I know I’m not alone in the misery of getting this less-than-perfect script to work during OSD. After a good couple of weeks of on-off testing I can finally say I got my desired result, and it most certainly deserved a post.
GOAL:
Encrypt used space only with XTSAES256 encryption and escrow keys in MBAM database during SCCM OSD task sequence. I also need a PIN to be requested automatically at first logon.
I’m not going to detail the ins and outs of what I tried because this post would be far longer than necessary, so I’ll concentrate on the steps that finally got it working for me. Don’t get me wrong, this is a buggy script that should really have been updated by Microsoft by now. Error code 1 is an extremely common problem and can occur for any number of reasons.
I would suggest you create an MBAM section in the task sequence, filtering on laptops or whatever criteria you require and add the steps below to this section.
High Level:
- DISABLE ALL BITLOCKER PRE-PROVISION STEPS
- DISABLE ROOT CERTIFICATE UPDATE
- STOP THE MBAM SERVICE
- ADD ENCRYPTIONMETHOD
- ADD OSENCRYPTIONTYPE
- ADD ENCRYPTIONMETHODWITHXTSOS
- ADD ENACTONFIRSTLOGINREQUIRED
- REMOVE STARTUP DELAY
- START MBAM SERVICE
- FORCE USER TO SELECT A NEW PIN ON FIRST LOGIN
- RUN INVOKE-MBAMCLIENTDEPLOYMENT.PS1 SCRIPT
- RE-ENABLE ROOT CERTIFICATE UPDATE
1. DISABLE ALL BITLOCKER PRE-PROVISION STEPS
Contrary to what I have read elsewhere, the pre-provision step in the task sequence isn’t necessary. In fact, its inclusion will cause error code 1. These steps should be disabled.
2. DISABLE ROOT CERTIFICATE UPDATE
This is a strange one but I have had trouble getting the Invoke-MbamClientDeployment.ps1 to run properly without first disabling the certificate update mechanism in Windows. Trust me, just do it, reboot, run the rest of the steps and make sure you remember to re-enable afterwards.
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot /v DisableRootAutoUpdate /t REG_DWORD /d 1 /f
3. STOP THE MBAM SERVICE
The assumption is that you have installed the MBAM 2.5 SP1 client with the August 2017 hotfix by this stage so there will be an MBAM Agent service running on the machine.
Net stop mbamagent
4. ENCRYPTIONMETHOD
Now I am recreating what worked for me here and despite my requirement for XTSAES256 the below setting seems to work fine for this in my task sequence. However evidence elsewhere suggests the DWORD value should be 7. Feel free to test in your own environment though and let me know how you get on.
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f
5. ADD OSENCRYPTIONTYPE
We want used space only as this is quickest. See here for other values. Be careful though – if you want the PIN prompt to appear at first logon the disk has to be ‘fully encrypted’, ie with used space only OR full disk. If the disk is still encrypting when the user logs on, they won’t be prompted for the PIN.
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 2 /f
6. ADD ENCRYPTIONMETHODWITHXTSOS
This is where * I believe * stage 3 gets overwritten (tbc). Essentially this will set the OS encryption to XTSAES256.
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f
7. ADD ENACTONFIRSTLOGINREQUIRED
Call the MBAMClientUI on first login. Technically this shouldn't be needed as I have a step further down which will call this anyway but no harm in adding.
REG ADD HKLM\Software\Microsoft\MBAM /v EnactOnFirstLoginRequired /t REG_DWORD /d 1 /f
8. REMOVE STARTUP DELAY
Force MBAM client to wake up within a minute.
REG ADD HKLM\Software\Microsoft\MBAM /v NoStartupDelay /t REG_DWORD /d 1 /f
9. RE-START MBAM SERVICE
Net start mbamagent
10. FORCE USER TO SELECT A NEW PIN ON FIRST LOGIN
This adds a setting to the default user so that every NEW user that logs onto the machine gets prompted for a new MBAM PIN for startup. Note, this will only fire if the disk is fully encrypted to type, ie used space only or full disk. Since we’re aiming for used space only here, disk encryption is pretty quick but it still needs to complete before the prompt will appear. If you log on before encryption is complete then the automatic prompt won’t appear and you will instead need to rely on GPO.
powershell.exe -ExecutionPolicy Bypass -command "reg load HKLM\DefaultUser C:\Users\Default\NTUSER.DAT; New-ItemProperty -Path 'HKLM:\Defaultuser\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name PromptForPIN -Value '""C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe"""' -Type String; reg unload HKLM\DefaultUser"
11. RUN INVOKE-MBAMCLIENTDEPLOYMENT.PS1 SCRIPT
The script itself. Note the encryption method, Unspecified. Because we have specified the encryption method earlier, the XTSAES256 encryption is automatically derived from that. Strangely, I couldn’t get this script to work unless I used this parameter and manually set the reg entry. Also note, I am running the script from the local installation of the MBAM client. This ensures that I am running the script that is aligned to that version of the client, ie it should contain any updates provided by any client upgrades you’ve applied, eg August 2017 update.
powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Microsoft\MDOP MBAM\Invoke-MbamClientDeployment.ps1" https://MBAMSERVER.local/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptionMethod UNSPECIFIED
12. RE-ENABLE ROOT CERTIFICATE UPDATE
Don’t forget to re-enable this otherwise you’ll end up with all sorts of certificate errors when trying to reach HTTPS sites.
That’s it. One would assume much of this legwork should automatically be taken care of by the script itself but unfortunately that doesn’t appear to be the case. Don’t forget, you will also need to make sure that no MBAM policies are in place when the script runs. This isn’t a problem with SCCM as GPOs will be suppressed but if you’re using native MDT this can be an issue.
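A post-deployment check for the steps above, as an added example that is not part of the original post: it confirms the policy values from steps 5 and 6 landed, that the OS volume really is XTS-AES 256 and finished encrypting (the condition for the first-logon PIN prompt), and that the root certificate update from step 2 was re-enabled. It assumes an elevated session, C: as the OS volume and the built-in BitLocker PowerShell module; it does not prove the key was escrowed, which still has to be confirmed on the MBAM server side.

```powershell
# Added verification example, not from the original post.
# Assumptions: elevated session, C: is the OS volume, BitLocker module present.
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$vol        = Get-BitLockerVolume -MountPoint 'C:'
$protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

$checks = [ordered]@{
    # Step 5: used space only
    'Policy OSEncryptionType = 2'          = (Get-RegValue $fve 'OSEncryptionType') -eq 2
    # Step 6: XTS-AES 256 for the OS drive
    'Policy EncryptionMethodWithXtsOs = 7' = (Get-RegValue $fve 'EncryptionMethodWithXtsOs') -eq 7
    # What the volume actually ended up with
    'Volume encryption method XtsAes256'   = "$($vol.EncryptionMethod)" -eq 'XtsAes256'
    # The first-logon PIN prompt only fires once encryption has completed
    'Encryption complete (100%)'           = $vol.EncryptionPercentage -eq 100
    'Protection status On'                 = "$($vol.ProtectionStatus)" -eq 'On'
    # A recovery password protector must exist for there to be a key to escrow
    'Recovery password protector present'  = $protectors -contains 'RecoveryPassword'
    # Step 12: value removed or set back to 0
    'Root certificate auto-update enabled' = (Get-RegValue $root 'DisableRootAutoUpdate') -ne 1
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0}  {1}' -f $state, $c.Key
}
"Volume status reported by BitLocker: $($vol.VolumeStatus)"

# A non-zero exit code marks the step as failed when run as a script file
exit $failed
```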
Hopefully this will save some of you a few hours (more likely days) of frustration!
Simon
Very interesting article. I also had trouble getting this PS script to work for Windows 10, and I’m still having issues getting it to work for some old legacy Windows 7 laptops (don’t ask..)
However my solution was slightly different and did allow for pre-provisioning.
So in simple terms in relative task sequence location
Initialise
…
UDI Wizard
…
Set BDEInstall to TPM
Set BDEInstallSuppress to No
Set BDEWaitForEncryption to Yes
Clear the TPM
Pre-Provision Bitlocker
Prompt for Bitlocker PIN to save in variable strBLPin (to apply later)
Apply OS
Persist TPM Owner authorisation using “cscript.exe “SaveWinPETpmOwnerAuth.wsf”
…
Then in the Bitlocker section towards the end of the TS
Set EnableBDEWithNoTPM to 0
Set UseAdvancedStartup to 1
Enable Bitlocker (standard TS Step – TPM Only, No Recovery Key)
Install MBAM 2.5SP1
Configure Bitlocker for MBAM using “Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://xxxxxxxx/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptionMethod UNSPECIFIED
Add Bitlocker PIN using “manage-bde.exe -protectors -add c: -tp %strBLPin%
and that works every time for Windows 10 from v1607, v1703 and v1709.
Hope that helps and happy to discuss further if you like
Can you show your Task Sequence pls if you don’t mind?
I can’t post pictures here it seems, but what would you like to know?
How do I re-enable the certificate (the last step)?
Hi Tod, you can re-enable the certificate by running:
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot /v DisableRootAutoUpdate /t REG_DWORD /d 0 /f
or simply by deleting this key.
Thanks