Hi guys have 2 main issues and I am struggling to understand if it is
environmental, or just "mental"?

We are SCCM CB 1606, and ADK build 1607 with updated boot images.

I have Windows 10 1607, with the 10/11/2016 CU pre-installed, in a standard
(non-MDT) client task sequence.

We have the MB 2.5 SP1 agent and the September servicing release patch for
the MBAM client in the Task sequence (Have not updated the servers yet). We
are using the MBAM enablement scripts from microsoft; the SaveTPM ownerAuth
script, and the "EnableMBAM" powershell are where they need to be in the
TS.  I get no errors during the Task sequence at all.

1. No Win 10 devices are getting their TPM owner auth hash in the MBAM
database.

2. On the surface devices only, when the MBAM Client gets policy that a PIN
is now required, I see the event that MBAM policy has changed and it sets
the non-compliance date, I see it remove the protector and shutoff
bitlocker on the OS drive, but the MBAMclientUI never appears.  If I run it
manually, I set the pin, reboot, everything works fine.  Same exact task
sequence and policy work as intended on an HP elitebook 850 G3.

My last comment, we DO have the "Enable use of Bitlocker authentication
requiring preboot keyboard input on slates" policy enabled.

Please, thank you and have a nice weekend.


Reply via email to