anyweb

Encrypting devices during Windows Autopilot provisioning (WhiteGlove) - Part 1


Introduction

Note: This method is not officially supported by Microsoft. That said, it speeds up compliance and, more importantly, increases security, because the device is already encrypted (part 1) before the user logs on (part 2). BitLocker recovery key changes after the user has completed enrolment are handled automatically (part 3).

Note: I've updated the scripts 2023/12/23 to use new logging path and detection files instead of registry keys.

Windows Autopilot pre-provisioning (WhiteGlove) is the ability to pre-provision content and policies to devices while they are still at the factory.

We needed to speed up how quickly Windows Autopilot devices reach compliance. The obvious solution was to stage as much content as possible during pre-provisioning (WhiteGlove) and to enable BitLocker encryption during that process as well. The only problem is that Microsoft doesn't officially support BitLocker encryption in the WhiteGlove scenario, because the recovery key information is only uploaded after a user logs in. In our initial testing, BitLocker disk encryption wouldn't even start until the user logged in.

That is not much of a problem for a small amount of content on the hard disk, but what if you have hundreds of gigabytes of data to encrypt, which could take hours after the user has logged on? As BitLocker encryption is a common compliance policy setting, this needed to be addressed.

The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to only upload the key to Intune once the user actually enrolled the device. That need brought about this solution, which is in three parts. The first part covers device encryption during provisioning at the factory. The second part uploads the recovery key to Intune after the user has signed in and completed Windows Hello for Business (WHFB) setup. The final part moves the successfully encrypted devices to a WhiteGlove_Completed Azure AD group targeted with BitLocker policy, which takes care of rotating the recovery key information and so on.

All parts are listed below:

 

Step 1. Create an Azure AD group

In Microsoft Intune, create a dynamic device group called WhiteGlove Computers with a membership rule that matches the WhiteGlove Group Tag. This group will fill dynamically with computers that have the correct Group Tag assigned to them.

create azure ad group with grouptag.png

Below is the query used:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:WhiteGlove"))

Step 2. Exclude BitLocker configuration profiles from this group

Locate any existing BitLocker configuration profiles in your tenant and exclude them from this group, otherwise they will cause the solution to fail.

exclude bitlocker policy.png

Step 3. Allow Pre-provisioned deployment

Next, locate your Windows Autopilot Deployment Profiles and enable the WhiteGlove ability by turning on the Allow Pre-provisioned deployment setting. Deploy the profile to the group created in Step 1. This profile must also set a User Account Type of Local Admin. Don't panic, we'll be removing this local admin ability later on in the solution, before the end user can cause trouble.

In the example below you can see a Windows Autopilot deployment profile called Intune: Local admin.

Windows Autopilot Deployment Profile settings.png

Step 4. Exclude standard user deployment profiles

If you have any additional Deployment Profiles for Standard Users, make sure to exclude this group from those profiles, otherwise the devices won't get the settings needed for the second part of this solution.

exclude standard user deployment profiles.png

 

Step 5. Configure a WhiteGlove ESP

Configure at least one Enrollment Status Page (ESP) targeted to your WhiteGlove Computers Azure AD group.

WhiteGlove ESP.png

Step 6. Add a Win32 App

Next, using the latest version of the IntuneWinAppUtil.exe tool, create a Win32 app called Enable Bitlocker during Windows Autopilot WhiteGlove. This app will enable BitLocker during WhiteGlove at the factory. The app is in the attached 7-Zip file; use 7-Zip to uncompress it.

Note: Only logged on members of windows-noob.com can download this file.

WhiteGlove - Enable BitLocker During WhiteGlove preprovisioning.7z

 

Configure the app settings as follows:

Name: Enable Bitlocker during Windows Autopilot WhiteGlove
Program Install command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Program uninstall command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
0 Success
1707 Success
3010 Soft reboot
1641 Hard reboot
1618 Retry

Requirements:

Operating system architecture: x64
Minimum operating system Windows 10 1903

Detection rules:

Rules format Manually configure detection rules

Detection rules File

Path: C:\ProgramData\windowsnoob\WhiteGlove

File or folder: EncryptedDuringWhiteGlove.txt

Detection method: File or folder exists

detection rule.PNG

Next, assign the app as required to your WhiteGlove Computers AAD group.

assignments.png


Step 7. Add the Group tag to a test device

In this step, either import a new CSV for a Windows Autopilot device (or use an existing device) to test this on, and then add the WhiteGlove Group Tag to that Windows Autopilot device.

whiteglove group tag.png

Step 8. Provision the device

The staging of content and policies to the device normally takes place at the factory (OEM) or in the IT admin staging area. Start at the first screen of OOBE (shown below).

oobe first screen.png

The technician needs to press the Windows key five times to start provisioning mode.

Next, select Windows Autopilot provisioning from the list and click Continue.

Windows Autopilot Provisioning.png

If everything went well, it will download the correct Windows Autopilot deployment profile and display it (Intune: Local admin).

correct ESP loaded.png

Click Provision to start the staging process.

Once the ESP installs the Win32 app, it will begin encrypting the drive. You can verify this with the following command:

manage-bde -status

The next screenshots are from real hardware.

IMG_7002.JPG

Once all apps and policies are installed completely and successfully, the drive is fully encrypted and protected by the TPM, along with a BEK key stored temporarily on the SYSTEM partition.

encryption 100 percent completed.png

At this point the technician can click on Reseal to seal the device for user enrollment (Part 2).

reseal.png

That's it for this part. Please join me in Part 2, where we'll add the next Win32 app, which will do a bunch of actions including:

  • create a scheduled task to run a script when WHFB setup is completed
  • remove BEK protector
  • add numerical password protector
  • upload the key to Intune
  • restart the computer with a shutdown message to the end user

Troubleshooting

The Win32 app used in this part logs to C:\ProgramData\windowsnoob\WhiteGlove\win.ap.enable.bitlocker.during.whiteglove.log

Below are the contents of that log from a working WhiteGlove deployment; use it as a reference when comparing your own log file.

02/27/2023 04:33:46 Starting script: 'win.ap.enable.bitlocker.during.whiteglove' version: '0.11'...
02/27/2023 04:33:46 checking the current bitlocker encryption status
02/27/2023 04:33:47 Current Bitlocker Status: FullyDecrypted, None
02/27/2023 04:33:47 Fully decrypted, no need to decrypt
02/27/2023 04:33:47 starting TPM section
02/27/2023 04:33:48 TPM chip is currently owned, will not attempt to take ownership
02/27/2023 04:33:48 attempting to assign drive letter to the SYSTEM partition
02/27/2023 04:33:51 starting BitLocker Encryption section
02/27/2023 04:33:51 adding reg keys for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 adding AES-XTS256 reg key for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 Enabling BitLocker, TPM Protector and Recovery Password Protector
02/27/2023 04:34:10 enabling bitlocker worked YAY!!!!
02/27/2023 04:34:16 Current BL Status: C:, EncryptionInProgress, XtsAes256,Tpm ExternalKey
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '98'%.
02/27/2023 04:34:30 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:42 Percentage Encrypted: '98'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '100'%.
02/27/2023 04:35:03 Current BL Status: C:, FullyEncrypted, XtsAes256,Tpm ExternalKey
02/27/2023 04:35:03 removing drive letter assigned to the SYSTEM partition now...
02/27/2023 04:35:04 The drive is fully encrypted now :-), we are exiting the script !

Once encryption during WhiteGlove is completed, a reg key is created

encrypted during whiteglove reg key.png

and a file called EncryptedDuringWhiteGlove.txt is created in C:\ProgramData\windowsnoob\WhiteGlove

wg logs after enrollment.png

This file is used as the detection rule for this Win32 app, so the app is only detected as installed once it has completed encryption.
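To make the sequence recorded in the log above concrete, here is an added PowerShell example of those steps. It is not the script from the attached 7-Zip file and not the author's code; the log path and detection file path are the ones from this post, while the temporary drive letter S:, the five-second poll interval, and the decision to fail (rather than decrypt first) when the volume is not already fully decrypted are my own assumptions. It is the kind of script the install.win.ap.enable.bitlocker.during.whiteglove.cmd wrapper from Step 6 would launch as SYSTEM during the ESP.

```powershell
# Added example, not the post's script. Paths below are the ones named in the post.
$LogDir    = 'C:\ProgramData\windowsnoob\WhiteGlove'
$LogFile   = Join-Path $LogDir 'win.ap.enable.bitlocker.during.whiteglove.log'
$Marker    = Join-Path $LogDir 'EncryptedDuringWhiteGlove.txt'   # Intune detection rule file
$EspLetter = 'S:'   # assumption: temporary letter for the EFI SYSTEM partition

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 'MM/dd/yyyy HH:mm:ss'), $Message
    Add-Content -Path $LogFile -Value $line
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Write-Log "Starting script: 'win.ap.enable.bitlocker.during.whiteglove' (example build)..."

# 1. Only a fully decrypted OS volume is handled; an OEM-encrypted disk means the
#    automatic device encryption mentioned in the post's note was not disabled.
$vol = Get-BitLockerVolume -MountPoint 'C:'
Write-Log ('Current BitLocker Status: {0}, {1}' -f $vol.VolumeStatus, ($vol.KeyProtector.KeyProtectorType -join ' '))
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Log 'Volume is not fully decrypted; refusing to continue'
    exit 1
}

# 2. A TPM protector needs a present and ready TPM (the post's log shows it already owned)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Log 'TPM not present or not ready; cannot add a TPM protector'
    exit 1
}

# 3. Give the EFI SYSTEM partition a drive letter so the BEK can be written there
& mountvol.exe $EspLetter /s
if ($LASTEXITCODE -ne 0) { Write-Log "mountvol failed with exit code $LASTEXITCODE"; exit 1 }

$rc = 0
try {
    # 4. TPM protector with XTS-AES-256. SkipHardwareTest makes encryption start now
    #    instead of after the reboot-time hardware test.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector `
        -SkipHardwareTest -ErrorAction Stop | Out-Null
    # External key (BEK) on the SYSTEM partition. Part 2 of the post removes it and
    # replaces it with a numerical password that is uploaded to Intune.
    Add-BitLockerKeyProtector -MountPoint 'C:' -StartupKeyProtector `
        -StartupKeyPath "$EspLetter\" -ErrorAction Stop | Out-Null
    Write-Log 'Enabled BitLocker with Tpm and ExternalKey protectors'

    # 5. Poll until encryption finishes (the post's log prints one line per poll)
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint 'C:'
        Write-Log ("Percentage Encrypted: '{0}'%." -f $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Unexpected volume status $($vol.VolumeStatus)"
    }

    # 6. Write the detection file last, so Intune only sees the app as installed
    #    once the drive really is fully encrypted.
    Set-Content -Path $Marker -Value (Get-Date -Format 'o')
    Write-Log 'The drive is fully encrypted now, exiting'
}
catch {
    Write-Log "Failed: $_"
    $rc = 1
}
finally {
    & mountvol.exe $EspLetter /d    # drop the temporary SYSTEM partition letter again
    Write-Log 'removed drive letter assigned to the SYSTEM partition'
}
exit $rc
```

Writing EncryptedDuringWhiteGlove.txt only after VolumeStatus reaches FullyEncrypted is what gives the detection rule in Step 6 its meaning: a device on which encryption stalls never reports the app as installed, so the ESP fails instead of the technician resealing an unencrypted device. The ExternalKey protector is deliberately temporary; until Part 2 removes it and escrows a numerical password, the BEK on the SYSTEM partition is what allows the volume to be unlocked, which is why the post treats resealing and the Part 2 cleanup as one continuous flow.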

Note: This solution was originally tested and released for use on Windows 10 version 22H2, but it works just fine on Windows 11 version 22H2 or later. Do make sure that automatic BitLocker device encryption is disabled by the OEM (HP, Dell, Lenovo, etc.) or disable it yourself using the following method:

1. DISM mount your WIM image.
2. reg load HKLM\TEMP C:\mountpath\Windows\System32\config\SYSTEM
3. reg add HKLM\TEMP\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
4. reg unload HKLM\TEMP
5. DISM commit your changes.
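The five steps above as one PowerShell script, added here as an example; it is not part of the original post. The WIM path, image index and mount folder are assumptions (the post only names C:\mountpath). One check the example adds: an offline SYSTEM hive contains no CurrentControlSet key, because that is a link Windows creates at boot, so the script reads HKLM\TEMP\Select\Current to find the real ControlSet00N and writes PreventDeviceEncryption there, then reads the value back before unloading the hive.

```powershell
# Added example, not from the post: offline edit of a WIM to disable automatic
# BitLocker device encryption. Wim, Index and MountDir are assumptions.
$Wim      = 'D:\images\install.wim'   # assumption: path to your install.wim
$Index    = 1                         # assumption: image index to edit
$MountDir = 'C:\mountpath'            # mount folder named in the post
$HiveKey  = 'HKLM\TEMP'               # offline SYSTEM hive is loaded here

function Invoke-Step {
    # Run one native command and stop at the first non-zero exit code
    param([string]$What, [scriptblock]$Action)
    & $Action | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Invoke-Step 'DISM mount' { & dism.exe /Mount-Image "/ImageFile:$Wim" "/Index:$Index" "/MountDir:$MountDir" }
try {
    Invoke-Step 'reg load' { & reg.exe load $HiveKey "$MountDir\Windows\System32\config\SYSTEM" }
    try {
        # Offline hives have ControlSet001/002 plus Select; CurrentControlSet does not exist here.
        $current = (Get-ItemProperty -Path 'HKLM:\TEMP\Select' -Name Current).Current
        $ctlSet  = 'ControlSet{0:D3}' -f $current
        $keyPath = "$HiveKey\$ctlSet\Control\BitLocker"
        Invoke-Step 'reg add' { & reg.exe add $keyPath /v PreventDeviceEncryption /t REG_DWORD /d 1 /f }

        # Read the value back so a wrong path cannot pass silently
        $readBack = (Get-ItemProperty -Path "HKLM:\TEMP\$ctlSet\Control\BitLocker" -Name PreventDeviceEncryption).PreventDeviceEncryption
        if ($readBack -ne 1) { throw 'PreventDeviceEncryption was not set to 1' }
    }
    finally {
        [gc]::Collect()   # release registry provider handles so the hive unloads cleanly
        Invoke-Step 'reg unload' { & reg.exe unload $HiveKey }
    }
    Invoke-Step 'DISM commit' { & dism.exe /Unmount-Image "/MountDir:$MountDir" /Commit }
}
catch {
    Write-Error $_
    # Discard rather than commit a half-finished edit
    & dism.exe /Unmount-Image "/MountDir:$MountDir" /Discard | Out-Null
    exit 1
}
```

Run it from an elevated PowerShell session on the imaging workstation. The read-back check matters because reg.exe happily creates whatever path it is given, so a typo in the control set name would produce a value that Windows never reads while still reporting success.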


I have followed all steps, but when the script runs it keeps saying: "Percentage Encrypted 0%." and Autopilot will time out. This is on a Microsoft Surface device (Surface Laptop 5).

Also I tried to run the PowerShell command Clear-Tpm at the beginning of the script but it didn't make any difference.

Great job btw, thanks for all your work!
