Update: the script has been updated to abort if the TPM is not active and to create the Endorsement Key pair if it does not already exist on the TPM.
Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise. More information on MBAM can be found here.
BitLocker creates recovery information at the time of encryption, and MBAM stores that information in its recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process. MBAM encryption is controlled by Group Policy, and Group Policy is not applied during an SCCM Task Sequence. It is still possible to have MBAM start encryption during the task sequence; the techniques are described in the whitepaper Using MBAM Data Encryption With MDT, http://go.microsoft.com/fwlink/?LinkId=229053
Manually starting encryption with MBAM requires five steps:
The MBAM agent can be installed during Windows 7 Image creation.
To install MBAM during the deployment, just create an SCCM package/program to install the agent.
Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.
Do the following on an unencrypted system with the MBAM agent installed (from an elevated command prompt):
Next, create a .reg file to remove the entries.
Note: More information on creating and editing .reg files is available here.
At this point, test that the .reg files are correct by starting the MBAM agent (net start MBAMAgent); encryption will begin within a couple of minutes. After encryption begins, run the RemoveMBAMRegEntries.reg file to remove the entries that are no longer needed.
For encryption to begin, the MBAM agent needs to talk to the server. If this server communication fails, encryption will not start. If there is a problem, verify that the URL is correct and that the MBAM server is functioning correctly.
AddMBAMRegEntries.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
  2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\
  00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\
  42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\
  00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\
  76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001

The hex(2) value is the REG_EXPAND_SZ string https://cis533vmmbam.avnet.com/MBAMRecoveryAndHardwareService/CoreService.svc as exported by regedit; replace it with the URL of your own MBAM recovery service.

RemoveMBAMRegEntries.reg (the "=-" syntax deletes each value):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"KeyRecoveryOptions"=-
"UseKeyRecoveryService"=-
"KeyRecoveryServiceEndPoint"=-
"DeploymentTime"=-
"NoStartupDelay"=-
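The two .reg files above can be generated and checked rather than hand-edited. The following Python script is an added example for this page, not code from the original post or from MBAM: it encodes a recovery-service URL the way regedit exports a REG_EXPAND_SZ value (hex(2): UTF-16LE bytes followed by a NUL terminator, which also answers the question later in the comments about how the hex was produced), writes the add/remove files with the value names the post lists, and decodes an existing file back to plain text so a mistyped endpoint is caught before the task sequence imports it. The host name mbam.example.test and the file-writing helper are assumptions of the example.

```python
"""Build and check the two MBAM .reg files used to kick off encryption.

Added example for this page, not code from the original post or from MBAM.
"""
import re
from urllib.parse import urlsplit

MBAM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM"
# Constructed placeholder; use your own MBAM recovery service URL.
EXAMPLE_ENDPOINT = "https://mbam.example.test/MBAMRecoveryAndHardwareService/CoreService.svc"
REG_HEADER = "Windows Registry Editor Version 5.00"
# Value names from the post's AddMBAMRegEntries.reg / RemoveMBAMRegEntries.reg.
TEMP_VALUES = ["KeyRecoveryOptions", "UseKeyRecoveryService",
               "KeyRecoveryServiceEndPoint", "DeploymentTime", "NoStartupDelay"]


def to_hex2(text, width=76):
    """Encode TEXT as a regedit hex(2) value: UTF-16LE bytes, a terminating
    NUL, comma-separated hex, wrapped with a trailing backslash like regedit."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    tokens = [f"{b:02x}" for b in data]
    lines, cur = [], "hex(2):"
    for i, tok in enumerate(tokens):
        sep = "," if i < len(tokens) - 1 else ""
        if len(cur) + len(tok) + len(sep) + 1 > width:  # +1 for the backslash
            lines.append(cur + "\\")
            cur = "  "
        cur += tok + sep
    lines.append(cur)
    return "\n".join(lines)


def from_hex2(encoded):
    """Inverse of to_hex2: join continuation lines, parse the bytes, drop the
    terminating NUL and decode UTF-16LE."""
    joined = encoded.replace("\\\n", "").replace(" ", "")
    if not joined.startswith("hex(2):"):
        raise ValueError("not a hex(2) value")
    raw = bytes(int(h, 16) for h in joined[len("hex(2):"):].split(",") if h)
    return raw.decode("utf-16-le").rstrip("\x00")


def build_add_reg(endpoint):
    """AddMBAMRegEntries.reg: tells the agent to encrypt now and where to
    escrow the recovery key."""
    lines = [REG_HEADER, "", f"[{MBAM_KEY}]",
             '"Installed"=dword:00000001',
             '"KeyRecoveryOptions"=dword:00000001',
             '"UseKeyRecoveryService"=dword:00000001',
             '"KeyRecoveryServiceEndPoint"=' + to_hex2(endpoint),
             '"DeploymentTime"=dword:00000001',
             '"NoStartupDelay"=dword:00000001']
    return "\n".join(lines) + "\n"


def build_remove_reg():
    """RemoveMBAMRegEntries.reg: '=-' deletes each temporary value so Group
    Policy takes over once the machine gets policy."""
    lines = [REG_HEADER, "", f"[{MBAM_KEY}]"] + [f'"{n}"=-' for n in TEMP_VALUES]
    return "\n".join(lines) + "\n"


def endpoint_from_reg(reg_text):
    """Pull KeyRecoveryServiceEndPoint (possibly spanning continuation lines)
    out of a .reg file and decode it."""
    text = reg_text.replace("\r\n", "\n")
    m = re.search(r'"KeyRecoveryServiceEndPoint"=(hex\(2\):(?:[^\n]*\\\n)*[^\n]*)', text)
    if not m:
        raise ValueError("KeyRecoveryServiceEndPoint not found")
    return from_hex2(m.group(1))


def endpoint_problems(url):
    """Checks the post suggests before blaming the agent: a well-formed https
    URL with a host, and no stray NUL from a mis-typed hex value."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    if not parts.netloc:
        problems.append("URL has no host")
    if "\x00" in url:
        problems.append("embedded NUL: hex(2) value is not a single terminated string")
    return problems


def write_reg(path, content):
    """regedit exports are UTF-16 with BOM and CRLF line endings (assumed helper)."""
    with open(path, "w", encoding="utf-16", newline="\r\n") as f:
        f.write(content)


if __name__ == "__main__":
    add = build_add_reg(EXAMPLE_ENDPOINT)
    print(add)
    decoded = endpoint_from_reg(add)
    print("decoded endpoint:", decoded, endpoint_problems(decoded) or "OK")
    write_reg("AddMBAMRegEntries.reg", add)
    write_reg("RemoveMBAMRegEntries.reg", build_remove_reg())
```

Run it once on the build workstation, then point endpoint_from_reg at the file you actually ship in the package: the decoded string is what the agent will try to contact, so a typo or an http:// scheme shows up here rather than as a 10008 timeout in the task sequence.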
StartMBAMEncryption.wsf is an MDT 2010-style script that automates the last four steps. To use this script, create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above.
To start Encryption run the following from an elevated command prompt:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg
To make sure that MBAM is installed, do a WMI query for the MBAMAgent service. If the service does not exist, fail.
Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"
Since the service exists, stop it. Using the result of the previous query, call the StopService method. Note that the query returns at most one item.
' Stop the service
For Each oService In oServices
    oService.StopService()
Next
Use the REG IMPORT command to import the AddMBAMRegEntries.reg file; this instructs the MBAM agent to start encryption.
sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10006, "Importing AddRegFile: " & sAddRefFilePath
Now, using the result of the original WMI query again, start the MBAM agent.
' Restart the MBAMAgent service
For Each oService In oServices
    oService.StartService()
Next
Since the BitLocker classes live in a different WMI namespace, the script must create a connection to that namespace.
strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next
Set objWMIBDE = GetObject(strConnectionStr1)
On Error GoTo 0
TestAndFail Err, 10007, "Unable to connect to Bitlocker WMI Object - bitlocker not installed"
Using the connection just created, query for the Win32_EncryptableVolume object for the C: drive. Then loop: sleep 30 seconds, update the Task Sequence progress bar, and check whether encryption is under way. The script treats both in progress (EncryptionStatus = 2) and fully encrypted (EncryptionStatus = 1) as started. The loop waits up to 10 minutes (20 polls) for encryption to start; in testing it has started within 2 minutes.
iCount = 0
iLoopCount = 0
oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
Do
    oLogging.ReportProgress "Waiting for Encryption to Start", iLoopCount/20
    wscript.Sleep 30000
    Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
    For Each oEncVol In colEnVol
        oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete
    Next
    iLoopCount = iLoopCount + 1
    If iLoopCount >= 20 Then
        TestAndFail False, 10008, "Timeout: Encryption did not start"
    End If
Loop Until ((iEncryptionStatus = 1) Or (iEncryptionStatus = 2))
oLogging.ReportProgress "Encryption Started", 100
oLogging.CreateEntry "Encryption Started", LogTypeInfo
All that is left to do is clean up the registry by importing the RemoveMBAMRegEntries.reg file.
sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath
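The two wait loops, the one above that waits for encryption to start and the /WaitForEncryption one described further down, are modelled below as an added example in Python; this is not the post's StartMBAMEncryption.wsf. The real script reads Win32_EncryptableVolume.GetConversionStatus through WMI; here the status source is injected (scripted_status is a constructed stand-in) so the control flow can be exercised offline. It assumes the status codes the post uses (1 = fully encrypted, 2 = encryption in progress) and the timeouts it describes: 20 polls of 30 seconds before aborting, and up to 5 hours for completion, which is logged rather than treated as a failure. One deliberate difference from the VBScript above: the status is checked before the poll counter, so a start detected on the 20th poll is not reported as a timeout, which the original ordering (increment, test counter, then test status) would do.

```python
"""Wait-loop model for an MBAM-driven encryption step (added example, not the
post's script). The WMI status source is injected so the logic runs offline."""
import time

# GetConversionStatus values as the post uses them.
FULLY_ENCRYPTED = 1
ENCRYPTION_IN_PROGRESS = 2

START_POLL_SECONDS = 30
START_MAX_POLLS = 20             # 20 x 30 s = 10 minutes, as in the post
FINISH_TIMEOUT_SECONDS = 5 * 3600  # /WaitForEncryption:true waits up to 5 hours


class EncryptionDidNotStart(Exception):
    """Mirrors TestAndFail 10008: the task sequence step should fail."""


def wait_for_start(get_status, sleep=time.sleep, log=print):
    """Poll until the volume reports encrypted or encrypting; raise after
    START_MAX_POLLS unsuccessful polls. Returns the number of polls taken."""
    for poll in range(1, START_MAX_POLLS + 1):
        log(f"Waiting for encryption to start ({poll}/{START_MAX_POLLS})")
        sleep(START_POLL_SECONDS)              # sleep first, like the script
        status, _percent = get_status()
        if status in (FULLY_ENCRYPTED, ENCRYPTION_IN_PROGRESS):
            log("Encryption started")
            return poll
    raise EncryptionDidNotStart("Timeout: Encryption did not start")


def wait_for_finish(get_status, sleep=time.sleep, log=print,
                    poll_seconds=START_POLL_SECONDS):
    """Wait until the volume is fully encrypted or FINISH_TIMEOUT_SECONDS
    elapse. Unlike wait_for_start this never raises: on timeout the fact is
    logged and False returned, as the post describes for /WaitForEncryption."""
    waited = 0
    while waited < FINISH_TIMEOUT_SECONDS:
        status, percent = get_status()
        if status == FULLY_ENCRYPTED:
            log("Encryption finished")
            return True
        log(f"Encrypting: {percent}% complete")
        sleep(poll_seconds)
        waited += poll_seconds
    log("Timeout: encryption still running after 5 hours; continuing anyway")
    return False


def scripted_status(sequence):
    """Constructed stand-in for GetConversionStatus: yields successive
    (status, percent) pairs and repeats the last one forever."""
    it = iter(sequence)
    last = sequence[-1]

    def get_status():
        nonlocal last
        try:
            last = next(it)
        except StopIteration:
            pass
        return last
    return get_status


if __name__ == "__main__":
    fast = lambda seconds: None            # do not really sleep in the demo
    status = scripted_status([(0, 0), (0, 0), (2, 5), (2, 60), (1, 100)])
    print("started after", wait_for_start(status, sleep=fast), "polls")
    print("finished:", wait_for_finish(status, sleep=fast))
```

The split into two functions is the point: a volume that never starts encrypting is a configuration failure (wrong endpoint, no server contact, TPM not ready) and should fail the step, whereas a slow conversion on a large disk is expected and should only delay or be logged.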
Create a new folder and add the two .reg files created above, a copy of ZTIUtility.vbs from the MDT scripts package, and StartMBAMEncryption.wsf. In your SCCM console, create a new package and program. The program command line is the cscript command shown above.
Or, to wait until encryption is finished before the task sequence continues, the program command line will be:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true
The Trusted Platform Module (TPM) must be visible to the OS and enabled. Making the TPM visible varies by hardware vendor and system. There is a script that will check whether the TPM is visible here. For information on how to enable the TPM from a task sequence, see the table below.
Table of vendor-specific TPM enablement steps: Dell
BitLocker requires an unencrypted partition that holds the boot files and boot configuration database. This partition has to be at least 100MB, but 300MB is recommended. A 300MB partition allows the recovery environment (WinRE) to be copied to the unencrypted partition; WinRE is copied automatically when BitLocker is enabled if there is enough space on the boot partition.
The following steps should be added before the step that installs the MBAM support package created above.
Add a Run Command Line step that runs ZTIBDE.WSF
Cscript %ScriptRoot%\ztibde.wsf
Add a Run Command Line step with the following command line:
BdeHdCfg -target default -quiet
This creates the 300MB partition for the boot files.
Add a Reboot System step following this step.
Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration manager Support Team blog http://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx
The computer must be joined to a domain in order for MBAM to escrow the BitLocker keys; joining a domain is required for this process to work correctly.
To enable BitLocker, simply add an Install Software step to install the package/program created above. It is recommended that this be one of the last steps in the Task Sequence, because encrypting the disk consumes significant system resources until the disk is fully encrypted.
To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted. The /WaitForEncryption:True option forces the script to wait up to 5 hours for the encryption to finish. If the encryption doesn’t finish within 5 hours, the fact is logged but the script does not abort. This option can be useful if there are business requirements that the system be fully encrypted before any data is restored.
This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.
Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
Did you have any luck encrypting both C: & D: during OSD automatically?
The other partitions require a one-time password that pops up when a user first logs on while C: is encrypting.
An additional fixed disk could be encrypted using the built-in BitLocker support after the C: (OS drive) has been encrypted. However, after the Task Sequence is completed and the machine gets policy, MBAM will prompt for a password, since MBAM requires a password protector.
What tool did you use to convert KeyRecoveryServiceEndPoint from an http:// string to the HEX you have up there?
Putting the text in as string in Notepad doesn't seem to work.
It is entered in regedit and then exported.
Doh! Of course!
Awesome write-up. We are planning to deploy BitLocker using MBAM to 11,000 workstations. We have started with our latest laptop roll-out.
Hello,
Thanks for the post. I've got encryption working in the Task Sequence using the above steps. We also require a different start-up PIN on our company laptops. When the build has completed I can set a PIN using the MBAM client.
The issue is that the laptop never reports to the MBAM server. If I enable BitLocker manually on a laptop then I have no issues.
In the event log of the laptop that does not report in to the MBAM server, there is an error message stating that group policy does not permit TPM only.
If I run manage-bde -status the protectors are set to TPM and PIN.
Do you have any ideas how I can resolve this issue please?
Kind regards
Matt
Matthew,
Change the GPOs for the Operating System drive under BitLocker Drive Encryption:
- Configure TPM startup to “Do not allow TPM”
- Configure TPM startup PIN to “Allow TPM and PIN”
- Configure TPM startup key to “Do not allow startup key with TPM”
- Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”
Dave
Hello guys, thanks for this posting, it's really useful!
I already have this working in my lab, but when I tried to put it in the production environment I ended up with the machine not encrypting during the Task Sequence (MDT 2010), with the error 10008, "Timeout: Encryption did not start".
Then I reboot the machine and the error message "BitLocker could not be enabled - The BitLocker encryption key cannot be obtained...." appears.
Before I send the TS to the machine I verify that the TPM is enabled in the BIOS, so what could I check to fix this error? Any ideas?
Thanks in advance!
Regards,
Bruno
Hi Bruno
The most likely cause is that the server URL is incorrect in the .reg file or the server cannot be contacted. Verify the URL and verify that you can connect to the server from the subnet the system is on (open the URL in IE).
Hello David,
Thank you for the answer. I did that test: when your script is trying to encrypt the drive (in the step "Waiting for Encryption to Start") I checked in regedit the URL of my .key that was imported and tried it in IE, and it went fine, making a service connection to the MBAM server, so it must be something else that I'm not checking that's blocking the connection to the server...
One thing that I also noticed is that if your script can't encrypt the drive (as in my case) it also cannot apply the RemoveRegFile:RemoveMBAMRegEntries.reg key. Is that the normal behaviour of the script?
Cheers,
I noticed one thing in my tests: if I create an MDT TS for Windows 7 SP1 (x86) it encrypts fine during the TS with no problems.....but if I do it in an MDT TS for Windows 7 SP1 (x64) I can't encrypt the machine during the TS (it times out with the failure "Timeout: Encryption did not start").
Did you have the same results in this scenario? What could I change in the x64 version of Windows 7 SP1 to start encrypting during the TS?
Bruno,
Disable 64-bit redirection on that step. The registry entries are being written to the wrong location.
Hello David
If I had an SCCM TS I would do that in a second ;) but in my case I just have MDT 2010 (I don't have SCCM in my environment) and I don't know how to "Disable 64 bit redirection on that step" in a Run Command Line option (in an MDT TS) :(
Did you already try this in an x64 Windows 7 deployment, and did all go well with your script?
Sorry to bother you with this but I'm running out of solutions :|
Best regards,
You can use sysnative.
When running in a 64-bit OS, use %windir%\sysnative\cscript.exe to run the script. That will force the TS to run the 64-bit version of cscript.exe.
By the way, if you are using MDT Lite Touch, I would recommend placing the machine in an OU that doesn't get any policy, and then moving it to the proper OU at the end of the TS. That way GPO cannot interfere with the TS.
Thanks
Is there a way to change the default encryption method from 128-bit to '256-bit with Diffuser'?
We have a requirement to have the 256-bit encryption being used as part of the SCCM Task Sequence using MBAM.
I had assumed that adding the entry below to the AddMBAMRegEntries.reg file would take effect, but it doesn't seem to work:
"EncryptionMethod"=dword:00000002
Does anyone know if it is possible to do this using MBAM as part of a SCCM Task Sequence?