I know I’m not alone in the misery of getting this less-than-perfect script to work during OSD and after a good couple of weeks of on-off testing I can finally say I got my desired result and it most certainly deserved a post. Please note, you may need to click on the pictures to see them fully.

GOAL:

Fully encrypt disk with XTSAES256 encryption and escrow keys in MBAM/SCCM database during SCCM OSD task sequence. I also need a PIN to be requested automatically at first logon, with NO POSTPONE available to the user.

I’m not going to detail the ins and outs of what I tried because this post will be far longer than necessary so I’ll concentrate on the steps that finally got it working for me. Don’t get me wrong, this is a buggy script that should really have been updated by Microsoft by now.  Error code 1 is an extremely common problem and can result for any number of reasons.
I originally published similar steps at the  a few years ago and they were the steps I needed at the time to get it working  in that particular environment. The following steps are updated and can be used with ConfigMgr. They will probably work with the old MBAM too as the port to SCCM really is a lift and shift.

High Level:

1. Pre-provision bitlocker (if required)
2. Install The MBAM Client
3. Stop the MBAM Service
4. EncryptionMethodWithXtsOs
5. Remove Startup Delay
6. Start MBAM Service
7. Force User To Select A New Pin On First Logon
8. Run Invoke-MBAMClientDeployment Script
9. GPO Settings

1. Pre-provision bitlocker (if required)

Set this early on just after formatting the disk. If you want full disk encryption, you can leave this step out completely. Be aware , full disk encryption will add the best part of 30m on a build with a 240GB laptop SSD.

2. Install the MBAM Client.

Just because ConfigMgr is now the vessel through which MBAM/Bitlocker is deployed, nothing has really changed. The installation binaries are simply copied down locally when the ConfigMgr client is installed. So not built into the client as you might have expected. Create an MBAM section (because it is still being referred to as such) at the end of your task sequence and as a first step create a RUN COMMAND LINE action:

Command line:

MSIExec.exe /i MBAMClient.msi /qn

Start in:

C:\Windows\CCM

3. Stop the MBAM Service

Another RUN COMMAND LINE action:

net stop mbamagent

4.EncryptionMethodWithXtsOs

Set EncryptionMethod – technically this should be achieved by adding the method as a parameter in the InvokeMBAMClientDeployment.ps1 Script. However I have found this to be somewhat inconsistent depending on the model of computer you’re trying to deploy. Instead, set it here and add UNSPECIFIED as the script parameter. This will set up the disk for XTS-AES256 (see here for other values). Note, use this instead of EncryptionMethod setting for any Win10 OS 1511 and newer (which should be all by now).

Another RUN COMMAND LINE action:

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f

5.Remove Startup Delay

We want to minimise startup delay for the MBAM client service- let’s change it to 1 minute.  Depending on the size of your environment you may wish to extend this. See here for official info on this setting. Without this set, there will be a random delay of up to 90m. There are other settings in this link you may wish to add for the purpose of testing in a lab environment.

Another RUN COMMAND LINE action:

REG ADD HKLM\Software\Microsoft\MBAM /v NoStartupDelay /t REG_DWORD /d 1 /f

6.Start the MBAM Service

Another RUN COMMAND LINE action:

net start mbamagent

7.Force User To Select New PIN at First Logon

By default, the PIN screen will appear in the first 90m after logging in. This can be changed via GPO (see further down). In my experience, admins often want this to happen when users log on. If this is you then you’ll need to update the default user profile.  This will force users to enter a PIN right away.

Note, for this to fire, you must have a fully-active ConfigMgr client and (if you want to avoid the postpone option) the machine must be in receipt of the policy below (9).

Another RUN COMMAND LINE action:

powershell.exe -ExecutionPolicy Bypass -command "reg load HKLM\DefaultUser C:\Users\Default\NTUSER.DAT; new-item -path HKLM:\Defaultuser\Software\Microsoft\Windows\CurrentVersion\RunOnce; New-ItemProperty -force -Path 'HKLM:\Defaultuser\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name PromptForPIN -Value '""C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe"""' -Type String; [gc]::collect(); Start-Sleep -Seconds 2; reg unload HKLM\DefaultUser"

8.Run InvokeMBAMClientDeployment.ps1 Script

This is where much of the magic happens, when you can get it to work properly.

There are a couple of steps you need to do for this. First, download the script from the MSFT site. Second, create a ConfigMgr (legacy) package with no program containing the script above, and distribute contents.

This time, add a RUN POWERSHELL SCRIPT action:

NAME: Run Invoke-MbamClientDeployment Script

PACKAGE: <Script Package>

SCRIPTNAME: InvokeMBAMClientDeployment.ps1

PARAMETERS:

-RecoveryServiceEndpoint "https://<SiteServerFQDN>/SMS_MP_MBAM/CoreService.svc" -EncryptionMethod UNSPECIFIED -EncryptAndEscrowDataVolume -IgnoreEscrowOwnerAuthFailure -IgnoreReportStatusFailure -WaitForEncryptionToComplete

PS EXECUTION POLICY : Bypass

Finally add an extra step to restart the computer.

The above will get you as far as MBAMClientUI.exe requesting you either postpone or enter a PIN. But we don’t want the postpone option do we?

To go straight to the enter PIN screen, you’ll need to EITHER configure the GPOs below OR set a compliance policy in MEMCM:

Note, non-compliance grace period needs to be set to 0 days. Obviously, you must make sure your targeted machines are in a collection with the Bitlocker policy applied.

Create a GPO, add the settings below and make sure it applies to your machine. One other issue I noticed – at one point my ConfigMgr client wasn’t fully up and running when I logged in and when this was the case, the MBAMClientUI didn’t fire. Be sure you have a fully up and running client before logging in. It’s worth giving it a little while to download policies, etc.

9.GPO SETTINGS

That’s it. One would assume much of this legwork should automatically be taken care of by the script itself but unfortunately that doesn’t appear to be the case. Don’t forget, you will also need to make sure that no MBAM policies are in place when the script runs. This isn’t a problem with SCCM as GPOs will be suppressed but if you’re using native MDT this can be an issue.

Simon