Friday, 28 June 2013

Enabling Bitlocker on a Windows 2 Go Device

When you try to turn on BitLocker on the Windows 2 Go device you created in the previous post, you'll possibly see the following message:

This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.

A Windows 2 Go pen has no TPM of its own, so BitLocker has to be allowed to fall back to a password or startup key. Enable that policy in the local Group Policy Editor of the running Windows 2 Go system:

1. Press Windows+R to open the Run dialog.

2. Type "gpedit.msc" and click OK.

3. A new window will open.

4. Under Computer Configuration, click Administrative Templates.

5. Double-click Windows Components (right window pane).

6. Double-click BitLocker Drive Encryption.

7. Double-click Operating System Drives.

8. Double-click Require Additional Authentication at Startup.

9. A new window will open.

10. Click "Enabled" and make sure the "Allow BitLocker without a compatible TPM" box (the option named in the error above) is ticked.

11. Click OK and close the window.


Next, back the BitLocker recovery information up to Active Directory:

  • Load gpedit.msc
  • Local Computer Policy\Administrative Templates\Windows Components\BitLocker Drive Encryption
  • Turn on the following:
      o 'Store BitLocker recovery information in AD DS'
  • Local Computer Policy\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
      o 'Choose how BitLocker-protected fixed drives can be recovered'
  • Local Computer Policy\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
      o 'Choose how BitLocker-protected operating system drives can be recovered'
  • Local Computer Policy\Administrative Templates\System\Trusted Platform Module Services
      o 'Turn on TPM backup to AD DS'
  • Open CMD
  • Type 'manage-bde -protectors -get c:'
  • You should get a similar return (it prints the recovery password in clear, so treat the output as a secret):
        BitLocker Drive Encryption: Configuration Tool version 6.1.7601
        Copyright (C) Microsoft Corporation. All rights reserved.
        Volume C: [OSDisk]
        All Key Protectors
        TPM:      ID: {1B86C47C-B81E-4F1A-A8C2-598B9F54C99C}
        Numerical Password:  ID: {FE3311F0-0ED2-419D-8455-B10D3A104887}
        Password:  551463-589820-493438-138534-340098-388795-215589-457996
  • Then type 'manage-bde -protectors -adbackup c: -id {Numerical Password}', substituting the ID shown next to Numerical Password in the output above (braces included). You should get:
        BitLocker Drive Encryption: Configuration Tool version 6.1.7601
        Copyright (C) Microsoft Corporation. All rights reserved.

        Recovery information was successfully backed up to Active Directory.
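The manual "read the ID, then type it into -adbackup" step above is easy to get wrong by hand. The following PowerShell is an added example, not from the original post: it parses the manage-bde listing for the Numerical Password protector, runs the AD backup with that ID and checks the tool's own success line. It assumes manage-bde.exe is on the PATH and that the AD DS backup policies listed above are already in place; the sample listing is constructed from the output shown in the post.

```powershell
function Get-NumericalPasswordProtectorId {
    param([string[]]$ManageBdeOutput)
    # manage-bde prints the protector type ("TPM:", "Numerical Password:", ...) and its
    # "ID: {GUID}" either on the same line or on the next one, so remember the last type
    # seen and return the first ID that appears under Numerical Password.
    $currentType = $null
    foreach ($line in $ManageBdeOutput) {
        if ($line -match '^\s*(?!ID\b)([A-Za-z][A-Za-z ]*):') {
            $currentType = $Matches[1]
        }
        if ($currentType -eq 'Numerical Password' -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            return $Matches[1]
        }
    }
    return $null
}

function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = 'C:')
    # The listing contains the recovery password itself: keep it in memory only, never log it.
    $listing = & manage-bde.exe -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" }
    $id = Get-NumericalPasswordProtectorId -ManageBdeOutput $listing
    if (-not $id) {
        throw "No Numerical Password protector on $MountPoint; add one with 'manage-bde -protectors -add $MountPoint -RecoveryPassword' first."
    }
    $result = & manage-bde.exe -protectors -adbackup $MountPoint -id $id 2>&1 | ForEach-Object { "$_" }
    # Require both a zero exit code and the tool's own success message before reporting done.
    if ($LASTEXITCODE -ne 0 -or (($result -join ' ') -notmatch 'successfully backed up')) {
        throw "AD backup of protector $id failed (exit code $LASTEXITCODE): $($result -join ' ')"
    }
    return $id
}

# Constructed sample in the layout shown in the post above (protector IDs copied from it).
$sample = @(
    'BitLocker Drive Encryption: Configuration Tool version 6.1.7601',
    'Volume C: [OSDisk]',
    'All Key Protectors',
    '    TPM:      ID: {1B86C47C-B81E-4F1A-A8C2-598B9F54C99C}',
    '    Numerical Password:  ID: {FE3311F0-0ED2-419D-8455-B10D3A104887}'
)
Get-NumericalPasswordProtectorId -ManageBdeOutput $sample

# On the Windows 2 Go system itself, once it is domain joined:
# Backup-RecoveryPasswordToAd -MountPoint 'C:'
```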

For the backup to work, the computer account itself must be allowed to write TPM recovery information to Active Directory. Copy the following (Microsoft's sample) into a .vbs script and run it as a domain administrator to add that permission:

' This script demonstrates the addition of an Access Control Entry (ACE)
' to allow computers to write Trusted Platform Module (TPM)
' recovery information to Active Directory.
' This script creates a SELF ACE on the top-level domain object, and
' assumes that inheritance of ACL's from the top-level domain object to
' down-level computer objects are enabled.
' Last Updated: 07/01/2006
' Last Reviewed: 09/19/2009
' Microsoft Corporation
' Disclaimer
' The sample scripts are not supported under any Microsoft standard support program
' or service. The sample scripts are provided AS IS without warranty of any kind.
' Microsoft further disclaims all implied warranties including, without limitation,
' any implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the sample scripts and
' documentation remains with you. In no event shall Microsoft, its authors, or
' anyone else involved in the creation, production, or delivery of the scripts be
' liable for any damages whatsoever (including, without limitation, damages for loss
' of business profits, business interruption, loss of business information, or
' other pecuniary loss) arising out of the use of or inability to use the sample
' scripts or documentation, even if Microsoft has been advised of the possibility
' of such damages.
' Version 1.0.1 - Tested and re-released for Windows 7 and Windows Server 2008 R2


' --------------------------------------------------------------------------------
' Access Control Entry (ACE) constants
' --------------------------------------------------------------------------------

'- From the ADS_ACETYPE_ENUM enumeration
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT      = &H5   'Allows an object to do something

'- From the ADS_ACEFLAG_ENUM enumeration
Const ADS_ACEFLAG_INHERIT_ACE                = &H2   'ACE can be inherited to child objects
Const ADS_ACEFLAG_INHERIT_ONLY_ACE           = &H8   'ACE does NOT apply to target (parent) object

'- From the ADS_RIGHTS_ENUM enumeration
Const ADS_RIGHT_DS_WRITE_PROP                = &H20  'The right to write object properties
Const ADS_RIGHT_DS_CREATE_CHILD              = &H1   'The right to create child objects

'- From the ADS_FLAGTYPE_ENUM enumeration
Const ADS_FLAG_OBJECT_TYPE_PRESENT           = &H1   'Target object type is present in the ACE
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2   'Target inherited object type is present in the ACE

' --------------------------------------------------------------------------------
' TPM and FVE schema object GUID's
' --------------------------------------------------------------------------------

'- ms-TPM-OwnerInformation attribute
' The schemaIDGUID assignment for this attribute is missing here; take the value
' from the schema reference below and replace the placeholder. The ACE's ObjectType
' must be scoped to it, otherwise the write right would cover every attribute.
SCHEMA_GUID_MS_TPM_OWNERINFORMATION = "{REPLACE-WITH-schemaIDGUID-OF-ms-TPM-OwnerInformation}"

'- ms-FVE-RecoveryInformation object
' (not referenced by this script; see the NOTE below)

'- Computer object
SCHEMA_GUID_COMPUTER = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

'Reference: "Platform SDK: Active Directory Schema"

' --------------------------------------------------------------------------------
' Set up the ACE to allow write of TPM owner information
' --------------------------------------------------------------------------------

Set objAce1 = CreateObject("AccessControlEntry")

' Object-specific "allow" ACE, inherited by child computer objects only (inherit-only,
' so it grants nothing on the domain object itself), limited to a single attribute.
objAce1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce1.AceFlags   = ADS_ACEFLAG_INHERIT_ACE Or ADS_ACEFLAG_INHERIT_ONLY_ACE
objAce1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT Or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce1.Trustee    = "SELF"
objAce1.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objAce1.ObjectType = SCHEMA_GUID_MS_TPM_OWNERINFORMATION
objAce1.InheritedObjectType = SCHEMA_GUID_COMPUTER

' --------------------------------------------------------------------------------
' NOTE: BY default, the "SELF" computer account can create
' BitLocker recovery information objects and write BitLocker recovery properties
' No additional ACE's are needed.
' --------------------------------------------------------------------------------

' --------------------------------------------------------------------------------
' Connect to the Discretionary ACL (DACL) of the domain object
' --------------------------------------------------------------------------------

Set objRootLDAP = GetObject("LDAP://rootDSE")
strPathToDomain = "LDAP://" & objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com

Set objDomain = GetObject(strPathToDomain)

WScript.Echo "Accessing object: " & objDomain.Get("distinguishedName")

Set objDescriptor = objDomain.Get("ntSecurityDescriptor")
Set objDacl = objDescriptor.DiscretionaryAcl

' --------------------------------------------------------------------------------
' Add the ACEs to the Discretionary ACL (DACL) and set the DACL
' --------------------------------------------------------------------------------

objDacl.AddAce objAce1

objDescriptor.DiscretionaryAcl = objDacl
objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
' Put only changes the local cache; SetInfo commits the new DACL to the directory.
objDomain.SetInfo

WScript.Echo "SUCCESS!"
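Because the script edits the DACL of the domain object itself, it is worth confirming exactly what got added. This PowerShell check is an added example (not part of the post or of Microsoft's sample): it lists the inheritable SELF WriteProperty ACEs scoped to computer objects and flags one whose ObjectType is unscoped, which would mean SELF can write every attribute of every computer object rather than only the TPM owner information. It assumes the RSAT ActiveDirectory module and read access to the domain's security descriptor.

```powershell
Import-Module ActiveDirectory

function Get-TpmSelfWriteAce {
    # schemaIDGUID of the computer class, the same value the script above inherits to.
    $computerClassGuid = [guid]'BF967A86-0DE6-11D0-A285-00AA003049E2'
    $domainDn = (Get-ADRootDSE).defaultNamingContext
    $acl = Get-Acl -Path ('AD:\' + $domainDn)
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band 0x20) -ne 0) -and   # 0x20 = WriteProperty (ADS_RIGHT_DS_WRITE_PROP)
        $_.InheritedObjectType -eq $computerClassGuid
    } | ForEach-Object {
        [pscustomobject]@{
            Rights               = $_.ActiveDirectoryRights
            InheritanceType      = $_.InheritanceType       # Descendents = inherit-only, as the script intends
            ObjectType           = $_.ObjectType            # attribute the write right is limited to
            InheritedObjectType  = $_.InheritedObjectType
            # An all-zero ObjectType means WriteProperty on every attribute of every computer
            # object, which is far broader than writing ms-TPM-OwnerInformation.
            ScopedToOneAttribute = ($_.ObjectType -ne [guid]::Empty)
        }
    }
}

$aces = @(Get-TpmSelfWriteAce)
if ($aces.Count -eq 0) {
    Write-Warning 'No inheritable SELF WriteProperty ACE for computer objects was found on the domain object.'
}
foreach ($ace in $aces) {
    if (-not $ace.ScopedToOneAttribute) {
        Write-Warning 'Found a SELF WriteProperty ACE that is not limited to one attribute; review it before relying on it.'
    }
}
$aces | Format-List
```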

Wednesday, 26 June 2013

Creating a Windows 2 Go USB device

So our IT Director managed to break his Windows 2 Go (W2G) pen I created for him a few months back. I kicked myself that I hadn't blogged the steps back then, so as I've had to recreate it I'm taking the opportunity to blog it now.

The Windows 8 W2G GUI didn't let me see my .wim - I'm guessing this is due to the size of it. I opted to build it via PowerShell, which worked a charm.

I used a Windows 8 .wim that I'd captured from our corporate build. I already have this, so one of my assumptions is that you will have one too.

I also have an approved Windows 2 Go USB pen (Kingston DataTraveler Workspace 32GB).

These are the devices currently supported by Microsoft:

Also you will need to change your BIOS boot order to boot to USB first.


  • You already have Windows 8 image (.wim) file - OOTB or captured.
  • You have an approved USB device from the list above.
1. From a Windows 8 machine fire up an elevated PowerShell prompt.
2. The following commands will prepare your USB device to be used with W2G. Type them in the PowerShell window:

# The following command will set $Disk to all USB drives with >20 GB of storage
$Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }

# Clear the disk. This will delete any data on the disk (and will fail if the disk is not yet
# initialized; if that happens, simply continue with 'New-Partition...'). Validate that this
# is the correct disk that you want to completely erase.
# To skip the confirmation prompt, append -Confirm:$False
Clear-Disk -InputObject $Disk[0] -RemoveData

# This command initializes a new MBR disk
Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR

# This command creates a 350 MB system partition
$SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive

# This formats the volume with a FAT32 filesystem
# To skip the confirmation dialog, append -Confirm:$False
Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
    -Partition $SystemPartition

# This command creates the Windows volume using the maximum space available on the drive.
# The Windows To Go drive should not be used for other file storage.
$OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize

Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
    -Partition $OSPartition

# This command assigns drive letters to the new drive; the drive letters chosen should not already be in use.
Set-Partition -InputObject $SystemPartition -NewDriveLetter "S"
Set-Partition -InputObject $OSPartition -NewDriveLetter "W"

# This command toggles the NODEFAULTDRIVELETTER flag on the partition, which
# prevents drive letters being assigned to either partition when inserted into a different machine.
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE

3. Now we need that Windows 8 image. For the sake of this example we'll say the image is on C:\ and it's called windows8.wim.
We will use DISM (Deployment Image Servicing and Management) to apply the image to the USB drive - it could take 30 mins or longer, so time to sit back and enjoy a brew...

dism /apply-image /imagefile:c:\windows8.wim /index:1 /applydir:W:\

4. Now we will use BCDBOOT to copy the boot components to the system partition.

W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:

5. To prevent the native HDD from being fired up whilst within W2G we need a policy in place.  Here's one I prepared earlier - copy the san_policy.xml file to the root of your USB device:

6. Apply the policy file we just created by running this command:

Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml

7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the code from the sample here to create a new answer file or you can paste it into an existing answer file (or just use the file itself):

8. Once the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\Windows\System32\sysprep\)
Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the %systemroot%\panther folder which is the first location that setup will check for installation information.  You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
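Step 2 above erases $Disk[0] without checking that the filter matched exactly one disk, and the comment there tells you to validate the choice yourself. The following is an added example, not the post's own commands: a guarded disk selection that refuses to continue unless exactly one removable USB disk matches, shows it, and makes you type its disk number back before Clear-Disk runs; it assumes the Storage module cmdlets used in the post.

```powershell
function Select-WindowsToGoDisk {
    param([int]$MinimumSizeGB = 20)
    # Same filter as the original, plus IsSystem so the disk holding the running Windows can
    # never be chosen, and wrapped in @() so .Count works when there are 0 or 1 matches.
    $candidates = @(Get-Disk | Where-Object {
        $_.Path -match 'USBSTOR' -and $_.Size -gt ($MinimumSizeGB * 1GB) -and
        -not $_.IsBoot -and -not $_.IsSystem
    })
    if ($candidates.Count -eq 0) {
        throw "No USB disk larger than $MinimumSizeGB GB was found."
    }
    if ($candidates.Count -gt 1) {
        $candidates | Format-Table Number, FriendlyName, @{n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) }} | Out-Host
        throw 'More than one USB disk matched; remove the others and run again.'
    }
    $disk = $candidates[0]
    Write-Host ('About to ERASE disk {0}: {1} ({2} GB)' -f $disk.Number, $disk.FriendlyName, [math]::Round($disk.Size / 1GB))
    $typed = Read-Host 'Type that disk number to confirm (anything else aborts)'
    if ($typed -ne [string]$disk.Number) {
        throw 'Disk number did not match; nothing was changed.'
    }
    return $disk
}

# Use the confirmed disk in place of $Disk[0] for the rest of step 2.
$Disk = Select-WindowsToGoDisk
Clear-Disk -InputObject $Disk -RemoveData -Confirm:$false
Initialize-Disk -InputObject $Disk -PartitionStyle MBR
```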

Now boot to your new shiny Windows 2 Go boot device :)


Tuesday, 25 June 2013

SCCM Client Center

The new version ( of this invaluable tool by Roger Zander is now available for download from here.