The script has been updated to abort if the TPM is not active and to create an Endorsement Key pair if one does not already exist on the TPM.
Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise. More information on MBAM can be found here.
BitLocker creates recovery information at the time of encryption, and MBAM stores that information in its recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process. MBAM encryption is controlled by Group Policy, and Group Policy is not applied during an SCCM task sequence. It is still possible to have MBAM start encryption during the task sequence; the techniques are described in the whitepaper Using MBAM Data Encryption With MDT: http://go.microsoft.com/fwlink/?LinkId=229053
Manually starting encryption with MBAM requires five steps:
The MBAM agent can be installed during Windows 7 Image creation.
To install MBAM during the deployment, just create an SCCM package/program that installs the agent.
Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.
Do the following on an unencrypted system with the MBAM agent installed (from an elevated command prompt):
Next, create a .reg file to remove the entries.
Note: More information on creating and editing .reg files is available here.
At this point, test that the .reg files are correct by starting the MBAM agent (net start MBAMAGENT); encryption will begin within a couple of minutes. After encryption begins, run the removeMBAMEntries.reg file to remove the entries that are no longer needed.
For encryption to begin, the MBAM agent needs to communicate with the server. If this server communication fails, encryption will not start. If there is a problem, verify that the URL is correct and that the MBAM server is functioning correctly.
; AddMBAMRegEntries.reg
; KeyRecoveryServiceEndPoint is the MBAM Recovery and Hardware Service URL stored as REG_EXPAND_SZ (hex(2) = UTF-16LE bytes, null terminated)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
  2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\
  00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\
  42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\
  00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\
  76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001
; RemoveMBAMRegEntries.reg
; The version header is required or REG IMPORT rejects the file; "=-" deletes the named value
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"KeyRecoveryOptions"=-
"UseKeyRecoveryService"=-
"KeyRecoveryServiceEndPoint"=-
"DeploymentTime"=-
"NoStartupDelay"=-
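The hex(2) value in the add file is just the service URL as null-terminated UTF-16LE bytes, which is tedious to hand-edit for a different server. The following PowerShell is an added example (not part of the original post or the MBAM product) that generates both .reg files from a plain URL and decodes the value back for verification; the endpoint URL in the usage line is a placeholder, and the file names are the ones the post uses.

```powershell
# Added example: build AddMBAMRegEntries.reg / RemoveMBAMRegEntries.reg from a URL
# instead of hand-editing hex(2) bytes. ASSUMPTION: the URL passed in the usage
# line is a placeholder; replace it with your MBAM Recovery and Hardware Service URL.

function ConvertTo-RegExpandSzHex {
    param([Parameter(Mandatory=$true)][string]$Value)
    # REG_EXPAND_SZ in a .reg file is "hex(2):" followed by the UTF-16LE bytes,
    # comma separated, ending with the two-byte null terminator 00,00.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Value) + [byte[]](0, 0)
    $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ','
    return "hex(2):$hex"
}

function ConvertFrom-RegExpandSzHex {
    param([Parameter(Mandatory=$true)][string]$HexValue)
    # Reverse direction: drop the prefix, line continuations ("\") and whitespace,
    # decode UTF-16LE and strip the terminating null.
    $clean = ($HexValue -replace '^hex\(2\):', '') -replace '[\\\s]', ''
    $bytes = [byte[]]($clean -split ',' | Where-Object { $_ -ne '' } |
                      ForEach-Object { [Convert]::ToByte($_, 16) })
    return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function New-MbamRegFiles {
    param(
        [Parameter(Mandatory=$true)][string]$EndpointUrl,
        [string]$OutputFolder = '.'
    )
    $key = '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]'
    $add = @(
        'Windows Registry Editor Version 5.00'
        ''
        $key
        '"Installed"=dword:00000001'
        '"KeyRecoveryOptions"=dword:00000001'
        '"UseKeyRecoveryService"=dword:00000001'
        ('"KeyRecoveryServiceEndPoint"=' + (ConvertTo-RegExpandSzHex $EndpointUrl))
        '"DeploymentTime"=dword:00000001'
        '"NoStartupDelay"=dword:00000001'
        ''
    )
    $remove = @(
        'Windows Registry Editor Version 5.00'
        ''
        $key
        '"KeyRecoveryOptions"=-'
        '"UseKeyRecoveryService"=-'
        '"KeyRecoveryServiceEndPoint"=-'
        '"DeploymentTime"=-'
        '"NoStartupDelay"=-'
        ''
    )
    # regedit writes .reg files as UTF-16LE ("Unicode"); reg.exe imports that format as-is.
    $add    | Set-Content -Path (Join-Path $OutputFolder 'AddMBAMRegEntries.reg')    -Encoding Unicode
    $remove | Set-Content -Path (Join-Path $OutputFolder 'RemoveMBAMRegEntries.reg') -Encoding Unicode
}

# Usage (placeholder URL)
New-MbamRegFiles -EndpointUrl 'https://MBAMSERVER.EXAMPLE/MBAMRecoveryAndHardwareService/CoreService.svc'

# Round-trip check: read the value back from the generated file and decode it
$line = Get-Content .\AddMBAMRegEntries.reg -Encoding Unicode |
        Where-Object { $_ -like '"KeyRecoveryServiceEndPoint"=*' }
ConvertFrom-RegExpandSzHex ($line -replace '^"KeyRecoveryServiceEndPoint"=', '')
```

ConvertFrom-RegExpandSzHex also accepts the multi-line form regedit exports (trailing backslash continuations and indentation), so it can be pointed at the value from the post to confirm which server a copied .reg file actually points to before it is imported.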
StartMBAMEncryption.wsf is an MDT 2010-style script that automates the last four steps. To use this script, create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above.
To start encryption, run the following from an elevated command prompt:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg
Make sure that MBAM is installed: do a WMI query for the MBAMAgent service. If the service does not exist, fail.
Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"
The service exists, so stop it. Using the result of the previous query, call the StopService method. Note that the query returns at most one item.
' Stop the service
For Each oService In oServices
    oService.StopService()
Next
Use the REG IMPORT command to import the AddMBAMRegEntries.reg file; this instructs the MBAM agent to start encryption.
sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10006, "Importing AddRegFile: " & sAddRefFilePath
Now, using the result of the original WMI query again, start the MBAM agent.
' Restart the MBAMAgent service
For Each oService In oServices
    oService.StartService()
Next
Because BitLocker information lives in a different WMI namespace, the script must create a connection to that namespace.
strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next
Set objWMIBDE = GetObject(strConnectionStr1)
iRetVal = Err.Number   ' capture the result while error handling is still active; a non-zero value fails TestAndFail
On Error GoTo 0
TestAndFail iRetVal, 10007, "Unable to connect to BitLocker WMI object - BitLocker not installed"
Using the object just created, query for the Win32_EncryptableVolume for the C: drive. Once that object is obtained, go into a loop that sleeps 30 seconds, updates the task sequence progress bar, and checks whether encryption is in progress. Note that the script checks for both in progress (EncryptionStatus = 2) and encrypted (EncryptionStatus = 1). This loop will wait 10 minutes for the encryption to start; in testing, encryption has started within 2 minutes.
iCount = 0
iLoopCount = 0
oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
Do
    ' ReportProgress takes a percentage: 20 polls of 30 seconds = the 10 minute budget
    oLogging.ReportProgress "Waiting for Encryption to Start", (iLoopCount * 100) / 20
    WScript.Sleep 30000
    Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
    For Each oEncVol In colEnVol
        ' Out parameters: conversion status (0 decrypted, 1 encrypted, 2 encrypting, ...) and percent complete
        oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete
    Next
    iLoopCount = iLoopCount + 1
    If iLoopCount >= 20 Then
        TestAndFail False, 10008, "Timeout: Encryption did not start"
    End If
Loop Until ((iEncryptionStatus = 1) Or (iEncryptionStatus = 2))
oLogging.ReportProgress "Encryption Started", 100
oLogging.CreateEntry "Encryption Started", LogTypeInfo
All that is left is to clean up the registry by importing the removeMBAMEntries.reg file.
sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath
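The wait loop above, and the longer wait that the /WaitForEncryption:true option described later in the post performs, expressed in PowerShell as an added example (not code from StartMBAMEncryption.wsf). It assumes the post's budgets (30-second polls, 10 minutes for encryption to start, 5 hours for it to finish) and uses Write-Progress in place of the MDT progress bar; the function names are my own.

```powershell
# Added example, not from the post's script: poll Win32_EncryptableVolume until the
# OS drive is encrypting or encrypted (start mode) or fully encrypted (completion mode).
# ASSUMPTION: the time budgets mirror the post; nothing here is MBAM-specific.

function Get-BitLockerConversionStatus {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No Win32_EncryptableVolume for $DriveLetter (BitLocker not installed?)" }
    $r = $vol.GetConversionStatus()
    # ConversionStatus: 0 fully decrypted, 1 fully encrypted, 2 encryption in progress,
    # 3 decryption in progress, 4 encryption paused, 5 decryption paused
    New-Object PSObject -Property @{
        ConversionStatus     = [int]$r.ConversionStatus
        EncryptionPercentage = [int]$r.EncryptionPercentage
    }
}

function Wait-BitLockerEncryption {
    param(
        [string]$DriveLetter = 'C:',
        [switch]$WaitForCompletion,
        [int]$PollSeconds = 30
    )
    if ($WaitForCompletion) {
        $targetStates = @(1)        # only "fully encrypted" counts
        $deadline = (Get-Date).AddHours(5)
    } else {
        $targetStates = @(1, 2)     # started is enough: in progress or already encrypted
        $deadline = (Get-Date).AddMinutes(10)
    }
    do {
        $s = Get-BitLockerConversionStatus -DriveLetter $DriveLetter
        if ($targetStates -contains $s.ConversionStatus) {
            Write-Progress -Activity "BitLocker on $DriveLetter" -Completed
            return $true
        }
        if (@(3, 4, 5) -contains $s.ConversionStatus) {
            # Decrypting or paused will never reach the target on its own: report it instead of
            # burning the whole timeout, so the task sequence log shows the real cause.
            Write-Warning "Conversion status $($s.ConversionStatus) on $DriveLetter; not waiting further."
            return $false
        }
        Write-Progress -Activity "BitLocker on $DriveLetter" `
            -Status "status $($s.ConversionStatus), $($s.EncryptionPercentage)% done" `
            -PercentComplete $s.EncryptionPercentage
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timeout waiting for BitLocker on $DriveLetter"
    return $false
}

# Usage, mirroring the script's two modes: not starting is fatal (error 10008 in
# the post), not finishing within 5 hours is only logged.
if (-not (Wait-BitLockerEncryption)) { exit 10008 }
$null = Wait-BitLockerEncryption -WaitForCompletion
```

The paused and decrypting states are handled explicitly because the page's loop only tests for 1 and 2; a volume that was left paused by an earlier run would otherwise sit through the full timeout with no indication of why.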
Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf. In your SCCM console, create a new package and program. The program command line will be:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg
Or, to wait until encryption is finished before the task sequence continues, the program command line will be:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true
The Trusted Platform Module (TPM) must be visible to the OS and enabled. Making the TPM visible varies by hardware vendor and system. There is a script that will check if the TPM is visible here. For information on how to enable the TPM from a task sequence, see the table below.
Dell
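A pre-flight check for the TPM state the task sequence depends on, as an added example (not the script linked above and not the post's own code): it queries Win32_Tpm in the MicrosoftTpm namespace, reports enabled/activated/owned/endorsement-key state, and exits non-zero when the TPM is hidden or not enabled and activated, so a Run Command Line step can fail early instead of at the encryption step. The function name and the decision to leave endorsement key creation to the post's updated script are my own choices.

```powershell
# Added example: verify the TPM prerequisites before the MBAM step runs.
# Exits 1 when the TPM is not visible or not enabled+activated; exits 0 otherwise.

function Test-TpmReadyForBitLocker {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No instance: the TPM is hidden in firmware, absent, or its driver is not loaded
        Write-Warning 'No Win32_Tpm instance: the TPM is not visible to the OS.'
        return $false
    }

    # Each Win32_Tpm method returns an object whose [out] parameter holds the answer
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    $ekPresent = [bool]$tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent
    Write-Host ('TPM enabled={0} activated={1} owned={2} EKpresent={3}' -f $enabled, $activated, $owned, $ekPresent)

    if (-not ($enabled -and $activated)) {
        Write-Warning 'TPM is present but not enabled and activated; enable it in firmware or with the vendor tool before encrypting.'
        return $false
    }
    if (-not $ekPresent) {
        # The updated StartMBAMEncryption.wsf creates the endorsement key pair itself;
        # this check only surfaces the condition in the task sequence log.
        Write-Warning 'Endorsement key pair is not present on the TPM.'
    }
    return $true
}

if (Test-TpmReadyForBitLocker) { exit 0 } else { exit 1 }
```

Run it as a Run Command Line step (powershell.exe -ExecutionPolicy Bypass -File) placed before the BdeHdCfg and MBAM steps; the Write-Host line lands in smsts.log, which is where you will look when the "encryption key cannot be obtained" error appears later.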
BitLocker requires an unencrypted partition to hold the boot files and boot database. This partition has to be at least 100 MB, but 300 MB is recommended: a 300 MB partition allows the recovery environment (WinRE) to be copied to the unencrypted partition. WinRE is copied automatically when BitLocker is enabled if there is enough space on the boot partition.
The following steps should be added before the step that installs the MBAM support package created above.
Add a Run Command Line step that runs ZTIBDE.WSF
Cscript %ScriptRoot%\ztibde.wsf
Add a Run Command Line step with the following command line:
BdeHdCfg -target default -quiet
This creates a 300 MB partition for the boot files.
Add a Reboot System step following this step.
Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration Manager Support Team blog: http://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx
The computer must be joined to a domain in order for MBAM to escrow the BitLocker keys; joining a domain is required for this process to work correctly.
To enable BitLocker, simply add an Install Software step that installs the package/program created above. It is recommended that this be one of the last steps in the task sequence, because encrypting the disk consumes significant system resources until the disk is fully encrypted.
To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted. The /WaitForEncryption:True option forces the script to wait up to 5 hours for the encryption to finish. If the encryption doesn't finish within 5 hours, the fact is logged but the script does not abort. This option can be useful if there is a business requirement that the system be fully encrypted before any data is restored.
This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.
Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
I know this post comment section has been quiet for a while but I wanted to ask if anyone that has this working properly has run into any issues with the MBAM client in a refresh scenario? The process outlined in this post works quite well but when I re-image a computer that is already MBAM encrypted the MBAM client stops being able to apply policy.
I know this really isn't the place for a question like this but I figure maybe someone has run into it before.
Brian,
I detect that the machine is BitLocker encrypted and store that in a task sequence variable. If encrypted, disable protectors and refresh the OS. Then, in State Restore, if not encrypted, run the MBAM script; if encrypted, just enable protectors.
David,
Thanks so much for the response. In your scenario do you disable protectors by simply using a command line of: manage-bde -protectors -disable C:? Or do you perform that function with a different mechanism, i.e. the Disable Bitlocker SCCM step or the ztiDisableProtectors.wsf MDT script? If I'm correct it sounds like you: disable protectors if encrypted, reboot to WinPE, apply new .wim OS, re-install MBAM client, and then simply re-enable protectors i.e. manage-bde -protectors -enable C:? And you have no MBAM client errors listed in Event Viewer taking that route?
My refresh sequence sounds very similar but I am using the built in SCCM step to disable BitLocker as of right now. I perform that disable step, backup user data with hardlinks, reboot to WinPE, wipe and apply new WIM, install MBAM agent again, and then used the manage-bde -protectors -enable C: command. The OS boots and is still fully encrypted, but if I look in Event Viewer for the MBAM items I see that an error occurred trying to apply policy. The only way I've found to get this to stop is to decrypt the drive and allow the MBAM client to re-encrypt. But that doesn't sound correct to me.
And if it isn't too much trouble could you shed a little light on how you determine if encrypted or not? I found a couple of WMI queries online but haven't had really any luck getting this to work properly.
Sorry if this is off-topic from the previous postings but any help would definitely be appreciated. Thanks!
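One way to do the detection David describes and Brian asks about, as an added example that is not part of this thread: classify the OS drive from Win32_EncryptableVolume (conversion status plus protection status, so "encrypted but protectors disabled" is distinguished from "protected") and store the answer in a task sequence variable for later steps to branch on. The variable name OSDBitLockerEncrypted and the state labels are my own choices.

```powershell
# Added example: record the BitLocker state of C: in a task sequence variable.
# ASSUMPTION: the variable name OSDBitLockerEncrypted is arbitrary; pick your own.

function Get-BitLockerState {
    param([string]$DriveLetter = 'C:')
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'" -ErrorAction SilentlyContinue
    if (-not $vol) { return 'NotAvailable' }   # BitLocker feature absent or no such volume
    # ConversionStatus: 0 decrypted, 1 encrypted, 2-5 encrypting/decrypting/paused
    $conv = [int]$vol.GetConversionStatus().ConversionStatus
    # ProtectionStatus: 0 unprotected (protectors disabled), 1 protected, 2 unknown
    $prot = [int]$vol.GetProtectionStatus().ProtectionStatus
    if ($conv -eq 0) { return 'Decrypted' }
    if ($prot -eq 1) { return 'EncryptedProtected' }
    return 'EncryptedProtectorsDisabled'      # the state a refresh leaves the drive in
}

$state = Get-BitLockerState
Write-Host "BitLocker state for C: is $state"   # ends up in smsts.log

try {
    # Only resolvable while running inside a task sequence
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('OSDBitLockerEncrypted') = $(if ($state -like 'Encrypted*') { 'true' } else { 'false' })
} catch {
    Write-Warning 'Not running inside a task sequence; variable not set.'
}
```

With the variable set, the later steps can carry the condition Task Sequence Variable OSDBitLockerEncrypted equals true (disable protectors before the refresh, enable them in State Restore) and its inverse (run the MBAM package), which is the branching David's reply outlines.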
I am having problems getting the encryption process to work even after I have entered the above registry settings. I keep getting the following error.
" BitLocker could not be enabled
The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.
C:was encrypted"
I have tried with 4 different laptops to get it working but I keep getting the same thing. I would appreciate any assistance.
Great write up! Do you have updated instructions for SCCM 2012 and MDT 2012? I have followed MOST of the steps here, but cannot find StartMBAMEncryption.wsf anywhere. Any help would be greatly appreciated!