Windows 10 Task Sequence - BitLocker with MBAM Steps (HP+Surface)

My main goal from starting off with Windows 10 was to have my entire imaging suite contained within one single Task Sequence, this includes all drivers for all platforms and multiple OS support.

One major part of my Task Sequence goal was to enable bitlocker for all supported HP Laptop models along with the Surface Pro 3 (now referred to as just Surface 3). The company i currently consult for also wanted me to implement MBAM (Microsoft Bitlocker Administration & Management) within their bitlocker infrastructure and Windows 10 rollout.

I will outline all steps in my Task Sequence and the subsequent group policies to have my bitlocker recovery keys stored to my new MBAM server.

Model Support:

Before you start even considering BitLocker, make it known what models you intend to support. I am only applying bitlocker on models that have a TPM chip, making this known upfront allowed me to force Procurement to only supply models with TPM present. This guide assumes you support HP and Microsoft models, Dell machines can be managed very easily with use of the CCTK tool.

Assumptions: 

• You have a working MBAM Server.
• You have a good understanding of Bitlocker, TPM / MBAM and how it all fits together. 
• You have access to MBAM application and have created an application for it.
  (msiexec /i "MbamClientSetup-2.5.1100.0.msi" /qn REBOOT=ReallySuppress)

TS Steps:

Enable TPM

Note: I experimented with a LOT of different setups here all using the HP bios tools, i wont go into what i couldn't get working, i will just point you to what i have working now. The below step will temporarily set the bios password, configure the BIOS including TPM and then remove the temporary BIOS password. To complete the next step, you will need to gather some files, to download all the required HP Files, see my onedrive share here . Once you have the files, place them on your SCCM server, create a package (not application) named HP Bios Tools and point the source files to your freshly copied file source, you do not need to create a program for this step.

Format/Partition Disk

The first step to prepare bitlocker is to prepare the disk, see the following configurations for both UEFI and Non-UEFI Configurations:

Non-UEFI

UEFI

Pre Provision BitLocker 

Enabling this step pre provisions the disk which will cause it to be 99.9% encrypted before you apply your windows image. 

First we need to configure the machine's bios and enable the TPM Chip. I have noticed that i needed to create different versions of the REPSET (settings) files for multiple models because if you try and switch on a setting that doesn't exist, it will break. Therefore i put together this simple powershell script will apply the correct settings file for its model. 

We only want these steps to run if the laptop has TPM and is in fact a laptop, therefore i use this on the Bitlocker Steps folder:

We then need to enable TPM as mentioned earlier, this is the script step i have to do this (see files for script):

Then we need to reboot to allow the machine to enable TPM fully, ensure that you reboot back into your boot image assigned to your Task Sequence. 

We will then partition the disk as described above:

Finally we will run the Pre Provision step, this will encrypt the disk to 99.9% before we lay down the image. 

Bitlocker/MBAM Deployment - HP

The following TS Tree will only apply to Laptops with the manufacturer of HP , because i am using MDT Integration in my TS i can utilise the "ZTIGather" variable of "ISLaptop" - If you dont use MDT you could just run a WMI query to detect chassis type, ram type or battery presence.

We will then install the MBAM Client...

Now that MBAM is installed, we need to stop it from running , this is done with the command:

Net stop mbamagent

We then inject the following REG Keys with regedit.exe /S MbamForcePrompt.reg

Save this file as a .reg and place it somewhere your TS can see. This step will force the user to be prompted for encryption info (if you use a password or pin) on first login. If this is not set there is a significant delay between first login and prompt.

MbamForcePrompt.reg can be also be found on the onedrive share linked earlier. 

Windows Registry Editor Version 5.00




[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]

"NoStartupDelay"=dword:00000001




[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]

"ClientWakeupFrequency"=dword:00000001

"StatusReportingFrequency"=dword:00000001

Restart the MBAM Service:

Net start mbamagent

Start MBAM Encryption: 

StartMBAMEncryption.wsf  is here:

http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

cscript.exe StartMBAMEncryption.wsf /MBAMServiceEndPoint:http://MBAM.company.org.uk/MBAMRecoveryAndHardwareService/CoreService.svc /Encryptionmethod:0

Steps specific to Surface Tablets:

For surfaces you do not need to enable TPM as it is "always on" therefore there is no need for that step. 

1. Ensure you use the UEFI Steps for partitioning the disk as outlined below:

UEFI

2. Install MBAM Client, Reboot. Then Follow the steps outlined. 

3. I chose to opt out of using TPM+PIN for surfaces (and all tablets). This is easily achieved by setting this value in group policy. This means you can use the same Bitlocker settings for laptops and tablets. 

This is a list of all of my Group Policies for Bitlocker/MBAM

EDIT: If you are running Windows 10 v1511 you need to also follow this post:

http://apppackagetips.blogspot.co.uk/2015/12/mbam-will-not-prompt-for-pin-on-windows.html