Encrypting devices during Windows Autopilot provisioning (WhiteGlove) – Part 2

Introduction

Windows Autopilot pre-provisioning (WhiteGlove) lets you stage content and policies on a device before it reaches the end user, for example while it is still at the factory or reseller. We needed to shorten the time it takes Windows Autopilot devices to become compliant, and the obvious answer was to stage as much content as possible during pre-provisioning and to enable BitLocker encryption during that process as well. The problem is that Microsoft doesn't officially support BitLocker encryption in the WhiteGlove scenario, because the recovery key information is only uploaded when a user logs in.

In our initial testing, encryption itself didn't even start until the user logged in. That is not much of a problem for a small amount of data on the disk, but with hundreds of gigabytes to encrypt it could take hours after the user has logged on, and because BitLocker encryption is a common compliance policy setting the device stays non-compliant for all of that time. The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to upload the key to Intune only once the user actually enrolled the device. That need brought about this solution, which is in three parts.

In Part 1 you configured your environment and added a Win32 app that enforces encryption during WhiteGlove provisioning, leaving the device fully encrypted by BitLocker before the end user enrolls it. You also saw how to initiate WhiteGlove provisioning and reseal the device. In this part you'll add another Win32 app that uploads the BitLocker recovery information to Intune after the user has enrolled the device, and specifically after Windows Hello for Business (WHFB) setup, which runs right at the end of enrollment, has completed.

To see the other parts in this mini-series see below:

The Win32 app in this part actually does a few things, namely:

  • creates a scheduled task that is triggered by an event ID
  • extracts a second script which does the following:
    • removes the external key (BEK) protector
    • adds a numerical (recovery) password protector
    • uploads the recovery information to Intune
    • *only if the above succeeded*:
      • removes the user's local admin permissions
      • adds a RunOnce registry key for the next login
      • adds a registry key recording that everything completed
      • deletes the scheduled task
      • restarts the computer (with a 5 second warning) to speed up BitLocker compliance
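The second script described in the list above, written out as an added example. This is not the windows-noob.com script; it uses the built-in BitLocker and LocalAccounts cmdlets and follows the page's step order with one deliberate change: the recovery password is added and escrowed first and the external key (.bek) is removed afterwards, so the volume never sits without a recovery path in between. The marker value name, the RunOnce command, the log path and the TPM check are assumptions, not taken from the original.

```powershell
# Added example (not the windows-noob.com script): rotate the BitLocker protectors on the OS
# volume after the user has enrolled the device and escrow the recovery password to Azure AD /
# Intune. Intended to run as SYSTEM from the event-triggered scheduled task. Registry value
# names, the RunOnce command and the log path are assumptions, not taken from the original.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$MarkerPath = 'HKLM:\SOFTWARE\WOW6432Node\windows-noob\WhiteGlove',
    [string]$TaskName   = 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune',
    [string]$TaskPath   = '\windows-noob\',
    [string]$LogFile    = "$env:windir\Temp\win.ap.upload.bitlocker.key.after.whiteglove.log"
)
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'MM/dd/yyyy HH:mm:ss') $Message" | Tee-Object -FilePath $LogFile -Append
}

# Escrow first, then remove the external key, so the volume never has a moment without a
# recovery path. Returns the ID of the recovery password protector that was escrowed.
function Invoke-RecoveryKeyRotation([string]$MountPoint) {
    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($blv.VolumeStatus -eq 'FullyDecrypted') {
        throw "$MountPoint is not encrypted; nothing to escrow."
    }
    if (-not ($blv.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        throw "$MountPoint has no TPM protector; refusing to remove the external key."
    }
    $before = @($blv.KeyProtector.KeyProtectorId)
    $blv    = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newRp  = $blv.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before }
    Write-Log "Added recovery password protector $($newRp.KeyProtectorId)"

    # Escrow to Azure AD (the device must be Azure AD joined). With ErrorActionPreference=Stop a
    # failed upload throws, which is what the caller's try/catch keys off.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newRp.KeyProtectorId | Out-Null
    Write-Log 'Escrowed recovery password to Azure AD'

    foreach ($ek in @($blv.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $ek.KeyProtectorId | Out-Null
        Write-Log "Removed external key (.bek) protector $($ek.KeyProtectorId)"
    }
    return $newRp.KeyProtectorId
}

# Everything here runs only after escrow succeeded (the caller guards with try/catch).
function Complete-PostEscrowSteps([string]$User) {
    if ($User -and $User -notlike '*\defaultuser0') {
        Remove-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue
        Write-Log "Removed '$User' from the local Administrators group"
    }
    New-Item -Path $MarkerPath -Force | Out-Null
    Set-ItemProperty -Path $MarkerPath -Name 'RecoveryKeyUploaded' -Value (Get-Date -Format 'o')  # assumed value name
    # RunOnce entry for the next logon; the command it runs is an assumption (the page does not say).
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
        -Name 'WhiteGloveIntuneSync' `
        -Value 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Process intunemanagementextension://syncapp"'
    Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
    Write-Log 'Restarting in 5 seconds so the compliance evaluation picks up the new state'
    shutdown.exe /r /t 5 /c 'BitLocker recovery key escrowed; restarting'
}

Write-Log 'Starting recovery key escrow'
# Win32_ComputerSystem.UserName is 'AzureAD\<name>' for the enrolling user and '<host>\defaultuser0'
# while the Enrollment Status Page is still running; bail out in the latter case.
$loggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $loggedOn -or $loggedOn -like '*\defaultuser0') {
    Write-Log "Still in the ESP (logged-on user '$loggedOn'); exiting without changes."
    exit 0
}
try {
    $id = Invoke-RecoveryKeyRotation -MountPoint $MountPoint
    Complete-PostEscrowSteps -User $loggedOn
    Write-Log "Completed; escrowed protector $id"
    exit 0
} catch {
    # Leave the task and the external key in place so the run can be repeated after the cause is fixed.
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The TPM check matters: once the external key is gone, the TPM protector is the only thing that unlocks the OS volume at boot, so the script refuses to remove it on a volume that has no TPM protector. Likewise the admin removal and the task deletion only happen after `BackupToAAD-BitLockerKeyProtector` returned without throwing, so a failed upload leaves the device in a state you can re-run the task from.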

Step 1. Add the Win32 app

Using the latest version of IntuneWinAppUtil.exe, create a Win32 app called Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune. The app is in the attached 7-Zip archive; use 7-Zip to decompress it.

Note: Only logged-on members of windows-noob.com can download this file.

WhiteGlove – Upload bitlocker key after user login.7z (18.27 kB)

Configure the app settings as follows:

Name: Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
Install command: install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Uninstall command: install.Win.AP.CreateScheduledTask_Win.AP.WhiteGlove.UploadBitLockerKeyToIntune.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
  0    Success
  1707 Success
  3010 Soft reboot
  1641 Hard reboot
  1618 Retry

Requirements

Operating system architecture: x64
Minimum operating system: Windows 10 1903

Additional requirement rule (registry): HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\windows-noob\WhiteGlove

as per the screenshot below:

registry requirements.png


Detection rules

Rules format: Manually configure detection rules
Rule type: File
Path: C:\Windows
File or folder: Installed_WhiteGlove_Bitlocker_key_uploader.txt
Detection method: File or folder exists

detection rule.png

Next, configure the following Dependencies for the Win32 app

dependencies.png

Finally, assign the Win32 app as Required to the WhiteGlove Computers Azure AD group created in Part 1.

assignments.png


Step 2. Enroll a provisioned device

Now that you've completed Parts 1 and 2, you are ready to review what happens with the new Win32 app. After the user logs on, the ESP does its thing and starts Account Setup; during this phase the Windows Hello for Business (WHFB) setup starts. Once it completes, the end user will see something like this:

whfb completed.png

Successful WHFB key registration writes Event ID 300 to the Microsoft-Windows-User Device Registration/Admin event log. The scheduled task subscribes to that log with the XPath filter *[System[(EventID=300)]], which is the filter Event Viewer produces when you create a custom view on that event.

user device registration.png

That event triggers our scheduled task, which runs the associated win.ap.upload.bitlocker.key.after.whiteglove.vbs script, which in turn launches the PowerShell script of the same name. That script does everything listed above and then restarts the computer so compliance is evaluated quickly.
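The task registration that the installer performs, as an added example rather than the page's own installer script. New-ScheduledTaskTrigger cannot create event triggers, so the trigger is built as an MSFT_TaskEventTrigger CIM instance carrying the Event ID 300 subscription described above. Two simplifications are mine and not from the page: the task runs the PowerShell script directly instead of through the .vbs wrapper, and it runs as SYSTEM with a 15-minute execution limit. The script path and the task and folder names match the ones the page uses.

```powershell
# Added example (not the windows-noob.com installer): register a scheduled task that fires when
# Windows Hello for Business key registration logs Event ID 300 in the
# Microsoft-Windows-User Device Registration/Admin log, and run the escrow script as SYSTEM.
# Running PowerShell directly (no .vbs wrapper) and the 15-minute limit are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$TaskName   = 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune',
    [string]$TaskPath   = '\windows-noob\',
    [string]$ScriptPath = "$env:windir\Temp\win.ap.upload.bitlocker.key.after.whiteglove.ps1"
)
$ErrorActionPreference = 'Stop'
$LogName = 'Microsoft-Windows-User Device Registration/Admin'

# Event subscription in the same XML form Event Viewer's "Create Custom View" produces.
function New-WhfbEventSubscription([string]$LogName, [int]$EventId) {
    return @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(EventID=$EventId)]]</Select>
  </Query>
</QueryList>
"@
}

function Register-WhfbTriggeredTask {
    # New-ScheduledTaskTrigger has no event trigger, so build MSFT_TaskEventTrigger directly via CIM.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = New-WhfbEventSubscription -LogName $LogName -EventId 300

    $action = New-ScheduledTaskAction -Execute "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    # SYSTEM so the task can change BitLocker protectors and local group membership.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
        -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 15)

    # Re-registering is idempotent: drop any existing copy first.
    if (Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Confirm:$false
    }
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action `
        -Trigger $trigger -Principal $principal -Settings $settings | Out-Null
}

# Troubleshooting helper: has the WHFB registration event already fired on this device?
function Get-WhfbRegistrationEvent {
    Get-WinEvent -LogName $LogName -FilterXPath '*[System[(EventID=300)]]' -MaxEvents 1 -ErrorAction SilentlyContinue
}

Register-WhfbTriggeredTask
Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath | Select-Object TaskName, State
if (Get-WhfbRegistrationEvent) {
    Write-Warning 'Event 300 is already present; the task will not fire again until the next WHFB key registration.'
}
```

The warning at the end is the caveat a practitioner wants: Event ID 300 is logged once per WHFB key registration, so if the task is registered after the event has already been written it will not fire on its own. In that case run it by hand with `Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath` and check the task's Last Run Result in Task Scheduler.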

Troubleshooting

This Win32 app extracts its scripts to C:\Windows\Temp. Review the log file from the scheduled task creation first. Below is a reference log file; use it to compare against your own attempts.

02/27/2023 04:49:16 Starting the 'Win.AP.CreateScheduledTask_win.ap.upload.bitlocker.key.after.whiteglove' version '0.16' script...
02/27/2023 04:49:16 Starting initial checks to determine if we should exit from the script if not...
02/27/2023 04:49:16 Logged on user method#1 detected as: 'AP-5CG03729P0\defaultuser0'
02/27/2023 04:49:16 Logged on user method#2 detected as: 'AP-5CG03729P0$'
02/27/2023 04:49:16 Looking for the following Regpath: 'HKLM:\Software\WOW6432Node\windows-noob\WhiteGlove\'...
02/27/2023 04:49:16 testing reg key
02/27/2023 04:49:16 returning true to reg key check
02/27/2023 04:49:16 The required WhiteGlove registry key was found, continuing script
02/27/2023 04:49:16 Found: 'EncryptedDuringWhiteGlove'
02/27/2023 04:49:16  Logged on user is: AP-5CG03729P0\defaultuser0
02/27/2023 04:49:16 extracting scripts to 'C:\Windows\Temp'...
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.ps1
02/27/2023 04:49:16 decoding BASE64 encoded file...win.ap.upload.bitlocker.key.after.whiteglove.vbs
02/27/2023 04:49:16 Creating windows-noob foldername...
02/27/2023 04:49:16 Creating scheduled task...
02/27/2023 04:49:18 Info: The scheduled task doesn't exist, will create it.
02/27/2023 04:49:18 DEBUG: Using the following values for the scheduled task:
02/27/2023 04:49:18 DEBUG: User: 'AP-5CG03729P0\defaultuser0' Time: '' Script: 'C:\Windows\Temp\win.ap.upload.bitlocker.key.after.whiteglove.vbs' Action: 'MSFT_TaskExecAction' Trigger: 'MSFT_TaskLogonTrigger' Settings: 'MSFT_TaskSettings3' Principal: 'MSFT_TaskPrincipal2' Foldername: 'windows-noob'.
02/27/2023 04:49:18 about to create the scheduled task...
02/27/2023 04:49:18 Succeeded in creating the scheduled task
02/27/2023 04:49:19 DEBUG: task=MSFT_ScheduledTask (TaskName = "Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\") taskName=Win.AP.WhiteGlove.UploadBitLockerKeyToIntune run=02/27/2023 04:50:18
02/27/2023 04:49:19 DEBUG: settings the scheduled task settings=MSFT_ScheduledTask (TaskName = "Win.AP.WhiteGlove.UploadBitLockerKeyToI..., TaskPath = "\windows-noob\")
02/27/2023 04:49:19 Exiting script.

Below is the log file from the script which uploads the key.

02/27/2023 04:51:48 Starting script: 'win.ap.upload.bitlocker.key.after.whiteglove' version: '0.14'...
02/27/2023 04:51:48 Checking logged on user to determine if we are still in the ESP or not.
02/27/2023 04:51:49 Not in ESP, will continue!
02/27/2023 04:51:49 Removing BEK...
02/27/2023 04:51:49 removing BEK protector
02/27/2023 04:51:51 DEBUG: BLV = 'C:'
02/27/2023 04:51:51 attempting to remove protector...
02/27/2023 04:51:52 succeeded removing protector!
02/27/2023 04:51:52 DEBUG: BLV = 'C:'
02/27/2023 04:51:52 Adding RK...
02/27/2023 04:51:52 adding recovery password...
02/27/2023 04:51:53 succeeded adding protector !
02/27/2023 04:51:53
02/27/2023 04:51:53 about to upload key to Azure
02/27/2023 04:51:55 succeeded to upload the BitLocker recovery key to Azure !
02/27/2023 04:51:55 removing user 'AzureAD\NiallBrady' from Local Admins group
02/27/2023 04:51:55 succeeded to remove the user from the group
02/27/2023 04:51:55 about to remove the Scheduled task
02/27/2023 04:52:00 Info: The 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task exists, removing the scheduled task...
02/27/2023 04:52:00 About to delete scheduled task: Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
02/27/2023 04:52:01 Succeeded to remove scheduled task: Win.AP.WhiteGlove.UploadBitLockerKeyToIntune
02/27/2023 04:52:01 succeeded removing the 'Win.AP.WhiteGlove.UploadBitLockerKeyToIntune' scheduled task !
02/27/2023 04:52:01 adding reg key to confirm key upload status
02/27/2023 04:52:01 Creating a RunOnce reg key to trigger intune sync
02/27/2023 04:52:01 succeeded to create the RunOnce registry key
02/27/2023 04:52:01 doing a mandatory shutdown/restart...
02/27/2023 04:52:01 succeeded to issue the shutdown command, will restart in 5 seconds!
02/27/2023 04:52:01 script completed...

That’s it !

Checking on the computer which was just enrolled, we can list the protectors using

manage-bde -protectors -get c:

confirm recovery info.png


Checking in Intune we can see the key is uploaded. Job done, I'd say!

show recovery key.png


Please join me in Part 3, where we'll look at adding our successfully enrolled WhiteGlove computers to an Azure AD group so we can target them with additional policies (such as a BitLocker policy). That way, when the BitLocker recovery key is revealed in Intune or on the device, the policy rotates the key and uploads the new one to Intune.

This entry was posted in BitLocker, Compliance, win32 app, Windows AutoPilot.