Hi guys, I have 2 main issues and I am struggling to understand if it is environmental, or just "mental"?

We are SCCM CB 1606, and ADK build 1607 with updated boot images. I have Windows 10 1607, with the 10/11/2016 CU pre-installed, in a standard (non-MDT) client task sequence. We have the MB 2.5 SP1 agent and the September servicing release patch for the MBAM client in the task sequence (have not updated the servers yet). We are using the MBAM enablement scripts from Microsoft; the SaveTPMOwnerAuth script and the "EnableMBAM" PowerShell script are where they need to be in the TS. I get no errors during the task sequence at all.

1. No Win 10 devices are getting their TPM owner auth hash in the MBAM database.

2. On the Surface devices only, when the MBAM client gets policy that a PIN is now required, I see the event that MBAM policy has changed and it sets the non-compliance date, I see it remove the protector and shut off BitLocker on the OS drive, but the MBAM client UI never appears. If I run it manually, I set the PIN, reboot, and everything works fine. The same exact task sequence and policy work as intended on an HP EliteBook 850 G3.

My last comment: we DO have the "Enable use of BitLocker authentication requiring preboot keyboard input on slates" policy enabled. Please, thank you and have a nice weekend.
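The following is an added diagnostic script, not part of the original post and not Microsoft's MBAM tooling; it collects in one place the client-side state a practitioner would compare between a device that escrows its TPM owner auth hash and shows the MBAM client UI (the EliteBook above) and one that does not (the Surface). It assumes a Windows 10 client with the MBAM 2.5 SP1 agent installed and uses the registry keys the MBAM client and the enablement script write under HKLM\SOFTWARE\Microsoft\MBAM and HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement, the Microsoft-Windows-MBAM event logs, and the default install path of MBAMClientUI.exe; treat those names as assumptions if your build differs. Two things worth looking at in its output: Windows 10 1607 changed how much TPM owner authorization the OS keeps locally (Get-Tpm's ManagedAuthLevel and the OSManagedAuthLevel TPM policy), which matters for a device whose hash never reaches the database, and the slate policy (OSEnablePrebootInputProtectorsOnSlates) that the post says is enabled:

```powershell
# Added diagnostic (not from the original post). Run elevated on the client.
# Registry paths, log names and the UI path below are assumptions about a
# default MBAM 2.5 SP1 install on Windows 10 1607.
#Requires -RunAsAdministrator

function Get-TpmOwnerAuthState {
    # Get-Tpm (TrustedPlatformModule module) reports whether the OS still holds
    # the owner authorization value and at what level it manages it. MBAM can
    # only escrow an owner auth hash if the OS has something to hand over.
    $tpm = Get-Tpm
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        OwnerAuthHeldLocally = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
        ManagedAuthLevel    = $tpm.ManagedAuthLevel          # Legacy / Delegated / Full
        OSManagedAuthLevel  = $policy.OSManagedAuthLevel      # policy value, $null if not set
    }
}

function Get-MbamClientState {
    # Where the EnableMBAM script and the MBAM GPO land on the client.
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MBAM' -ErrorAction SilentlyContinue
    $gpo    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement' -ErrorAction SilentlyContinue
    $fve    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AgentService             = if ($svc) { $svc.Status } else { 'not installed' }
        DeploymentTime           = $local.DeploymentTime            # 1 = task-sequence mode
        KeyRecoveryEndpoint      = if ($local.KeyRecoveryServiceEndPoint) { $local.KeyRecoveryServiceEndPoint } else { $gpo.KeyRecoveryServiceEndPoint }
        StatusReportingEndpoint  = if ($local.StatusReportingServiceEndPoint) { $local.StatusReportingServiceEndPoint } else { $gpo.StatusReportingServiceEndPoint }
        PrebootInputOnSlates     = $fve.OSEnablePrebootInputProtectorsOnSlates   # 1 = slate policy enabled
        OSDriveProtection        = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
        OSDriveProtectors        = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector.KeyProtectorType -join ','
    }
}

function Get-MbamRecentEvents {
    # Recent MBAM client events; the Admin log carries the escrow and policy
    # errors, the Operational log the "policy changed" / non-compliance entries
    # the post describes.
    param([int]$Count = 25)
    foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
        Get-WinEvent -LogName $log -MaxEvents $Count -ErrorAction SilentlyContinue |
            Select-Object @{n='Log';e={$log}}, TimeCreated, Id, LevelDisplayName, Message
    }
}

function Test-MbamClientUi {
    # Confirms the UI binary is where a default install puts it, so a failure to
    # show it can be separated from a missing or relocated binary. Assumed path.
    $ui = Join-Path $env:ProgramFiles 'Microsoft\MDOP MBAM\MBAMClientUI.exe'
    [pscustomobject]@{ Path = $ui; Exists = Test-Path $ui }
}

Get-TpmOwnerAuthState | Format-List
Get-MbamClientState   | Format-List
Test-MbamClientUi     | Format-List
Get-MbamRecentEvents  | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Run it on both the Surface and the EliteBook after the task sequence completes and diff the two outputs; an OwnerAuthHeldLocally of False with ManagedAuthLevel other than Full on the device that never escrows, or a PrebootInputOnSlates value that differs between the two, is the kind of discrepancy that narrows the first issue to TPM owner-auth retention and the second to policy application rather than to the task sequence itself.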

