SMS, OSD and BitLocker (3)

2023-01-31 01:01:31 sms bitlocker osd

Moving the system files and rebooting

So by this time we have two partitions on the disk and the OSD process is running. Any custom tasks you have defined, including installing applications, happen in this stage. Before this stage completes we need to do two things:
  1. move the boot files to the system partition
  2. configure the system to reboot and initialise BitLocker.
The modified BDE script (ZTIBdeOSD.wsf) does not try to start BitLocker; it just moves the boot files across to the BitLocker partition. It then requests a reboot, so you will see errors in the BDD log files saying that OSD has suppressed the reboot. These are expected at this point.
Next we need to reboot from the new partition so BitLocker can be initialised.
As mentioned, I covered the basics of how to force a reboot in an earlier post. I'll outline the process again here, as it has changed a little to accommodate more than just rebooting the system. The OSD part of a ZTI process runs before the system has logged on for the first time, so before we can reboot the system we need to log on. However, once we log on, ZTI has completed and we no longer have the ZTI framework to rely on. Any scripts or files we need therefore have to be copied to the local hard disk so they can be executed after the reboot. We essentially have three phases:
  1. copy scripts locally and prepare for reboot
  2. auto-logon once OSD completes and reboot
  3. carry out post reboot tasks.
The script z-OSDPart1.wsf copies the required files (z-OSDPart2.vbs, z-OSDPart3.vbs and BuildWarning.HTA) locally and configures the auto-logon settings. Once OSD completes, the system logs on automatically and runs z-OSDPart2.vbs, which configures the system to run z-OSDPart3.vbs after the reboot and then initiates the reboot. Because ZTI has completed there is no MININT directory to use, so we copy the required files to C:\OSDTemp; if we copied them to C:\MININT they would be deleted by the ZTI cleanup process.
The screen shot below shows the two tasks as part of a much larger task sequence. As you can see they are placed towards the end of the task sequence.
[Screenshot: the two steps placed towards the end of the task sequence]
The zipped file, link at the end of this post, has a file TS-snippets.txt that contains these two steps that you can cut and paste into your task sequence.


Post Re-Boot

So the system should have rebooted and be running Z-OSDPart3.vbs as the shell. This is quite a simple script that carries out the steps required to initialise encryption of the hard disk. It displays the BuildWarning splash screen, ejects the optical disc (this is required because BitLocker cannot start if a bootable disc is left in the optical drive), then starts BitLocker, removes the auto-logon settings (the auto-logon password sits in the Winlogon registry key in clear text until it is removed, so do not skip this step) and resets the shell back to the normal desktop before rebooting.
We use the manage-bde.wsf script to initialise BitLocker once the system has restarted. For our client there was no requirement for a startup PIN; they just wanted the hard disk encrypted and the recovery password stored in Active Directory. We used a Group Policy to make sure the BitLocker recovery password is backed up to AD, so it is worth checking the computer object in AD for the recovery password before signing off a build. The command line we used in Z-OSDPart3.vbs is given below. It turns on BitLocker on drive C: with a recovery password protector (-RP):
    cscript.exe %windir%\system32\manage-bde.wsf -On c: -RP
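The three phases described earlier (stage the scripts in C:\OSDTemp, auto-logon and reboot, then encrypt and clean up) and the post-reboot steps in this section, written as one PowerShell script that calls itself with a -Phase parameter. This is an added example for this page, not the author's z-OSDPart scripts. It assumes a script name OSDBitLocker.ps1, a throwaway local administrator build account with placeholder credentials, and a build with a TPM and the BitLocker PowerShell module, so the manage-bde.wsf call above becomes Enable-BitLocker. The recovery password is escrowed to AD before encryption starts, and the shell is restored in a finally block so a failure in phase 3 does not leave the machine without a desktop.

```powershell
<#
  OSDBitLocker.ps1 (hypothetical name) - three-phase reboot-and-encrypt flow.
  Phase 1 runs inside the task sequence; phases 2 and 3 run after auto-logon.
#>
param(
    [ValidateSet(1, 2, 3)][int]$Phase = 1,
    [string]$StageDir = 'C:\OSDTemp'       # outside C:\MININT, which ZTI cleanup deletes
)

$ErrorActionPreference = 'Stop'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Self     = Join-Path $StageDir 'OSDBitLocker.ps1'
$PS       = "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"

# Throwaway local administrator used only for the two automatic logons (assumed placeholders).
$BuildUser   = 'osdbuild'
$BuildDomain = $env:COMPUTERNAME
$BuildPass   = 'CHANGE-ME'

function Set-AutoLogon {
    # AutoAdminLogon stores DefaultPassword in CLEAR TEXT in the registry,
    # so this must be a disposable account and phase 3 must remove it.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $BuildUser
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $BuildDomain
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $BuildPass
    # Winlogon decrements this and clears AutoAdminLogon at 0: one logon for phase 2, one for phase 3.
    Set-ItemProperty -Path $Winlogon -Name AutoLogonCount -Value 2 -Type DWord
}

function Clear-AutoLogon {
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0'
    foreach ($v in 'DefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $Winlogon -Name $v -ErrorAction SilentlyContinue
    }
}

function Eject-OpticalDrives {
    # A bootable disc left in the drive stops BitLocker from starting, so eject every optical drive.
    $shell = New-Object -ComObject Shell.Application
    foreach ($cd in Get-CimInstance Win32_CDROMDrive) {
        if ($cd.Drive) { $shell.Namespace(17).ParseName($cd.Drive).InvokeVerb('Eject') }
    }
}

switch ($Phase) {
    1 {
        # Inside the task sequence: stage this script locally and arm the first auto-logon.
        New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
        Copy-Item -Path $PSCommandPath -Destination $Self -Force
        Set-AutoLogon
        Set-ItemProperty -Path $RunOnce -Name 'OSDBitLocker' `
            -Value "`"$PS`" -ExecutionPolicy Bypass -File `"$Self`" -Phase 2"
    }
    2 {
        # First logon: OSD has finished, so make phase 3 the shell and reboot from the new partition.
        Set-ItemProperty -Path $Winlogon -Name Shell `
            -Value "`"$PS`" -ExecutionPolicy Bypass -File `"$Self`" -Phase 3"
        Restart-Computer -Force
    }
    3 {
        # Second logon, running as the shell: encrypt, then always put the desktop back.
        try {
            Eject-OpticalDrives
            # Add the recovery password first and refuse to encrypt unless AD escrow succeeds:
            # an unescrowed recovery password on a freshly built machine is a data-loss trap.
            $rp = (Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
            Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
            # Equivalent of "manage-bde.wsf -On c: -RP": TPM protector, no startup PIN.
            Enable-BitLocker -MountPoint 'C:' -TpmProtector -SkipHardwareTest
        }
        finally {
            Clear-AutoLogon
            Set-ItemProperty -Path $Winlogon -Name Shell -Value 'explorer.exe'
            # The staged copy carries the build credential, so remove it as well.
            Remove-Item -Path $StageDir -Recurse -Force -ErrorAction SilentlyContinue
        }
        Restart-Computer -Force
    }
}
```

Phase 1 is the only step placed in the task sequence (run as `powershell.exe -ExecutionPolicy Bypass -File OSDBitLocker.ps1 -Phase 1`); phases 2 and 3 are reached through RunOnce and the Winlogon Shell value exactly as the z-OSDPart2/z-OSDPart3 pair is on this page. Backup-BitLockerKeyProtector throwing under $ErrorActionPreference = 'Stop' is what prevents Enable-BitLocker from running when the AD escrow fails.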
So now you should have a system that has been built using OSD and is BitLockered. Simple, wasn't it! ;-)
