
SMS, OSD and BitLocker (1)

2008-07-07 21:26
Original article: http://blogs.technet.com/deploymentguys/archive/2008/07/07/sms-osd-and-bitlocker.aspx

In this post I am going to talk about a BitLocker solution that myself, Richard Smith and others from Avanade/Accenture - Chris Bird, Jonathan Goulding, Chris Urwin and Steven Westwell - put together for a customer. I should point out that enabling and applying BitLocker via OSD on SMS 2003 SP3 is not supported. So think carefully before implementing this in your environment.

First I want to quickly review the process of applying BitLocker via LiteTouch. There are three stages to this:

Create a partition for the system files
Move the boot files to the new system partition and mark that partition as active
Boot from the new partition and initialise BitLocker encryption

So what are the problems with doing this process under OSD?

OSD only supports a single partition
The disk partition script needs a location to write the diskpart answer file to
We cannot reboot in the middle of the OSD/ZeroTouch task sequence

Taking these one by one we can break the problem down a bit more and start to deliver solutions.

OSD and Multiple Partitions

The script that is used by LiteTouch to create multiple partitions requires a location to write the diskpart.txt file to. LiteTouch uses WinPE 2.x, which has a built-in RAM drive, so this is no problem there. Under OSD we use a 'legacy' version of WinPE which does not. We could write the diskpart answer file to the hard disk, but it would be lost the moment diskpart used it to wipe that same disk, so that is no good. Really there are only two options open to us:
a) write the file to a network location
b) hard-code the partition sizes
If using the latter option you have some challenges around coping with changes in disk size. You could create the 2 GB BitLocker partition first and then create the OS partition in the remaining space; you just have to be careful that Windows Vista does not try to install itself into the 2 GB BitLocker partition, as it will be seen as the first installable partition and Windows Vista will not fit into a partition of that size.
In our solution we chose option a. The main reason for doing this was that we were also having to support an OEM solution in the same image/task sequence.
The OEM solution can only cope with one partition on the hard disk when it boots up, which meant we could not pre-create the BitLocker partition. So now we have to write the diskpart answer file to a network location, but where? In a large organisation spread around the globe you do not really want all 100,000 systems writing their answer file back to a single server somewhere. Luckily there is a server in OSD that is always close to the client system, or should be anyway: the SMS distribution point (DP) server. We used the DP server to store the additional scripts, drivers and other files used by the solution (resourceroot=\\%SMSDP%\BDDResource$ - you have to create this package yourself, and make sure you specify a fixed share name so it can be accessed the same way on all DPs). It was easy to create a sub-directory in our SMS package that was writeable by the SMS account to host the answer file. Each answer file is given the name of the computer that will use it, ensuring uniqueness, and since we do not want to clog this directory up over time we delete the answer file once it has been used.
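The following is an added example, not the Deployment Guys' script, of how the answer-file part of option (a) above can be put together: a generator that sizes the OS partition from the real disk size instead of hard-coding it, writes the resulting diskpart script to a per-computer file under a writeable sub-directory of the DP package, and deletes the file after it has been consumed. The `DiskPart` sub-directory name, the 2048 MB system partition, the 15 GB floor for the OS partition and the demo computer name and disk size are all assumptions for illustration. It keeps the OS partition first so that Windows Vista setup sees the large partition as the first installable one, which is the failure mode the text warns about for option (b).

```python
"""Per-computer diskpart answer files for an OS + BitLocker system partition
layout.  Added example; not the script from the original post.  The
sub-directory name, partition sizes and demo values are assumptions."""
import os
import re
import tempfile

# Assumed: the 2 GB system partition mentioned in the post, and a floor for
# the OS partition so the first partition is always one Vista can install into.
SYSTEM_PARTITION_MB = 2048
MIN_OS_PARTITION_MB = 15360  # 15 GB, assumption

# Computer names come from the client; only accept NetBIOS-style names so a
# crafted value cannot escape the answer-file directory on the share.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")


def build_diskpart_script(disk_mb, system_mb=SYSTEM_PARTITION_MB,
                          min_os_mb=MIN_OS_PARTITION_MB, disk=0):
    """Return the text of a diskpart answer file for one disk.

    The OS partition is created first and sized from the actual disk size,
    so it is the first installable partition; the system partition takes the
    remainder.  Formatting is deliberately left to a separate step because
    the legacy WinPE diskpart has no 'format' command.
    """
    os_mb = disk_mb - system_mb
    if os_mb < min_os_mb:
        raise ValueError(
            f"disk of {disk_mb} MB leaves only {os_mb} MB for the OS partition")
    lines = [
        f"select disk {disk}",
        "clean",
        f"create partition primary size={os_mb}",
        "assign letter=C",
        "active",                    # OS partition boots until the boot files
                                     # are moved to the system partition
        "create partition primary",  # remaining space: BitLocker system partition
        "assign letter=S",
        "exit",
    ]
    return "\n".join(lines) + "\n"


def answer_file_path(resource_root, computer_name):
    """Unique, per-computer file under the writeable DiskPart sub-directory
    (e.g. \\\\%SMSDP%\\BDDResource$\\DiskPart\\PC001.txt, name assumed)."""
    if not _NAME_RE.match(computer_name):
        raise ValueError(f"bad computer name: {computer_name!r}")
    return os.path.join(resource_root, "DiskPart", computer_name.upper() + ".txt")


def write_answer_file(resource_root, computer_name, disk_mb, **sizes):
    """Write the answer file for this computer and return its path."""
    path = answer_file_path(resource_root, computer_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", newline="\r\n") as f:  # CRLF for 'diskpart /s'
        f.write(build_diskpart_script(disk_mb, **sizes))
    return path


def consume_answer_file(path):
    """Read the script (what 'diskpart /s <path>' would execute) and delete
    the file afterwards so the share does not fill up over time."""
    with open(path) as f:
        script = f.read()
    os.remove(path)
    return script


def demo(share_root=None):
    """Round trip against a scratch directory standing in for the DP share.
    Returns (file name, whether the file still exists, script text)."""
    share_root = share_root or tempfile.mkdtemp(prefix="BDDResource_")
    path = write_answer_file(share_root, "PC001", disk_mb=81920)  # assumed 80 GB disk
    script = consume_answer_file(path)
    return os.path.basename(path), os.path.exists(path), script


if __name__ == "__main__":
    name, still_there, script = demo()
    print(name, "deleted after use:", not still_there)
    print(script)
```

The generator raises rather than silently producing a layout where the OS partition would be too small, which is the case a hard-coded size would get wrong on a smaller disk; the per-computer name check is what stops a client-controlled value from writing outside the answer-file directory on the share.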
So now we can create multiple partitions and define their sizes from values in the backend database. What's the next problem?
Tags: BDD SMS OSD