August 1 2011

SCCM unattended OSD with bootable USB drive

I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.


Here’s a neat trick to create an unattended USB boot disk for deploying SCCM OSD task sequences. The machine you use for this process needs to have the SCCM console installed, and it must be running Windows Vista, Windows 7, Windows Server 2008 or later; the process will not work on Windows XP or Windows Server 2003. Log on to the machine with an account that has administrative privileges.

  1. Attach the USB Flash Drive to a Windows Vista, 7 or Server 2008 machine (won’t work with XP or 2003)
  2. Open an administrative command prompt window (cmd.exe) and start DISKPART
  3. At the DISKPART> prompt type ‘List disk’
  4. Determine which disk number corresponds to the USB flash drive
  5. At the DISKPART> prompt, type ‘Select disk x’ where x is the disk number that the USB flash drive corresponds to
  6. At the DISKPART> prompt, type ‘Clean’
  7. At the DISKPART> prompt, type ‘List Partition’. If there is a partition, at the DISKPART> prompt, type ‘Select Partition 1’ then type ‘Clean’ or even try ‘Clean all’ if the partitions won’t go away
  8. At the DISKPART> prompt, type ‘Create Partition Primary’. If you receive an error at this stage regarding not being able to create a partition, the USB Flash Drive is not capable of being made bootable and will not work as an SCCM 2007 bootable Task Sequence Media. Please restart the process using a different USB Flash Drive.
  9. At the DISKPART> prompt, type ‘Select Partition 1’
  10. At the DISKPART> prompt, type ‘Format FS=FAT32 QUICK’
  11. At the DISKPART> prompt, type ‘Active’
  12. At the DISKPART> prompt, type ‘Assign’
  13. At the DISKPART> prompt, type ‘Exit’
  14. From the SCCM console, right-click on the Task Sequence and select Create Task Sequence Media. Follow the prompts to create a USB boot disk.
  15. Once created, on the USB drive, navigate to SMS\Data\TSMBOOTSTRAP.INI
  16. Open TSMBOOTSTRAP.INI and change line Unattended=false to Unattended=true
  17. Save the changes to TSMBOOTSTRAP.INI

You can now boot your machine from the USB drive (BIOS support required, of course) and, as long as you have a mandatory advertisement for an OS task sequence and the required computer association in SCCM, you should be fine! Generally much faster than PXE or CD / DVD booting!

If you need to make a few and know that USB is disk 1, you could use a diskpart script (diskpart.txt in this case) something like this (check before you use it!):

Select disk 1
Create Partition Primary
Select Partition 1

And then just run diskpart /s diskpart.txt
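The whole procedure above (the DISKPART steps, the Create Task Sequence Media step, the TSMBOOTSTRAP.INI edit and the diskpart /s script) as one Windows PowerShell script. This is an added example, not code from the original post: it assumes an elevated PowerShell prompt on Vista / 7 / Server 2008 or later, that the USB stick shows up as disk 1 and gets the letter E:, and that TSMBOOTSTRAP.INI is plain ANSI text. Because Unattended=true plus a mandatory advertisement means any machine booted from the stick is reimaged without a prompt, verify the disk number first (the script wipes whichever disk you name), keep physical control of the stick, and consider the wizard’s option to protect the media with a password as a second check.

```powershell
# Added example (not from the original post): prepare the USB stick with DISKPART,
# wait for the SCCM wizard to write the media, then switch the bootstrap INI to unattended.
# Assumptions: elevated Windows PowerShell, USB stick is disk 1, letter E: is free,
# and TSMBOOTSTRAP.INI is ANSI text. Check 'list disk' in DISKPART before trusting -DiskNumber.

param(
    [int]$DiskNumber = 1,        # assumption: the USB stick is disk 1 (verify with 'list disk')
    [string]$DriveLetter = 'E'   # assumption: letter to assign to the stick
)

# The manual steps only work on Vista / 7 / 2008 or later (NT 6.x+), so refuse anything older.
if ([Environment]::OSVersion.Version.Major -lt 6) {
    throw 'This procedure needs Windows Vista / 7 / Server 2008 or later.'
}

# Steps 2 to 13 of the procedure as a DISKPART script, fed to diskpart with /s.
# 'clean' destroys everything on the selected disk, which is why the disk number matters.
$diskpartScript = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
format fs=fat32 quick
active
assign letter=$DriveLetter
exit
"@

$scriptPath = Join-Path $env:TEMP 'usb-osd-diskpart.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Step 14 is done in the SCCM console (Create Task Sequence Media); pause until that is finished.
Write-Host "Create the Task Sequence Media onto ${DriveLetter}: from the SCCM console, then press Enter."
Read-Host | Out-Null

# Steps 15 to 17: flip Unattended=false to Unattended=true in the bootstrap INI.
$ini = "${DriveLetter}:\SMS\Data\TSMBOOTSTRAP.INI"
if (-not (Test-Path $ini)) {
    throw "$ini not found - was the task sequence media created on ${DriveLetter}:?"
}

# -replace works line by line on the array Get-Content returns and is case-insensitive.
$content = Get-Content -Path $ini
$updated = $content -replace '^Unattended\s*=\s*false\s*$', 'Unattended=true'
Set-Content -Path $ini -Value $updated

# Show the resulting line so the change can be confirmed before the stick leaves your hands.
Select-String -Path $ini -Pattern '^Unattended='
```

Save it as a .ps1 and run it as `.\New-OsdUsb.ps1 -DiskNumber 2 -DriveLetter F` if the stick is disk 2; it pauses after DISKPART so the Create Task Sequence Media wizard can be run against the new drive letter before the INI is patched.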



May 10 2010

Encrypting disk via BitLocker on Windows 7 with a USB key

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows 7 (and Vista and Server 2008). On my recent travels, I knew there would be times when I would need to leave my laptop unattended (like in a hotel or baggage dropoff area) and I wanted to ensure that my data would be safe if the laptop was stolen or lost.

The solution – use BitLocker Drive Encryption in conjunction with Windows 7 and a USB key – put simply – if the USB key is not plugged into the laptop, Windows will not start and the entire drive is encrypted. This means that if I need to leave my laptop in a hotel, I can take the USB key with me and know that if my laptop is stolen, although highly inconvenient, my data will be safe and the thief cannot use my laptop.

So how do we do it?

First, ensure that you have either the Enterprise or Ultimate edition of Windows 7 and a USB stick (any size will do; the BitLocker key files are very small). You will also need a BIOS that supports USB devices during bootup – this will be common on any machine that is less than 4 or 5 years old. The USB stick that you use does not need to be dedicated to hosting the BitLocker keys; it can also be used for normal document storage or for ReadyBoost.

Next you need to open the Local Group Policy Editor (gpedit.msc). Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.  Open ‘Require additional authentication at startup’:

Local Group Policy Editor

Set this to ‘Enabled’ and ensure the Options section has ‘Allow BitLocker without a compatible TPM’ ticked:

Require additional authentication at startup

At this point I would recommend you run the ‘gpupdate /force’ command and restart your computer. Once restarted, ensure your USB stick is inserted into the computer, then head to ‘My Computer’. Right-click the system drive you want to encrypt (usually C:) and select ‘Turn on BitLocker’ (alternatively this can be done from the Control Panel):

Select ‘Require a Startup key at every startup’ as shown below:

Select the USB drive that you had previously inserted:

Select the ‘Save the recovery key to a USB flash drive’ option:

It is recommended to run the BitLocker system check on the next page. Your hard drive will now start to encrypt and you can continue working on the computer during this process. It may prompt you to restart and it will give you a progress bar as shown below. The encryption can take up to a few hours, depending on the size of the disk volume. As a rough guide, I would say a 30GB volume takes around 30 minutes.

Once the process is complete, as you can see below, if the USB stick is plugged in, the machine will start successfully. At this point you can remove the USB stick or leave it in and configure it for extra storage or with ReadyBoost as I do.

Successful start with USB stick plugged in

If you attempt to start the machine without the USB stick inserted, you will see the error message below and Windows will not load (just as you want!).

Requesting USB stick to be plugged in

If you look at the new files on your USB stick, you will see 2 files as shown below. These are the ‘key’ files that the system will look for when booting up (actually one is the recovery file, the other is the actual key file). I would highly recommend that you copy these files to another location in case you lose your USB stick. These 2 files can simply be copied like any other files. I would recommend copying these to another USB stick (you can then boot up with either of the sticks plugged in) and saving a copy elsewhere, like your email or give to a friend.
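The same setup done from an elevated PowerShell prompt with the built-in manage-bde command instead of the wizard: the policy change, turning BitLocker on with a startup key, and listing the two key files the post describes. This is an added example, not code from the original post. It assumes Windows 7 Ultimate / Enterprise with no TPM in use, the USB stick mounted at E:\ and the OS volume at C:, that UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are the values the ‘Require additional authentication at startup’ policy writes, and that keeping the recovery password on the same stick as the startup key is acceptable (which is what the wizard’s ‘Save the recovery key to a USB flash drive’ choice above does too).

```powershell
# Added example (not from the original post): enable BitLocker on the OS drive with a
# USB startup key using manage-bde. Assumptions: elevated Windows PowerShell on Windows 7
# Ultimate/Enterprise, no TPM, USB stick at E:\, OS volume C:, registry value names below
# are what the 'Require additional authentication at startup' policy sets.

$UsbDrive = 'E:\'   # assumption: the stick that will hold the startup key (.BEK file)
$OsDrive  = 'C:'    # assumption: the system volume to encrypt

# 1. Policy: allow BitLocker without a compatible TPM (the gpedit setting shown above).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
gpupdate /force | Out-Null

# 2. Sanity checks before touching the volume: stick present, volume not already protected.
if (-not (Test-Path $UsbDrive)) { throw "USB stick $UsbDrive is not present" }
$status = manage-bde -status $OsDrive
if ($status -match 'Fully Encrypted|Encryption in Progress') {
    throw "$OsDrive is already being protected by BitLocker"
}

# 3. Turn BitLocker on with a startup key written to the stick and a numerical recovery
#    password. manage-bde prints the 48-digit password; it is teed into a text file on the
#    stick so the two files match what the wizard produces (startup key + recovery file).
$recoveryFile = Join-Path $UsbDrive 'BitLocker-Recovery-Password.txt'
manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword | Tee-Object -FilePath $recoveryFile
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. List the key material now on the stick. The startup key is a hidden .BEK file, so
#    -Force is needed to see it. Copy both files somewhere safe, as the post recommends.
Get-ChildItem -Path $UsbDrive -Force |
    Where-Object { $_.Extension -eq '.BEK' -or $_.Name -eq 'BitLocker-Recovery-Password.txt' } |
    Select-Object Name, Length, LastWriteTime

# 5. Confirm which protectors are attached and where encryption stands. On an OS drive,
#    encryption starts after the restart that runs the hardware test.
manage-bde -protectors -get $OsDrive
manage-bde -status $OsDrive
```

After the restart, `manage-bde -status C:` is the quickest way to watch the percentage climb, and `manage-bde -protectors -get C:` should show an External Key protector (the USB startup key) and a Numerical Password protector (the recovery password).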

That is it! You can now be comfortable that your system will be encrypted and unusable if it is stolen. The important thing is to keep the USB sticks safe! Always store the USB stick and the laptop separately, otherwise this whole exercise is pointless!!