Windows 10 Task Sequence – BitLocker with MBAM Steps (HP+Surface)

My main goal from starting off with Windows 10 was to have my entire imaging suite contained within one single Task Sequence, this includes all drivers for all platforms and multiple OS support.

One major part of my Task Sequence goal was to enable bitlocker for all supported HP Laptop models along with the Surface Pro 3 (now referred to as just Surface 3). The company i currently consult for also wanted me to implement MBAM (Microsoft Bitlocker Administration & Management) within their bitlocker infrastructure and Windows 10 rollout.

I will outline all steps in my Task Sequence and the subsequent group policies to have my bitlocker recovery keys stored to my new MBAM server.

Model Support:

Before you start even considering BitLocker, make it known what models you intend to support. I am only applying bitlocker on models that have a TPM chip, making this known upfront allowed me to force Procurement to only supply models with TPM present. This guide assumes you support HP and Microsoft models, Dell machines can be managed very easily with use of the CCTK tool.

Assumptions:

  • You have a working MBAM Server.
  • You have a good understanding of Bitlocker, TPM / MBAM and how it all fits together.
  • You have access to MBAM application and have created an application for it.
    (msiexec /i “MbamClientSetup-2.5.1100.0.msi” /qn REBOOT=ReallySuppress)

TS Steps:

Enable TPM

Note: I experimented with a LOT of different setups here all using the HP bios tools, i wont go into what i couldn’t get working, i will just point you to what i have working now. The below step will temporarily set the bios password, configure the BIOS including TPM and then remove the temporary BIOS password. To complete the next step, you will need to gather some files, to download all the required HP Files, see my onedrive share here . Once you have the files, place them on your SCCM server, create a package (not application) named HP Bios Tools and point the source files to your freshly copied file source, you do not need to create a program for this step.

Format/Partition Disk

The first step to prepare bitlocker is to prepare the disk, see the following configurations for both UEFI and Non-UEFI Configurations:
Non-UEFI
UEFI

Pre Provision BitLocker 

Enabling this step pre provisions the disk which will cause it to be 99.9% encrypted before you apply your windows image.
First we need to configure the machine’s bios and enable the TPM Chip. I have noticed that i needed to create different versions of the REPSET (settings) files for multiple models because if you try and switch on a setting that doesn’t exist, it will break. Therefore i put together this simple powershell script will apply the correct settings file for its model.
We only want these steps to run if the laptop has TPM and is in fact a laptop, therefore i use this on the Bitlocker Steps folder:
We then need to enable TPM as mentioned earlier, this is the script step i have to do this (see files for script):

 

Then we need to reboot to allow the machine to enable TPM fully, ensure that you reboot back into your boot image assigned to your Task Sequence.
We will then partition the disk as described above:
Finally we will run the Pre Provision step, this will encrypt the disk to 99.9% before we lay down the image.

Bitlocker/MBAM Deployment – HP

The following TS Tree will only apply to Laptops with the manufacturer of HP , because i am using MDT Integration in my TS i can utilise the “ZTIGather” variable of “ISLaptop” – If you dont use MDT you could just run a WMI query to detect chassis type, ram type or battery presence.
We will then install the MBAM Client…
Now that MBAM is installed, we need to stop it from running , this is done with the command:
Net stop mbamagent
We then inject the following REG Keys with regedit.exe /S MbamForcePrompt.reg

Save this file as a .reg and place it somewhere your TS can see. This step will force the user to be prompted for encryption info (if you use a password or pin) on first login. If this is not set there is a significant delay between first login and prompt.

MbamForcePrompt.reg can be also be found on the onedrive share linked earlier. 

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
“NoStartupDelay”=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
“ClientWakeupFrequency”=dword:00000001
“StatusReportingFrequency”=dword:00000001
Restart the MBAM Service:
Net start mbamagent
Start MBAM Encryption:
StartMBAMEncryption.wsf  is here:

http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

cscript.exe StartMBAMEncryption.wsf /MBAMServiceEndPoint:http://MBAM.company.org.uk/MBAMRecoveryAndHardwareService/CoreService.svc /Encryptionmethod:0

Steps specific to Surface Tablets:

For surfaces you do not need to enable TPM as it is “always on” therefore there is no need for that step. 
 

1. Ensure you use the UEFI Steps for partitioning the disk as outlined below:

UEFI
2. Install MBAM Client, Reboot. Then Follow the steps outlined.
3. I chose to opt out of using TPM+PIN for surfaces (and all tablets). This is easily achieved by setting this value in group policy. This means you can use the same Bitlocker settings for laptops and tablets.
This is a list of all of my Group Policies for Bitlocker/MBAM

EDIT: If you are running Windows 10 v1511 you need to also follow this post:

29 thoughts on “Windows 10 Task Sequence – BitLocker with MBAM Steps (HP+Surface)

  1. I've updated our task sequence (TS) with the steps in this article. The MBAM Agent installs fine, the service is stopped, the reg keys injected and the the service restarted but the StartMBAMEncryption.wsf script fails during the TS. I acknowledge the error, the TS completes and I logon to Windows to check that BitLocker has not been enabled. When I run the command line manually I see this:-

    ——————-
    C:\Users\admin>cscript.exe “\\server\share\Build\BitLockerSurfacePro\Sta
    rtMBAMEncryption.wsf” /MBAMServiceEndPoint:http://server.company.local/M
    BAMRecoveryAndHardwareService/CoreService.svc /Encryptionmethod:0
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.

    Property MBAMServiceEndPoint is now = http://server.company.local/MBAMRe
    coveryAndHardwareService/CoreService.svc
    Property Encryptionmethod is now = 0
    Microsoft Deployment Toolkit version: 6.1.2373.0
    MBAMServiceEndPoint: http://server.company.local/MBAMRecoveryAndHardware
    Service/CoreService.svc
    EncryptionMethod: 0
    FAILURE (Err): -2147217405 0x80041003: Connect to MicrosoftTPM provider –
    FAILURE ( 6732 ): Connect to MicrosoftTPM provider –
    C:\Users\admin>
    ——————-

    How can I fix this please?

    Like

  2. Hi Dan, sorry for the delay. I can see from the BIOS/UEFI that the TPM is “enabled” but tpm.msc confirms “The TPM is not ready for use”. Here are the smsts.log entries of the 0x80072718 error as seen during the task sequence:-

    —————
    Installing software for PackageID='PM1000A9' ProgramID='MBAM Encryption Script' AdvertID='PM120263' has started, jobID='{52A6ED0F-7B1E-4945-A0A6-7D86AC8B4295}' InstallSoftware 23/03/2016 19:10:40 1116 (0x045C)
    Setting TSEnv variable 'SMSTSInstallSoftwareJobID_PM1000A9_PM120263_MBAM Encryption Script'='{52A6ED0F-7B1E-4945-A0A6-7D86AC8B4295}' InstallSoftware 23/03/2016 19:10:40 1116 (0x045C)
    Waiting for installation job to complete.. InstallSoftware 23/03/2016 19:10:40 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:11:10 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:11:40 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:12:10 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:12:40 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:13:10 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:13:40 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:14:10 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:14:40 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:15:10 1116 (0x045C)
    Waiting for job status notification… InstallSoftware 23/03/2016 19:15:40 1116 (0x045C)
    Process completed with exit code 2147952408 TSManager 23/03/2016 19:15:44 2788 (0x0AE4)
    !——————————————————————————————–! TSManager 23/03/2016 19:15:44 2788 (0x0AE4)
    Failed to run the action: Start MBAM Encryption Script.
    Unknown error (Error: 80072718; Source: Unknown) TSManager 23/03/2016 19:15:44 2788 (0x0AE4)
    —————

    This only appears to affect Windows 8.1 because our Windows 10 task sequence enables BitLocker (MBAM) fine.

    Does this help identify the root cause of the problem in the Windows 8.1 task sequence please?

    Best regards
    Scott

    Like

  3. Hi Dan,

    I am getting this error –
    C:\_SMSTaskSequence\Packages\ABC01416\StartMBAMEncryption.wsf(2, 38) Windows Script Host: Cannot retrieve referenced URL : ZTIUtility.vbs

    I assume this is because I do not have the step that says Copy Build Files like you do before starting this. I do have a use toolkit package step but that doesnt seem to solve it. What is contained inside the Copy Build Files step? Do I need add this script to my package?

    Thanks,

    Like

  4. Nice post. I learn something more challenging on different blogs everyday. It will always be stimulating to read content from other writers and practice a little something from their store. I’d prefer to use some with the content on my blog whether you don’t mind. I’ll give you a link on your web blog. I recently came to know about http://machinesuae.com/, their Laptops and Tablets are very effective.
    Laptops and Tablets Thanks for sharing.

    Like

  5. Hi,

    Thanks for this post so much detail and presented well. Microsoft can take a cue from this ( one day may be). Is your set up mbam 2.0 or 2.5?

    We have a MBAM set up (2.0) and we want to deploy win 10 1607. The OS drive encryption works, but not the data drive which is just another partition of the same disk which users are given access to store their personal data. Same sequence of steps work for both OS drive ad data drive on win 7. Would you hazard a guess as to what the issue might be ? Thanks again.

    Like

  6. great post – but could you advise/highlight at what point the Laptop is added into AD as part of the Task Sequence? so that the recovery info is stored in AD.
    Also yes we will require a Bitlocker PIN code password – I assume this is entered by the end-user themselves manually.

    Like

  7. This guide is for storing keys in MBAM, you can use the built in step in the TS to save the keys to AD if you choose.

    Apply Network setting step is where you configure domain join.
    Setup Windows and ConfiMgr will join the machine to the domain.

    use the add>Disks>enable bitlocker step if you want to store keys in AD.

    Like

  8. Am I correct in assuming that the partition disk step before the pre-provision bitlocker step is done with a regular BIOS boot because you are only using two partitions and a standard MBR disk. I expected the disk partition steps to be UEFI since most Windows 10 capable hardware nowadays is UEFI and you used a UEFI partition example in a previous part of your task sequence.

    Do you also have a guide on how to install MBAM or a usable link. We are now storing the Bitlocker keys in AD but we want to switch to MBAM.

    Thanks for the great articles btw.

    Like

  9. Super cool tutorial Dan! Thanks for this! We are in a phase of migrating from W7 to W10 (1803) and security wants to enable bitlocker. We don’t have a MBAM server yet but beside that we have mainly Lenovo machines and are also moving to HP so this tutorial comes in handy 😉 Do you have any clue how we can handle Lenovo bios to enable TPM chip?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s