MBAM 2.5 SP1 SCCM OS Deployment

  • Question

  • Recently upgraded to MBAM 2.5 SP1 and now I want to use the scripts that are included in the download. I've taken a look at the TechNet article, but it only describes how to use them in an MDT task sequence. I'm still new to SCCM, and MDT is not integrated with SCCM. Currently Windows 7 64-bit is being deployed; during the task sequence the TPM module is enabled and activated and the BIOS is password protected. The OS is being deployed to Dell Latitude laptops.

    Steps in SCCM:

    1. Restart WinPE
    2. Copy CCTK Tools
    3. Set BIOS Password
    4. Configure AHCI
    5. Enable TPM
    6. Activate TPM
    7. Set Bootorder
    8. Partition Disk
    9. Pre-provision Bitlocker
    10. Apply Operating System
    11. Apply Windows Settings
    12. Apply Network Settings
    13. Apply Device Drivers
    14. Setup Windows and Configuration
    15. Install Applications

    Currently we're manually encrypting the laptops, these are secure using TPM+Pin. 

    (Solved) Question 1: The TechNet article states that the task to run "SaveWinPETpmOwnerAuth" needs to run right after the OS is deployed. Unfortunately I have no idea when that is in SCCM. I assume after the step named "Apply Operating System".

    (Edit) Found it: As expected it needs to run right after the "Apply Operating System" task.

    ===============================================================

    Question 2: When I run "SaveWinPETpmOwnerAuth" in Windows it returns the result: Object does not support this property or method: 'GetOwnerAuth'. The script is running from a console started as administrator.

    (Edit) The error message above appears when the script is started in Windows. If run during a task sequence, this error message appears:

    Failure in saving WinPE TPM owner-auth will be ignored.
    Default OS device path: \Device\HarddiskVolume6
    Succeeded in getting TPM WMI instance.
    TPM is owned, try save WinPE TPM owner-auth to the registry of the default OS.
    Failed to get WinPE TPM owner-auth. Error: -214702489

    (Edit) Error -214702489 means file not found; I assume this is the TPM ownership file?



    ====================================================================

    Question 3: When I start the "Invoke-MBAMClientDeployment" script, the error message below appears. I assume it has something to do with the TPM ownership and the "SaveWinPETpmOwnerAuth" script that failed to run.

    .\invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbamserver.contoso.local/MBAMRecoveryAndHardwareService/CoreService.svc -IgnoreEscrowRecoveryKeyFailure -IgnoreReportStatusFailure -IgnoreEscrowOwnerAuthFailure

    Checking prerequisites ...
    Preparing TPM and escrowing owner-auth to https://mbamserver.contoso.local/MBAMRecoveryAndHardwareService/CoreService.svc

    Failed to escrow TPM owner-auth to https://mbamserver.contoso.local/MBAMRecoveryAndHardwareService/CoreService.svc. 
    HRESULT: 0x80040203 - MBAM cannot read the TPM owner authorization value. The value may have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.
    Retry after 30 seconds...

    Unfortunately there's not much info available on the internet.

    • Edited by Marc-1983 Thursday, November 12, 2015 8:00 AM
    Wednesday, November 11, 2015 12:55 PM
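The two failure modes in Question 2 (the missing 'GetOwnerAuth' member when the script is run inside Windows 7, and the "Failed to get WinPE TPM owner-auth" result when the TPM is already owned) can be told apart before the SaveWinPETpmOwnerAuth step runs. The following readiness check is an added example, not code from this thread or from the MBAM 2.5 SP1 download. Win32_Tpm, its namespace and its IsEnabled/IsActivated/IsOwned/GetOwnerAuth members are the real TPM WMI provider; the function name, the verdict text and the exit-code convention are my own.

```powershell
# Added example (not from the thread or the MBAM scripts): report whether the
# SaveWinPETpmOwnerAuth step can possibly succeed on this machine. Written for
# PowerShell 2.0 (Windows 7) as well as the WinPE PowerShell component.
$ErrorActionPreference = 'Stop'

function Get-TpmOwnerAuthReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            CanReadOwnerAuth = $false
            Verdict = 'No Win32_Tpm instance: enable the TPM in setup (cctk --tpm=on) and reboot first.'
        }
    }

    # Each Is*() method returns an object whose same-named boolean holds the state.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # GetOwnerAuth is exposed by the Windows 8 / WinPE 4.0 and later provider only.
    # On a Windows 7 host the member is absent, which is exactly the
    # "Object does not support this property or method: 'GetOwnerAuth'" error.
    $canRead = $null -ne ($tpm | Get-Member -MemberType Method -Name GetOwnerAuth)

    $verdict =
        if (-not $enabled)       { 'TPM is disabled: enable it and reboot before activating.' }
        elseif (-not $activated) { 'TPM is enabled but not activated: activate it and reboot (activation needs a restart).' }
        elseif (-not $canRead)   { 'This OS has no GetOwnerAuth: run the script in WinPE, not in Windows 7.' }
        elseif (-not $owned)     { 'TPM is not owned, so there is no owner-auth to save yet; run this after the step that takes ownership.' }
        else                     { 'TPM is owned and GetOwnerAuth exists. The save works only if this WinPE took ownership; a TPM still owned by a previous OS image returns an error here and must be cleared before imaging.' }

    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        CanReadOwnerAuth = $canRead; Verdict = $verdict
    }
}

$state = Get-TpmOwnerAuthReadiness
$state | Format-List Present, Enabled, Activated, Owned, CanReadOwnerAuth, Verdict
# The verdict lands in smsts.log when this is a "Run PowerShell Script" step;
# a non-zero exit lets the task sequence stop instead of silently ignoring the failure.
Write-Host "TPM readiness: $($state.Verdict)"
if (-not ($state.Owned -and $state.CanReadOwnerAuth)) { exit 1 }
```

The security point behind the last verdict is that a TPM's owner authorization is known only to whoever took ownership. If a previous installation owned the TPM and that owner-auth was never escrowed, no script in WinPE can recover it; clearing the TPM (which needs physical presence) and re-owning it under the new deployment is the only way MBAM ends up with a value it can escrow.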

Answers

  • Short recap:

    Question 1: Solved, the script needs to run right after the "Apply Operating System" task.
    Type: Run Command Line
    Name: Run SaveWinPETpmOwnerAuth.wsf
    Command Line: cscript.exe "SaveWinPETpmOwnerAuth.wsf"
    Package: TPMOwnerAuth (Simple package, no program)

    Question 2: Solved, the TPM module needs to be cleared if it's owned. Also added 2 restarts to the task sequence; without restarting the laptop the task to activate the TPM module fails.
    Task sequence steps:
    Copy CCTK Tools --> xcopy.exe "*.*" "x:\CCTK\" /E /C /I /Q /H /R /Y /S
    Enable HAPI --> x:\CCTK\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\HAPI\
    Set BIOS password --> cctk --setuppwd=password
    Enable TPM --> cctk --tpm=on --valsetuppwd=password
    Restart Computer
    Copy CCTK Tools --> xcopy.exe "*.*" "x:\CCTK\" /E /C /I /Q /H /R /Y /S
    Enable HAPI --> x:\CCTK\HAPI\hapint -i -k C-C-T-K -p X:\CCTK\HAPI\
    Activate TPM --> cctk --tpmactivation=activate --valsetuppwd=password
    Restart Computer
    Pre-provision BitLocker

    Question 3: The script is not needed; it doesn't run when there are MBAM client policies applied. I'd rather edit the registry to force the encryption wizard to appear. The MBAM client does the same when started: it checks the TPM and sends the keys to the MBAM database, right?

    New question: I do not need to clear the owner of the TPM module if a machine is being re-imaged? This is because the TPM password has already been sent to the MBAM database during the previous encryption?



    Monday, November 16, 2015 12:54 PM

  • Question 3: During OSD policies are not applied, so the script can be run OK. MBAM starts and at some point during 90 min it escrows the recovery key ID to the DB (event ID 29). The first time, it also sends the TPM password, if it is able to do that (event ID 28).

    New question: As Microsoft has stated about these PS scripts, it should be like that, but I don't see TPM passwords in my DB.

    Monday, November 16, 2015 1:26 PM
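The recap's Question 3 (force the wizard through the registry instead of the script) and the answer above (event ID 29 for the recovery key, event ID 28 for the TPM password) together describe a post-OSD verification that is easy to automate. The following is an added example, not code from the thread or from the MBAM scripts. The event IDs are the ones stated in the answer above; the NoStartupDelay value under HKLM\SOFTWARE\Microsoft\MBAM is taken from the MBAM OSD guidance as I recall it and is an assumption to check against your MBAM documentation; the function names are my own.

```powershell
# Added example (not from the thread or the MBAM scripts): on the deployed
# Windows 7 client, optionally remove the MBAM client's startup delay, then read
# the MBAM client log for the two escrow events and flag the "key escrowed but
# no TPM owner-auth escrowed" situation described in this thread.
$ErrorActionPreference = 'Stop'
$MbamLog = 'Microsoft-Windows-MBAM/Operational'

function Set-MbamNoStartupDelay {
    # Assumption: NoStartupDelay = 1 makes the MBAM client skip its startup delay.
    $key = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoStartupDelay' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-MbamEscrowStatus {
    param([int]$HoursBack = 24)
    # Event IDs as reported in the thread: 28 = TPM owner-auth sent, 29 = recovery key sent.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = $MbamLog
            Id        = 28, 29
            StartTime = (Get-Date).AddHours(-$HoursBack)
        } -ErrorAction SilentlyContinue)   # "no events found" is not an error here

    $tpmOwned = $false
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -ne $tpm) { $tpmOwned = [bool]$tpm.IsOwned().IsOwned }

    New-Object PSObject -Property @{
        TpmOwned             = $tpmOwned
        TpmOwnerAuthEscrowed = [bool]@($events | Where-Object { $_.Id -eq 28 }).Count
        RecoveryKeyEscrowed  = [bool]@($events | Where-Object { $_.Id -eq 29 }).Count
        LastEvent            = ($events | Sort-Object TimeCreated -Descending |
                                Select-Object -First 1 |
                                ForEach-Object { "$($_.TimeCreated) [ID $($_.Id)] $($_.Message)" })
    }
}

Set-MbamNoStartupDelay
$status = Get-MbamEscrowStatus
$status | Format-List TpmOwned, TpmOwnerAuthEscrowed, RecoveryKeyEscrowed, LastEvent

if ($status.RecoveryKeyEscrowed -and $status.TpmOwned -and -not $status.TpmOwnerAuthEscrowed) {
    # This is the situation the thread describes: BitLocker is protected, but MBAM never
    # obtained the owner-auth (on Windows 7 it cannot read it for a TPM owned by others),
    # so the database holds a recovery key and no TPM password for this machine.
    Write-Warning 'Recovery key escrowed but no TPM owner-auth event: the TPM was owned before MBAM ran. Clear the TPM before imaging so it is re-owned under this deployment.'
    exit 1
}
```

Run it once after the MBAM client has had time to start; a machine that reports RecoveryKeyEscrowed but not TpmOwnerAuthEscrowed is recoverable from the database, but its TPM cannot be cleared remotely later with an MBAM-supplied owner password.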

All replies

  • Hi,

    on question 2:

    what state was your TPM in at this time, was it cleared before or previously owned?

    on question 3:

    there are several threads here with this topic. Search for invoke-MBAM. But so far no solution for this problem.

    In Addition:

    for Win 7 you must clear the TPM beforehand so that MBAM can take ownership to be able to escrow the TPMOwnerAuth.

    /Oliver

    Thursday, November 12, 2015 11:07 PM
  • Question 2: The TPM module is owned and not cleared before starting the re-image process.

    Question 3: It's best to use another script to force the MBAM client encryption wizard to appear as this doesn't seem to work on Windows 7?

    In addition: as suggested I've cleared the TPM; it still fails with this error message:

    TPM is not owned - There is no owner-auth to save. Script will exit.

    When does MBAM take ownership of the TPM drive? Is it when the MBAM Client wizard is started?
    Edit: Found it, this is done during the Bitlocker pre-provisioning step, right?

    • Edited by Marc-1983 Friday, November 13, 2015 2:04 PM
    Friday, November 13, 2015 9:50 AM
  • I would start without pre-provisioning BitLocker. MBAM takes ownership after the MBAM client is installed.

    /Oliver

    Friday, November 13, 2015 4:22 PM
  • Works great without pre-provisioning; used it a lot with MDT, but would like to use the pre-provisioning option as this speeds up the preparation process.

    Just wondering: If the MBAM client takes ownership of a TPM module, it means the client has to be installed. But during the image process the "SaveWinPETpmOwnerAuth" script needs to run; from what I understand it tries to save the TPM password to the registry. But how can it save the password if the TPM isn't owned yet?

    I do hope that Microsoft releases some decent documentation on how the process works, this will make it much easier to troubleshoot. 

    Correct me if I'm wrong, but there's no way to fully automate the deployment with BitLocker pre-provisioning, as it requires physical presence to configure the BIOS?


    • Edited by Marc-1983 Monday, November 16, 2015 10:26 AM
    Monday, November 16, 2015 10:19 AM
  • The same TechNet article applies to MDT and SCCM; there is no difference which one you use.

    Put SaveWinPETpmOwnerAuth right after the image apply step. Still, there are issues getting the TPM into the DP; those scripts are not solid. I also have the feeling that MBAM encryption takes MUCH more time than "Enable BitLocker" in OSD. The user would basically be unable to use his machine for a few hours after OSD.


    • Edited by yannara Monday, November 16, 2015 12:29 PM
    Monday, November 16, 2015 12:29 PM
  • In reply to your answer on question 3: OK, thanks for the explanation. I think I'm not going to use the script; changing the registry and configuring the exemption should be enough.

    In reply to your answer on the new question: For me, if it failed to get the TPM owner when the "SaveWinPETpmOwnerAuth" script was run, it didn't store the TPM password in the MBAM DB. It seems it needs to read the TPM OwnerAuth; after that it's stored in the registry. Once the MBAM client starts to encrypt the laptop it seems to send the OwnerAuth stored in the registry to the MBAM server.

    Monday, November 16, 2015 1:47 PM
  • I'm able to execute SaveWinPETpmOwnerAuth in the TS without failure, and I still will not see the TPM password in the DB, even if I use MBAM to encrypt the drive with PowerShell.

    Monday, November 16, 2015 5:03 PM
  • I finally got my first TPM password generated to the DB with this PS1 script, but it requires TPM initialization just before the activation. So... now how do we get this automated...?


    • Edited by yannara Sunday, February 14, 2016 9:36 PM
    Sunday, February 14, 2016 9:36 PM