29 January 2016

Update Drivers and BIOS via PowerShell and Dell Command Update

NOTE: I used Sapien's PowerShell Studio to write this script that significantly simplified the process!

During the build process, I execute the Dell Command Update to make sure the latest drivers and BIOS version are installed. I use the script below so that it can disable the BIOS password and execute the dcu-cli.exe in either a 32-bit or 64-bit system. The BIOS password must be disabled if you want the BIOS to be updated. Also, I execute the script in two different task sequences. This allows for the BIOS to be completely updated. There are often interval BIOS updates that have to be installed first before the latest can be installed.

You can download the script from here.


 <#       
      .NOTES  
      ===========================================================================  
       Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99  
       Created on:       1/29/2016 2:59 PM  
       Created by:       Mick Pletcher  
       Organization:         
       Filename:        UpdateAll.ps1  
      ===========================================================================  
      .DESCRIPTION  
           Uses Dell Command | Update to update all drivers and BIOS versions.  
 #>  
   
 Function Set-ConsoleTitle {  
      Param ([String]$Title)  
      $host.ui.RawUI.WindowTitle = $Title  
 }  
   
 Function Get-Architecture {  
      #Declare Local Variables  
      Set-Variable -Name Architecture -Scope Local -Force  
        
      $Architecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture  
      $Architecture = $Global:Architecture.OSArchitecture  
      #Returns 32-bit or 64-bit  
      Return $Architecture  
        
      #Cleanup Local Variables  
      Remove-Variable -Name Architecture -Scope Local -Force  
 }  
   
 Function Install-Updates {  
      Param ([String]$DisplayName,  
           [String]$Executable,  
           [String]$Switches)  
        
      #Declare Local Variables  
      Set-Variable -Name ErrCode -Scope Local -Force  
        
      Write-Host "Install"$DisplayName"....." -NoNewline  
      If ((Test-Path $Executable) -eq $true) {  
           $ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Switches -Wait -Passthru).ExitCode  
      } else {  
           $ErrCode = 1  
      }  
      If (($ErrCode -eq 0) -or ($ErrCode -eq 1) -or ($ErrCode -eq 3010)) {  
           Write-Host "Success" -ForegroundColor Yellow  
      } else {  
           Write-Host "Failed with error code "$ErrCode -ForegroundColor Red  
      }  
        
      #Cleanup Local Variables  
      Remove-Variable -Name ErrCode -Scope Local -Force  
 }  
   
   
 Function CCTKSetting {  
      param ($Name,  
           $Option,  
           $Setting,  
           $Drives,  
           $Architecture)  
        
      #Declare Local Variables  
      Set-Variable -Name Argument -Scope Local -Force  
      Set-Variable -Name ErrCode -Scope Local -Force  
      Set-Variable -Name EXE -Scope Local -Force  
        
      If ($Architecture -eq "32-bit") {  
           $EXE = $Env:PROGRAMFILES + "\Dell\Command Configure\X86\cctk.exe"  
      } else {  
           $EXE = ${env:ProgramFiles(x86)} + "\Dell\Command Configure\X86_64\cctk.exe"  
      }  
      If ($Option -ne "bootorder") {  
           $Argument = "--" + $Option + "=" + $Setting  
      } else {  
           $Argument = "bootorder" + [char]32 + "--" + $Setting + "=" + $Drives  
      }  
      Write-Host $Name"....." -NoNewline  
      If ((Test-Path $EXE) -eq $true) {  
           $ErrCode = (Start-Process -FilePath $EXE -ArgumentList $Argument -Wait -Passthru).ExitCode  
      } else {  
           $ErrCode = 1  
      }  
      If (($ErrCode -eq 0) -or ($ErrCode -eq 240) -or ($ErrCode -eq 241)) {  
           If ($Drives -eq "") {  
                Write-Host $Setting -ForegroundColor Yellow  
           } else {  
                Write-Host $Drives -ForegroundColor Yellow  
           }  
      } elseIf ($ErrCode -eq 119) {  
           Write-Host "Unavailable" -ForegroundColor Green  
      } else {  
           Write-Host "Failed with error code "$ErrCode -ForegroundColor Red  
      }  
        
      #Cleanup Local Variables  
      Remove-Variable -Name Argument -Scope Local -Force  
      Remove-Variable -Name ErrCode -Scope Local -Force  
      Remove-Variable -Name EXE -Scope Local -Force  
 }  
   
 #Declare Local Variables  
 Set-Variable -Name Architecture -Scope Local -Force  
 Set-Variable -Name EXE -Scope Local -Force  
   
 cls  
 Set-ConsoleTitle -Title "Dell Client Update"  
 $Architecture = Get-Architecture  
 CCTKSetting -Name "Disable BIOS Password" -Option "valsetuppwd" -Setting "<BIOS Password> --setuppwd=" -Drives "" -Architecture $Architecture  
 If ($Architecture -eq "32-bit") {  
      $EXE = $Env:PROGRAMFILES + "\Dell\CommandUpdate\dcu-cli.exe"  
 } else {  
      $EXE = ${env:ProgramFiles(x86)} + "\Dell\CommandUpdate\dcu-cli.exe"  
 }  
 Install-Updates -DisplayName "Update All Hardware Components" -Executable $EXE -Switches " "  
   
 #Cleanup Local Variables  
 Remove-Variable -Name Architecture -Scope Local -Force  
 Remove-Variable -Name EXE -Scope Local -Force  
   

28 January 2016

Validate TPM Settings at the Beginning of a Build of a Dell machine.

NOTE: I used Sapien's PowerShellStudio to write this script that significantly simplified the process!

I have wrestled with the issue of encrypting a system using Bitlocker during a build. The issue I have had is that not all of the process can be automated. The steps of turning on the TPM, and activating it can be automated. The portion where the TPM is cleared is a forced, manual process. If you put this in the build, then the build is stopped at the when the TPM is cleared upon the reboot waiting for a user to hit F12 to confirm the clearing of the TPM.

To get around this pause in the build, we decided to make the steps of turning on, clearing, and activating the TPM a manual process before the build process is started. I wrote the script below, integrating the BitLockerSAK function written by Stéphane vg, to verify TPM is on, TPM is cleared, and TPM is activated. If it is not, the script pops up a window saying the build failed due to the TPM not being ready. It says to turn on the TPM, clear the TPM, and activate the TPM. When OK is clicked, the build fails. 

The function I wrote uses Dell's CCTK.exe file to check the status of the TPM. I have this executing in WinPE, before the operating system is laid down. To do this, you will need to run three command line tasks. 


The first will map the drive to the folder location of that contains the CCTK.exe. I arbitrarily selected T: as the drive letter to use. You enter:

net use t: \\<network location of CCTK.exe>\ /user:<domain>\username Password

The second task sequence is to install CCTK on the X: drive, which is the drive letter of the WinPE. The following command line should be exactly what you need to copy the files to x:\CCTK\:

 xcopy.exe "t:\*.*" "x:\CCTK\" /E /C /I /H /R /Y /V

The third step is to enable HAPI, which is also present in the X:\CCTK\ directory. The following command line should do this with no issues:

x:\CCTK\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\HAPI\

Of course you will need to limit the task sequences to only machines which need to be bitlockered.

Now is the time to enter another task sequence that will execute the BitlockerSAK_CheckTPM.ps1 file. You will need to specify the executionpolicy since this is being executed in WinPE. The command line for this that I used was the following with the Start in also populated with the location of the script:

powershell.exe -executionpolicy bypass -file BitlockerSAK_CheckTPM.ps1

If the script detects the TPM is not turned on, not activated, and/or is owned, it will return an exit code of 1. This will cause the build to fail. It will also display the following window alerting the technician of the issue:



You can download the script from here.


1:  <#       
2:       .NOTES  
3:       ===========================================================================  
4:        Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99  
5:        Created on:       1/28/2016 1:55 PM  
6:        Created by:       Mick Pletcher  
7:        Organization:         
8:        Filename:         BitlockerSAK_CheckTPM.ps1  
9:       ===========================================================================  
10:       .DESCRIPTION  
11:            This script will test if bitlocker is turned on, cleared, and   
12:            activated. It uses the BitLockerSAK function wirtten by Stéphane vg to  
13:            check the ownership of Bitlocker. It also uses CCTK for testing  
14:            the status of TPM.  
15:  #>  
16:    
17:  Function BitLockerSAK {  
18:  <#  
19:  .SYNOPSIS  
20:       Get and set Bitlocker related information.  
21:      
22:  .DESCRIPTION  
23:       Based on WMI classes, this function can achiev the following tasks :  
24:    
25:    --TPM operations---  
26:      -TPM activation state.  
27:      -If the TPM is enabled or not.  
28:      -If a TPM OwnerShip is Allowed.  
29:      -If the TPM is currently owned.  
30:      -The possibility to take the ownerShip  
31:    
32:    --Encryption possibilities ---  
33:      - Retrieves the current encryption method.  
34:      - Get the current protection status.  
35:      - The current protection state.  
36:      - The possibility to encrypt a Drive.  
37:      - The possibility to Resume an encryption that has been paused.  
38:      - Possibility to return the current protector ID's.  
39:      - Possibility to return the current protector type(s).  
40:      - Retrieves the Volume key protector Passwords  
41:      
42:    
43:  .PARAMETER isTPMActivated  
44:       Returns activation state of the TPM:  
45:    Returns true if activated and false if not.  
46:    
47:  .PARAMETER isTPMEnabled  
48:       Returns the enabled state of the TPM:  
49:    Returns true if activated and false if not.  
50:    
51:  .PARAMETER IsTPMOwnerShipAllowed  
52:    Returns if the TPM ownership is allowed.  
53:    Returns true if allowed, false if not.  
54:    
55:  .PARAMETER ResumeEncryption  
56:    Will resume an paused encryption.  
57:    
58:  .PARAMETER GetEncryptionState  
59:    Returns the current encurrent state in an object as wolled :   
60:    
61:  .PARAMETER GetProtectionStatus  
62:    Returns the current protection status. It will return "Protected" if the drive is 100% encrypted, and "Unprotected" if anything else then "100% encrypted".  
63:    
64:  .PARAMETER Encrypt  
65:    Will encrypt a drive.  
66:    
67:  .PARAMETER TakeTPMOwnerShip  
68:    Returns true if allowed, false if not  
69:    
70:  .PARAMETER pin  
71:    Is needed in order to take the ownership and to encrypt the drive.  
72:    
73:  .PARAMETER IsTPMOwned  
74:    Returns true if owned, false if not  
75:    
76:  .PARAMETER GetKeyProtectorIds  
77:    Returns all the protector id's available on the machine.  
78:    
79:  .PARAMETER GetKeyProtectorType  
80:    Returns the type of protector that is currently in use.  
81:    
82:  .PARAMETER GetEncryptionMethod  
83:    REturns the current encryption method that is in use.  
84:    
85:  .PARAMETER GetKeyProtectorNumericalPassword  
86:    Returns a given numerical password based on a Protector ID value.  
87:    The ProtectorID value is mandatory, and must be passed using the parameter VolumeKeyProtectorID.   
88:    
89:  .PARAMETER VolumeKeyProtectorID  
90:    This parameter will work only in conjunction with GetKeyProtectorNumericalPassword switch.  
91:    It must contain the ProtectorID from which the desired Numerical Password will be returned.  
92:              
93:  .PARAMETER GetKeyProtectorTypeAndID  
94:    The GetKeyProtectorTypeAndID switch will return all the existing key protector ID's and their type of the Keys existing on the machine.  
95:    
96:    
97:  .PARAMETER Whatif  
98:       Permits to launch this script in "draft" mode. This means it will only show the results without really making generating the files.  
99:    
100:  .PARAMETER Verbose  
101:       Allow to run the script in verbose mode for debbuging purposes.  
102:      
103:  .EXAMPLE  
104:    
105:  BitLockerSAK  
106:    
107:  Returns the current status of the drives.  
108:    
109:  IsTPMOwned         : True  
110:  EncryptionMethod      : AES_128  
111:  IsTPMOwnerShipAllowed    : True  
112:  IsTPMActivated       : True  
113:  IsTPMEnabled        : True  
114:  CurrentEncryptionPercentage : 100  
115:  EncryptionState       : FullyEncrypted  
116:  ProtectorIds        : {{FFC19381-6E75-4D1E-94E9-D6E0D3E681FA}, {65AF5A93-9846-47AC-B3B1-D8DE6F06B780}}  
117:  KeyProtectorType      : {Numerical password, Trusted Platform Module (TPM)}  
118:    
119:  .EXAMPLE  
120:     
121:  BitLockerSAK -GetProtectionStatus  
122:    
123:  Returns the current protection status : Protected or unprotected  
124:    
125:  .EXAMPLE  
126:     
127:  BitLockerSAK -GetEncryptionState  
128:    
129:  CurrentEncryptionProgress is express in percentage.   
130:    
131:  CurrentEncryptionProgress EncryptionState                                             
132:  ------------------------- ---------------                                             
133:             100 FullyEncrypted  
134:      
135:  .EXAMPLE  
136:    
137:  Get all the key protectors and their respective ID's and protector types from the current machine.  
138:    
139:  BitLockerSAK -GetKeyProtectorTypeAndID  
140:    
141:  KeyProtectorID                                           KeyProtectorType                                            
142:  --------------                                           ----------------                                            
143:  {AB1535D4-ECB3-49D6-8AB1-E334A4F60579}                               Numerical password                                           
144:  {B1BDF8CD-55F2-4532-A93F-4B1AF4F22B55}                               Trusted Platform Module (TPM)  
145:    
146:  .EXAMPLE  
147:    
148:  Get the numerical password from a specefic Key using the ID.  
149:    
150:  BitLockerSAK -GetKeyProtectorNumericalPassword -VolumeKeyProtectorID "{AB1535D4-ECB3-49D6-8AB1-E334A4F60579}"  
151:    
152:  Message                              KeyProtectorNumericalPassword                   VolumeKeyProtectorID                         
153:  -------                              -----------------------------                   --------------------                         
154:  The method was successful.                     242968-693319-295251-477840-704451-214225-550055-383229      {AB1535D4-ECB3-49D6-8AB1-E334A4F60579}   
155:    
156:  .NOTES  
157:       -Author: Stephane van Gulick  
158:       -Email :   
159:       -CreationDate: 13-01-2014  
160:       -LastModifiedDate: 11.06.2015  
161:       -Version: 1.5  
162:       -History:  
163:    #0.1 : Created function  
164:    #1.1 : 20140901 Added GetProtectorIds  
165:    #1.2 : 20140909 Rewrote function  
166:            Added GetKeyprotectorType  
167:            Added EncryptionMethod  
168:       #1.3 : 20141003 Added TPM conditions.  
169:    #1.4 : Possiblity to select drive letter, added RemoveKeyProtectors.  
170:      --> GetKeyProtectorTypeAndID,  
171:      --> DeleteKeyProtectors,  
172:      --> ProtectorIDs,  
173:      --> DeleteKeyProtector,  
174:      --> PauseEncryption,  
175:      --> PauseDecryption,  
176:      --> Decrytp  
177:    #1.4.1 --> updated help with GetKeyPRotectedID instead of KeyProtectedID parameter  
178:    #1.5 Added GetKeyProtectorNumericalPassword and VolumeKeyProtectorID parameters.  
179:    
180:  .LINK  
181:    www.PowerShellDistrict.com  
182:    
183:  #>  
184:       [cmdletBinding()]  
185:       Param (  
186:            [Switch]$IsTPMActivated,  
187:            [Switch]$IsTPMEnabled,  
188:            [Switch]$IsTPMOwnerShipAllowed,  
189:            [Switch]$ResumeEncryption,  
190:            [Switch]$GetEncryptionState,  
191:            [Switch]$GetProtectionStatus,  
192:            [switch]$Encrypt,  
193:            [Parameter(ParameterSetName = 'OwnerShip')][switch]$TakeTPMOwnerShip,  
194:            [Parameter(ParameterSetName = 'OwnerShip')][int]$pin,  
195:            [switch]$IsTPMOwned,  
196:            [Switch]$GetKeyProtectorIds,  
197:            [switch]$GetEncryptionMethod,  
198:            [ValidateScript({  
199:                 if ($_ -match '^[A-Z]{1}[:]') {  
200:                      return $true  
201:                 } else {  
202:                      Write-Warning 'The drive letter parameter has to respect the following case: DriverLetter+Colomn EG: --> C: --> D: --> E: '  
203:                      return $false  
204:                 }  
205:            })][string]$DriveLetter = 'C:',  
206:            [switch]$GetKeyProtectorTypeAndID,  
207:            [switch]$DeleteKeyProtectors,  
208:            #Acceptvaluefrompipelinebyname  
209:            [String[]]$ProtectorIDs,  
210:            [switch]$DeleteKeyProtector,  
211:            [switch]$PauseEncryption,  
212:            [switch]$PauseDecryption,  
213:            [switch]$Decrytp,  
214:            [Parameter(ParameterSetName = 'NumericalPassword')][Switch]$GetKeyProtectorNumericalPassword,  
215:            [Parameter(ParameterSetName = 'NumericalPassword', Mandatory = $true)][String]$VolumeKeyProtectorID  
216:              
217:       )  
218:       Begin {  
219:            try {  
220:                 $Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction Stop  
221:            } catch [System.Management.ManagementException]{  
222:                   
223:                 write-warning 'Could not access the WMI methods. Verify that you run the script with elevated rights and try again.'  
224:                 continue  
225:                   
226:                   
227:            }  
228:       }  
229:       Process {  
230:            ##Add switch to verify if enough place is present on HD (6gig are need, 10 recommended).  
231:              
232:              
233:            switch ($PSBoundParameters.keys) {  
234:                   
235:                 'IsTPMActivated'{ $return = if ($Tpm) { $tpm.IsActivated().isactivated }; break }  
236:                 'IsTPMEnabled'{ $return = if ($Tpm) { $tpm.IsEnabled().isenabled }; break }  
237:                 'IsTPMOwnerShipAllowed'{ $return = if ($Tpm) { $tpm.IsOwnerShipAllowed().IsOwnerShipAllowed }; break }  
238:                 'IsTPMOwned'{ $return = if ($Tpm) { $Tpm.isowned().isowned }; break }  
239:                 'GetEncryptionState'{  
240:                      write-verbose "Getting the encryptionstate of drive $($driveletter)"  
241:                      #http://msdn.microsoft.com/en-us/library/aa376433(VS.85).aspx  
242:                      #We only want to work on the C: drive.  
243:                      $EncryptionData = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
244:                      $protectionState = $EncryptionData.GetConversionStatus()  
245:                      $CurrentEncryptionProgress = $protectionState.EncryptionPercentage  
246:                        
247:                      switch ($ProtectionState.Conversionstatus) {  
248:                             
249:                           '0' {  
250:                                  
251:                                $Properties = @{ 'EncryptionState' = 'FullyDecrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
252:                                $Return = New-Object psobject -Property $Properties  
253:                                  
254:                           }  
255:                             
256:                           '1' {  
257:                                  
258:                                $Properties = @{ 'EncryptionState' = 'FullyEncrypted'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
259:                                $Return = New-Object psobject -Property $Properties  
260:                                  
261:                           }  
262:                           '2' {  
263:                                  
264:                                $Properties = @{ 'EncryptionState' = 'EncryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
265:                                $Return = New-Object psobject -Property $Properties  
266:                           }  
267:                           '3' {  
268:                                  
269:                                $Properties = @{ 'EncryptionState' = 'DecryptionInProgress'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
270:                                $Return = New-Object psobject -Property $Properties  
271:                           }  
272:                           '4' {  
273:                                  
274:                                $Properties = @{ 'EncryptionState' = 'EncryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
275:                                $Return = New-Object psobject -Property $Properties  
276:                           }  
277:                           '5' {  
278:                                  
279:                                $Properties = @{ 'EncryptionState' = 'DecryptionPaused'; 'CurrentEncryptionProgress' = $CurrentEncryptionProgress }  
280:                                $Return = New-Object psobject -Property $Properties  
281:                           }  
282:                           default {  
283:                                write-verbose "Couldn't retrieve an encryption state."  
284:                                $Properties = @{ 'EncryptionState' = $false; 'CurrentEncryptionProgress' = $false }  
285:                                $Return = New-Object psobject -Property $Properties  
286:                           }  
287:                      }  
288:                 }  
289:                 'ResumeEncryption'{  
290:                      write-verbose 'Resuming encryption'  
291:                      $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
292:                        
293:                      $Ret = $protectionState.ResumeConversion()  
294:                      $ReturnCode = $ret.ReturnValue  
295:                        
296:                      switch ($ReturnCode) {  
297:                             
298:                           ('0') { $Message = 'The Method Resume Conversion was called succesfully.' }  
299:                           ('2150694912') { $message = 'The volume is locked' }  
300:                           default { $message = 'The resume operation failed with an uknowned return code.' }  
301:                      }  
302:                        
303:                      $Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }  
304:                      $Return = New-Object psobject -Property $Properties  
305:                 } #EndResumeEncryption    
306:                 'GetProtectionStatus'{  
307:                      #http://msdn.microsoft.com/en-us/library/windows/desktop/aa376448(v=vs.85).aspx  
308:                      $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
309:                      write-verbose 'Gathering BitLocker protection status infos.'  
310:                        
311:                      switch ($ProtectionState.GetProtectionStatus().protectionStatus) {  
312:                             
313:                           ('0') { $return = 'Unprotected' }  
314:                           ('1') { $return = 'Protected' }  
315:                           ('2') { $return = 'Uknowned' }  
316:                           default { $return = 'NoReturn' }  
317:                      } #EndSwitch  
318:                 } #EndGetProtection  
319:                 'Encrypt'{  
320:                      #http://msdn.microsoft.com/en-us/library/windows/desktop/aa376432(v=vs.85).aspx  
321:                      $ProtectionState = Get-WmiObject -Namespace ROOT\CIMV2\Security\Microsoftvolumeencryption -Class Win32_encryptablevolume -Filter "DriveLetter = '$DriveLetter'"  
322:                      write-verbose 'Launching drive encryption.'  
323:                        
324:                      $ProtectorKey = $protectionState.ProtectKeyWithTPMAndPIN('ProtectKeyWithTPMAndPin', '', $pin)  
325:                      Start-Sleep -Seconds 3  
326:                      $NumericalPasswordReturn = $protectionState.ProtectKeyWithNumericalPassword()  
327:                        
328:                      $Return = $protectionState.Encrypt()  
329:                      $returnCode = $return.returnvalue  
330:                      switch ($ReturnCode) {  
331:                             
332:                           ('0') { $message = 'Operation successfully started.' }  
333:                           ('2147942487') { $message = 'The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting.' }  
334:                           ('2150694958') { $message = 'No encryption key exists for the volume' }  
335:                           ('2150694957') { $message = 'The provided encryption method does not match that of the partially or fully encrypted volume.' }  
336:                           ('2150694942') { $message = 'The volume cannot be encrypted because this computer is configured to be part of a server cluster.' }  
337:                           ('2150694956') { $message = 'No key protectors of the type Numerical Password are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services' }  
338:                           default {  
339:                                $message = 'An unknown status was returned by the Encryption action.'  
340:                                  
341:                           }  
342:                      }  
343:                        
344:                      $Properties = @{ 'ReturnCode' = $ReturnCode; 'ErrorMessage' = $message }  
345:                      $Return = New-Object psobject -Property $Properties  
346:                 }  
347:                 'GetKeyProtectorIds'{  
348:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
349:                      $return = $BitLocker.GetKeyProtectors('0').VolumeKeyProtectorID  
350:                 }  
351:                 'GetEncryptionMethod'{  
352:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
353:                      $EncryptMethod = $BitLocker.GetEncryptionMethod().encryptionmethod  
354:                      switch ($EncryptMethod) {  
355:                           '0'{ $Return = 'None'; break }  
356:                           '1'{ $Return = 'AES_128_WITH_DIFFUSER'; break }  
357:                           '2'{ $Return = 'AES_256_WITH_DIFFUSER'; break }  
358:                           '3'{ $Return = 'AES_128'; break }  
359:                           '4'{ $Return = 'AES_256'; break }  
360:                           '5'{ $Return = 'HARDWARE_ENCRYPTION'; break }  
361:                           default { $Return = 'UNKNOWN'; break }  
362:                      }  
363:                        
364:                 }  
365:                 'GetKeyProtectorTypeAndID'{  
366:                        
367:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
368:                      $ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID  
369:                        
370:                      $return = @()  
371:                        
372:                      foreach ($ProtectorID in $ProtectorIds) {  
373:                             
374:                           $KeyProtectorType = $BitLocker.GetKeyProtectorType($ProtectorID).KeyProtectorType  
375:                           $keyType = ''  
376:                           switch ($KeyProtectorType) {  
377:                                  
378:                                '0'{ $Keytype = 'Unknown or other protector type'; break }  
379:                                '1'{ $Keytype = 'Trusted Platform Module (TPM)'; break }  
380:                                '2'{ $Keytype = 'External key'; break }  
381:                                '3'{ $Keytype = 'Numerical password'; break }  
382:                                '4'{ $Keytype = 'TPM And PIN'; break }  
383:                                '5'{ $Keytype = 'TPM And Startup Key'; break }  
384:                                '6'{ $Keytype = 'TPM And PIN And Startup Key'; break }  
385:                                '7'{ $Keytype = 'Public Key'; break }  
386:                                '8'{ $Keytype = 'Passphrase'; break }  
387:                                '9'{ $Keytype = 'TPM Certificate'; break }  
388:                                '10'{ $Keytype = 'CryptoAPI Next Generation (CNG) Protector'; break }  
389:                                  
390:                           } #endSwitch  
391:                             
392:                           $Properties = @{ 'KeyProtectorID' = $ProtectorID; 'KeyProtectorType' = $Keytype }  
393:                           $Return += New-Object -TypeName psobject -Property $Properties  
394:                      } #EndForeach  
395:                        
396:                 } #EndGetKeyProtectorType  
397:                 'DeleteKeyProtectors'{  
398:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
399:                      $Return = $BitLocker.DeleteKeyProtectors()  
400:                        
401:                 }  
402:                 'TakeTPMOwnerShip'{  
403:                      $Tpm.takeOwnership()  
404:                 }  
405:                 'DeleteKeyProtector'{  
406:                        
407:                      if ($PSBoundParameters.ContainsKey('ProtectorIDs')) {  
408:                           $Return = @()  
409:                           $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
410:                             
411:                           foreach ($ProtID in $ProtectorIDs) {  
412:                                $Return += $BitLocker.DeleteKeyProtector($ProtID)  
413:                           }  
414:                      } else {  
415:                           write-warning 'Could not delete the key protector. Missing ProtectorID parameter.'  
416:                           $Return = 'Could not delete the key protector. Missing ProtectorID parameter.'  
417:                             
418:                      }  
419:                 }  
420:                 'PauseEncryption'{  
421:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
422:                      $ReturnCode = $BitLocker.PauseConversion()  
423:                        
424:                      switch ($ReturnCode.ReturnValue) {  
425:                           '0'{ $Return = 'Paused sucessfully.'; break }  
426:                           '2150694912'{ $Return = 'The volume is locked.'; Break }  
427:                           default { $Return = 'Uknown return code.'; break }  
428:                      }  
429:                 }  
430:                 'PauseDecryption'{  
431:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
432:                      $ReturnCode = $BitLocker.PauseConversion()  
433:                        
434:                      switch ($ReturnCode.ReturnValue) {  
435:                           '0'{ $Return = 'Paused sucessfully.'; break }  
436:                           '2150694912'{ $Return = 'The volume is locked.'; Break }  
437:                           default { $Return = 'Uknown return code.'; break }  
438:                      }  
439:                 }  
440:                 'Decrytp'{  
441:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
442:                      $ReturnCode = $BitLocker.Decrypt()  
443:                        
444:                      switch ($ReturnCode.ReturnValue) {  
445:                           '0'{ $Return = 'Uncryption started successfully.'; break }  
446:                           '2150694912'{ $Return = 'The volume is locked.'; Break }  
447:                           '2150694953' { $Return = 'This volume cannot be decrypted because keys used to automatically unlock data volumes are available.'; Break }  
448:                           default { $Return = 'Uknown return code.'; break }  
449:                      }  
450:                        
451:                 }  
452:                 'GetKeyProtectorNumericalPassword'{  
453:                      $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
454:                      $Return = @()  
455:                        
456:                        
457:                      $KeyProtectorReturn = $BitLocker.GetKeyProtectorNumericalPassword($VolumeKeyProtectorID)  
458:                        
459:                      switch ($KeyProtectorReturn.ReturnValue) {  
460:                           '0' { $msg = 'The method was successful.' }  
461:                           '2150694912' { $msg = 'The volume is locked.'; Break }  
462:                           '2147942487' { $msg = "The VolumeKeyProtectorID parameter does not refer to a key protector of the type 'Numerical Password'."; Break }  
463:                           '2150694920' { $msg = 'BitLocker is not enabled on the volume. Add a key protector to enable BitLocker.'; Break }  
464:                           default { $msg = "Unknown return value: $($KeyProtectorReturn.ReturnValue)" }  
465:                      } #EndSwitch  
466:                        
467:                      $Properties = @{ 'KeyProtectorNumericalPassword' = $KeyProtectorReturn.NumericalPassword; 'VolumeKeyProtectorID' = $VolumeKeyProtectorID; 'Message' = $msg }  
468:                      $Return += New-Object -TypeName psobject -Property $Properties  
469:                        
470:                        
471:                 }  
472:            } #endSwitch  
473:              
474:              
475:            if ($PSBoundParameters.Keys.Count -eq 0) {  
476:                 #Returning info on all drives.  
477:                 write-verbose 'Returning bitlocker main status'  
478:                 $Tpm = Get-WmiObject -Namespace ROOT\CIMV2\Security\MicrosoftTpm -Class Win32_Tpm  
479:                 $BitLocker = Get-WmiObject -Namespace 'Root\cimv2\Security\MicrosoftVolumeEncryption' -Class 'Win32_EncryptableVolume' -Filter "DriveLetter = '$DriveLetter'"  
480:                   
481:                 #If no TPM module is present  
482:                 if ($tpm) {  
483:                      $TpmActivated = $tpm.IsActivated().isactivated  
484:                      $TPMEnabled = $tpm.IsEnabled().isenabled  
485:                      $TPMOwnerShipAllowed = $Tpm.IsOwnershipAllowed().IsOwnerShipAllowed  
486:                      $TPMOwned = $Tpm.isowned().isowned  
487:                        
488:                 }  
489:                   
490:                 $ProtectorIds = $BitLocker.GetKeyProtectors('0').volumekeyprotectorID  
491:                 $CurrentEncryptionState = BitLockerSAK -GetEncryptionState  
492:                 $EncryptionMethod = BitLockerSAK -GetEncryptionMethod  
493:                 $KeyProtectorTypeAndID = BitLockerSAK -GetKeyProtectorTypeAndID  
494:                   
495:                 $properties = @{  
496:                      'IsTPMActivated' = $TpmActivated;`  
497:                      'IsTPMEnabled' = $TPMEnabled;`  
498:                      'IsTPMOwnerShipAllowed' = $TPMOwnerShipAllowed;`  
499:                      'IsTPMOwned' = $TPMOwned;`  
500:                      'CurrentEncryptionPercentage' = $CurrentEncryptionState.CurrentEncryptionProgress;`  
501:                      'EncryptionState' = $CurrentEncryptionState.encryptionState; `  
502:                      'EncryptionMethod' = $EncryptionMethod;`  
503:                      'KeyProtectorTypesAndIDs' = $KeyProtectorTypeAndID  
504:                 }  
505:                   
506:                 $Return = New-Object psobject -Property $Properties  
507:            }  
508:              
509:       }  
510:       End {  
511:            return $return  
512:       }  
513:         
514:  }  
515:    
516:  function Get-BiosStatus {  
517:       param ([String]$Option)  
518:         
519:       #Declare Local Variables  
520:       Set-Variable -Name Argument -Scope Local -Force  
521:       Set-Variable -Name CCTK -Value "x:\cctk\cctk.exe" -Scope Local -Force  
522:       Set-Variable -Name Output -Scope Local -Force  
523:         
524:       $Argument = "--" + $Option  
525:       $Output = [string] (& $CCTK $Argument)  
526:       $Output = $Output.Split('=')  
527:       Return $Output[1]  
528:         
529:       #Cleanup Local Variables  
530:       Remove-Variable -Name Argument -Scope Local -Force  
531:       Remove-Variable -Name CCTK -Scope Local -Force  
532:       Remove-Variable -Name Output -Scope Local -Force  
533:  }  
534:    
535:  #Declare Local Variables  
536:  Set-Variable -Name oShell -Scope Local -Force  
537:  Set-Variable -Name TPMActivated -Scope Local -Force  
538:  Set-Variable -Name TPMEnabled -Scope Local -Force  
539:  Set-Variable -Name TPMOwned -Scope Local -Force  
540:  Set-Variable -Name TPMOwnershipAllowed -Scope Local -Force  
541:    
542:  cls  
543:    
544:  $TPMEnabled = Get-BiosStatus -Option "tpm"  
545:  Write-Host "TPM Enabled:"$TPMEnabled  
546:  $TPMActivated = Get-BiosStatus -Option "tpmactivation"  
547:  Write-Host "TPM Activated:"$TPMActivated  
548:  $TPMOwnershipAllowed = BitLockerSAK -IsTPMOwnerShipAllowed  
549:  Write-Host "TPM Ownership Allowed:"$TPMOwnershipAllowed  
550:  $TPMOwned = BitLockerSAK -IsTPMOwned  
551:  Write-Host "TPM Owned:"$TPMOwned  
552:  Write-Host  
553:  If (($TPMEnabled -eq "on") -and ($TPMActivated -eq "activate") -and ($TPMOwnershipAllowed -eq $true) -and ($TPMOwned -eq $false)) {  
554:       Write-Host "TPM Ready for Bitlocker"  
555:       Exit 0  
556:  } else {  
557:       Write-Host "TPM Not Ready for Bitlocker"  
558:       $oShell = New-Object -ComObject Wscript.Shell  
559:       $oShell.Popup("TPM Not Ready for Bitlocker." + [char]13 + [char]13 + "Turn On, Clear, and Activate TPM, then restart image.", 0, "TPM Failure", 0x0)  
560:       Exit 1  
561:  }  
562:    
563:  #Cleanup Local Variables  
564:  Remove-Variable -Name oShell -Scope Local -Force  
565:  Remove-Variable -Name TPMActivated -Scope Local -Force  
566:  Remove-Variable -Name TPMEnabled -Scope Local -Force  
567:  Remove-Variable -Name TPMOwned -Scope Local -Force  
568:  Remove-Variable -Name TPMOwnershipAllowed -Scope Local -Force  
569:    

25 January 2016

Fix for A connection to the deployment could not be made

This error is very annoying when running through a build. I Googled and found this fix to it by Kyle Beckman. The trick is delaying the LiteTouch.wsf from trying to execute the next task before network connectivity is available. Kyle's fix is putting a simple timed delay in the LiteTouch.wsf. I decided to enhance this fix by using PowerShell. Instead of having to guess at how long to wait, why not use the Test-Connection commandlet and delay the script until connectivity is available? That is what I did and it has worked perfectly. The first thing was to create the oShell object. Next use oShell.run to execute the powershell command. I used the -command so that it did not have to execute and external script. You will also need to customize the part that says <IP or DNS Address>. I use the fully qualified domain name of our DNS server to test for network connectivity. You can see the code I added in the field below:


           Set oShell = CreateObject("Wscript.shell")  
           oShell.run("powershell.exe -executionpolicy bypass -command Do {$Connectivity = Test-Connection -Destination <IP or DNS Address> -Count 1 -Quiet} while ($Connectivity -eq $false)")  
   

This is what the code looks like as a whole within the LiteTouch.wsf file:

      Function ValidateDeployRootWithRecovery  
   
           Dim sARF  
           Dim sNetworkErrorHint  
           DIm iRetVal  
           Dim sLTISuspend  
   
           'Wait for network connectivity  
           Set oShell = CreateObject("Wscript.shell")  
           oShell.run("powershell.exe -executionpolicy bypass -command Do {$Connectivity = Test-Connection -Destination <IP or DNS Address> -Count 1 -Quiet} while ($Connectivity -eq $false)")  
           If oUtility.ValidateConnectionEx(oEnvironment.Item("DeployRoot"), True) = Success then  
                ValidateDeployRootWithRecovery = SUCCESS  
                exit function  
           End if  
   


NOTE: This will require at least PowerShell version 3. Also, I would highly recommend making a copy of LiteTouch.wsf before making any modifications to it. 

20 January 2016

Configuring Dell BIOS Before the Image is Laid Down

In 2014, I published this blog entry that configured the BIOS during a build process. It used the Dell Command | Configure utility. At the time, I was in a squeeze to get the new build created along with getting all new GPOs and upgrading to a new document management system at the same time. 

I now have had some time to dig in and finally solved through Henk Hoogendoorn's blog on how to set the BIOS settings pre-image. To use this in MDT/SCCM before the image is laid down, you will need to do the following:
  1. Download the Dell Command | Configure from here.
  2. Install the package on your machine.
  3. Go to the %PROGRAMFILES%\Dell\Command Configure\X86 directory. Use the X86_64 if it is a 64-bit WinPE.
  4. Copy the contents of the folder, including the HAPI subfolder to a network share
  5. Go into the task sequence and add a Group named Configure BIOS
  6. I then created a subgroup named Install CCTK to install and run the CCTK during the build process
  7. Under Install CCTK, create a Run Command Line to map a drive letter to the network location that contains the CCTK files you copied over earlier. You will need a specific drive letter to address in the next step. I used the letter t:. The command line I used was net use t: \\Production Applications\Dell\CCTK  /USER:<DOMAIN>\<Username> Password
  8. Create a second Run Command Line that will copy over all of the files from the network share to the X: drive. I named it Install CCTK. The command line I used is:  xcopy.exe "t:\*.*" "x:\CCTK\" /E /C /I /H /R /Y /V
  9. Create a third Run Command Line that will Enable the HAPI. The entry I used was: x:\CCTK\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\HAPI\.
It is now ready to execute the individual CCTK.exe commands to set BIOS settings. You will create an individual command line task entry for each setting you want to change in the BIOS. One example I set is to disable the chassis intrusion. This is what the command line looks like: x:\CCTK\CCTK.exe --chasintrusion=disable. The next thing you need to do for each entry is to add 119 and 240 to the success codes. My success code for each BIOS setting looks like this: 0 119 240 3010. Here is a screenshot of what my task sequence for setting the BIOS looks like. As you can see, I have a subgroup for Install CCTK, All Systems, Desktop, Laptop, and Enable Bitlocker. There are specific BIOS settings for desktops and laptops. I include a task sequence variable IsDesktop equals TRUE for the Desktop folder and IsLaptop equal TRUE for the Laptop group. The enable Bitlocker is also limited by a series of Task sequence variables I use.


The difference in time of setting these settings pre-image and setting them post-image is like night and day. On a 9010, it sets all BIOS settings within 15 seconds, whereas it took more than a minute post-image. 


18 January 2016

Installing Microsoft Updates in the Build Post-OS

There are updates that have to be installed after the OS has been installed. .Net Framework is an example. When I am building a reference image, I cannot inject the updates as packages to .Net Framework as it is not installed until after the OS has been installed. There have also been cases where an MSU could not be injected before the OS was installed. It would kill the build. I don't want to waste time having to wait on the windows update task to download, verify, and install the update.  This script will solve these issues. The script is designed to get all EXE and MSU files in the same directory as the InstallOnlineUpdates.ps1 PowerShell script and install them.

The first thing you want to do is let the reference image complete. Once it is finished, look at the ZTIWindowsUpdate.log file. It will show all updates that were downloaded and installed during the Windows Update task. The next thing is to download the updates, which can easily be done at https://catalog.update.microsoft.com/. Once you have the updates downloaded, place them in the same directory as this PowerShell script. In order to sequence these out, number them starting from 01 and etc. You can see how I have done mine in the screenshot below. I put EXE and MSU in the front of the filename so they would be separated and easy to find. 

Now all you have to do is to create an application to execute the PowerShell script and it will install all of your EXE and MSU files that need to be installed post-OS. 

You can download the script from here.


1:  <#       
2:       .NOTES  
3:       ===========================================================================  
4:        Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2015 v4.2.99  
5:        Created on:       1/18/2016 1:41 PM  
6:        Created by:       Mick Pletcher  
7:        Organization:         
8:        Filename:        InstallOnlineUpdates.ps1  
9:       ===========================================================================  
10:       .DESCRIPTION  
11:            This script will install both exe updates and msu updates. It is  
12:            intended to be used during the generation of a reference image. Not  
13:            all updates can be injected offline into the OS. This script takes  
14:            care of those by running post-OS install.  
15:  #>  
16:    
17:    
18:  function Install-EXEUpdates {  
19:       #Declare Variables  
20:       Set-Variable -Name Arguments -Scope Local -Force  
21:       Set-Variable -Name ErrCode -Scope Local -Force  
22:       Set-Variable -Name File -Scope Local -Force  
23:       Set-Variable -Name EXEFiles -Scope Local -Force  
24:       Set-Variable -Name RelativePath -Scope Local -Force  
25:         
26:       $RelativePath = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"  
27:       $EXEFiles = Get-ChildItem -Path $RelativePath -Force | where { $_.Name -like "*.exe*" }  
28:       If ($EXEFiles.Count -ge 1) {  
29:            $EXEFiles | Sort-Object  
30:            cls  
31:            foreach ($File in $EXEFiles) {  
32:                 $Arguments = "/passive /norestart"  
33:                 Write-Host "Installing"$File.Name"....." -NoNewline  
34:                 $ErrCode = (Start-Process -FilePath $File.Fullname -ArgumentList $Arguments -Wait -Passthru).ExitCode  
35:                 If ($ErrCode -eq 0) {  
36:                      Write-Host "Success" -ForegroundColor Yellow  
37:                 } else {  
38:                      Write-Host "Failed with error code"$ErrCode -ForegroundColor Red  
39:                 }  
40:            }  
41:       }  
42:    
43:       #Cleanup Local Variables  
44:       Remove-Variable -Name Arguments -Scope Local -Force  
45:       Remove-Variable -Name ErrCode -Scope Local -Force  
46:       Remove-Variable -Name File -Scope Local -Force  
47:       Remove-Variable -Name EXEFiles -Scope Local -Force  
48:       Remove-Variable -Name RelativePath -Scope Local -Force  
49:  }  
50:    
51:  function Install-MSUUpdates {  
52:       #Declare Variables  
53:       Set-Variable -Name Arguments -Scope Local -Force  
54:       Set-Variable -Name ErrCode -Scope Local -Force  
55:       Set-Variable -Name Executable -Value $env:windir"\System32\wusa.exe" -Scope Local -Force  
56:       Set-Variable -Name File -Scope Local -Force  
57:       Set-Variable -Name MSUFiles -Scope Local -Force  
58:       Set-Variable -Name RelativePath -Scope Local -Force  
59:         
60:       $RelativePath = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"  
61:       $MSUFiles = Get-ChildItem -Path $RelativePath -Force | where { $_.Name -like "*.msu*" }  
62:       If ($MSUFiles.Count -ge 1) {  
63:            $MSUFiles | Sort-Object  
64:            cls  
65:            foreach ($File in $MSUFiles) {  
66:                 $Arguments = $File.FullName + [char]32 + "/quiet /norestart"  
67:                 Write-Host "Installing"$File.Name"....." -NoNewline  
68:                 $ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Arguments -Wait -Passthru).ExitCode  
69:                 If (($ErrCode -eq 0) -or ($ErrCode -eq 2359302)) {  
70:                      Write-Host "Success" -ForegroundColor Yellow  
71:                 } else {  
72:                      Write-Host "Failed with error code"$ErrCode -ForegroundColor Red  
73:                 }  
74:            }  
75:       }  
76:         
77:       #Cleanup Local Variables  
78:       Remove-Variable -Name Arguments -Scope Local -Force  
79:       Remove-Variable -Name ErrCode -Scope Local -Force  
80:       Remove-Variable -Name Executable -Scope Local -Force  
81:       Remove-Variable -Name File -Scope Local -Force  
82:       Remove-Variable -Name MSUFiles -Scope Local -Force  
83:       Remove-Variable -Name RelativePath -Scope Local -Force  
84:  }  
85:    
86:  cls  
87:  Install-EXEUpdates  
88:  Install-MSUUpdates  
89:  Start-Sleep -Seconds 5  
90: