Archive
SCCM 2012 R2 With BitLocker Network Unlock
I’ve read and followed MS documentation available at:
– BitLocker: How to enable Network Unlock
– Bitlocker: Network Unlock (PFE Blog post)
- Client/Server configuration:
- Clients: Windows 8.1 and up on isolated VLAN
- SCCM Servers: 2012 R2 SP1
- SCCM distribution point: dedicated server for network unlock and client deployment
- change to certificate template used for network unlock: Certification Authority and Certificate recipient fields are Windows Server 2012 R2 and Windows 8.1 respectively
After some initial testing I’ve successfuly deployed this configuration at one of our customer’s sites.
Not sure if it is fully supported from MS side but I didn’t do any “funny” customization to get it working – based on this I would guess it should be supported.
Second link is really useful for understanding how the whole thing works – it even has few screenshots of network trace (good reference for troubleshooting).
Good to know:
– Network unlock by itself doesn’t do PXE boot – unlock happens before that with special DHCP packet (provided, that LAN boot is not first BOOT option – which it shouldn’t be). Check second link for more info.
– This change to BitLocker OS drive unlock process will add few seconds to boot process. Why? Before Windows can successfully start and unlock drive with certificate, boot manager has to get valid IP DHCP address (or not if timeout happens). Only after this happens BootRequest packet is send to WDS server which replies with BootReply. How big can this delay be probably depends on usual network-related configuration.
Where to start your journey when your goal is multi-boot USB
Not so often anymore, but still sometimes I find myself in situation when I have to analyze and possibly repair broken Windows system. When that happens, it is good to have few tools at hand. Because you never know what went wrong in advance, it is good to be prepared for all occasions. I usually need only one USB drive – my 32GB multi-boot USB drive (you can also go with less).
On my USB, there are quite few tools; some of them might come in handy even to you some day. Just to kick-start your journey I will give you few pointers:
You need bootable USB and something to boot. I prefer:
Windows 7 USB/DVD tool
– Free
– Good for Windows-only multi-boot
– Wizard driven “ISO to USB/DVD” converter
– Can create bootable USB from any WIM based image, like:
– Windows Vista & Windows Server 2008
– Windows 7 & Windows Server 2008 R2
– Windows Defender Offline
– Microsoft Diagnostics and Recovery Toolset
– Windows PE – you can get it in Windows AIK
– Windows RE – Create a Windows RE Recovery Media
Windows Defender Offline
– Free
– Dedicated to finding and removing malicious and potentially unwanted programs
– Based on Windows PE
– Wizard driven USB/DVD creator
Microsoft Diagnostics and Recovery Toolset
– Free for Microsoft SA customers, available to Volume Licensing customers, Microsoft Development Network subscribers, and Microsoft TechNet subscribers
– Packed with tools like Locksmith, Crash Analyzer, File Restore, Disk Wipe and Standalone System Sweeper
– Based on Windows PE
– Wizard driven USB/DVD creator
Universal USB Installer
– Free
– Great for true multi-boot
– Can combine multiple Windows based and non-Windows based images onto one media
– Supports Windows XP and newer
– Supports 90+ Linux distributions (don’t forget to check out KON-BOOT*)
– Wizard driven USB/DVD creator
When creating bootable USB all the applications require USB format (wipe and FAT32 created).
If you also like to have updated Sysinternals tools with you, don’t forget to check out SysInternalsUpdater.
*Great tool for true bypassing of local Windows Logon passwords.
Remote Server Administration Tools for Windows 7 SP1 available for download
RSAT Client is the collection of Windows Server management tools which enable IT professionals to manage their Windows Server infrastructure from their PCs running Windows 7 SP1 and Windows 7.
This is the list of Windows Server administration tools which are included in RSAT Client for Win7 SP1:
Server Administration Tools:
Server Manager
Role Administration Tools:
Active Directory Certificate Services (AD CS) Tools
Active Directory Domain Services (AD DS) Tools
Active Directory Lightweight Directory Services (AD LDS) Tools
DHCP Server Tools
DNS Server Tools
File Services Tools
Hyper-V Tools
Terminal Services Tools
Feature Administration Tools:
BitLocker Password Recovery Viewer
Failover Clustering Tools
Group Policy Management Tools
Network Load Balancing Tools
SMTP Server Tools
Storage Explorer Tools
Storage Manager for SANs Tools
Windows System Resource Manager Tools
Download page at Microsoft Download Center: RSAT for Windows 7 with SP1
If you followed my previous post on how to manually install RSAT tools on Windows 7 with SP1 you can also install this update on your PC over existing RSAT tools.
Error message when installing RSAT on Windows 7 SP1: ‘This update is not applicable to your computer’ or how to install RSAT on Windows 7 SP1
If you can install RSAT on Windows 7 RTM and than do the update to SP1 – do it. Currently this is the only supported way of using RSAT on Windows 7 updated to SP1.
Use the following steps for testing purposes only. I did clean install of Windows 7 with SP1 already integrated and this was the only way for me to get RSAT working. So far so good 
.
Here are my steps – first download all necessary files to RSAT folder (D:\RSAT), then:
1. step
Expand the RSAT msu file to a folder like D:\RSAT\RTM:
D:\RSAT>start /wait expand -f:* amd64fre_GRMRSATX_MSU.msu RTM
or
D:\RSAT>start /wait expand -f:* x86fre_GRMRSAT_MSU.msu RTM
2. step
Expand the CAB file included in previously expanded MSU:
D:\RSAT\RTM>start /wait expand -f:* Windows6.1-KB958830-x64.cab Windows6.1-KB958830-x64
or
D:\RSAT\RTM>start /wait expand -f:* Windows6.1-KB976932-x86.exe Windows6.1-KB976932-x86
3. step
Extract Windows 7 Service Pack 1 files to a folder like W7-SP1:
D:\RSAT>start /wait windows6.1-KB976932-X64.exe /X:D:\RSAT\W7-SP1
or
D:\RSAT>start /wait windows6.1-KB976932-X86.exe /X:D:\RSAT\W7-SP1
4. step
Expand the CAB file included in previously extracted EXE:
D:\RSAT\W7-SP1>start /wait expand -f:* windows6.1-KB976932-X64.cab windows6.1-KB976902-X64
or
D:\RSAT\W7-SP1>start /wait expand -f:* windows6.1-KB976932-X86.cab windows6.1-KB976902-X86
5. step
Install the RSAT MUMs (replace the language-specific (en-us) MUM files with the language of your Windows 7 OS!):
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x64\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x64\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x64\microsoft-windows-remoteserveradministrationtools-package-minilp~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\W7-SP1\windows6.1-KB976932-X64\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum"
or
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x86\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x86\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~en-us~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\RTM\Windows6.1-KB958830-x86\microsoft-windows-remoteserveradministrationtools-package-minilp~31bf3856ad364e35~x86~en-us~6.1.7600.16385.mum"
D:\RSAT>start /wait pkgmgr /ip /m:"d:\RSAT\W7-SP1\windows6.1-KB976932-X86\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~~6.1.7601.17514.mum"
You can do the same with DISM in one step:
d:\RSAT\RTM\Windows6.1-KB958830-x64>DISM.exe /Online /NoRestart /Add-Package /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package-minilp~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum" /PackagePath:"d:\RSAT\W7-SP1\windows6.1-KB976932-X64\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum"
or
d:\RSAT\RTM\Windows6.1-KB958830-x86>DISM.exe /Online /NoRestart /Add-Package /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~en-us~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package-minilp~31bf3856ad364e35~x86~en-us~6.1.7600.16385.mum" /PackagePath:"d:\RSAT\W7-SP1\windows6.1-KB976932-X86\microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~x86~~6.1.7601.17514.mum"
6. step
Reboot (if needed) and open "Turn Windows Features on or off" and activate the RSAT Tools you want. You can also install all RSAT Tools in one step with DISM:
DISM.exe /Online /NoRestart /Enable-Feature /FeatureName:"RemoteServerAdministrationTools" /FeatureName:"RemoteServerAdministrationTools-ServerManager" /FeatureName:"RemoteServerAdministrationTools-Roles" /FeatureName:"RemoteServerAdministrationTools-Roles-CertificateServices" /FeatureName:"RemoteServerAdministrationTools-Roles-CertificateServices-CA" /FeatureName:"RemoteServerAdministrationTools-Roles-CertificateServices-OnlineResponder" /FeatureName:"RemoteServerAdministrationTools-Roles-AD" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-DS" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-DS-SnapIns" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-DS-NIS" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-LDS" /FeatureName:"RemoteServerAdministrationTools-Roles-AD-Powershell" /FeatureName:"RemoteServerAdministrationTools-Roles-DHCP" /FeatureName:"RemoteServerAdministrationTools-Roles-DNS" /FeatureName:"RemoteServerAdministrationTools-Roles-FileServices" /FeatureName:"RemoteServerAdministrationTools-Roles-FileServices-Dfs" /FeatureName:"RemoteServerAdministrationTools-Roles-FileServices-Fsrm" /FeatureName:"RemoteServerAdministrationTools-Roles-FileServices-StorageMgmt" /FeatureName:"RemoteServerAdministrationTools-Roles-HyperV" /FeatureName:"RemoteServerAdministrationTools-Roles-RDS" /FeatureName:"RemoteServerAdministrationTools-Features" /FeatureName:"RemoteServerAdministrationTools-Features-BitLocker" /FeatureName:"RemoteServerAdministrationTools-Features-Clustering" /FeatureName:"RemoteServerAdministrationTools-Features-GP" /FeatureName:"RemoteServerAdministrationTools-Features-LoadBalancing" /FeatureName:"RemoteServerAdministrationTools-Features-SmtpServer" /FeatureName:"RemoteServerAdministrationTools-Features-StorageExplorer" /FeatureName:"RemoteServerAdministrationTools-Features-StorageManager" /FeatureName:"RemoteServerAdministrationTools-Features-Wsrm" /FeatureName:"IIS-LegacySnapIn" /FeatureName:"IIS-IIS6ManagementCompatibility" /FeatureName:"IIS-WebServerManagementTools" /FeatureName:"IIS-WebServerRole" /FeatureName:"IIS-Metabase"
More info on setup error and download links:
– Error message when installing RSAT: ‘This update is not applicable to your computer’
– How-To: Install RSAT (Remote Server Administration Tools) on Win 7 Sp1
– Remote Server Administration Tools for Windows 7
– Windows 7 and Windows Server 2008 R2 Service Pack 1
Windows 7 SP1
Something probably worth checking out (before you start to deploy SP1):
– Deployment Guide for Windows Server 2008 R2 with SP1 and Windows 7 with SP1
– How to Fix Windows 7 SP1’s “Installation Was not Successful “ Error
– If you are seeing a Fatal error C0000034
– Windows 7 Ultimate SP1 installation fails with error code c0000034
– Windows 7 SP1 fails to install with 0x800f0a13 or 0x800f0826
Going down the IT rabbit hole 