We repartition the drive prior to the pre-provisioning.  So it's starting from 
a clean drive.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Miller, Todd
Sent: Wednesday, September 28, 2016 10:29 AM
To: [email protected]
Subject: RE: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

Pre-provisioning is OK for new computers and for redoing computers that are 
already encrypted, but it is not so good if you are reinstalling a computer 
that was not previously encrypted.  Right?  Pre-provisioned BitLocker will only 
encrypt data as it is written to the disk.  If there is unencrypted data on the 
disk from a previous install and you use pre-provisioning - that data on unused 
portions of the disk is still unencrypted.

We like pre-provisioning, but it can be risky depending on the state of the 
computer and its data when you start.

Or is it possible to deploy as pre-provision and then switch to whole disk 
including unused space later?
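
An added example, not part of the thread, for the concern raised in the message above: it reads the OS volume's BitLocker state through the Win32_EncryptableVolume WMI class and, when the volume was encrypted used-space-only and its free space has not been wiped, runs manage-bde -WipeFreeSpace to overwrite remnants of an earlier unencrypted install. It assumes an elevated session in the deployed OS (not WinPE) and that the OS volume is the system drive.

```powershell
# Added example (not from the thread). Run elevated in the deployed OS.
$drive = $env:SystemDrive                      # assumption: OS volume, e.g. C:
$ns    = 'root\cimv2\Security\MicrosoftVolumeEncryption'

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $drive }
if (-not $vol) { throw "No BitLocker-capable volume found at $drive" }

$s = $vol.GetConversionStatus()
if ($s.ReturnValue -ne 0) {
    throw ('GetConversionStatus failed: 0x{0:X8}' -f $s.ReturnValue)
}

# Value names as documented for Win32_EncryptableVolume.GetConversionStatus
$conversion = @('FullyDecrypted', 'FullyEncrypted', 'EncryptionInProgress',
                'DecryptionInProgress', 'EncryptionPaused', 'DecryptionPaused')
$wiping     = @('FreeSpaceNotWiped', 'FreeSpaceWiped',
                'FreeSpaceWipingInProgress', 'FreeSpaceWipingPaused')

# EncryptionFlags bit 0x1 = data-only (used-space-only) encryption mode
$usedSpaceOnly = ($s.EncryptionFlags -band 0x1) -ne 0

[pscustomobject]@{
    Drive         = $drive
    Conversion    = $conversion[$s.ConversionStatus]
    EncryptedPct  = $s.EncryptionPercentage
    UsedSpaceOnly = $usedSpaceOnly
    FreeSpace     = $wiping[$s.WipingStatus]
} | Format-List

# Only wipe when encryption has finished, was used-space-only,
# and no wipe has been started or completed yet.
$needsWipe = ($s.ConversionStatus -eq 1) -and $usedSpaceOnly -and
             ($s.WipingStatus -eq 0)

if ($needsWipe) {
    Write-Host "Wiping free space on $drive (this can take a long time)..."
    & manage-bde.exe -WipeFreeSpace $drive
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -WipeFreeSpace exited with code $LASTEXITCODE"
    }
} else {
    Write-Host "No free-space wipe started for $drive."
}
```

Progress of a running wipe shows up in the same status query and in `manage-bde -status`.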

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Marable, Mike
Sent: Friday, September 23, 2016 9:11 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

We do the following for the TPM at the start of the build:

1)      Ensure that TPM is turned on in the BIOS

2)      Disable auto provisioning

a.       Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).DisableAutoprovisioning()"

3)      Enable the TPM

a.       Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).SetPhysicalPresenceRequest(1)"

4)      Activate the TPM

a.       Powershell.exe -Command "(gwmi -class win32_tpm -Namespace root\cimv2\security\microsofttpm).SetPhysicalPresenceRequest(3)"

Then immediately after the disk is partitioned we use the built-in pre-provision 
BitLocker action.
Next we apply the image.


Towards the end we install the MBAM client.
Reboot
Run the "Invoke-MbamClientDeployment.ps1"

This is where we get our failure.
"Failed to add Numerical Password protector to device"



From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Denzik, Josh
Sent: Friday, September 23, 2016 8:50 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

I am also getting an "already owned" error in the smsts log. Mike, are you doing 
anything else to the TPM before the pre-provision step?

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Denzik, Josh
Sent: Friday, September 23, 2016 6:42 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning



Thanks Mike! Please let me know if you find anything else out.


On Sep 22, 2016, at 7:03 PM, Marable, Mike 
<[email protected]<mailto:[email protected]>> wrote:
Josh,

We are able to successfully pre-provision BitLocker but our MBAM config script 
fails after installing the MBAM client.  If I remember the error message it is 
something about MBAM being unable to set the numeric password.

We get it pre-provisioned fine.  The MBAM client installs successfully, but the 
MBAM config script (sorry I cannot remember its name) is what fails.

I believe we're using the SCCM+MDT default partitioning for UEFI as well.

I'll VPN in later and get the details.  Right now I don't think I'm being much 
help.  :)

Mike



From: <[email protected]<mailto:[email protected]>> 
on behalf of "Denzik, Josh" <[email protected]<mailto:[email protected]>>
Reply-To: "[email protected]<mailto:[email protected]>" 
<[email protected]<mailto:[email protected]>>
Date: Thursday, September 22, 2016 at 3:39 PM
To: "[email protected]<mailto:[email protected]>" 
<[email protected]<mailto:[email protected]>>
Subject: [MDT-OSD] Surface Pro 4 Bitlocker Pre-Provisioning

All,

Has anyone been successful using the pre-provision step on a Surface Pro 4? We 
currently use MBAM to turn on BitLocker in the task sequence. We have successfully 
been able to pre-provision Dell and Lenovo machines with UEFI BIOS. I read that 
it might have something to do with the size of the Windows RE partition...? Any 
insight would be helpful.

-Josh

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues


________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the 
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is intended only 
for the use of the individual or entity to which it is addressed, and may 
contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If you are not the intended recipient, any 
dissemination, distribution or copying of this communication is strictly 
prohibited. If you have received this communication in error, please notify the 
sender immediately and delete or destroy all copies of the original message and 
attachments thereto. Email sent to or from UI Health Care may be retained as 
required by law or regulation. Thank you.
________________________________