Finally, a management tool for Bitlocker

I first deployed Bitlocker and AD integration with Windows 7 Enterprise back before it was publicly released (that gap between when it gets released to Volume Licence customers, but not to the public). It wasn’t easy, and I had to use some interesting hacks and self-discovered kludges gleaned from old Vista documentation, as the Win 7 documentation hadn’t been released by Microsoft at the time. I had meant to document and release it as a quick-fix blog entry, but the time passed and everything can be done properly now.

Since deployment, Bitlocker has been fantastic. The only issue we’ve had with Bitlocker since we deployed it is that of ensuring that end-users don’t suspend it or disable it, and that we most definitely have a good backup of the recovery key.

Effectively, without a management tool, you fly a bit blind until a problem comes up, or a Bitlockered laptop ends up in your lap with it disabled. Ignorance shouldn’t be bliss when it comes to full disk encryption and protecting your company’s data.

The AD backup of keys is a particular pain, as we’ve found that sometimes, Bitlocker just forgets to back itself up to AD when it’s enabled. To mitigate this, we’ve just instructed Bitlocker to also copy the key to a secure fileshare when it’s enabled during the MDT task, as well as backing it up to AD.

Fortunately, Microsoft have started to build a Bitlocker management tool called Microsoft Bitlocker Administration and Management. You can read more about it on the Windows Team Blog.

It’s still in Beta, but I’m looking forward to trying this out!
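Until a proper management tool is in place, the two checks above (is protection actually on, and is the recovery key really backed up) can be scripted into the deployment task. The script below is an added example, not code from the original post or from MBAM: it uses manage-bde.exe, which ships with Windows 7, and assumes an English-language OS (the output it parses is localised), a drive letter of C:, and a hypothetical file share path.

```powershell
# Added example, not from the original post. Runs after BitLocker is enabled on
# the OS drive: refuses to continue unless protection is on, forces every
# recovery password into AD, and writes a second copy to a restricted share.
# Assumptions: manage-bde.exe (Windows 7), English-language output, and the
# share path below, which is a placeholder.
param(
    [string]$Drive     = 'C:',
    [string]$SharePath = '\\FILESERVER\BitLockerKeys$'   # assumed; see note on ACLs
)

# 1. Protection must be on, not suspended or off, or nothing below is worth doing.
$statusText = (& manage-bde.exe -status $Drive) -join "`n"
if ($statusText -notmatch 'Protection Status:\s+Protection On') {
    Write-Error "BitLocker protection is not on for $Drive"
    exit 1
}

# 2. Pull out each numerical password protector: manage-bde prints the ID line,
#    then a 'Password:' line, then the 48-digit recovery password.
$protectorText = (& manage-bde.exe -protectors -get $Drive) -join "`n"
$pattern = 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})\s*Password:\s*([0-9]{6}(?:-[0-9]{6}){7})'
$found = [regex]::Matches($protectorText, $pattern)
if ($found.Count -eq 0) {
    Write-Error "No numerical password protector found on $Drive"
    exit 1
}

foreach ($m in $found) {
    $id               = $m.Groups[1].Value
    $recoveryPassword = $m.Groups[2].Value

    # 3. Push this protector to AD explicitly rather than trusting the automatic
    #    backup that sometimes never happens.
    & manage-bde.exe -protectors -adbackup $Drive -id $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "AD backup returned exit code $LASTEXITCODE for $id; relying on the share copy"
    }

    # 4. Second copy on the share, named by computer and key ID so the helpdesk can
    #    find it from the ID shown on the recovery screen.
    $file = Join-Path $SharePath ("{0}_{1}.txt" -f $env:COMPUTERNAME, $id.Trim('{}'))
    @(
        "Computer:  $env:COMPUTERNAME"
        "Drive:     $Drive"
        "Key ID:    $id"
        "Password:  $recoveryPassword"
        "Backed up: $(Get-Date -Format o)"
    ) | Set-Content -Path $file -Encoding ASCII
}
```

The share is a second copy of every recovery key in the estate, so it needs the same care as the AD attribute: grant the deployment account create-only rights on the folder, and keep read access to the people who actually do recoveries.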

Upgrading the SQL Server on a BlackBerry Enterprise Server when installing BES for Exchange 5.0 SP3

Bit of a long-winded title, but this article will attempt to cover the steps you need to take in order to go from a standalone BES server with the MSDE database to a supported SQL Server Express database, so that you can install BES for Exchange 5.0.3 (or 5.0 SP3). This is a quick and dirty post, so please excuse any typos!

Our situation was this:

  • BES 5.0.2 installed using the default MSDE database (we have less than 100 BES users, so this isn’t a problem).
  • When trying to install BES 5.0.3 upgrade, it failed, saying you need to upgrade the version of SQL you’re running before SP3 can be installed.

Here’s what you need to do in very basic terms:

  • Install a “New Installation” of SQL 2008 R2 Express with the management tools on to the BES Server (don’t try and do the upgrade like I did; it doesn’t do anything to MSDE ;))
  • Completely stop and disable all BlackBerry services under Administration Tools > Services
  • Open up the SQL Management Studio, connect to the existing MSDE instance, and perform a Full backup of the BESMgmt database to a file location.
  • Now, still in SQL Management Studio, connect to the new database server instance (should be servername\sqlexpress) and perform a restore of the database you just backed up.
  • Open up the SQL Server Configuration Manager:
    • Navigate to: SQL Server Network Configuration > Protocols for SQLEXPRESS
    • Enable TCP/IP
    • You may need to restart the SQL Service at this point.
  • Re-enable (but do not start) the BlackBerry services you stopped and disabled earlier.
  • Run the 5.0 SP3 installer, and point it at the new database instance. If you were using MSDE, you’ll need to change the connection port from the default to “Dynamic”.

Bootnotes:

When we first tried it, the installer threw an error at the last install step (after upgrading the DB). For whatever reason, rebooting and trying again fixed the issue and SP3 installed successfully.

In case you’re wondering, the reason for the full backup/restore step is because SQL express management tools wouldn’t let us move or copy the database. You may have better luck, however 🙂

Also note that, according to RIM’s compatibility matrix, SQL Express 2008 R2 isn’t supported for BES 5.0.3. You may wish to download and install SQL Express 2008 SP2 instead.
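The same sequence (stop the BlackBerry services, back up, restore, enable TCP/IP, put the services back) can be driven from PowerShell so each step is checked before the SP3 installer runs. This is an added example, not from the original post or from RIM. It assumes sqlcmd.exe from the SQL 2008 R2 management tools is on the PATH, that MSDE is the default instance on the BES box, that the new instance is named SQLEXPRESS, that the logical file names inside the backup are BESMgmt and BESMgmt_log (confirm with RESTORE FILELISTONLY if the restore complains), and that the backup and data folders below exist; all of those are assumptions.

```powershell
# Added example, not from the original post: MSDE -> SQL 2008 R2 Express move as
# a script. Every path, instance name and logical file name below is an assumption.
param(
    [string]$OldInstance = '.',                 # assumed: MSDE is the default instance
    [string]$NewInstance = '.\SQLEXPRESS',      # assumed: new SQL Express instance
    [string]$Database    = 'BESMgmt',
    [string]$BackupFile  = 'C:\BESBackup\BESMgmt.bak',                                       # assumed
    [string]$NewDataDir  = 'C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA', # assumed
    [string]$DataLogical = 'BESMgmt',           # assumed logical data file name
    [string]$LogLogical  = 'BESMgmt_log'        # assumed logical log file name
)

function Invoke-Sql([string]$Instance, [string]$Query) {
    # -E = Windows authentication, -b = non-zero exit code on any T-SQL error
    & sqlcmd.exe -S $Instance -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on $Instance : $Query" }
}

# 1. Stop and disable every BlackBerry service so nothing writes to BESMgmt mid-copy,
#    remembering each service's start mode (Auto/Manual/Disabled) to restore later.
$startMode = @{}
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'BlackBerry%'" | ForEach-Object {
    $startMode[$_.Name] = $_.StartMode
    Stop-Service -Name $_.Name -Force
    Set-Service  -Name $_.Name -StartupType Disabled
}

# 2. Full backup from MSDE, then prove the file is readable by the new instance
#    before anything else happens. (MSDE is SQL 2000-based, so no WITH CHECKSUM.)
Invoke-Sql $OldInstance "BACKUP DATABASE [$Database] TO DISK = N'$BackupFile' WITH INIT"
Invoke-Sql $NewInstance "RESTORE VERIFYONLY FROM DISK = N'$BackupFile'"

# 3. Restore into SQLEXPRESS. WITH MOVE is required: the MSDE instance still owns
#    the original .mdf/.ldf paths, so the files must land in the new data directory.
$restore = "RESTORE DATABASE [$Database] FROM DISK = N'$BackupFile' " +
           "WITH MOVE N'$DataLogical' TO N'$NewDataDir\$Database.mdf', " +
           "MOVE N'$LogLogical' TO N'$NewDataDir\${Database}_log.ldf', RECOVERY"
Invoke-Sql $NewInstance $restore
Invoke-Sql $NewInstance "SELECT name, state_desc FROM sys.databases WHERE name = N'$Database'"

# 4. Enable TCP/IP on the new instance through the SQL WMI provider (the same thing
#    the Configuration Manager GUI does) and restart the instance so it takes effect.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $mc.ServerInstances['SQLEXPRESS'].ServerProtocols['Tcp']
if (-not $tcp.IsEnabled) { $tcp.IsEnabled = $true; $tcp.Alter() }
Restart-Service -Name 'MSSQL$SQLEXPRESS' -Force

# 5. Put the BlackBerry services back to their original start mode but leave them
#    stopped: the SP3 installer starts them once it has been pointed at SQLEXPRESS.
foreach ($name in $startMode.Keys) {
    $mode = switch ($startMode[$name]) { 'Auto' { 'Automatic' } 'Manual' { 'Manual' } default { 'Disabled' } }
    Set-Service -Name $name -StartupType $mode
}
```

Run it from an elevated PowerShell prompt on the BES server as an account that is sysadmin on both instances. Keeping the MSDE instance untouched until SP3 has installed cleanly means the fallback is just re-enabling the services and pointing BES back at the old instance.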

MDT 2010, IE9, offlineServicing error

Came across this the other day and didn’t see anything come up in a Google search so figured I’d blog it.

If you’ve recently added Internet Explorer 9 (IE9) to your MDT deployment, and you’re getting an offlineServicing error when deploying an OS, you may want to check this out.

The problem seems to occur when:

  • You’re running Microsoft Deployment Toolkit 2010
  • You’re deploying Windows 7 with SP1 integrated
  • You’ve added IE9 in .cab format to the deployment via Packages
  • When deploying an OS, you get a fatal error saying: “Windows could not apply unattend settings during pass [offlineServicing]”

To fix the problem, I removed the IE9 .cab from Packages and instead integrated it into the install.wim image, using these instructions: Windows 7 – Add or Remove Packages Offline

I will attempt to write up proper instructions when I can, but the above link should provide you with enough information to work it out 🙂
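For anyone who wants the offline integration step now, the script below is an added example (not from the original post or the linked article) of doing it with the Windows 7 DISM from the WAIK: mount the image index you deploy, add the .cab, check it is listed, and commit. The WIM path, image index, mount folder and .cab path are all assumptions; check the index with `dism /Get-WimInfo /WimFile:<path>` first.

```powershell
# Added example, not from the original post: integrate the IE9 .cab into
# install.wim offline with DISM instead of delivering it as an MDT Package.
# All paths and the image index are assumptions. Run from an elevated prompt
# (WAIK Deployment Tools Command Prompt or a shell where dism.exe is on PATH).
param(
    [string]$Wim      = 'D:\DeploymentShare\Operating Systems\Win7SP1x64\sources\install.wim', # assumed
    [int]   $Index    = 1,                          # assumed: the edition you actually deploy
    [string]$MountDir = 'C:\Mount',                 # assumed; must be empty
    [string]$Package  = 'D:\Packages\IE9-Win7.cab'  # assumed
)

if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

function Invoke-Dism([string[]]$DismArgs) {
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism $($DismArgs[0]) failed with exit code $LASTEXITCODE" }
}

try {
    # Mount read/write, add the package, confirm it is present, then commit.
    Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir")
    Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$Package")
    $listed = & dism.exe "/Image:$MountDir" /Get-Packages | Select-String -Pattern 'InternetExplorer'
    if (-not $listed) { throw 'IE package not listed after /Add-Package' }
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    # Never leave a half-modified image mounted: discard and re-throw.
    Write-Error $_
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    throw
}
```

Take a copy of install.wim before running this; a committed unmount is the only point at which the image changes, and the /Discard in the catch block is what keeps a failed /Add-Package from corrupting the deployment share's image.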