My main goal from starting off with Windows 10 was to have my entire imaging suite contained within one single Task Sequence, including all drivers for all platforms and multiple OS support.
One major part of that Task Sequence goal was to enable BitLocker for all supported HP laptop models along with the Surface Pro 3 (now referred to as just Surface 3). The company I currently consult for also wanted me to implement MBAM (Microsoft BitLocker Administration and Monitoring) within their BitLocker infrastructure and Windows 10 rollout.
I will outline all the steps in my Task Sequence and the subsequent group policies needed to have my BitLocker recovery keys stored in my new MBAM server. This assumes that:
- You have a working MBAM Server.
- You have a good understanding of BitLocker, TPM and MBAM, and how it all fits together.
- You have access to the MBAM client installer and have created an SCCM application for it, using the install command:
(msiexec /i "MbamClientSetup-2.5.1100.0.msi" /qn REBOOT=ReallySuppress)
Note: I experimented with a LOT of different setups here, all using the HP BIOS tools. I won't go into what I couldn't get working; I will just point you to what I have working now. The step below temporarily sets a BIOS password, configures the BIOS (including enabling the TPM) and then removes the temporary BIOS password.
To complete the next step you will need to gather some files. To download all the required HP files, see my OneDrive share here. Once you have the files, place them on your SCCM server, create a package (not an application) named HP Bios Tools and point its source to the folder you just copied; you do not need to create a program for this step.
Pre Provision BitLocker
Bitlocker/MBAM Deployment – HP
net stop mbamagent
Save the file below as a .reg and place it somewhere your TS can see. This step forces the user to be prompted for encryption info (if you use a password or PIN) at first login; if it is not set there is a significant delay between first login and the prompt.
MbamForcePrompt.reg can also be found on the OneDrive share linked earlier.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
"ClientWakeupFrequency"=dword:00000001
"StatusReportingFrequency"=dword:00000001
cscript.exe StartMBAMEncryption.wsf /MBAMServiceEndPoint:http://MBAM.company.org.uk/MBAMRecoveryAndHardwareService/CoreService.svc /Encryptionmethod:0
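As an added check (my own addition, not part of the Task Sequence steps above), the PowerShell function below can be run elevated on a freshly built client to confirm the pieces landed as intended: TPM ready, the three registry values from MbamForcePrompt.reg set, the mbamagent service running again after the net stop, and the OS volume protected with a TPM-based protector and a recovery password. The OS drive letter C: and the Test-MbamClientState name are assumptions.

```powershell
# Added verification example; not from the original post or the MBAM product.
# Assumes: registry paths and service name as used in the Task Sequence above,
# OS volume on C: (assumption), and an elevated PowerShell session.
function Test-MbamClientState {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')

    $result = [ordered]@{}

    # TPM must be present and ready before a TPM protector can be created and escrowed
    $tpm = Get-Tpm
    $result.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # The three values MbamForcePrompt.reg sets; each should be 1
    $mbamKey   = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $result.NoStartupDelay  = (Get-ItemProperty -Path $mbamKey   -Name NoStartupDelay           -ErrorAction SilentlyContinue).NoStartupDelay -eq 1
    $result.WakeupFrequency = (Get-ItemProperty -Path $policyKey -Name ClientWakeupFrequency    -ErrorAction SilentlyContinue).ClientWakeupFrequency -eq 1
    $result.StatusFrequency = (Get-ItemProperty -Path $policyKey -Name StatusReportingFrequency -ErrorAction SilentlyContinue).StatusReportingFrequency -eq 1

    # The TS stops mbamagent before importing the .reg; it must be running again
    $svc = Get-Service -Name mbamagent -ErrorAction SilentlyContinue
    $result.AgentRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # OS volume: protection on, TPM-based protector present, recovery password present
    $vol   = Get-BitLockerVolume -MountPoint $OsDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $result.ProtectionOn        = $vol.ProtectionStatus -eq 'On'
    $result.EncryptionPercent   = $vol.EncryptionPercentage
    $result.HasTpmProtector     = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    $result.HasRecoveryPassword = 'RecoveryPassword' -in $types

    # AllGood is true only when every boolean check above passed
    $bools = $result.GetEnumerator() | Where-Object { $_.Value -is [bool] } | ForEach-Object { $_.Value }
    $result.AllGood = $bools -notcontains $false

    [pscustomobject]$result
}

Test-MbamClientState | Format-List
```

A RecoveryPassword protector is what MBAM escrows, so its absence alongside ProtectionOn being true is the first thing to look at if keys are not appearing on the MBAM server.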