid filter driver is PartMgr, but this could potentially change with AV etc.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d PartMgr /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Delete Floppy Disk Upper Filter
Description: Same as above, but floppy drives normally don't have any known filter drivers by default.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d "" /f

Phase: PostInstall
Group: Utimaco Configuration/Disable Utimaco on Desktops
Task Name: Delete Storage Volume Upper Filter
Description: Same as above, but instead of PartMgr we have to default to VolSnap, which is the default filter driver for volumes. The GUIDs used in these commands are generic Microsoft defaults, so they should not change.
Command Line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F} /v UpperFilters /t REG_MULTI_SZ /d VolSnap /f

Phase: PostInstall
Group: Utimaco Configuration
Task Name: Apply Utimaco Production Settings
Description: Adds a line to Cmdlines.txt so that the Utimaco data is injected into the OS disk after Sysprep.
Command Line: cmd.exe /c echo ""%programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe" /f:"%SCRIPTROOT%\Production.CFG"">>%OSDTARGETDRIVE%Windows\Source\i386\$OEM$\Cmdlines.txt

Phase: PostInstall
Group: Utimaco Configuration
Task Name: Unload System Hive
Description: This saves and unloads the system hive that has been modified.
Command Line: %SCRIPTROOT%\REG.EXE unload HKLM\UtimacoSave

Phase: StateRestore
Group: N/A
Task Name: Hide Utimaco Shortcuts
Description: Hides the Utimaco shortcuts if Utimaco is not used.
Command Line: attrib.exe +H "%ALLUSERSPROFILE%\Start Menu\Utimaco\*" /S /D

Phase: StateRestore
Group: N/A
Task Name: Disable PBA
Description: This task can be used to enable PBA if needed.
Command Line: %programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe /f:"%SCRIPTROOT%\ENABLEPBA.CFG"
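The REG.EXE lines in "Enabling a dormant Utimaco Install" and the "Delete ... Upper Filter" steps above overwrite each UpperFilters value with a single name, which silently drops any other filter (an AV filter, for instance) that the device class already carries. As an added example that is not from the original post or from Utimaco, the Python below shows the REG_MULTI_SZ encoding those values use and swaps only the SafeGuard filter for the Microsoft default it replaces (or back), keeping every other entry; the class GUIDs and filter names are the ones in the post, and "ExampleAvFilter" is a constructed placeholder.

```python
# Added example: rebuild UpperFilters REG_MULTI_SZ values so only the SafeGuard
# filter is swapped for the Microsoft default it replaces (or back), instead of
# overwriting the whole list as the REG.EXE "/d <name>" commands in the post do.

# Device setup class GUIDs from the post, each with (Microsoft default filter,
# SafeGuard replacement). "" means the class normally has no upper filter.
FILTER_PAIRS = {
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": ("PartMgr", "SgeFltPartMgr"),  # DiskDrive
    "{4D36E980-E325-11CE-BFC1-08002BE10318}": ("", "SgeFlt"),                # FloppyDisk
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": ("VolSnap", "SgeFltVolSnap"),  # Volume
}

def decode_multi_sz(raw):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def encode_multi_sz(values):
    """Inverse of decode_multi_sz; an empty list becomes the lone terminator."""
    return ("".join(v + "\0" for v in values) + "\0").encode("utf-16-le")

def swap_filter(values, old, new):
    """Replace `old` with `new` in its original slot (names are case-insensitive),
    leave every other filter untouched, and never emit "" or duplicates."""
    out = []
    for v in values:
        if old and v.lower() == old.lower():
            v = new  # SafeGuard wraps the default filter, so it takes its slot
        if v and v.lower() not in (o.lower() for o in out):
            out.append(v)
    if new and new.lower() not in (o.lower() for o in out):
        out.append(new)  # class carried neither name: add the required one
    return out

def set_safeguard(class_guid, raw_value, enable):
    """Return the new raw UpperFilters value for one device class."""
    default, sge = FILTER_PAIRS[class_guid]
    old, new = (default, sge) if enable else (sge, default)
    return encode_multi_sz(swap_filter(decode_multi_sz(raw_value), old, new))

DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
# Constructed sample: a disk class with SafeGuard enabled and a third-party AV
# filter; "ExampleAvFilter" is a placeholder, not a real driver name.
SAMPLE = encode_multi_sz(["SgeFltPartMgr", "ExampleAvFilter"])

if __name__ == "__main__":
    disabled = set_safeguard(DISK_CLASS, SAMPLE, enable=False)
    print(decode_multi_sz(disabled))  # ['PartMgr', 'ExampleAvFilter']
```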
ListDisk.vbs
This script sets the correct boot disk signature for Sysprep in the system hive mounted by the "Load System Hive" task.
' Sets the boot disk signature Sysprep needs (Setup\BootDiskSig) in the SYSTEM
' hive of the applied image, which the task sequence mounted as HKLM\UtimacoSave.
On Error Resume Next
strComputer = "."
Set oShell = CreateObject("WScript.Shell")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Enumerate every physical disk that WinPE can see
Set colItems = objWMIService.ExecQuery("Select * from Win32_DiskDrive",,48)
For Each objItem In colItems
    WScript.Echo "Index: " & objItem.Index
    WScript.Echo "Partitions: " & objItem.Partitions
    WScript.Echo "Signature: " & Hex(objItem.Signature)
    ' Each disk overwrites the value, so with several disks the last one enumerated wins
    oShell.RegWrite "HKEY_LOCAL_MACHINE\UtimacoSave\Setup\BootDiskSig", objItem.Signature, "REG_DWORD"
Next