ENGL Imaging Toolkit™ 6 Windows 7 system partitioning and BitLocker Jamie Glendinning [email protected].


Slide 1

ENGL Imaging Toolkit™ 6
Windows 7 system partitioning and BitLocker

Jamie Glendinning
[email protected]


Slide 2

Agenda
Introduction
Configuring a system partition
Additional partitions
BitLocker

Copyright © Expert Networking Group Limited


Slide 3

Introduction



Slide 4

Introduction
Level
Intermediate

Duration
30 minutes

Assumptions
An understanding of the ENGL build process


Slide 5

Configuring a system partition



Slide 6

System Partition
When Windows 7 is installed direct from media the
install process sets up a 100MB system partition.
The system partition contains the hardware related files
that tell a computer where to look to start Windows.
A boot partition is a partition that contains the Windows
operating system files, which are located in the
Windows file folder.
Usually, these are the same partition, especially if you
have only one operating system installed on your
computer.



Slide 7

System Partition
You can use system partitions to:
• Manage and load other partitions. If there are multiple operating systems, for example, Windows 7 and Windows Vista®, the computer displays a list of operating systems. The user can then select which operating system to use.
• Use security tools, such as Windows® BitLocker Drive Encryption.
• Use recovery tools, such as Windows Recovery Environment (Windows RE).


Slide 8

System Partition
Basic system partition requirements are:
• Must have at least 100 megabytes (MB) of hard drive space.
• Must have enough free space to create shadow copies of the partition.
  • If the partition is less than 500 MB, it must have at least 50 MB of free space.
  • If the partition is 500 MB or larger, it must have at least 320 MB of free space.
  • If the partition is larger than 1 gigabyte (GB), the partition should have at least 1 GB free.
• Must be configured as the active partition.
• Must not be an encrypted partition.
• Must be formatted as NTFS for BIOS based systems.


Slide 9

System Partition
Additional requirements for Advanced Format Generation One (4 KB per sector) drives:
• The minimum size of the system partition on an Advanced Format Generation One drive is 260 MB.


Slide 10

System Partition
A Windows 7 base image that is created by the ENGL
Deployment wizard does not have this system partition
configured as a separate partition. The files are
included in the OS partition.
It is possible to configure the base image creation files
so that a system partition is created.



Slide 11

System Partition
Requirements
• Text editor
• Build Console
• Windows 7 Project
• Unattend folder created by Deployment Wizard


Slide 12

System Partition
Assumptions
• Machine will have system partition and c:\ drive only
• 400MB system partition


Slide 13

System Partition
Update unattend files
Review existing autounattend.xml file.
This can be found in \unattend\ autounattend\
Note: The following example is a truncated version of the autounattend.xml file


Slide 14

System Partition
Update unattend files




versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">




false
1
Primary
20000


true
0


true
false
NTFS
C
1
1




OnError







Slide 15

System Partition
Update unattend files
Updated “CreatePartitions” section




versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">





false
1
Primary
400



2
Primary
false
20000





Slide 16

System Partition
Update unattend files
Update “ModifyPartitions” Section



false
1
1

NTFS
true



2
2

C
NTFS
false



OnError







Slide 17

System Partition
Update unattend files
Save the changes to the autounattend.xml file.
Update the sysprep.xml file with the same changes.

The sysprep.xml file can be found:
\unattend\ autounattend\ $OEM$\$1\Ztoolkit\sysprep\sysprep.xml

Note: The sysprep file does not need to be updated
but is done to avoid future confusion.

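
One way to check an edited answer file before building, as an added example that is not part of the original slides or of ENGL's tooling: it parses a DiskConfiguration section and tests it against the system partition requirements listed earlier (one active partition, NTFS, minimum size, no drive letter, a separate OS partition). The embedded XML is a constructed sample that uses the standard Windows Setup element names with the 400 MB and 20000 MB sizes from the slides; `check_layout` and `min_system_mb` are hypothetical names, and the check assumes the disk is wiped so PartitionID equals creation order.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample (not the project's file): standard Windows Setup element
# names, with the 400 MB system + 20000 MB OS partition sizes from the slides.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order><Type>Primary</Type><Size>400</Size>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Order>2</Order><Type>Primary</Type><Size>20000</Size>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order><PartitionID>1</PartitionID>
              <Format>NTFS</Format><Active>true</Active>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Order>2</Order><PartitionID>2</PartitionID>
              <Letter>C</Letter><Format>NTFS</Format><Active>false</Active>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
        <WillShowUI>OnError</WillShowUI>
      </DiskConfiguration>
    </component>
  </settings>
</unattend>"""


def _text(elem, tag):
    """Text of a child element in the unattend namespace, or '' if absent."""
    return elem.findtext("u:" + tag, default="", namespaces=NS).strip()


def check_layout(xml_text, min_system_mb=100):
    """Return a list of findings; an empty list means the layout passes.

    Pass min_system_mb=260 for Advanced Format Generation One drives.
    """
    disk = ET.fromstring(xml_text).find(".//u:DiskConfiguration/u:Disk", NS)
    if disk is None:
        return ["no DiskConfiguration/Disk element"]
    # Size in MB keyed by creation order; no Size means the partition extends.
    sizes = {}
    for created in disk.findall("u:CreatePartitions/u:CreatePartition", NS):
        size = _text(created, "Size")
        sizes[_text(created, "Order")] = int(size) if size else None
    mods = disk.findall("u:ModifyPartitions/u:ModifyPartition", NS)
    active = [m for m in mods if _text(m, "Active").lower() == "true"]
    if len(active) != 1:
        return ["expected exactly one active partition, found %d" % len(active)]
    system = active[0]
    pid = _text(system, "PartitionID")
    findings = []
    if _text(system, "Format").upper() != "NTFS":
        findings.append("system partition %s is formatted %s, not NTFS"
                        % (pid, _text(system, "Format") or "(unset)"))
    if _text(system, "Letter"):
        findings.append("system partition %s has drive letter %s"
                        % (pid, _text(system, "Letter")))
    size = sizes.get(pid)
    if size is not None and size < min_system_mb:
        findings.append("system partition %s is %d MB, below the %d MB minimum"
                        % (pid, size, min_system_mb))
    # BitLocker needs a second NTFS partition for the operating system.
    if not any(m is not system and _text(m, "Format").upper() == "NTFS"
               for m in mods):
        findings.append("no separate NTFS partition for the operating system")
    return findings


if __name__ == "__main__":
    for finding in check_layout(SAMPLE) or ["layout passes"]:
        print(finding)
```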


Slide 18

System Partition
Review base image
Using your preferred unattended installation method
create a new Windows 7 image.
The new base image will contain two partitions.
Opening it with image explorer it should look like:



Slide 19

System Partition
Update Project settings
When restoring the base image – the system partition
may be configured by Windows with a drive letter even
though it is a system partition and this was not
configured in the base image.
To work around this issue a diskpart script can be used
to remove the drive letter.


Slide 20

System Partition
Update Project settings
• Create a diskpart.txt file containing:

Select disk 0
detail disk
select volume 1
Remove
exit

Add this file to the project custom files folder
• Update phase1-before.vbs script to add a command to run the diskpart script

' Add custom script here...
utils.appendlog "Configuring disk partitions"
diskpart_status = utils.run ("diskpart.exe -s c:\ztoolkit\diskpart.txt",0,true)
utils.appendlog "diskpart script status: " & diskpart_status

• Create a new Ztoolkit image and copy to ZENworks imaging server


Slide 21

System Partition
Restoring Images
The new base image can be restored as normal and
will replace both partitions each time it is restored.
The command line option to restore the add-on images
must be modified to ensure that the files are restored
into the second (OS) partition instead of partition 1
i.e. -ap=a1:p2


Slide 22

System Partition
Restoring Images
Update zim.cfg file:
Dialog:Popup,"Restoring ENGL Smart Windows build process, please wait...",green
Pause:3
File:Run,"img %imgrestorecmd%%project_image_path%/%base_image%",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/hotfixes.zmg -ap=a1:p2",verbose
If:Var,machine_type,eq,"tablet"
File:Run,"img %imgrestorecmd%%project_image_path%/tablet.zmg -ap=a1:p2",verbose
End:
File:Run,"img %imgrestorecmd%%project_image_path%/%project_novcomp% -ap=a1:p2",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/%project_ztoolkit% -ap=a1:p2",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/%drivers_image% -ap=a1:p2",verbose
Pause:2
Dialog:Popupclose


Slide 23

System Partition
Testing build process
Once all the files have been updated they need to be tested.
• PXE boot an appropriate workstation
• Restore images via the Zim menu
• Workstation will build successfully


Slide 24

System Partition
Testing build process
Review the partition structure on the machine once the
machine has built.
It should look something like this:



Slide 25

Additional partitions



Slide 26

Additional partitions
In the scenario covered so far the base image was
restored and included two partitions.
Sysprep mini-setup then extended the OS partition to fill
the disk to give the built machine access to the full hard
disk.
If a different partition structure is required then there are
several problems that need to be overcome.



Slide 27

Additional partitions
Scenario - Laptops
• 400MB System partition
• 40GB OS Partition
• Remainder of disk as D:\ drive

Scenario - Desktops
• 400MB System partition
• OS Partition – fill the disk


Slide 28

Additional partitions
In order to meet the requirements of this scenario the
partitions need to be configured first – then images
restored into partitions (standard img functionality)
This can be achieved using the -ap=a1:p2 command line option.

The base image created earlier has two partitions, a
400MB partition and a 20GB partition.


Slide 29

Additional partitions
If the following restore commands are run:
img -r -p techbite-bitlocker/win7-ent-x64-postsp.zmg -ap=a1:p1
img -r -p techbite-bitlocker/win7-ent-x64-postsp.zmg -ap=a2:p2

Then the first command will restore the system partition
into partition 1 onto the file system.
It will then process the second 20GB partition but will
skip the actual restoration of the files.
This results in the above commands taking twice as
long as the basic restore:
img -r -p techbite-bitlocker/win7-ent-x64-postsp.zmg


Slide 30

Additional partitions
Solution:
• Create individual images instead of one large image containing multiple partitions
• Configure Zim to partition the disk
• Configure Zim to restore individual images into appropriate partitions


Slide 31

Additional partitions
Image creation
Create individual images instead of one large image
containing multiple partitions
• Follow normal steps to create a Windows 7 base image (using configuration changes as detailed earlier)
• PXE boot machine to ZENworks Imaging Environment
• At Zim menu
  • Select Maintenance Menu
  • Select Exit to Prompt
• At the bash prompt run these commands to create images

img -m -p /systempartition.zmg -x=2
img -m -p /win7-ent-x86-postsp.zmg -x=1


Slide 32

Additional partitions
Image Creation



Slide 33

Additional partitions
Image creation
Create ddrive.zmg file
• Boot a machine using Windows PE media
• Launch diskpart

diskpart

• Run diskpart commands

Select disk 0
clean
Create partition primary size=400
format fs=ntfs quick
exit


Slide 34

Additional partitions
Image creation
• PXE boot machine to ZENworks Imaging Environment
• At Zim menu
  • Select Maintenance Menu
  • Select Exit to Prompt
• At the bash prompt run these commands to create images

img -m -p /ddrive.zmg


Slide 35

Additional partitions
Image creation



Slide 36

Additional partitions
Image creation



Slide 37

System Partition
Update Project settings
When restoring the base image – the system partition
may be configured by Windows with a drive letter even
though it is a system partition and this was not
configured in the base image.
If the System partition is assigned to D:\ then the data
partition will be assigned E:\ .
To work around this issue a diskpart script can be used
to remove the drive letter from the system partition and
reassign the E:\ drive letter to the data partition.


Slide 38

System Partition
Update Project settings
• Create a diskpart.txt file containing:

Select disk 0
detail disk
select volume 1
Remove
select volume 3
assign letter=d
exit

Add this file to the project – custom files folder
• Update phase1-before.vbs script to add a command to run the diskpart script

' Add custom script here...
utils.appendlog "Configuring disk partitions"
diskpart_status = utils.run ("diskpart.exe -s c:\ztoolkit\diskpart.txt",0,true)
utils.appendlog "diskpart script status: " & diskpart_status

• Create a new Ztoolkit image and copy to ZENworks imaging server


Slide 39

Additional partitions
• Updated image files have now been created.
• Need to update Zim.cfg file
  • create appropriate partitions
  • restore appropriate images into partitions


Slide 40

Additional partitions
Zim.cfg
Zim script - configure default partition actions
; Launch a Form to display detected hardware and select machine type
Form:Start,"info","Hardware Detected","_OkCancel^_Ok",Blue
Form:Item,"Item1",StaticText,"-Manufacturer : %lookup_section%"
Form:Item,"Item2",StaticText,"-Model : %lookup_value%"
Form:Item,"Item3",StaticText,"-Hardware Image : %drivers_image%"
Form:Item,"Item4",StaticText,"-Hardware Type : %machine_type%"
Form:Item,"Item5",Label,"Computer Name :"
Form:Item,"Item6",EditBox,"%COMPUTERNAME%"
Form:Item,"Item7",Label,"Auto Restart after imaging:"
Form:Item,"Item8",Radiobuttons,"Yes","Yes,No"
Form:Display,"info"
If:Var,_Form,Eq,"_Cancel"
Menu:Return
End:
Set:Ask_COMPUTERNAME,%_Info_item6%
Set:AutoRestart,%_Info_item8%
If:Var,Ask_COMPUTERNAME,ne,"%COMPUTERNAME%"
Set:COMPUTERNAME,"%Ask_COMPUTERNAME%"
End:
; Default Partitioning actions
if:var,machine_type,eq,"laptop"
Set:partition1_action,"-type=ntfs -size=400"
Set:partition2_action,"-type=ntfs -size=40000"
Set:partition3_action,"-type=ntfs"
else:
Set:partition1_action,"-type=ntfs -size=400"
Set:partition2_action,"-type=ntfs"
Set:partition3_action,""
end:


Slide 41

Additional partitions
Zim.cfg
Zim.cfg – configuring the partition table :
Dialog:Ask,"", "Warning! All hard disk data on this machine will be erased.\n \nContinue?","_YesNo",red
If:Var,_ask,eq,"_No"
Menu:Return
End:
; configuring partition table.
; check if zisd:vendordataengl exists if it does not - assume this is a new machine and we need to clear all partitions.
; Read zisd:VendorDataENGL
zisd:get,VendorDataENGL,VendorDataENGLSTRING
If:var,VendorDataENGLSTRING,eq,""
set:ask_wipe,"Yes"
End:



Slide 42

Additional partitions
Zim.cfg
Zim.cfg – configuring the partition table :
Dialog:Popup,"Configuring Partitions, please wait...",green
;Clear all partitions
if:var,ask_wipe,eq,"Yes"
; delete existing partitions
file:run,"img -pd 4",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pd 3",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pd 2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pd 1",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose

;Create new partition structure
if:var,partition3_action,ne,""
; we need to create 3 partitions
file:run,"img -pc 1 %partition1_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pc 2 %partition2_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pc 3 %partition3_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
; restore d-drive.zmg file
File:Run,"img %imgrestorecmd%%project_image_path%/d-drive.zmg -ap=a1:p3",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
else:
file:run,"img -pc 1 %partition1_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pc 2 %partition2_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
end:
else:


Slide 43

Additional partitions
Zim.cfg
Zim.cfg – configuring the partition table :
; Machine is being re-imaged - so need to delete partition 1 & 2
file:run,"img -pd 1",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pd 2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
; now need to recreate system and c: drive
file:run,"img -pc 1 %partition1_action%",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
file:run,"img -pc 2 -type=ntfs",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
End:
; set system partition as active
file:run,"img -pa 1",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
Dialog:Popupclose



Slide 44

Additional partitions
Zim.cfg
Zim.cfg – configuring image restore :
Dialog:Popup,"Restoring ENGL Smart Windows build process, please wait...",green
Pause:3
File:Run,"img %imgrestorecmd%%project_image_path%/systempartition.zmg -ap=a1:p1",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/%base_image% -ap=a1:p2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/hotfixes.zmg -ap=a1:p2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
If:Var,machine_type,eq,"tablet"
File:Run,"img %imgrestorecmd%%project_image_path%/tablet.zmg -ap=a1:p2",verbose
End:
File:Run,"img %imgrestorecmd%%project_image_path%/%project_novcomp% -ap=a1:p2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
File:Run,"img %imgrestorecmd%%project_image_path%/%project_ztoolkit% -ap=a1:p2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
File:Run,"img %imgrestorecmd%os/%project_os%/%drivers_image% -ap=a1:p2",verbose
File:Run,"cat imglogr >> /zimbin/zim.log",verbose
Pause:2
Dialog:Popupclose

Note: review TID 2011007 “Capture img error codes to
zim.log file” https://www.engl.co.uk/kb/tid-2011007.htm
for more info on using the command line:
File:Run,"cat imglogr >> /zimbin/zim.log",verbose


Slide 45

Additional partitions
Testing Build Process
Review the partition structure on the machine once the
machine has built.
It should look something like this:



Slide 46

BitLocker



Slide 47

BitLocker
Overview
What is BitLocker?
BitLocker Drive Encryption is a data protection feature
available in Windows 7 Enterprise and Windows 7
Ultimate.
BitLocker protects your hard drive from offline attack.
This is the type of attack where a malicious user will
take the hard drive from your mobile machine and
connect it to another machine so they can harvest your
data. BitLocker also protects your data if a malicious
user boots from an alternate Operating System.
With either attack method, BitLocker encrypts the hard
drive so that when someone has physical access to the
drive, the drive is unreadable.


Slide 48

BitLocker
Requirements
Requirement | Description
Hardware configuration | Meet the minimum requirements for Windows 7
Operating system | Windows 7 Ultimate, Windows 7 Enterprise, or Windows Server 2008 R2
Hardware TPM | TPM version 1.2. A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication
BIOS configuration | A Trusted Computing Group (TCG)-compliant BIOS. The BIOS must be set to start first from the hard disk, and not the USB or CD drives. The BIOS must be able to read from a USB flash drive during startup
File system | At least two NTFS disk partitions, one for the system drive and one for the operating system drive. The system drive partition must be at least 100 megabytes (MB) and set as the active partition


Slide 49

BitLocker
Build Process scenario
Scenario - Laptops
• 400MB System partition
• 40GB OS Partition
• Remainder of disk as D:\ drive
• At imaging select option to enable BitLocker for OS partition

Scenario - Desktops
• 400MB System partition
• OS Partition – fill the disk


Slide 50

BitLocker
Build Process scenario
Assumptions
• TPM device is present on hardware and is enabled
• Recovery keys to be stored in Active Directory
• Windows 7 Enterprise base image
• System partition configured as per previous scenario
• Enabling BitLocker by Using a WMI Script (EnableBitLocker.vbs) is available
• Data drive (D:\) is not encrypted


Slide 51

BitLocker
Enable BitLocker by using a WMI Script
Enabling BitLocker by Using a WMI Script
http://technet.microsoft.com/en-gb/library/dd875527%28WS.10%29.aspx

EnableBitLocker.vbs is a fully functional sample
deployment script that uses the publicly available
BitLocker and Trusted Platform Module (TPM) WMI
providers that can be used as is or customized to meet
the needs of your organization.
Download script:
http://go.microsoft.com/fwlink/?LinkID=151997

Download documentation:
http://archive.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3206


Slide 52

BitLocker
Update Zim.cfg
Update information read in from ZISD when Zim loads
; Read zisd:VendorDataENGL
Zisd:Get,VendorDataENGL,VendorDataENGLSTRING
; Read stored information in from VendorDataENGL
Set:zisd_project,GetKeyPairStringValue("%VendorDataENGLSTRING%", "project")
Set:zisd_bit_OS,GetKeyPairStringValue("%VendorDataENGLSTRING%", "bit_OS")


Slide 53

BitLocker
Update Zim.cfg
Update Zim form
; Launch a Form to display detected hardware and select machine type
Form:Start,"info","Hardware Detected","_OkCancel^_Ok",Blue
Form:Item,"Item1",StaticText,"-Manufacturer : %lookup_section%"
Form:Item,"Item2",StaticText,"-Model : %lookup_value%"
Form:Item,"Item3",StaticText,"-Hardware Image : %drivers_image%"
Form:Item,"Item4",StaticText,"-Hardware Type : %machine_type%"
Form:Item,"Item5",Label,"Computer Name :"
Form:Item,"Item6",EditBox,"%COMPUTERNAME%"
If:var,machine_type,eq,"laptop"
Form:Item,"Item7",Label,"Encrypt OS Partition:"
Form:Item,"Item8",Radiobuttons,"%zisd_bit_OS%","No,Yes"
End:
Form:Item,"Item9",Label,"Auto Restart after imaging:"
Form:Item,"Item10",Radiobuttons,"Yes","Yes,No"
Form:Display,"info"
If:Var,_Form,Eq,"_Cancel"
Menu:Return
End:
Set:Ask_COMPUTERNAME,%_Info_item6%
Set:BitLocker_OS,%_Info_item8%
Set:AutoRestart,%_Info_item10%
If:Var,Ask_COMPUTERNAME,ne,"%COMPUTERNAME%"
Set:COMPUTERNAME,"%Ask_COMPUTERNAME%"
End:


Slide 54

BitLocker
Update Zim.cfg
Update BitLocker information to ZISD
; Update the information in ZISD
Zisd:Put,NetBiosName,%COMPUTERNAME%
; Update VendorDataENGL (sample)
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Machine_Type","%machine_type%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","OS","%project_os%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","Project","%lookup_project%")
Set:VendorDataENGLSTRING,PutKeyPairStringValue("%VendorDataENGLSTRING%","bit_OS","%BitLocker_OS%")

Save changes to zim.cfg file


Slide 55

BitLocker
Update project files
Add EnableBitLocker.vbs file to the project custom files



Slide 56

BitLocker
Update project files
Update phase4-before.vbs script to
• Check ZISD for BitLocker options
• Enable BitLocker (when required)
• Initiate encryption of OS partition


Slide 57

BitLocker
Update project files
Update phase4-before.vbs script
' ENGL Imaging Toolkit 6
' Copyright (C) 1999-2011 Expert Networking Group Limited
' techbite-BitLocker
' Jamie Glendinning
' Custom script template (phase4-before.vbs)
' Attach to ENGL Ztoolkit ActiveX Control
Set LDAP = CreateObject("ENGL.Ztoolkit.LDAP")
Set Utils = CreateObject("ENGL.Ztoolkit.Utils")
Set ZENworks = CreateObject("ENGL.Ztoolkit.ZENworks")
' Set ZISD Version
ZENworks.ZISDVersion = 11
' Add custom script here...
' Read in ZISD:VendorDataENGL
VendorDataENGLSTRING = ZENworks.GetZisdAttributeValue("VendorDataENGL")
' Separate strings
zisd_bit_OS = Utils.GetKeyPairStringValue(VendorDataENGLSTRING, "bit_OS")

If zisd_bit_OS = "Yes" then
    ' BitLocker needs to be enabled on this machine
    utils.appendlog "Enabling BitLocker"
    utils.appendlog "Enabling BitLocker on OS Partition"
    utils.run "%comspec% /c BdeHdCfg.exe -target default -quiet >> c:\ztoolkit\ztoolkit.log",0,true
    bit_status = utils.run ("wscript c:\ztoolkit\EnableBitLocker.vbs /on:tpm /l:c:\ztoolkit\ztoolkit.log",0,true)
    utils.appendlog "BitLocker script status: " & bit_status
    utils.run "%comspec% /c manage-bde -status >> c:\ztoolkit\ztoolkit.log",0,true
end if


Slide 58

BitLocker
Testing Build Process
Restore the updated project files
Reboot after images have restored, the workstation will
build successfully
Review the build machine to confirm everything is
working as expected
• Ztoolkit.log file – this should contain BitLocker information
• Launch a command prompt
  manage-bde -status
  This will give information on current status of the local partitions
• Open Control Panel – launch BitLocker Drive Encryption will show similar information


Slide 59

BitLocker
Testing Build Process
Ztoolkit.log file – this should contain EnableBitLocker.vbs information
...
[03-Aug-11 12:29:44] [Zmainrun-Phase4] Running custom scripts (pre-phase)...
[03-Aug-11 12:29:44] [Zmainrun-Phase4] Processing 'phase4-before.vbs'...
[03-Aug-11 12:29:44] [Zmainrun-Phase4] [Debug] Running [wscript C:\Ztoolkit\phase4-before.vbs]
[03-Aug-11 12:29:44] [ZtoolkitCtrl] ENGL ZtoolkitCtrl 6.0.5.0 (x86)
[03-Aug-11 12:29:44] [ZtoolkitCtrl] Copyright (C) 1999-2011 Expert Networking Group Limited
[03-Aug-11 12:29:44] [ZtoolkitCtrl] Licensed to: ENGL System Test
[03-Aug-11 12:29:44] [ZtoolkitCtrl] ZENworks.GetZisdAttributeValue() attribute: 'VendorDataENGL'
[03-Aug-11 12:29:44] [ZtoolkitCtrl] returning [Yes]
[03-Aug-11 12:29:44] [ZtoolkitCtrl] Enabling BitLocker
[03-Aug-11 12:29:44] [ZtoolkitCtrl] Enabling BitLocker on OS Partition
BitLocker Drive Preparation Tool version 6.1.7600
Copyright (C) 2006-2008 Microsoft Corporation.

Script processing started 03/08/2011 12:29:49
Proper number of command line arguments passed to the script
--------------------------------------------------------------------------------
Executing with the following arguments
--------------------------------------------------------------------------------
Enable parameters: tpm
Logging location: c:\ztoolkit\ztoolkit.log
...


Slide 60

BitLocker
Testing Build Process
Ztoolkit.log file – this should contain manage-bde -status information
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 74.53 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 0%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: []
[Data Volume]

    Size:                 74.13 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

[03-Aug-11 12:29:55] [Zmainrun-Phase4] [Debug] returned 0 (exit code: 0)...
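
The status section above can also be checked automatically when build logs are collected. The following is an added example, not part of the original slides or of Microsoft's script: it parses `manage-bde -status` text and reports any OS volume that is not encrypting or lacks the expected key protectors. The sample text is constructed from the output shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the manage-bde -status section shown above.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 74.53 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 0%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: []
[Data Volume]

    Size:                 74.13 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

[03-Aug-11 12:29:55] [Zmainrun-Phase4] [Debug] returned 0 (exit code: 0)...
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):")
ROLE_RE = re.compile(r"^\[(.+ Volume)\]$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_status(text):
    """Return {drive letter: fields}; key protectors are collected as a list."""
    volumes, current, in_protectors = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        start = VOLUME_RE.match(line)
        if start:
            current = volumes[start.group(1)] = {"Key Protectors": []}
            in_protectors = False
            continue
        if current is None or not line:
            in_protectors = False  # a blank line ends a protector list
            continue
        role, field = ROLE_RE.match(line), FIELD_RE.match(line)
        if role:
            current["Role"] = role.group(1)
        elif field and field.group(1) == "Key Protectors":
            # Protectors follow on their own lines unless none were found.
            in_protectors = field.group(2) == ""
        elif field:
            current[field.group(1)] = field.group(2)
            in_protectors = False
        elif in_protectors:
            current["Key Protectors"].append(line)
    return volumes


def classify(volume):
    """Map one volume's fields to protected / encrypting / unprotected."""
    conversion = volume.get("Conversion Status", "")
    if (volume.get("Protection Status") == "Protection On"
            and conversion == "Fully Encrypted"):
        return "protected"
    if conversion == "Encryption in Progress":
        return "encrypting"  # as in the log above: protection still off at 0%
    return "unprotected"


def os_volume_findings(text, required=("TPM", "Numerical Password")):
    """List problems on OS volumes; an empty list means the build looks right."""
    os_volumes = {letter: v for letter, v in parse_status(text).items()
                  if v.get("Role") == "OS Volume"}
    if not os_volumes:
        return ["no OS volume reported"]
    findings = []
    for letter, volume in sorted(os_volumes.items()):
        if classify(volume) == "unprotected":
            findings.append("%s: not encrypted (%s, %s)" % (
                letter, volume.get("Conversion Status"),
                volume.get("Protection Status")))
        for name in required:
            if name not in volume["Key Protectors"]:
                findings.append("%s: missing key protector %s" % (letter, name))
    return findings
```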


Slide 61

BitLocker
Testing Build Process
Control Panel - BitLocker Drive Encryption



Slide 62

BitLocker
Testing Build Process
Review the partition structure on the machine once the
machine has built.
It should look something like this:



Slide 63

Summary



Slide 64

Summary
Using Imaging Toolkit v6 you can create a universal
Windows 7 build process that includes a system
partition.
It is also possible to automate the encryption of the OS
partition using BitLocker.
The examples given in this TechBite session can be
easily extended to meet individual customer
requirements including encryption of the DATA partition



Slide 65

Issues



Slide 66

Issues
If you would like any more information or assistance
with the procedures detailed in this TechBite let us
know!
• Log an incident via My ENGL
https://www.engl.co.uk/Support.aspx
• Report an issue via support forum
https://www.engl.co.uk/Support.aspx
• Email
[email protected]


Slide 67

More information



Slide 68

More Information
Useful links


Product information and Downloads
https://www.engl.co.uk/Products/ImagingToolkit.aspx



Success Stories
https://www.engl.co.uk/Company/SuccessStories.aspx



Partners
www.engl.co.uk/partners



Slide 69

More Information
Future Events


Tech Bite sessions



Brainshare

https://www.engl.co.uk/Events.aspx



Slide 70

www.engl.co.uk