Encrypting devices during Windows Autopilot provisioning (WhiteGlove) – Part 1

Posted on February 28, 2023 by ncbrady

Introduction

Note: This is not supported by Microsoft and your mileage may vary. That said, this speeds up compliance and more importantly increases security as the device is already encrypted by the time the user logs on (in Part 2).

Windows Autopilot preprovisioning (WhiteGlove) is the ability to pre-stage content and policies to devices while it’s been installed in the factory. We had a challenge to speed up the overall compliance of Windows Autopilot devices and the obvious solution was to stage as much content as we could during pre-provisioning (WhiteGlove) but to also enable BitLocker encryption during that process, the only problem is that Microsoft don’t officially support BitLocker encryption during the WhiteGlove scenario as the recovery key information is only uploaded when a user logs in.

In our initial testing, encryption itself wouldn’t even start until the user logged in. Not so much of a problem for small content on the hard disc but what if you have hundreds of Gigabytes of data to encrypt which could potentially take hours to encrypt after the user has logged on. As BitLocker encryption is a common Compliance policy setting, this needed to be addressed. The challenge was to do the heavy lifting (pre-provisioning and encryption) during the WhiteGlove process and to only upload the key to Intune once the user actually enrolled the device. That need brought about this solution which is in 3 parts.

Step 1. Create Azure AD group

In Microsoft Intune, create a dynamic device group called WhiteGlove Computers with a query for a WhiteGlove Group Tag. This group will dynamically fill with computers that have the correct Group Tag assigned to them.

create azure ad group with grouptag.png

Below is the query used:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:WhiteGlove"))

Step 2. Exclude BitLocker configuration profiles from this group

Locate any existing BitLocker configuration profiles in your tenant and exclude then from this group otherwise they will cause the solution to fail.

exclude bitlocker policy.png

Step 3. Allow Pre-provisioned deployment

Next, locate your Windows Autopilot Deployment Profiles and enable the WhiteGlove ability by turning on the Allow Pre-provisioned deployment setting. Deploy the profile to the group created in Step 1. This profile must also enable a User Account Type of Local Admin. Don’t panic, we’ll be removing this local admin ability later on in the solution before the end user can cause trouble.

In the example below you can see a Windows Autopilot deployment profile called Intune: Local admin

Windows Autopilot Deployment Profile settings.png

 

Step 4. Exclude standard user deployment profiles

If you have any additional Deployment Profiles for Standard Users, make sure to exclude this group from those profiles otherwise they won’t get the right settings needed for the second part of this solution.

exclude standard user deployment profiles.png

 

Step 5. Configure a WhiteGlove ESP

Configure at least one Enrollment Status Page (ESP) targeted to your WhiteGlove Computers Azure AD group

WhiteGlove ESP.png

Step 6. Add a Win32 App

Next, using the latest version of the IntuneWinappUtil.exe app, create a Win32 app called Enable Bitlocker during Windows Autopilot WhiteGlove. This app will enable Bitlocker during WhiteGlove at the factory. The app is in the attached 7 ZIP file, use 7-Zip to uncompress.

WhiteGlove – Enable BitLocker During WhiteGlove preprovisioning.7z 3.3 kB · 0 downloads

Configure the app settings as follows:

Name: Enable Bitlocker during Windows Autopilot WhiteGlove
Program Install command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Program uninstall command: install.win.ap.enable.bitlocker.during.whiteglove.cmd
Install behavior: System
Device restart behavior: No specific action
Return codes:
0 Success
1707 Success
3010 Soft reboot
1641 Hard reboot
1618 Retry

Requirements:

Operating system architecture: x64
Minimum operating system Windows 10 1903

Detection rules:

Rules format Manually configure detection rules
Detection rules File C:\Windows

detection rule.PNG

assign the app as required to your WhiteGlove Computers AAD group

assignments.png

Step 7. Add the Group tag to a test device

In this step either import a new CSV of a Windows Autopilot device (or use an existing device) to test this on, and then add the WhiteGlove GroupTag to that Windows Autopilot device.

whiteglove group tag.png

Step 8. Provision the device

The staging of content and policies to the device normally will take place at the factory (OEM) or IT Admin staging area. At the first screen of OOBE (shown below)

oobe first screen.png

The technician needs to press the Windows key 5 times to start provisioning mode.

Next, Select Windows Autopilot provisioning from the list and click Continue.

Windows Autopilot Provisioning.png

If everything went well it will download the correct Windows Autopilot ESP and display it.

correct ESP loaded.png

Click Provision to start the staging process.

Once the ESP installs the Win32 app, it will begin encrypting the drive. You can reveal this with the following command:

manage-bde -status

The next screenshots are from real hardware.

IMG_7002.JPG

and once all apps and policies are installed completely and successfully the drive is fully encrypted and the protectors are stored in the TPM along with a BEK key stored on the SYSTEM partition temporarily.

encryption 100 percent completed.png

At this point the technician can click on Reseal to seal the device for user enrollment (Part 2).

reseal.png

That ‘s it for this part, please join me in Part 2 where we’ll add the next Win32 app which will do a bunch of actions including:

  • create a scheduled task to run a script when WHFB setup is completed
  • remove BEK protector
  • add numerical password protector
  • upload the key to Intune
  • restart the computer with a shutdown message to the end user

Troubleshooting

The Win32 app used in this part logs to C:\Windows\Temp\win.ap.enable.bitlocker.during.whiteglove.log

The contents of which are shown below from a working WhiteGlove deployment, please use this as a reference to compare your log file.

02/27/2023 04:33:46 Starting script: 'win.ap.enable.bitlocker.during.whiteglove' version: '0.11'...
02/27/2023 04:33:46 checking the current bitlocker encryption status
02/27/2023 04:33:47 Current Bitlocker Status: FullyDecrypted, None
02/27/2023 04:33:47 Fully decrypted, no need to decrypt
02/27/2023 04:33:47 starting TPM section
02/27/2023 04:33:48 TPM chip is currently owned, will not attempt to take ownership
02/27/2023 04:33:48 attempting to assign drive letter to the SYSTEM partition
02/27/2023 04:33:51 starting BitLocker Encryption section
02/27/2023 04:33:51 adding reg keys for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 adding AES-XTS256 reg key for BitLocker encryption settings
02/27/2023 04:33:51 succeeded adding the reg key
02/27/2023 04:33:51 Enabling BitLocker, TPM Protector and Recovery Password Protector
02/27/2023 04:34:10 enabling bitlocker worked YAY!!!!
02/27/2023 04:34:16 Current BL Status: C:, EncryptionInProgress, XtsAes256,Tpm ExternalKey
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:16 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:17 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:18 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '96'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:19 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:20 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:21 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:22 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:23 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:24 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:25 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:26 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:27 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:28 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:29 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '97'%.
02/27/2023 04:34:30 Percentage Encrypted: '98'%.
02/27/2023 04:34:30 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:31 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:32 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:33 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:34 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:35 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:36 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:37 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:38 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:39 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:40 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:41 Percentage Encrypted: '98'%.
02/27/2023 04:34:42 Percentage Encrypted: '98'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:42 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:43 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:44 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:45 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:46 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:47 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:48 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:49 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:50 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:51 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:52 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:53 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:54 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:55 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:56 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:57 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:58 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:34:59 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:00 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:01 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:02 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '99'%.
02/27/2023 04:35:03 Percentage Encrypted: '100'%.
02/27/2023 04:35:03 Current BL Status: C:, FullyEncrypted, XtsAes256,Tpm ExternalKey
02/27/2023 04:35:03 removing drive letter assigned to the SYSTEM partition now...
02/27/2023 04:35:04 The drive is fully encrypted now :-), we are exiting the script !

Once encryption during WhiteGlove is completed a reg key is created (and we look for that later)

encrypted during whiteglove reg key.png

 

Recommended reading

Windows Autopilot for pre-provisioned deployment (Public preview) – https://learn.microsoft.com/en-us/mem/autopilot/pre-provision

This entry was posted in BitLocker, IntuneWinAppUtil.exe. Bookmark the permalink.

2 Responses to Encrypting devices during Windows Autopilot provisioning (WhiteGlove) – Part 1

  1. Bart says:
    January 16, 2024 at 9:52 am

    Hi Niall,
    I like your article but i see that the link for Win32App source files is not working anymore.
    Could you please fix that or share the script via e-mail?

    Thanks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.