The Deployment Guys

Helping to deploy your world automagically...

Using MBAM to start BitLocker Encryption in a Task Sequence

Using MBAM to start BitLocker Encryption in a Task Sequence

  • Comments 63
  • Likes

The script has been updated to abort if the TPM is not Active and to create Endorsement Key Pair if it does not exist on the TPM.


Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise.  More information on MBAM can be found here.

BitLocker creates recovery information at the time of encryption and MBAM stores that information in the recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process.  MBAM Encryption is controlled by Group Policy.  Group Policy is not applied during a SCCM Task Sequence.  It is possible to have MBAM start encryption during the task sequence, the techniques are described in the following whitepaper Using MBAM Data Encryption With MDT

Manually starting BitLocker Encryption with MBAM

Manually starting encryption with MABM requires five steps:

  1. Install the MBAM Agent. 
  2. Stop the MBAM agent
  3. Import registry settings that will instruct the agent to start encryption.
  4. Wait for encryption to start
  5. Remove the most of the imported registry settings

Installing MBAM Agent

The MBAM agent can be installed during Windows 7 Image creation. 

To install MBAM during the deployment, just create a SCCM package/program to install the agent.

Creating the registry import files.

Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.

Do the following on an unencrypted system with the MBAM Agent installed(from an elevated command prompt):

  1. Net Stop MBAMAGENT
  2. reg import “c:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg”
  3. using regedit make the following changes:
    1. Change the KeyRecoveryServiceEndPoint key to have the URL of the MBAM recovery server.
    2. Add NoStartupDelay as a DWORD with a value of one.
  4. Export the MBAM key to a file (AddMBAMRegEntries.reg)

    Next, create a .reg file to remove the entries

    1. Copy AddMBAMRegEntries.reg to RemoveMBAMRegEntries.reg
    2. Open RemoveMBAMEntries.reg in notepad
    3. Delete the line: "Installed"=dword:00000001
    4. for all the other keys in the file replace everything after the equals sign with a minus sign (E.G. "NoStartupDelay"=dword:00000001 becomes "NoStartupDelay"=-)
    5. Save RemoveMBAMRegEntries.reg

    Note: More information on creating and editing .reg files is available here.

    At this point test that the .reg files are correct by starting the MBAM agent (net Start MBAMAGENT), encryption will begin within a couple of minutes.  After encryption begins, run the removeMBAMEntries.reg file to remove the unneeded entries.

    For encryption to begin, the MBAM agent needs to talk to the server.  If this server communication fails the encryption will not start.  If there is a problem, verify that the URL is correct and the MBAM server is functioning correctly.

    Sample AddMBAMRegEntries.reg file

    Windows Registry Editor Version 5.00


    Sample RemoveMBAMRegEntries.reg file

    Windows Registry Editor Version 5.00



    Automating the process with a script

    StartMBAMEncryption.wsf is a MDT 2010 style script that will automate the last four steps   To use this script create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above. 

    To start Encryption run the following from an elevated command prompt:

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

    How does the script work?

    Make sure that MBAM is installed, do a WMI query for the MBAMAGENT service. If the service does not exist, fail.

        Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
        TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"

    The service exists,  stop the service.  Using the result of the previous query, call the StopService method.  Note that the query will return at most one item.

        'Stop the service
        for each oService in oServices

    Use the REG IMPORT command to import the  AddMBAMRegEntries.reg file, this will give the MBAM agent instruction to start encryption.

        sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
        iRetVal = oUtility.RunWithHeartbeat(sCMD)
        TestAndFail iretVal, 10006, "Importing AddRegFile: " & sAddRefFilePath

    Now, using the result of the original WMI query again, start the MBAM agent

        ' Restart the MBAMAgent Service
        for each oService in oServices

    Since BitLocker information is in a different Namespace, the script must create a connection to that Namespace.

        strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption" 
        On Error resume Next
        Set objWMIBDE = GetObject(strConnectionStr1)
        on error goto 0
        TestAndFail Err, 10007, "Unable to connect to Bitlocker WMI Object -  bitlocker not installed"

    Using the object just created, query for a Win32_EncryptableVolume for the C: drive. Once that object is obtained, go into a loop sleeping 30 seconds, updating the Task Sequence progress bar, and checking to see if the encryption is in progress.  Note that the script is checking for both in progress (EncryptionStatus = 2) and Encrypted (EncryptionStatus = 1).  This loop will wait 10 minutes for the encryption to start.  In testing the encryption has started within 2 minutes.

        iCount = 0
        iLoopCount = 0
        oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
          oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount/20
          wscript.Sleep 30000
          Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
          for each oEncVol in colEnVol
          oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete

          ILoopCount = iLoopCount + 1
          If iLoopCount >= 20 then
            TestAndFail False, 10008, "Timeout: Encryption did not start"
          End If
        Loop Until ((iEncryptionStatus = 1) or (iEncryptionStatus = 2))
        oLogging.ReportProgress "Encryptiont Started", 100
        oLogging.CreateEntry "Encryptiont Started", LogTypeInfo

    All that is left to do is cleanup the registry by importing the removeMBAMEntries.reg file

        sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
        iRetVal = oUtility.RunWithHeartbeat(sCMD)
        TestAndFail iretVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath


    Creating the MBAM Support Task Sequence Package

    Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf.  In you SCCM console, create a new package, and program.  The program command line will be:

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg  

    Or, to wait until encryption is finished, before the task sequence continues, the program command line will be:

      cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg   /WaitForEncryption:true


    Changes to the Task Sequence

    TPM Issues

    The Trusted Platform Module (TPM) must be visible to the OS and enabled.  making the TPM visible, varies by hardware vendor and system.  There is a script that will check if the TPM is visible Here.    For information on how to enable the TPM from a task sequence see the table below.




    Disk Partitioning

    BitLocker requires an unencrypted partition that will hold the Boot files and boot database.  This partition has to be at least 100MB, but it is recommended that it be 300MB.  A 300MB partition will allow recovery environment (WinRE) to be copied to the unencrypted drive.  WinRE is automatically copied when BitLocker is enabled if there is enough space on the boot partition.

    For Bare Metal deployments, the partition can be created during the Partition Disk step.

    1. Create a 300MB primary partition and mark it Active (Make Bootable)  
    2. Create a primary partition that uses 100% of the remaining disk  Assign a variable to this disk (OSDISK)
    3. Change the Apply Operating System step to put the Operating System on the disk specified in the variable OSDISK





    For refresh from XP or Windows 7 system that does not have a separate boot partition, use the following steps:


    The following steps should be added before the step that installs the MBAM support package created above.

    Using ZTIBDE.WSF (from MDT)

    Add a Run Command Line step that runs ZTIBDE.WSF

    Cscript %ScriptRoot%\ztibde.wsf

    Using BdeHDCfg

    Add a Run Command Line step  with the following command line:

    BdeHdCfg -target default -quiet

    This will create a 300MB partition for the boot files.  

    Add a Reboot System step following this step.

    Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration manager Support Team blog

    Join the Domain

    The computer system must be in a Domain in order for MBAM to escrow the BitLocker Keys. 

    Joining a domain is required for this process to work correctly.

    Enabling BitLocker

    To enable BitLocker, simply add an install software step to install the package/program created above.  It is recommended that this be one of the last steps in the Task Sequence because encrypting the disk will consume many system resources until the disk is fully encrypted.

    Waiting for Encryption to Finish

    To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted.  The /WaitForEncryption:True option will force the script to wait up to 5 hours for the encryption to finish.  If the encryption doesn’t finish within 5 hours, the fact will be logged but the script will not abort.  This option can be useful if there are business requirements that the system be fully encrypted before any data is restored.

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true

    This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region. 

    Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.

    Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use

    • Did you had any luck encrypting both C: & D: during OSD automatically ?

      The other partitions require a one-time password that jumps out when a user first log on while C: is encrypting

    • An additional fixed disk could be encrypted using the builtin BitLocker support after the C: (OS drice) has been encrypted.  However, after the Task Sequence is completed and the machine gets policy, MABM will prompt for a passowrd, since MBAM requires a Password protector.

    • What tool did you use to convert KeyRecoveryServiceEndPoint from an http:// string to the HEX you have up there?

      Putting the text in as string in Notepad doesn't seem to work.

    • It is entered in regedit and then exported.

    • Doh! Of course!

      Awesome write up. We are planning to deploy bitlocker using MBAM to 11,000 workstations. We have started with our latest laptop roll out. .

    • Hello,

      Thanks for the post. I've got encryption working in the Task Sequence using the above steps. We also require a differnent start up Pin on our company laptops. When the build has completed I can set a pin using the MBAM client.

      The issue is that the laptop never reports to the MBAM server. If I enable bitlocker manully on a laptop the I have no issues.

      In the event log of the laptop that does not report in to the MBAM server, there is an error message in the event log of the laptop stating that group policy does not permit TPM only.

      If I run manage-bde -status the protectors are set to TPm and PIn.

      Do you have any ideas how I can resolve this issue please?

      Kind regards


    • Matthew

      change the GPOs for Operating System drive under BitLocker Drive Encryption.

      - Configure TPM startup to “Do not allow TPM”

      - Configure TPM startup PIN to “Allow TPM and PIN”

      - Configure TPM startup key to “Do not allow startup key with TPM”

      - Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”


    • Hello Guys, thanks for this posting it´s really useful!

      I already have this working in my lab but when I tried to put it in the production environment I end up with not encrypting the machine during the Task Sequence (MDT 2010) with the error - 10008, "Timeout: Encryption did not start" .

      Then I reboot the machine and apears the error message " Bitlocker could not be enabled - The bitlocker encryption key cannot be obtained...."

      Before I send the TS to the machine I verify that the TPM is enabled in the BIOS, so what could I check to fix this error? Any ideas?

      Thanks in advance!



    • Hi Bruno

      Most likely cause is that the server URL is incorrect in the .reg file or the server cannot be contacted.  Verify the URL and verify you can connect to the server form the subnet the system is on (open the URL in IE)


    • Hello David,

      Thank you for the answer, I did that test: when your script it trying to to encrypt the drive (in the step "Waiting for Encryption to Start") I already check in regedit the URL of my .key that was imported and try it in the IE and it went good making a service connection to the MBAM Server, so it must be another thing that im not checking it out that´s blocking the connection to the server...

      One thing that I also noticed is if your script can´t encrypt the drive (in my case) he also cannot apply the RemoveRegFile:RemoveMBAMRegEntries.reg key, is that the normal behaviour of the script?



    • Hello David,

      I noticed one thing in my tests: if I create an MDT TS for Windows 7 SP1 (x86) it encrypts fine during the TS with no problems.....but if I do it in a an MDT TS for Windows 7 SP1 (x64) I can´t encrypt the machine during the TS (it time´s out with failure "Timeout: Encryption did not start").

      Did you had the same results in this scenario? What could I change to the x64 version of Windows 7 SP1 to start encrypting during the TS?



    • Bruno,

       Disable 64 bit redirection on that step.  The registry entries are being written to the wrong location.


    • Hello David

      If I had an SCCM TS I would do that in a second ;)  but in my case I just have an MDT 2010 (I don´t have SCCM in my environment)  and I don´t know how to "Disable 64 bit redirection on that step" in a run command line option (in an MDT TS ) :(

      Did you already try this in x64 Windows 7 deployment and all went good with your script?

      Sorry to bother you with this  but im running out of solutions :|

      Best regards,


    • You can use sysnative.

      When running in  a 64bit OS use %windir%\sysnative\cscript.exe to run the script.  That will force the TS to run the 64 bit version of cscript.exe

      By the way if you are using MDT Lite Touch, I would recommend placing the machine in an OU that doesn't get any policy, and then moving to the proper OU at the end of the TS.  That way GPO cannot interfere with the TS.



    • Is there a way to change the default encryption method from 128-bit to '256-bit with Diffuser'?

      We have a requirement to have the 256-bit encryption being used as part of the SCCM Task Sequence using MBAM.

      I had assumned that by adding the entry below to the AddMBAMRegEntries.reg file that this would take effect but it doesn't seem to work:


      Does anyone know if it is possible to do this using MBAM as part of a SCCM Task Sequence?

    Your comment has been posted.   Close
    Thank you, your comment requires moderation so it may take a while to appear.   Close
    Leave a Comment