Tag Archives: SCCM

Error Code 1 – Using Invoke-MbamClientDeployment.ps1 in SCCM OSD (and remove postpone from mbamclientui when selecting pin)

I know I’m not alone in the misery of getting this less-than-perfect script to work during OSD, and after a good couple of weeks of on-off testing I can finally say I got my desired result. It most certainly deserved a post.

GOAL:

Fully encrypt disk with XTSAES256 encryption and escrow keys in MBAM/SCCM database during SCCM OSD task sequence. I also need a PIN to be requested automatically at first logon, with NO POSTPONE available to the user.

I’m not going to detail the ins and outs of everything I tried, because this post would be far longer than necessary, so I’ll concentrate on the steps that finally got it working for me. Don’t get me wrong, this is a buggy script that should really have been updated by Microsoft by now. Error code 1 is an extremely common problem and can result from any number of reasons.
I originally published similar steps at the  a few years ago, and they were the steps I needed at the time to get it working in that particular environment. The following steps are updated and can be used with ConfigMgr. They will probably work with the old MBAM too, as the port to SCCM really is a lift and shift.

High Level:

  1. Pre-provision bitlocker (if required)
  2. Install The MBAM Client
  3. Stop the MBAM Service
  4. EncryptionMethodWithXtsOs
  5. Remove Startup Delay
  6. Start MBAM Service
  7. Force User To Select A New Pin On First Logon
  8. Run Invoke-MBAMClientDeployment Script
  9. GPO Settings

1. Pre-provision bitlocker (if required)

Set this early on, just after formatting the disk. If you want full disk encryption, you can leave this step out completely. Be aware, full disk encryption will add the best part of 30 minutes to a build with a 240GB laptop SSD.

2. Install the MBAM Client.

Just because ConfigMgr is now the vessel through which MBAM/BitLocker is deployed, nothing has really changed. The installation binaries are simply copied down locally when the ConfigMgr client is installed; they are not built into the client as you might have expected. Create an MBAM section (because it is still being referred to as such) at the end of your task sequence and, as a first step, create a RUN COMMAND LINE action:

Command line:

MSIExec.exe /i MBAMClient.msi /qn

Start in:

C:\Windows\CCM

3. Stop the MBAM Service

Another RUN COMMAND LINE action:

net stop mbamagent

4. EncryptionMethodWithXtsOs

Set the encryption method here. Technically this should be achieved by passing the method as a parameter to the Invoke-MbamClientDeployment.ps1 script; however, I have found this to be somewhat inconsistent depending on the model of computer you’re trying to deploy. Instead, set it here in the registry and pass UNSPECIFIED as the script parameter. A value of 7 sets up the disk for XTS-AES 256 (see here for other values). Note, use this value instead of the older EncryptionMethod setting for any Windows 10 OS 1511 and newer (which should be all by now).

Another RUN COMMAND LINE action:

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethodWithXtsOs /t REG_DWORD /d 7 /f

5. Remove Startup Delay

We want to minimise the startup delay for the MBAM client service, so let’s change it to 1 minute. Depending on the size of your environment you may wish to extend this. See here for official info on this setting. Without this set, there will be a random delay of up to 90 minutes. There are other settings in this link you may wish to add for the purpose of testing in a lab environment.

Another RUN COMMAND LINE action:

REG ADD HKLM\Software\Microsoft\MBAM /v NoStartupDelay /t REG_DWORD /d 1 /f

6. Start the MBAM Service

Another RUN COMMAND LINE action:

net start mbamagent

7. Force User To Select New PIN at First Logon

By default, the PIN screen will appear at some point in the first 90 minutes after logging in. This can be changed via GPO (see further down). In my experience, admins often want this to happen as soon as users log on. If this is you, then you’ll need to update the default user profile so that a RunOnce entry launches MBAMClientUI.exe for the first user to log on. This will force users to enter a PIN right away.

Note, for this to fire, you must have a fully-active ConfigMgr client and (if you want to avoid the postpone option) the machine must be in receipt of the policy below (9).

Another RUN COMMAND LINE action:

powershell.exe -ExecutionPolicy Bypass -command "reg load HKLM\DefaultUser C:\Users\Default\NTUSER.DAT; New-Item -Force -Path 'HKLM:\DefaultUser\Software\Microsoft\Windows\CurrentVersion\RunOnce' | Out-Null; New-ItemProperty -Force -Path 'HKLM:\DefaultUser\Software\Microsoft\Windows\CurrentVersion\RunOnce' -Name PromptForPIN -Value '\"C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe\"' -Type String | Out-Null; [gc]::Collect(); Start-Sleep -Seconds 2; reg unload HKLM\DefaultUser"

The path contains spaces, so the stored RunOnce value must carry its own quotes (the \" escapes produce a literal quote inside the -command string). New-Item is given -Force so the command still succeeds if RunOnce already exists in the default hive, and the [gc]::Collect() plus short sleep releases the provider’s handles so that reg unload does not fail with the hive still in use.

8. Run InvokeMBAMClientDeployment.ps1 Script

This is where much of the magic happens, when you can get it to work properly.

There are a couple of things you need to do for this. First, download the script from the MSFT site. Second, create a ConfigMgr (legacy) package with no program containing the script, and distribute its contents.

This time, add a RUN POWERSHELL SCRIPT action:

NAME: Run Invoke-MbamClientDeployment Script

PACKAGE: <Script Package>

SCRIPTNAME: InvokeMBAMClientDeployment.ps1

PARAMETERS:

-RecoveryServiceEndpoint "https://<SiteServerFQDN>/SMS_MP_MBAM/CoreService.svc" -EncryptionMethod UNSPECIFIED -EncryptAndEscrowDataVolume -IgnoreEscrowOwnerAuthFailure -IgnoreReportStatusFailure -WaitForEncryptionToComplete

PS EXECUTION POLICY : Bypass

Finally add an extra step to restart the computer.
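Steps 3 to 7 above are five separate RUN COMMAND LINE actions, and when one of them silently fails the first symptom is usually error code 1 from the deployment script much later. The script below is an added example, not part of the original post, that applies those same steps from a single RUN POWERSHELL SCRIPT action and then verifies the resulting state so a failed prerequisite shows up in smsts.log before Invoke-MbamClientDeployment.ps1 runs. The registry paths, values and file paths are the ones given in the post; the function and parameter names are my own.

```powershell
<#
  Added example (not from the original post): applies steps 3-7 of the task
  sequence in one script and verifies them. Assumes the MBAM client (step 2)
  is already installed and that the script runs in the full OS, elevated.
#>
[CmdletBinding()]
param(
    [int]$NoStartupDelay = 1,     # step 5 value from the post
    [int]$XtsOsMethod    = 7,     # 7 = XTS-AES 256, as in step 4
    [string]$DefaultHive = 'C:\Users\Default\NTUSER.DAT',
    [string]$ClientUi    = 'C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe'
)

$ErrorActionPreference = 'Stop'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Step 3: stop the agent so it re-reads the policy values when restarted
Stop-Service -Name mbamagent -Force

# Step 4: EncryptionMethodWithXtsOs under the FVE policy key
Set-DwordValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name 'EncryptionMethodWithXtsOs' -Value $XtsOsMethod

# Step 5: remove the random (up to 90 minute) startup delay
Set-DwordValue -Path 'HKLM:\SOFTWARE\Microsoft\MBAM' -Name 'NoStartupDelay' -Value $NoStartupDelay

# Step 6
Start-Service -Name mbamagent

# Step 7: RunOnce in the Default profile so the first user to log on is prompted for a PIN
$hiveKey = 'HKLM\DefaultUser'
& reg.exe load $hiveKey $DefaultHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load of $DefaultHive failed with exit code $LASTEXITCODE" }
try {
    $runOnce = 'HKLM:\DefaultUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path $runOnce)) { New-Item -Path $runOnce -Force | Out-Null }
    # the path contains spaces, so the stored command carries its own quotes
    New-ItemProperty -Path $runOnce -Name 'PromptForPIN' -Value "`"$ClientUi`"" -PropertyType String -Force | Out-Null
}
finally {
    [GC]::Collect()          # release the hive handles held by the registry provider
    Start-Sleep -Seconds 2
    & reg.exe unload $hiveKey | Out-Null
}

# Verification: any $false here is a prerequisite the deployment script will trip over
$result = [pscustomobject]@{
    MbamAgentRunning = (Get-Service -Name mbamagent).Status -eq 'Running'
    XtsOsMethodSet   = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE').EncryptionMethodWithXtsOs -eq $XtsOsMethod
    NoStartupDelay   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MBAM').NoStartupDelay -eq $NoStartupDelay
    ClientUiPresent  = Test-Path -Path $ClientUi
}
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) { exit 1 }
```

A non-zero exit code from a RUN POWERSHELL SCRIPT action fails the task sequence step, which is exactly what you want here: it is far easier to read one failed step than to work back from error code 1 after the restart.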

The above will get you as far as MBAMClientUI.exe requesting you either postpone or enter a PIN. But we don’t want the postpone option do we?

To go straight to the enter PIN screen, you’ll need to EITHER configure the GPOs below OR set a compliance policy in MEMCM:

Note, non-compliance grace period needs to be set to 0 days. Obviously, you must make sure your targeted machines are in a collection with the Bitlocker policy applied.

Create a GPO, add the settings below and make sure it applies to your machine. One other issue I noticed – at one point my ConfigMgr client wasn’t fully up and running when I logged in and when this was the case, the MBAMClientUI didn’t fire. Be sure you have a fully up and running client before logging in. It’s worth giving it a little while to download policies, etc.

9. GPO SETTINGS

As a minimum, set the GPO below. There are others you may need but this is the bare minimum.

Path: Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
Policy: Encryption Policy Enforcement Settings
Setting: Enabled
Configure the number of noncompliance grace period days for operating system drives: 0

That’s it. One would assume much of this legwork should automatically be taken care of by the script itself but unfortunately that doesn’t appear to be the case. Don’t forget, you will also need to make sure that no MBAM policies are in place when the script runs. This isn’t a problem with SCCM as GPOs will be suppressed but if you’re using native MDT this can be an issue.
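Once the machine has restarted and the user has set a PIN, the quickest way to confirm that the GOAL at the top of the post was actually met is to inspect the OS volume rather than trust the task sequence log. The function below is an added example, not from the original post, and uses only the built-in BitLocker module; the function name and the set of checks it performs are my own. It checks the encryption method, that encryption has finished and protection is on, that the pre-boot protector is TPM+PIN (a plain Tpm protector means no PIN was ever set), and that a RecoveryPassword protector exists, since that is the key material the MBAM/ConfigMgr service escrows.

```powershell
# Added example (not from the original post): verify the post-OSD BitLocker state
# of the OS volume against what the GOAL section asks for.
function Test-OsdBitLockerState {
    [CmdletBinding()]
    param(
        [string]$MountPoint     = $env:SystemDrive,
        [string]$ExpectedMethod = 'XtsAes256'   # value 7 in EncryptionMethodWithXtsOs
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $checks = [ordered]@{
        MethodIsExpected = $vol.EncryptionMethod.ToString() -eq $ExpectedMethod
        FullyEncrypted   = $vol.VolumeStatus.ToString() -eq 'FullyEncrypted'
        ProtectionOn     = $vol.ProtectionStatus.ToString() -eq 'On'
        # a PIN is only required at pre-boot if the protector is TpmPin, not Tpm
        TpmPinProtector  = $protectorTypes -contains 'TpmPin'
        # the RecoveryPassword protector is what gets escrowed to the MBAM database
        RecoveryPassword = $protectorTypes -contains 'RecoveryPassword'
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        Protectors       = ($protectorTypes -join ',')
        Passed           = ($failed.Count -eq 0)
        Failed           = ($failed -join ',')
    }
}

# Usage: run from an elevated PowerShell after the first logon has completed
Test-OsdBitLockerState | Format-List
```

If Passed is false, the Failed column tells you which of the steps above to revisit: a wrong EncryptionMethod points at step 4, a missing TpmPin protector at step 7 or the GPO in step 9, and a missing RecoveryPassword at the -RecoveryServiceEndpoint parameter of step 8.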

Simon

Script Status Message queries!

If, like me, you spend more than your fair share of time searching through status messages to figure out what broke in the deployment over the weekend, then you’ll know what an arduous process it can be putting the criteria into each query. If you have a good few machines to check then you literally spend half your time typing in machine names and times.

Well no more, because did you know it is perfectly possible to script this? Status Message Viewer (statview.exe) is simply an executable, and with the right parameters and the correct time format applied you can call up the status messages from as many machines as you see fit (although I’d recommend you limit this to no more than 15-20 at a time).

One observation when running this against multiple machines: you’ll notice some of the status messages won’t always contain as much info as you expect. Simply refresh the status message and all the info will display as expected.

Finally, create a text file containing a list of the machines you wish to take status messages from and use the path as a parameter along with the date from which you wish to obtain the messages, in the format YYYY-MM-DD.

Please note this script assumes you have installed the ConfigMgr admin console on the machine on which you run the script, and in the default location. If you have installed it elsewhere please change statview.exe path accordingly.

Param(
    [string]$path,
    [string]$date
)
If ($date -eq "" -or $path -eq "") {
    Write-Host "File path and date must be supplied as parameters.
    Example:
    -path C:\Temp\Computers.txt
    -date 2021-04-09"
    exit
}
# Default admin console install location; change this if yours is elsewhere
$command = "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\i386\statview.exe"
If (-not (Test-Path $command)) {
    Write-Host "statview.exe not found at $command"
    exit
}
$siteServer = "SCCMSiteSvr.contoso.com"
# Start time in the format statview expects, built from the YYYY-MM-DD date supplied
$startDate = Get-Date -Format "yyyyMMddHH:mmm.000" -Date $date
# One machine name per line; skip blank lines
$Computers = Get-Content $path | Where-Object { $_.Trim() -ne "" }
foreach ($compName in $Computers) {
    # Each switch is passed as its own argument so the component names containing spaces stay intact
    $commandArgs = @(
        "/SMS:Server=\\$siteServer\",
        "/SMS:SYSTEM=$compName",
        "/SMS:COMPONENT=Task Sequence Engine",
        "/SMS:COMPONENT=Task Sequence Action",
        "/SMS:SEVERITY=ERROR",
        "/SMS:SEVERITY=WARNING",
        "/SMS:SEVERITY=INFORMATION",
        "/SMSSTARTTIME=$startDate"
    )
    & $command $commandArgs
}

in-line script execution time-out…

Had this recently on a machine we were upgrading to Windows 10 1909. Initially it looked as though there was an issue detecting that the application had installed correctly, but on closer inspection the AppDiscovery log file revealed that the same timeout issue was happening on several applications. Googling about, there were quite a few posts on how later versions of ConfigMgr now incorporate a client property to change the script timeout setting, but this sadly appeared not to be the case. Other posts suggested a script that could be run at server level to fix this. Not really the short-term fix I needed to sort my issue, as it would doubtless take weeks to get the change through at work.

Then I found what I needed: a client-side script which I have now lost the source to, so really sorry if this came from you. I’m happy to set the record straight and link as needed. In any case, I do have the script itself, see below. This will set the timeout to 1200 seconds (from the 60s default). This fixed my issue. I would imagine this could be added to the start of a task sequence if required. Note it’s a VBScript…old skool.

' Raise the ConfigMgr client's script execution timeout (default 60 seconds) to 1200 seconds.
' The setting lives in the client's actual policy namespace, so run this elevated on the client.
On Error Resume Next
strQuery = "SELECT * FROM CCM_ConfigurationManagementClientConfig"
Set objWMIService = GetObject("winmgmts:\\.\ROOT\ccm\Policy\Machine\ActualConfig")
Set colItems = objWMIService.ExecQuery(strQuery, "WQL")
For Each objItem In colItems
    objItem.ScriptExecutionTimeOut = 1200
    objItem.Put_
Next

' Read the value back to confirm the change was written
Set colItems = objWMIService.ExecQuery(strQuery, "WQL")
For Each objItem In colItems
    If objItem.ScriptExecutionTimeOut = 1200 Then
        WScript.Echo "True"
    Else
        WScript.Echo "False"
    End If
Next