Note: This method is not officially supported by Microsoft. That said, this speeds up compliance and more importantly increases security as the device is already encrypted (part 1) before the user logs on (part 2). BitLocker recovery key changes after the user has completed enrolment are handled automatically (part 3).
Windows Autopilot preprovisioning (WhiteGlove) is the ability to pre-stage content and policies to devices while it's been installed in the factory. We had a challenge to speed up the overall compliance of Windows Autopilot devices and the obvious solution was to stage as much content as we could during pre-provisioning (WhiteGlove) but to also enable BitLocker encryption during that process, the only problem is that Microsoft don't officially support BitLocker encryption during the WhiteGlove scenario as the recovery key information is only uploaded after a user logs in. In our initial testing, Bitlocker disk encryption wouldn't even start until the user logged in.
That is not so much of a problem for a small amount of content on the hard disc but what if you have hundreds of Gigabytes of data to encrypt which could potentially take hours to encrypt after the user has logged on. As BitLocker encryption is a common Compliance policy setting, this needed to be addressed.
The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to only upload the key to Intune once the user actually enrolled the device. That need brought about this solution which is in 3 parts. The first part covers device encryption during provisioning at the factory. The second part uploads the recovery key to Intune after the user has signed in and completed WHFB setup and the final part moves those successfully encrypted devices to a WhiteGlove_Completed azure ad group targeted with BitLocker policy to take care of rotating recovery key info etc.
The Win32 app in this part actually does a few things namely:
creates a scheduled task which is triggered on an event id
extracts a second script which does the following
removes the BEK protector
adds a numerical password protector
uploads the recovery information to Intune
*if the above is successful*
removes the users local admin permissions
adds a runonce regkey for the next login
adds a reg key to show that all is completed
deletes the scheduled task
restart the computer to speed up BitLocker compliance with a 5 second warning
Step 1. Add the Win32 app
Using the latest version of the IntuneWinappUtil.exe app, create a Win32 app called Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune. The app is in the attached 7 ZIP file, use 7-Zip to decompress.
Note: Only logged on members of windows-noob.com can download this file.
File or folder:Installed_WhiteGlove_Bitlocker_key_uploader.txt
Detection method: File or folder exists
Next, configure the following Dependencies for the Win32 app
finally, assign the Win32 app as Required to our WhiteGlove Computers Azure ad group created in part 1.
Step 2. Enroll a provisioned device
Now that you've completed parts 1 and 2, you are ready to review what happens with the new Win32 app. After the user logs on, the ESP does it's thing and starts Account Setup, during this phased the Windows Hello For Business (WHFB) setup starts. Once completed the end user will see something like this.
This generates an EventID (Microsoft-Windows-User Device Registration/Admin">*[System[(EventID=300))
and that event ID triggers our scheduled task to run the associated win.ap.upload.bitlocker.key.after.whiteglove.vbs script which in turn launches the powershell script of the same name.
That script does all the points mentioned above and then restarts the computer within 5 seconds to enforce compliance quickly.
Troubleshooting
This Win32App creates some files which are extracted to C:\Windows\Temp. Review the log files for the generation of the Scheduled Task. Below is a reference log file, use it to compare to your attempts.
02/27/202304:49:16Starting the 'Win.AP.CreateScheduledTask_win.ap.upload.bitlocker.key.after.whiteglove' version '0.16' script...02/27/202304:49:16Starting initial checks to determine if we should exitfrom the script ifnot...02/27/202304:49:16Logged on user method#1 detected as: 'AP-5CG03729P0\defaultuser0'02/27/202304:49:16Logged on user method#2 detected as: 'AP-5CG03729P0$'02/27/202304:49:16Lookingfor the following Regpath:'HKLM:\Software\WOW6432Node\windows-noob\WhiteGlove\'...
02/27/2023 04:49:16 testing reg key
02/27/2023 04:49:16 returning true to reg key check
02/27/2023 04:49:16 The required WhiteGlove registry key was found, continuing script
02/27/2023 04:49:16 Found: 'EncryptedDuringWhiteGlove'
02/27/2023 04:49:16 Logged on user is: AP-5CG03729P0\defaultuser0
02/27/2023 04:49:16 extracting scripts to 'C:\Windows\Temp'...
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.ps1
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.vbs
02/27/2023 04:49:16 Creating windows-noob foldername...
02/27/2023 04:49:16 Creating scheduled task...
02/27/2023 04:49:18 Info: The scheduled task doesn't exist, will create it.02/27/202304:49:18 DEBUG:Using the following values for the scheduled task:02/27/202304:49:18 DEBUG:User:'AP-5CG03729P0\defaultuser0'Time:''Script:'C:\Windows\Temp\win.ap.upload.bitlocker.key.after.whiteglove.vbs'Action:'MSFT_TaskExecAction'Trigger:'MSFT_TaskLogonTrigger'Settings:'MSFT_TaskSettings3'Principal:'MSFT_TaskPrincipal2'Foldername:'windows-noob'.02/27/202304:49:18 about to create the scheduled task...02/27/202304:49:18Succeededin creating the scheduled task
02/27/202304:49:19 DEBUG: task=MSFT_ScheduledTask (TaskName="Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\") taskName=Win.AP.WhiteGlove.UploadBitLockerKeyToIntune run=02/27/202304:50:1802/27/202304:49:19 DEBUG: settings the scheduled task settings=MSFT_ScheduledTask (TaskName="Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\")02/27/202304:49:19Exiting script.
Below is the log file from the which uploads the key
02/27/202304:51:48Starting script:'win.ap.upload.bitlocker.key.after.whiteglove' version:'0.14'...02/27/202304:51:48Checking logged on user to determine if we are still in the ESP ornot.02/27/202304:51:49Notin ESP, will continue!02/27/202304:51:49Removing BEK...02/27/202304:51:49 removing BEK protector
02/27/202304:51:51 DEBUG: BLV ='C:'02/27/202304:51:51 attempting to remove protector...02/27/202304:51:52 succeeded removing protector!02/27/202304:51:52 DEBUG: BLV ='C:'02/27/202304:51:52Adding RK...02/27/202304:51:52 adding recovery password...02/27/202304:51:53 succeeded adding protector !02/27/202304:51:5302/27/202304:51:53 about to upload key to Azure02/27/202304:51:55 succeeded to upload the BitLocker recovery key to Azure!02/27/202304:51:55 removing user 'AzureAD\NiallBrady'fromLocalAdminsgroup02/27/202304:51:55 succeeded to remove the user from the group02/27/202304:51:55 about to remove the Scheduled task
02/27/202304:52:00Info:The'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task exists, removing the scheduled task...02/27/202304:52:00About to delete scheduled task:Win.AP.WhiteGlove.UploadBitLockerKeyToIntune02/27/202304:52:01Succeeded to remove scheduled task:Win.AP.WhiteGlove.UploadBitLockerKeyToIntune02/27/202304:52:01 succeeded removing the 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task !02/27/202304:52:01 adding reg key to confirm key upload status
02/27/202304:52:01Creating a RunOnce reg key to trigger intune sync
02/27/202304:52:01 succeeded to create the RunOnce registry key
02/27/202304:52:01 doing a mandatory shutdown/restart...02/27/202304:52:01 succeeded to issue the shutdown command, will restart in5 seconds!02/27/202304:52:01 script completed...
That's it !
checking on the computer which was just enrolled we can determine the Protectors using
manage-bde -protectors -get c:
Checking in Intune we can see the key is uploaded, job done i'd say !
Please join me in part 3 where we'll look at adding our successfully enrolled WhiteGlove computers into an Azure AD group to target them with additional policies (such as BitLocker) so that when the BitLocker recovery key is revealed in Intune or on the device, that the policy will rotate the key and upload it to Intune
Introduction
Note: This method is not officially supported by Microsoft. That said, this speeds up compliance and more importantly increases security as the device is already encrypted (part 1) before the user logs on (part 2). BitLocker recovery key changes after the user has completed enrolment are handled automatically (part 3).
Windows Autopilot preprovisioning (WhiteGlove) is the ability to pre-stage content and policies to devices while it's been installed in the factory. We had a challenge to speed up the overall compliance of Windows Autopilot devices and the obvious solution was to stage as much content as we could during pre-provisioning (WhiteGlove) but to also enable BitLocker encryption during that process, the only problem is that Microsoft don't officially support BitLocker encryption during the WhiteGlove scenario as the recovery key information is only uploaded after a user logs in. In our initial testing, Bitlocker disk encryption wouldn't even start until the user logged in.
That is not so much of a problem for a small amount of content on the hard disc but what if you have hundreds of Gigabytes of data to encrypt which could potentially take hours to encrypt after the user has logged on. As BitLocker encryption is a common Compliance policy setting, this needed to be addressed.
The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to only upload the key to Intune once the user actually enrolled the device. That need brought about this solution which is in 3 parts. The first part covers device encryption during provisioning at the factory. The second part uploads the recovery key to Intune after the user has signed in and completed WHFB setup and the final part moves those successfully encrypted devices to a WhiteGlove_Completed azure ad group targeted with BitLocker policy to take care of rotating recovery key info etc.
All parts are listed below:
The Win32 app in this part actually does a few things namely:
Step 1. Add the Win32 app
Using the latest version of the IntuneWinappUtil.exe app, create a Win32 app called Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune. The app is in the attached 7 ZIP file, use 7-Zip to decompress.
Note: Only logged on members of windows-noob.com can download this file.
WhiteGlove - Upload bitlocker key after user login.7z
Configure the app settings as follows:
Name: Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
Program Install command: install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Program uninstall command: install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
0 Success
1707 Success
3010 Soft reboot
1641 Hard reboot
1618 Retry
Requirements
Operating system architecture: x64
Minimum operating system Windows 10 1903
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\windows-noob\WhiteGlove
as per the screenshot below:
Detection rules
Rules format: Manually configure detection rules
Detection rules File: C:\Windows
File or folder: Installed_WhiteGlove_Bitlocker_key_uploader.txt
Detection method: File or folder exists
Next, configure the following Dependencies for the Win32 app
finally, assign the Win32 app as Required to our WhiteGlove Computers Azure ad group created in part 1.
Step 2. Enroll a provisioned device
Now that you've completed parts 1 and 2, you are ready to review what happens with the new Win32 app. After the user logs on, the ESP does it's thing and starts Account Setup, during this phased the Windows Hello For Business (WHFB) setup starts. Once completed the end user will see something like this.
This generates an EventID (Microsoft-Windows-User Device Registration/Admin">*[System[(EventID=300))
and that event ID triggers our scheduled task to run the associated win.ap.upload.bitlocker.key.after.whiteglove.vbs script which in turn launches the powershell script of the same name.
That script does all the points mentioned above and then restarts the computer within 5 seconds to enforce compliance quickly.
Troubleshooting
This Win32App creates some files which are extracted to C:\Windows\Temp. Review the log files for the generation of the Scheduled Task. Below is a reference log file, use it to compare to your attempts.
Below is the log file from the which uploads the key
That's it !
checking on the computer which was just enrolled we can determine the Protectors using
manage-bde -protectors -get c:Checking in Intune we can see the key is uploaded, job done i'd say !
Please join me in part 3 where we'll look at adding our successfully enrolled WhiteGlove computers into an Azure AD group to target them with additional policies (such as BitLocker) so that when the BitLocker recovery key is revealed in Intune or on the device, that the policy will rotate the key and upload it to Intune
Recommended reading
Share this post
Link to post
Share on other sites