anyweb

Encrypting devices during Windows Autopilot provisioning (WhiteGlove) - Part 2

Introduction

Note: This method is not officially supported by Microsoft. That said, this speeds up compliance and more importantly increases security as the device is already encrypted (part 1) before the user logs on (part 2). BitLocker recovery key changes after the user has completed enrolment are handled automatically (part 3).

Note: I've updated the scripts 2023/12/23 to use new logging path and detection files instead of registry keys.

Windows Autopilot pre-provisioning (WhiteGlove) is the ability to pre-stage content and policies on devices while they are being set up in the factory. We had a challenge to speed up the overall compliance of Windows Autopilot devices, and the obvious solution was to stage as much content as we could during pre-provisioning (WhiteGlove) and also to enable BitLocker encryption during that process. The only problem is that Microsoft don't officially support BitLocker encryption in the WhiteGlove scenario, because the recovery key information is only uploaded after a user logs in. In our initial testing, BitLocker disk encryption wouldn't even start until the user logged in.

That is not so much of a problem for a small amount of content on the hard disk, but what if you have hundreds of gigabytes of data to encrypt, which could potentially take hours after the user has logged on? As BitLocker encryption is a common compliance policy setting, this needed to be addressed.

The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to only upload the key to Intune once the user actually enrolled the device. That need brought about this solution, which is in 3 parts. The first part covers device encryption during provisioning at the factory. The second part uploads the recovery key to Intune after the user has signed in and completed WHFB setup. The final part moves those successfully encrypted devices to a WhiteGlove_Completed Azure AD group targeted with BitLocker policy, which takes care of rotating the recovery key information.

All parts are listed below:

The Win32 app in this part does a few things, namely:

  • creates a scheduled task which is triggered on an event ID
  • extracts a second script which does the following
    • removes the BEK protector
    • adds a numerical password protector
    • uploads the recovery information to Intune
    • *if the above is successful*
      • removes the user's local admin permissions
      • adds a RunOnce reg key for the next login
      • adds a reg key to show that all is completed
      • deletes the scheduled task
      • restarts the computer, with a 5 second warning, to speed up BitLocker compliance
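As an added example (this is not the windows-noob.com script from the attached 7z file), the following PowerShell walks the upload stage in the order listed above, stopping before the user-facing changes if the escrow to Azure AD fails. The folder, task name and task path are taken from this post; the log file name, the completion-marker file name and the RunOnce command (deviceenroller.exe /c /b) are assumptions.

```powershell
# Added example, not the post's own script. Runs as SYSTEM from the scheduled task.
$LogDir   = 'C:\ProgramData\windowsnoob\WhiteGlove'          # folder from the post
$TaskName = 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune'   # task name from the post
$TaskPath = '\windows-noob\'                                 # task folder from the post
$Mount    = 'C:'
$DoneFile = Join-Path $LogDir 'Completed_WhiteGlove_Bitlocker_key_upload.txt'   # assumed marker name

function Write-Log([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 'MM/dd/yyyy HH:mm:ss'), $Message
    Add-Content -Path (Join-Path $LogDir 'upload.bitlocker.key.log') -Value $line   # assumed log name
    Write-Host $line
}

# Bail out if we are still inside the ESP: defaultuser0 is the provisioning account.
$user = (Get-CimInstance Win32_ComputerSystem).UserName
if (-not $user -or $user -like '*\defaultuser0') { Write-Log 'Still in ESP, exiting.'; exit 0 }

$blv = Get-BitLockerVolume -MountPoint $Mount
if ($blv.VolumeStatus -eq 'FullyDecrypted') { Write-Log 'Volume not encrypted, nothing to do.'; exit 1 }

# 1. Remove the ExternalKey (BEK) protector left behind by the part 1 encryption.
foreach ($p in ($blv.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Log "Removed ExternalKey protector $($p.KeyProtectorId)"
}

# 2. Add a numerical (recovery password) protector, reusing one if it is already present.
$rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Write-Log "Added RecoveryPassword protector $($rp.KeyProtectorId)"
}

# 3. Escrow the recovery password to Azure AD (Intune). Everything below depends on this succeeding.
try {
    BackupToAAD-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
    Write-Log 'Recovery key uploaded to Azure AD'
} catch {
    Write-Log "Key upload failed: $($_.Exception.Message)"
    exit 1   # keep the scheduled task so the next Event ID 300 retries the upload
}

# 4. Only after a successful upload: remove the enrolling user's local admin rights.
try {
    Remove-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction Stop
    Write-Log "Removed $user from Administrators"
} catch { Write-Log "Could not remove $user from Administrators: $($_.Exception.Message)" }

# 5. RunOnce entry so the next logon triggers an Intune sync (assumed command).
$runOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
New-ItemProperty -Path $runOnce -Name 'WhiteGloveIntuneSync' -PropertyType String -Force `
    -Value '"C:\Windows\System32\deviceenroller.exe" /c /b' | Out-Null

# 6. Completion marker (the updated scripts use files rather than registry keys for detection).
New-Item -Path $DoneFile -ItemType File -Force | Out-Null

# 7. Remove the scheduled task so it cannot fire a second time.
Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
Write-Log "Removed scheduled task $TaskName"

# 8. Restart with a 5 second warning to bring the compliance evaluation forward.
shutdown.exe /r /t 5 /c "Restarting to complete BitLocker recovery key escrow"
Write-Log 'Restart issued'
```

The ordering matters for safety: the ExternalKey protector is only removed after confirming the volume is encrypted, and the task is deleted only after BackupToAAD-BitLockerKeyProtector returns without error, so a failed upload leaves a retry path rather than a device whose only recovery password exists locally.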

Step 1. Add the Win32 app

Using the latest version of the IntuneWinAppUtil.exe tool, create a Win32 app called Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune. The app is in the attached 7-Zip file; use 7-Zip to decompress it.

Note: Only logged on members of windows-noob.com can download this file.

WhiteGlove - Upload bitlocker key after user login.7z

Configure the app settings as follows:

Name: Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
Program Install command:  install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Program uninstall command: install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
0 Success
1707 Success
3010 Soft reboot
1641 Hard reboot
1618 Retry

Requirements

Operating system architecture
x64
Minimum operating system
Windows 10 1903
Disk space required (MB)
No Disk space required (MB)
Physical memory required (MB)
No Physical memory required (MB)
Minimum number of logical processors required
No Minimum number of logical processors required
Minimum CPU speed required (MHz)
No Minimum CPU speed required (MHz)
Additional requirement rules
File C:\ProgramData\windowsnoob\WhiteGlove

as per the screenshot below:

requirements.png

Detection rules

Rules format: Manually configure detection rules

Detection rules File: C:\ProgramData\windowsnoob\WhiteGlove

File or folder: Installed_WhiteGlove_Bitlocker_key_uploader.txt

Detection method: File or folder exists

detection rule.png

Next, configure the following Dependencies for the Win32 app

dependencies.png

Finally, assign the Win32 app as Required to our WhiteGlove Computers Azure AD group created in part 1.

assignments.png

Step 2. Enroll a provisioned device

Now that you've completed parts 1 and 2, you are ready to review what happens with the new Win32 app. After the user logs on, the ESP does its thing and starts Account Setup; during this phase the Windows Hello for Business (WHFB) setup starts. Once completed, the end user will see something like this.

whfb completed.png

This generates Event ID 300 in the Microsoft-Windows-User Device Registration/Admin event log (the task trigger query is *[System[(EventID=300)]]).

user device registration.png

and that event ID triggers our scheduled task to run the associated win.ap.upload.bitlocker.key.after.whiteglove.vbs script, which in turn launches the PowerShell script of the same name.
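The scheduled task is the piece the Win32 app creates. As an added example (not the post's own script), this PowerShell registers an equivalent task that fires on Event ID 300 in that log and runs the uploader .vbs. New-ScheduledTaskTrigger cannot express event triggers, so the trigger is built as an MSFT_TaskEventTrigger CIM instance. Running the task as SYSTEM and the 30 second start delay are assumptions; the task name, path and script location are from this post.

```powershell
# Added example, not the post's script: event-triggered task for the key uploader.
$TaskName   = 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune'   # from the post
$TaskPath   = '\windows-noob\'                                 # from the post
$ScriptPath = 'C:\ProgramData\windowsnoob\WhiteGlove\win.ap.upload.bitlocker.key.after.whiteglove.vbs'
$LogName    = 'Microsoft-Windows-User Device Registration/Admin'

# The subscription is the same XML the Task Scheduler UI writes for "On an event".
$subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(EventID=300)]]</Select>
  </Query>
</QueryList>
"@

# Build the event trigger directly from the Task Scheduler CIM class.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true
$trigger.Delay        = 'PT30S'   # assumed: let WHFB finish before the upload script runs

# wscript.exe runs the .vbs wrapper, which launches the PowerShell script of the same name.
$action = New-ScheduledTaskAction -Execute 'wscript.exe' -Argument "`"$ScriptPath`""

# Assumed principal: SYSTEM, so the script can change protectors and group membership.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

# Create the task only if it does not already exist (matches the "doesn't exist, will create it" log line).
if (-not (Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue)) {
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings | Out-Null
}

# Show the registered trigger so the subscription can be checked against the event log query.
(Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath).Triggers | Format-List Subscription, Delay, Enabled
```

Because the uploader deletes this task once the key is escrowed, the event trigger gives a natural retry: if the upload fails, the task stays and the next Event ID 300 (for example after a WHFB re-registration) runs it again.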

That script does all the points mentioned above and then restarts the computer within 5 seconds to enforce compliance quickly.

shutdown message.PNG

Troubleshooting

This Win32App creates some files which are extracted to C:\ProgramData\windowsnoob\WhiteGlove.

Review the log files for the creation of the scheduled task. Below is a reference log file; use it to compare against your own attempts.

02/27/2023 04:49:16 Starting the 'Win.AP.CreateScheduledTask_win.ap.upload.bitlocker.key.after.whiteglove' version '0.16' script...
02/27/2023 04:49:16 Starting initial checks to determine if we should exit from the script if not...
02/27/2023 04:49:16 Logged on user method#1 detected as: 'AP-5CG03729P0\defaultuser0'
02/27/2023 04:49:16 Logged on user method#2 detected as: 'AP-5CG03729P0$'
02/27/2023 04:49:16 Looking for the following Regpath: 'HKLM:\Software\WOW6432Node\windows-noob\WhiteGlove\'...
02/27/2023 04:49:16 testing reg key
02/27/2023 04:49:16 returning true to reg key check
02/27/2023 04:49:16 The required WhiteGlove registry key was found, continuing script
02/27/2023 04:49:16 Found: 'EncryptedDuringWhiteGlove'
02/27/2023 04:49:16  Logged on user is: AP-5CG03729P0\defaultuser0
02/27/2023 04:49:16 extracting scripts to 'C:\ProgramData\windowsnoob\WhiteGlove'...
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.ps1
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.vbs
02/27/2023 04:49:16 Creating windows-noob foldername...
02/27/2023 04:49:16 Creating scheduled task...
02/27/2023 04:49:18 Info: The scheduled task doesn't exist, will create it.
02/27/2023 04:49:18 DEBUG: Using the following values for the scheduled task:
02/27/2023 04:49:18 DEBUG: User: 'AP-5CG03729P0\defaultuser0' Time: '' Script: 'C:\ProgramData\windowsnoob\WhiteGlove\win.ap.upload.bitlocker.key.after.whiteglove.vbs' Action: 'MSFT_TaskExecAction' Trigger: 'MSFT_TaskLogonTrigger' Settings: 'MSFT_TaskSettings3' Principal: 'MSFT_TaskPrincipal2' Foldername: 'windows-noob'.
02/27/2023 04:49:18 about to create the scheduled task...
02/27/2023 04:49:18 Succeeded in creating the scheduled task
02/27/2023 04:49:19 DEBUG: task=MSFT_ScheduledTask (TaskName = "Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\") taskName=Win.AP.WhiteGlove.UploadBitLockerKeyToIntune run=02/27/2023 04:50:18
02/27/2023 04:49:19 DEBUG: settings the scheduled task settings=MSFT_ScheduledTask (TaskName = "Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\")
02/27/2023 04:49:19 Exiting script.

Below is the log file from the script which uploads the key.

02/27/2023 04:51:48 Starting script: 'win.ap.upload.bitlocker.key.after.whiteglove' version: '0.14'...
02/27/2023 04:51:48 Checking logged on user to determine if we are still in the ESP or not.
02/27/2023 04:51:49 Not in ESP, will continue!
02/27/2023 04:51:49 Removing BEK...
02/27/2023 04:51:49 removing BEK protector
02/27/2023 04:51:51 DEBUG: BLV = 'C:'
02/27/2023 04:51:51 attempting to remove protector...
02/27/2023 04:51:52 succeeded removing protector!
02/27/2023 04:51:52 DEBUG: BLV = 'C:'
02/27/2023 04:51:52 Adding RK...
02/27/2023 04:51:52 adding recovery password...
02/27/2023 04:51:53 succeeded adding protector !
02/27/2023 04:51:53
02/27/2023 04:51:53 about to upload key to Azure
02/27/2023 04:51:55 succeeded to upload the BitLocker recovery key to Azure !
02/27/2023 04:51:55 removing user 'AzureAD\NiallBrady' from Local Admins group
02/27/2023 04:51:55 succeeded to remove the user from the group
02/27/2023 04:51:55 about to remove the Scheduled task
02/27/2023 04:52:00 Info: The 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task exists, removing the scheduled task...
02/27/2023 04:52:00 About to delete scheduled task: Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
02/27/2023 04:52:01 Succeeded to remove scheduled task: Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
02/27/2023 04:52:01 succeeded removing the 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task !
02/27/2023 04:52:01 adding reg key to confirm key upload status
02/27/2023 04:52:01 Creating a RunOnce reg key to trigger intune sync
02/27/2023 04:52:01 succeeded to create the RunOnce registry key
02/27/2023 04:52:01 doing a mandatory shutdown/restart...
02/27/2023 04:52:01 succeeded to issue the shutdown command, will restart in 5 seconds!
02/27/2023 04:52:01 script completed...

That's it!

Checking on the computer which was just enrolled, we can list the protectors using

manage-bde -protectors -get c:
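As an added check (not part of the original post), the PowerShell function below reports the same protector information from Get-BitLockerVolume and confirms the escrow from the BitLocker management log, where Event ID 845 records a successful backup of recovery information to Azure AD and 846 a failure. The function name is an assumption; ExternalKey should be false and RecoveryPassword true once the uploader has run.

```powershell
# Added verification helper, not from the post.
function Test-WhiteGloveKeyEscrow {
    param([string]$MountPoint = 'C:')

    $blv   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($blv.KeyProtector.KeyProtectorType)

    $result = [ordered]@{
        MountPoint          = $MountPoint
        VolumeStatus        = $blv.VolumeStatus
        ProtectionStatus    = $blv.ProtectionStatus
        HasTpm              = $types -contains 'Tpm'
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
        HasExternalKey      = $types -contains 'ExternalKey'   # expected $false after the BEK removal
        EscrowedToAAD       = $false
        LastEscrowEvent     = $null
    }

    # Newest 845 (success) or 846 (failure) event tells us the outcome of the last backup attempt.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($evt) {
        $result.EscrowedToAAD   = ($evt.Id -eq 845)
        $result.LastEscrowEvent = $evt.TimeCreated
    }

    [pscustomobject]$result
}

Test-WhiteGloveKeyEscrow | Format-List
```

A device that shows HasRecoveryPassword true but EscrowedToAAD false is the case to watch for: the recovery password exists only on the device, and the scheduled task should still be present so the upload is retried.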

confirm recovery info.png

Checking in Intune we can see the key is uploaded. Job done, I'd say!

show recovery key.png

Please join me in part 3, where we'll look at adding our successfully enrolled WhiteGlove computers into an Azure AD group to target them with additional policies (such as BitLocker), so that when the BitLocker recovery key is revealed in Intune or on the device, the policy will rotate the key and upload it to Intune.
