Using MBAM to start BitLocker Encryption in a Task Sequence


Update: the script has been updated to abort if the TPM is not active, and to create an endorsement key pair if one does not already exist on the TPM.

 

Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise.  More information on MBAM can be found here.

BitLocker creates recovery information at the time of encryption, and MBAM stores that information in its recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process. MBAM encryption is controlled by Group Policy, and Group Policy is not applied during an SCCM task sequence. It is still possible to have MBAM start encryption during the task sequence; the techniques are described in the whitepaper Using MBAM Data Encryption With MDT (http://go.microsoft.com/fwlink/?LinkId=229053).

Manually starting BitLocker Encryption with MBAM

Manually starting encryption with MBAM requires five steps:

  1. Install the MBAM agent.
  2. Stop the MBAM agent.
  3. Import registry settings that instruct the agent to start encryption.
  4. Wait for encryption to start.
  5. Remove most of the imported registry settings.

Installing MBAM Agent

The MBAM agent can be installed during Windows 7 Image creation. 

To install MBAM during the deployment, create an SCCM package/program that installs the agent.

Creating the registry import files.

Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.

Do the following on an unencrypted system with the MBAM agent installed (from an elevated command prompt):

  1. net stop MBAMAgent
  2. reg import "C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg"
  3. Using regedit, make the following changes:
    1. Change the KeyRecoveryServiceEndPoint value to the URL of the MBAM recovery server.
    2. Add NoStartupDelay as a DWORD with a value of 1.
  4. Export the MBAM key to a file (AddMBAMRegEntries.reg).

    Next, create a .reg file to remove the entries:

    1. Copy AddMBAMRegEntries.reg to RemoveMBAMRegEntries.reg.
    2. Open RemoveMBAMRegEntries.reg in Notepad.
    3. Delete the line "Installed"=dword:00000001 (the Installed value must stay in the registry).
    4. For all the other values in the file, replace everything after the equals sign with a minus sign (e.g. "NoStartupDelay"=dword:00000001 becomes "NoStartupDelay"=-), which tells reg import to delete the value.
    5. Save RemoveMBAMRegEntries.reg.

    Note: More information on creating and editing .reg files is available here.

    At this point, test that the .reg files are correct by starting the MBAM agent (net start MBAMAgent); encryption will begin within a couple of minutes. After encryption begins, import RemoveMBAMRegEntries.reg to remove the entries that are no longer needed.

    For encryption to begin, the MBAM agent needs to talk to the server. If this server communication fails, encryption will not start. If there is a problem, verify that the URL is correct, that the computer is joined to the domain, and that the MBAM server is functioning correctly (the MBAM event log on the client records the failed attempts).

    Sample AddMBAMRegEntries.reg file

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
    "Installed"=dword:00000001
    "KeyRecoveryOptions"=dword:00000001
    "UseKeyRecoveryService"=dword:00000001
    ; REG_EXPAND_SZ (hex(2)): the UTF-16LE bytes of the endpoint URL, NUL-terminated.
    ; This sample decodes to https://cis533vmmbam.avnet.com/MBAMRecoveryAndHardwareService/CoreService.svc
    "KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
    2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\
    00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\
    42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\
    00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\
    76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\
    00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
    "DeploymentTime"=dword:00000001
    "NoStartupDelay"=dword:00000001

    Sample RemoveMBAMRegEntries.reg file

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
    "KeyRecoveryOptions"=-
    "UseKeyRecoveryService"=-
    "KeyRecoveryServiceEndPoint"=-
    "DeploymentTime"=-
    "NoStartupDelay"=-
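The hex(2) form of KeyRecoveryServiceEndPoint in the sample above is simply what regedit produces when it exports a REG_EXPAND_SZ value, which is why editing the URL in regedit and exporting is the route described. As an added example (not part of the original post or the MBAM deployment template), the PowerShell script below writes both .reg files for a given URL directly, encoding the endpoint the same way regedit does. The parameter names, the ConvertTo-RegHex2 function and the example hostname are this example's own; the key path, value names and value types are the ones shown in the sample files above.

```powershell
# Generates AddMBAMRegEntries.reg and RemoveMBAMRegEntries.reg for one endpoint URL.
# Example code added to the post; names below are assumptions, not MBAM's own.
param(
    [Parameter(Mandatory = $true)]
    [string]$EndpointUrl,   # e.g. https://mbam.example.com/MBAMRecoveryAndHardwareService/CoreService.svc (assumed host)
    [string]$OutDir = (Get-Location).Path
)

$key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM'

function ConvertTo-RegHex2 {
    # regedit exports REG_EXPAND_SZ as "hex(2):" followed by the comma-separated
    # UTF-16LE bytes of the string including the terminating NUL (00,00).
    # Long values are wrapped with a trailing backslash, which reg.exe treats as
    # a line continuation.
    param([string]$Value)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Value + [char]0)
    $text  = 'hex(2):'
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $text += $bytes[$i].ToString('x2')
        if ($i -lt $bytes.Length - 1) {
            $text += ','
            if (($i + 1) % 25 -eq 0) { $text += "\`r`n  " }   # wrap every 25 bytes
        }
    }
    return $text
}

$addLines = @(
    'Windows Registry Editor Version 5.00'
    ''
    "[$key]"
    '"Installed"=dword:00000001'
    '"KeyRecoveryOptions"=dword:00000001'
    '"UseKeyRecoveryService"=dword:00000001'
    ('"KeyRecoveryServiceEndPoint"=' + (ConvertTo-RegHex2 $EndpointUrl))
    '"DeploymentTime"=dword:00000001'
    '"NoStartupDelay"=dword:00000001'
)

# Everything except Installed is deleted again once encryption has started ("=-").
$removeLines = @(
    'Windows Registry Editor Version 5.00'
    ''
    "[$key]"
    '"KeyRecoveryOptions"=-'
    '"UseKeyRecoveryService"=-'
    '"KeyRecoveryServiceEndPoint"=-'
    '"DeploymentTime"=-'
    '"NoStartupDelay"=-'
)

$addPath    = Join-Path $OutDir 'AddMBAMRegEntries.reg'
$removePath = Join-Path $OutDir 'RemoveMBAMRegEntries.reg'
# regedit's own export format is UTF-16LE with a BOM; reg.exe imports that unchanged.
Set-Content -Path $addPath    -Value $addLines    -Encoding Unicode
Set-Content -Path $removePath -Value $removeLines -Encoding Unicode
Write-Host "Wrote $addPath and $removePath"
```

To verify the result before packaging it, run reg import on the generated AddMBAMRegEntries.reg on a test machine and confirm with reg query HKLM\SOFTWARE\Microsoft\MBAM that KeyRecoveryServiceEndPoint shows the URL as REG_EXPAND_SZ; on 64-bit Windows run both commands from a 64-bit prompt so the value lands in the 64-bit hive rather than under Wow6432Node.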

     

    Automating the process with a script

    StartMBAMEncryption.wsf is an MDT 2010 style script that automates the last four steps. To use this script, create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above.

    To start Encryption run the following from an elevated command prompt:

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

    How does the script work?

    Make sure that MBAM is installed: do a WMI query for the MBAMAgent service. If the service does not exist, fail.

        Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
        TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"

    The service exists, so stop it. Using the result of the previous query, call the StopService method. Note that the query returns at most one item.

        ' Stop the service
        For Each oService In oServices
          oService.StopService()
        Next

    Use the REG IMPORT command to import the AddMBAMRegEntries.reg file; this gives the MBAM agent the instruction to start encryption.

        sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
        iRetVal = oUtility.RunWithHeartbeat(sCMD)
        TestAndFail iRetVal, 10006, "Importing AddRegFile: " & sAddRefFilePath

    Now, using the result of the original WMI query again, start the MBAM agent

        ' Restart the MBAMAgent service
        for each oService in oServices
          oService.StartService()
        Next

    Since the BitLocker information is in a different WMI namespace, the script must create a connection to that namespace.

        strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
        On Error Resume Next
        Set objWMIBDE = GetObject(strConnectionStr1)
        On Error GoTo 0
        TestAndFail Err, 10007, "Unable to connect to BitLocker WMI object - BitLocker not installed"

    Using the object just created, query for the Win32_EncryptableVolume instance for the C: drive. Once that object is obtained, go into a loop: sleep 30 seconds, update the task sequence progress bar, and check whether encryption is in progress. Note that the script checks for both encryption in progress (iEncryptionStatus = 2) and fully encrypted (iEncryptionStatus = 1). The loop waits up to 10 minutes (20 iterations of 30 seconds) for encryption to start; in testing, encryption has started within 2 minutes.

        iCount = 0
        iLoopCount = 0
        oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
        Do
          ' progress is a percentage of the 10-minute (20 x 30 s) wait
          oLogging.ReportProgress "Waiting for Encryption to Start", (iLoopCount * 100) / 20
          wscript.Sleep 30000
          Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
          For Each oEncVol In colEnVol
            oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete
          Next

          iLoopCount = iLoopCount + 1
          If iLoopCount >= 20 Then
            TestAndFail False, 10008, "Timeout: Encryption did not start"
          End If
        Loop Until ((iEncryptionStatus = 1) Or (iEncryptionStatus = 2))
        oLogging.ReportProgress "Encryption Started", 100
        oLogging.CreateEntry "Encryption Started", LogTypeInfo

    All that is left is to clean up the registry by importing the RemoveMBAMRegEntries.reg file.

        sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
        iRetVal = oUtility.RunWithHeartbeat(sCMD)
        TestAndFail iRetVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath

     

    Creating the MBAM Support Task Sequence Package

    Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf. In your SCCM console, create a new package and program. The program command line will be:

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg  

    Or, to wait until encryption is finished, before the task sequence continues, the program command line will be:

      cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg   /WaitForEncryption:true

      

    Changes to the Task Sequence

    TPM Issues

    The Trusted Platform Module (TPM) must be visible to the operating system and enabled. Making the TPM visible varies by hardware vendor and system. There is a script that will check whether the TPM is visible here. For information on how to enable the TPM from a task sequence, see the vendor links below.

    Lenovo: http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-68488
    Dell: http://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx
    HP: http://itbloggen.se/cs/blogs/micke/archive/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes.aspx

     

    Disk Partitioning

    BitLocker requires an unencrypted partition that holds the boot files and the Boot Configuration Data (BCD) store. This partition must be at least 100 MB, but 300 MB is recommended: a 300 MB partition allows the Windows Recovery Environment (WinRE) to be copied to the unencrypted partition. WinRE is copied automatically when BitLocker is enabled if there is enough space on the boot partition.

    For bare metal deployments, the partition can be created during the Partition Disk step:

    1. Create a 300 MB primary partition and mark it Active (Make Bootable).
    2. Create a primary partition that uses 100% of the remaining disk, and assign a variable to this partition (OSDISK).
    3. Change the Apply Operating System step to put the operating system on the partition specified in the variable OSDISK.


    For a refresh of an XP or Windows 7 system that does not have a separate boot partition, use one of the following two methods. Add the step before the step that installs the MBAM support package created above.

    Using ZTIBDE.WSF (from MDT)

    Add a Run Command Line step that runs ZTIBDE.WSF

    cscript %ScriptRoot%\ZTIBDE.wsf

    Using BdeHDCfg

    Add a Run Command Line step  with the following command line:

    BdeHdCfg -target default -quiet

    This creates a 300 MB partition for the boot files by shrinking the existing system volume.

    Add a Reboot System step following this step.

    Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration Manager Support Team blog: http://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx

    Join the Domain

    The computer must be joined to a domain in order for MBAM to escrow the BitLocker recovery keys, so the domain join step has to run before encryption is started; without it, the agent cannot reach the recovery service and encryption will not begin.
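The TPM state described under TPM Issues and the domain membership required here are the two preconditions that StartMBAMEncryption.wsf cannot create for itself. As an added example (not part of the original post or its downloadable script), the following PowerShell precheck can run as a Run Command Line step immediately before the MBAM support package: it performs the same TPM checks the updated script does (abort if the TPM is not active, create the endorsement key pair if it is missing) and then confirms the computer is a domain member. The exit codes and messages are this example's own convention.

```powershell
# MBAM readiness precheck for a task sequence step. Example code added to the post.
# Exit codes (this example's convention): 0 ready, 1 TPM not usable, 2 not domain joined.

# Win32_Tpm lives in its own namespace and requires packet-privacy authentication.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                     -Authentication PacketPrivacy -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Write-Error 'No TPM is visible to the operating system; enable it in firmware (see the vendor links above)'
    exit 1
}

# Each Is* method returns an object whose property of the same name carries the answer.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned
Write-Host ('TPM enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)

if (-not ($enabled -and $activated)) {
    Write-Error 'TPM is present but not enabled and activated; run the vendor TPM-enable step and reboot first'
    exit 1
}

# BitLocker cannot take ownership of a TPM that has no endorsement key pair,
# so create one when it is absent (the Nonce parameter is omitted here).
if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    $rc = $tpm.CreateEndorsementKeyPair().ReturnValue
    if ($rc -ne 0) {
        Write-Error ('CreateEndorsementKeyPair failed: 0x{0:x8}' -f $rc)
        exit 1
    }
    Write-Host 'Created the TPM endorsement key pair'
}

# MBAM escrows recovery keys only for domain-joined computers.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Error ('Computer is in workgroup "{0}", not a domain; MBAM will not escrow keys' -f $cs.Workgroup)
    exit 2
}

Write-Host ('Domain member of {0}; ready for MBAM-controlled encryption' -f $cs.Domain)
exit 0
```

Because the task sequence engine treats a non-zero exit code as a step failure, a failed precheck stops the sequence before the encryption step runs and the failure reason is visible in the step's output rather than showing up later as a generic "Timeout: Encryption did not start".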

    Enabling BitLocker

    To enable BitLocker, simply add an install software step to install the package/program created above.  It is recommended that this be one of the last steps in the Task Sequence because encrypting the disk will consume many system resources until the disk is fully encrypted.

    Waiting for Encryption to Finish

    To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted. The /WaitForEncryption:True option forces the script to wait up to 5 hours for encryption to finish. If encryption does not finish within 5 hours, this is logged but the script does not abort. This option is useful where business requirements dictate that the system be fully encrypted before any data is restored.

    cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true
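The walkthrough under "How does the script work?" and the /WaitForEncryption option above describe one procedure. As an added example (a PowerShell port written for this page, not the original StartMBAMEncryption.wsf and not shipped with MBAM), the script below implements the same steps against the same WMI classes: verify the agent, stop it, import the add file, start it, wait for the OS volume to report encrypting, import the remove file, and optionally wait for encryption to finish. The parameter names and the Fail helper mirror the original's /AddRegFile, /RemoveRegFile, /WaitForEncryption switches and error numbers 10005 to 10009; the timeouts default to the original's 10 minutes and 5 hours.

```powershell
# PowerShell port of the StartMBAMEncryption.wsf procedure. Example code added to the post.
param(
    [Parameter(Mandatory = $true)][string]$AddRegFile,
    [Parameter(Mandatory = $true)][string]$RemoveRegFile,
    [switch]$WaitForEncryption,
    [int]$StartTimeoutMinutes = 10,   # original: 20 polls x 30 s
    [int]$FinishTimeoutHours  = 5     # original: up to 5 hours, logged but not fatal
)

function Fail([int]$Code, [string]$Message) {
    # Same error numbers as the original script's TestAndFail calls.
    Write-Host "ERROR ${Code}: $Message"
    exit $Code
}

function Import-RegFile([string]$Path) {
    # reg.exe returns non-zero if the file is missing or malformed. On 64-bit
    # Windows run this script through %windir%\sysnative\... so the 64-bit hive,
    # not Wow6432Node, receives the MBAM values.
    & reg.exe import $Path | Out-Null
    return $LASTEXITCODE
}

function Get-OsVolumeStatus {
    # Wraps Win32_EncryptableVolume.GetConversionStatus for the system drive.
    # ConversionStatus: 0 decrypted, 1 fully encrypted, 2 encryption in progress,
    # 3 decryption in progress, 4 encryption paused, 5 decryption paused.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -Class Win32_EncryptableVolume -Authentication PacketPrivacy -ErrorAction SilentlyContinue |
           Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if ($vol -eq $null) { Fail 10007 'Unable to connect to the BitLocker WMI object - BitLocker not installed' }
    $r = $vol.GetConversionStatus()
    return @{ Status = [int]$r.ConversionStatus; Percent = [int]$r.EncryptionPercentage }
}

# 1. The agent must be installed.
if ((Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue) -eq $null) {
    Fail 10005 'MBAM Client Agent is not installed'
}

# 2. Stop it so the new registry values are read on the next start.
Stop-Service -Name MBAMAgent -Force
(Get-Service -Name MBAMAgent).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 3. Import the deployment values (Installed, KeyRecoveryServiceEndPoint, NoStartupDelay, ...).
if ((Import-RegFile $AddRegFile) -ne 0) { Fail 10006 "Importing AddRegFile: $AddRegFile" }

# 4. Start the agent; with NoStartupDelay=1 it contacts the recovery service immediately.
Start-Service -Name MBAMAgent

# 5. Wait for the OS volume to report encrypting (2) or already encrypted (1).
$deadline = (Get-Date).AddMinutes($StartTimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $s = Get-OsVolumeStatus
    Write-Host ('Waiting for encryption to start: status={0} percent={1}' -f $s.Status, $s.Percent)
    if ((Get-Date) -gt $deadline) {
        Fail 10008 'Timeout: Encryption did not start (check domain membership, the endpoint URL and the MBAM event log)'
    }
} until ($s.Status -eq 1 -or $s.Status -eq 2)
Write-Host 'Encryption started'

# 6. Remove the one-time deployment values so Group Policy controls the agent afterwards.
if ((Import-RegFile $RemoveRegFile) -ne 0) { Fail 10009 "Importing RemoveRegFile: $RemoveRegFile" }

# 7. Optionally block until the drive is fully encrypted; a timeout is logged, not fatal.
if ($WaitForEncryption) {
    $deadline = (Get-Date).AddHours($FinishTimeoutHours)
    do {
        Start-Sleep -Seconds 60
        $s = Get-OsVolumeStatus
        Write-Host ('Encrypting: {0}% complete' -f $s.Percent)
    } until ($s.Status -eq 1 -or (Get-Date) -gt $deadline)
    if ($s.Status -ne 1) { Write-Host "Encryption did not finish within $FinishTimeoutHours hours; continuing" }
}
exit 0
```

A Run Command Line step for this port would be powershell.exe -ExecutionPolicy Bypass -File StartMBAMEncryption.ps1 -AddRegFile AddMBAMRegEntries.reg -RemoveRegFile RemoveMBAMRegEntries.reg, with -WaitForEncryption appended where the system must be fully encrypted before the sequence continues. The remove file is only imported once encryption has started, so if the wait times out the deployment values are deliberately left in place for troubleshooting, which matches the behaviour of the original script.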

    This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services – U.S. East Region. 

    Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.

    Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use

    StartMBAMEncryption.zip

    Comments (61)

    1. Anonymous says:

      Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the

    2. Anonymous says:

      http://deploymentbunny.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/ – is working link for TPM configuration in HP boxes.


    4. Anonymous says:

      Matthew

      change the GPOs for Operating System drive under BitLocker Drive Encryption.

      – Configure TPM startup to “Do not allow TPM”

      – Configure TPM startup PIN to “Allow TPM and PIN”

      – Configure TPM startup key to “Do not allow startup key with TPM”

      – Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”

      Dave

    5. Anonymous says:

      Hi David,

      Thank you for replying.  Yes, I have confirmed the URL is correct.  I am not using SSL.  When you say "start the MBAM client", so you mean start the agent, or start MBAMClientUI.exe?  

      Thanks,

      Tom

    6. Anonymous says:

      Sorry I haven't answered you sooner, I have been on vacation.

      Thomas, What I meant was, to start the MBAM client, The client should prompt you to start encryption within about an hour.  If that works, that means that the client is communicating with the server.

      In both of the cases it seems like the client cannot communicate with the server, most common issue I have seen are not being in the domain or the URL in the .REG file being incorrect.  Verify those things, and also verify the client will work normally as I mentioned above.  You should also check the MBAM client event logs.

      Dave

    7. Anonymous says:

      Hi Jonathan,

       Exactly what path did you use for the EncryptionMethod?

      According to social.technet.microsoft.com/…/how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx

      The correct path is HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod

      Dave

    8. Anonymous says:

      Paul,

       Check to see if you're joining the domain.  The most common cause for timeouts is not being in the domain.

      As for the timeout, it was adjusted in the latest version that I posted additional experience with the process..

      Dave

    9. Anonymous says:

      You can use sysnative.

      When running in a 64-bit OS use %windir%\sysnative\cscript.exe to run the script.  That will force the TS to run the 64-bit version of cscript.exe

      By the way if you are using MDT Lite Touch, I would recommend placing the machine in an OU that doesn't get any policy, and then moving to the proper OU at the end of the TS.  That way GPO cannot interfere with the TS.

      Thanks

      Dave

    10. Anonymous says:

      Found a solution – Adding the following entry into the "AddMBAMRegEntries.reg" file changes the Encryption Method to 'AES 256-bit with Diffuser':

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

      "EncryptionMethod"=dword:00000002

    11. yannara says:

      I got my endpoint to hex, using group policies and then export data to notepad. I tried to do everything as instructed, but after task sequence, encryption status on machine has an alert mark on OS partition. I can get rid of the alert By entering new
      PIN code. But still, there is no TPM password in database. Should I just open new thread about this in Social Microsoft / MBAM node?

    12. Anonymous says:

      Is there an updated script for MBAM 2.0 that will deal with the D drive encryption?

    13. Anonymous says:

      It is entered in regedit and then exported.

    14. David Hornbaker says:

      Yannara
      The script will work fine with MBAM 2.5

    15. Anonymous says:

      Brian,

       I detect that the machine is BitLocker encrypted and store that in a task sequence variable.  If encrypted, disable protectors and refresh the OS.  Then, in State Restore, if not encrypted, run the MBAM script; if encrypted, just enable protectors.

    16. Anonymous says:

      Cameron

       There should be a StartMBAMEncryption.log.   Check The MBAM Event log (in Eventviewer).  Confirm that the URL in the REG file specified in the command line is the correct URL for your site.  You say the MBAM client is working so I assume if you start the client and wait, you get the MBAM encryption prompt, correct?

      Dave

    17. Anonymous says:

      Hi Bruno

      Most likely cause is that the server URL is incorrect in the .reg file or the server cannot be contacted.  Verify the URL and verify you can connect to the server from the subnet the system is on (open the URL in IE)

      Dave

    18. Anonymous says:

      It sounds like there is a problem communicating with the MBAM server.  Verify that the URL is correct in the .REG files, and that the machine is domain joined.  Try to get to the MBAM server URL using IE.  Look for any IIS issues on the server, or cert issues if using SSL.  But it sounds like you have done all of this.  

      If you start the MBAM client without the REG file in place, does the machine eventually get policy and prompt to encrypt (may take up to 60 minutes)?  Check the MBAM event log.

      Dave

    19. Anonymous says:

      Is there a way to change the default encryption method from 128-bit to '256-bit with Diffuser'?

      We have a requirement to have the 256-bit encryption being used as part of the SCCM Task Sequence using MBAM.

      I had assumned that by adding the entry below to the AddMBAMRegEntries.reg file that this would take effect but it doesn't seem to work:

      "EncryptionMethod"=dword:00000002

      Does anyone know if it is possible to do this using MBAM as part of a SCCM Task Sequence?

    20. Anonymous says:

      Bruno,

       Disable 64 bit redirection on that step.  The registry entries are being written to the wrong location.

      Dave

    21. Anonymous says:

      Marc,

       The script fragments within the post proper are just to explain how the script works.  There is a link to the complete script at the bottom of the post.

      Thanks

      Dave

    22. Anonymous says:

      When I attempt to run the script from the command line I get the same results as Bruno, "Timeout: Encryption did not start".  I am testing the script with Windows 7 64-bit.  The Bitlocker UI says the drive is ready for encryption.  I have yet to try this in a task sequence – don't want to waste time if I cannot get the script to execute from the commandline.  I have used the task manager to verify that 64-bit cscript is running within a 64-bit command prompt.  Debug info says TPM is enabled, activated and has keys.  I can connect to the service page on the MBAM at the URL specified in the reg file from the test machine.

      HELP!

    23. Anonymous says:

      An additional fixed disk could be encrypted using the built-in BitLocker support after the C: (OS drive) has been encrypted.  However, after the Task Sequence is completed and the machine gets policy, MBAM will prompt for a password, since MBAM requires a Password protector.

    24. Anonymous says:

      Doh! Of course!

      Awesome write up. We are planning to deploy bitlocker using MBAM to 11,000 workstations. We have started with our latest laptop roll out. .

    25. Anonymous says:

      I followed the steps above in regards to partitioning in the Task Sequence.  When I image a computer it installs the OS to the OSDISK partition but it uses the D: drive instead of creating it on the C: drive.  How can I get the TS to install the OS onto the C: drive?  What happens if I change the BDEDISK to be hidden?

    26. Anonymous says:

      What tool did you use to convert KeyRecoveryServiceEndPoint from an http:// string to the HEX you have up there?

      Putting the text in as string in Notepad doesn't seem to work.

    27. Or Tsemah says:

      Did you have any luck encrypting both C: & D: during OSD automatically?

      The other partitions require a one-time password that pops up when a user first logs on while C: is encrypting

    28. Matthew Cranfield says:

      Hello,

      Thanks for the post. I've got encryption working in the Task Sequence using the above steps. We also require a different start up PIN on our company laptops. When the build has completed I can set a PIN using the MBAM client.

      The issue is that the laptop never reports to the MBAM server. If I enable bitlocker manully on a laptop the I have no issues.

      In the event log of the laptop that does not report in to the MBAM server, there is an error message in the event log of the laptop stating that group policy does not permit TPM only.

      If I run manage-bde -status the protectors are set to TPM and PIN.

      Do you have any ideas how I can resolve this issue please?

      Kind regards

      Matt

    29. Bruno Henriques says:

      Hello Guys, thanks for this posting, it's really useful!

      I already have this working in my lab but when I tried to put it in the production environment I end up with not encrypting the machine during the Task Sequence (MDT 2010) with the error – 10008, "Timeout: Encryption did not start".

      Then I reboot the machine and the error message appears: "BitLocker could not be enabled – The BitLocker encryption key cannot be obtained…."

      Before I send the TS to the machine I verify that the TPM is enabled in the BIOS, so what could I check to fix this error? Any ideas?

      Thanks in advance!

      Regards,

      Bruno

    30. Bruno Henriques says:

      Hello David,

      Thank you for the answer, I did that test: when your script is trying to encrypt the drive (in the step "Waiting for Encryption to Start") I already checked in regedit the URL of my .key that was imported and tried it in IE and it went well, making a service connection to the MBAM Server, so it must be another thing that I'm not checking that's blocking the connection to the server…

      One thing that I also noticed is if your script can´t encrypt the drive (in my case) he also cannot apply the RemoveRegFile:RemoveMBAMRegEntries.reg key, is that the normal behaviour of the script?

      Cheers,

      Bruno

    31. Bruno Henriques says:

      Hello David,

      I noticed one thing in my tests: if I create an MDT TS for Windows 7 SP1 (x86) it encrypts fine during the TS with no problems…..but if I do it in an MDT TS for Windows 7 SP1 (x64) I can't encrypt the machine during the TS (it times out with failure "Timeout: Encryption did not start").

      Did you have the same results in this scenario? What could I change in the x64 version of Windows 7 SP1 to start encrypting during the TS?

      Cheers,

      Bruno

    32. Bruno Henriques says:

      Hello David

      If I had an SCCM TS I would do that in a second 😉  but in my case I just have an MDT 2010 (I don't have SCCM in my environment)  and I don't know how to "Disable 64 bit redirection on that step" in a run command line option (in an MDT TS ) 🙁

      Did you already try this in x64 Windows 7 deployment and all went good with your script?

      Sorry to bother you with this but I'm running out of solutions 😐

      Best regards,

      Bruno

    33. Manoj Sehgal says:

      Jonathan,

      Yes you can change the encryption strength.

      In the Task Sequence (just before the Enable Bitlocker task) add a Command Line TS item that runs the following command:

      reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f

      This isn't the same location as the other values added under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM' but the MBAM client still recognises the value and encrypts the drive using 256-bit with Diffuser regardless.

      Thx

      Manoj

    34. Marc Zimmerman says:

      Hi David,

      First, thank you for this great post. I have, however, a problem getting the script to run in our environment.

      I just copied the script above, pasted it to notepad and saved as a .WSF. However when I run the script I get an error : "Unterminated entity reference – matching ';' not found". when adding the missing ";" it shows "invalid entity reference"

      According to the internet, this could be solved by renaming the file to .VBS, but that opens a new set of errors. As I'm not at home in the scripting world, I'm wondering if you have any tips?

      Thanks,

      Marc

    35. Paul Byrd says:

      FYI –

      I have had trouble getting my drives to begin encryption due to timeout and found that the script you download has different time settings than the broken down explanation. Here's what's in the download:

      Do

           oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount*4/20

           wscript.Sleep 15000

      Which will set the time between tests at 15 seconds. I changed mine to the example settings above…

      Do

           oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount/20

           wscript.Sleep 30000

      and now my task sequence will wait long enough for encryption to start.

    36. Paul Byrd says:

      Hi David,

      I am definitely joining the domain. Haven't had a problem since I changed the DL'd file back to the original settings, but I also found that I needed to use the BDEHDCFG instead of the partitioning during diskpart since I was deploying a thick image.

      Paul

    37. Cameron Kerr says:

      I have been going around in circles for days trying to get this working. I have a SCCM 2012 environment. The task sequence enables the TPM and the computer is joined to the domain. I've set the script as the last step in my task sequence, but it times out with the same errors that the other guys were getting above. I can access the server if I bring up IE, the registry keys are there, the MBAM agent is there and functioning?

      I'm not sure which logs to check. There is nothing referencing it in smsts.log..

      Its the last thing i have to get working and its doing my head in.

      Any ideas?

    38. Brian says:

      I know this post comment section has been quiet for a while but I wanted to ask if anyone that has this working properly has run into any issues with the MBAM client in a refresh scenario?  The process outlined in this post works quite well but when I re-image a computer that is already MBAM encrypted the MBAM client stops being able to apply policy.

      I know this really isn't the place for a question like this but I figure maybe someone has run into it before.

    39. Brian says:

      David,

      Thanks so much for the response.  In your scenario do you disable protectors by simply using a command line of: manage-bde -protectors -disable C:?  Or do you perform that function with a different mechanism, i.e. the Disable Bitlocker SCCM step or the ztiDisableProtectors.wsf MDT script?  If I'm correct it sounds like you: disable protectors if encrypted, reboot to WinPE, apply new .wim OS, re-install MBAM client, and then simply re-enable protectors i.e. manage-bde -protectors -enable C:?  And you have no MBAM client errors listed in Event Viewer taking that route?

      My refresh sequence sounds very similar but I am using the built in SCCM step to disable BitLocker as of right now.  I perform that disable step, backup user data with hardlinks, reboot to WinPE, wipe and apply new WIM, install MBAM agent again, and then used the manage-bde -protectors -enable C: command.  The OS boots and is still fully encrypted, but if I look in Event Viewer for the MBAM items I see that an error occurred trying to apply policy.  The only way I've found to get this to stop is to decrypt the drive and allow the MBAM client to re-encrypt.  But that doesn't sound correct to me.

      And if it isn't too much trouble could you shed a little light on how you determine if encrypted or not?  I found a couple of WMI queries online but haven't had really any luck getting this to work properly.

      Sorry if this is off-topic from the previous postings but any help would definitely be appreciated.  Thanks!

    40. Philemon says:

      I am having problems getting the encryption process to work even after I have entered the above registry settings.  I keep getting the following error.

      " BitLocker  could not be enabled

      The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.

      C:was encrypted"

      I have tried with 4 different laptops to get it working but I keep getting the same thing. I would appreciate any assistance

    41. Drew says:

      David,

      Great write up!  Do you have updates instructions for SCCM 2012 and MDT 2012?  I have followed MOST of the steps here, but cannot find StartMBAMEncryption.wsf anywhere..  Any help would be greatly appreciated!

    42. ali says:

      I am trying to setup MBAM with SCCM task sequence to enable encryption and for some reason the encryption will not start.

      1) Imported MBAM client as a package in SCCM and included in the task sequence.

      2) Created a separate task in the SCCM task sequence to execute the command line at the time of machine build. Here is the command line.

      cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

      3) The machine fails to activate the bitlocker.

      For testing I tried to manually execute this command on the WIN7 client machine I can see the registry entries are successfully imported and then I see the message waiting for encryption to start……….

      I am not sure what am I missing here, and looking for some help.

      Ali

    43. Dustin C says:

      Does anything in this process need changed for MBAM 2.0?  I've noticed additional registry entries in 2.0.

    44. John B. says:

      I am having an issue getting the MBAM client to recognize the 300MB partition as a valid partition when attempting to encrypt the drive.  The drive has been designated as D: and I can only get the client to initialize when I run the BDEHDcfg.exe to shrink the C drive and create a partition for BitLocker…when this happens the partition label is blank in Disk Management.  Event Viewer says it can't encrypt because the volume has system information.  What am I missing? Any help is appreciated…Thanks!

    45. Milosz E. says:

      Hey, can someone help me out with this? I am able to encrypt C with your script. It works well. After encrypting C drive I have to encrypt drive D (fixed data drive). I created a scheduled task to run on each logon or wake from sleep:

      strComputer = "."

      ' The BitLocker provider lives in its own WMI namespace
      Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
      Set volumes = objWMIService.InstancesOf("Win32_EncryptableVolume")
      Set oShell = CreateObject("Wscript.shell")

      ' Poll once a minute until C: reports 100% encrypted
      Do Until retval2 = 100
        Wscript.Sleep(60000)
        For Each volume In volumes
          If volume.DriveLetter = "C:" Then
            retval = volume.GetConversionStatus(cs, ep)   ' cs = status, ep = percent complete
            retval2 = ep
          End If
        Next
      Loop

      ' C: is done: encrypt D: with a recovery key saved to C:, enable auto-unlock,
      ' then remove the scheduled task that launched this script
      oShell.Run "manage-bde.exe -on d: -rk c:", 0
      WScript.Sleep(5000)
      oShell.Run "manage-bde.exe -autounlock -enable d:", 0
      WScript.Sleep(3000)
      oShell.Run "schtasks /Delete /TN EnableMBAM_D /F", 0
      WScript.Sleep(3000)
      WScript.Quit

      The problem is when I enable encryption on drive D (it encrypts without problem), it is reported correctly in SQL, but I am not able to retrieve the unlock key from the SQL DB. Keys for the C drive are exported without problem. I think this might be connected to the fact that C drive encryption is started by your script, which implies using MBAM, and D is started with manage-bde. Could you please provide a script for drive D or point me in the right direction?

    46. Stacy2 says:

      How can I incorporate the TPM pin after I have used the registry keys to silently start encryption?

    47. Anand says:

      Would someone let me know where I can find this "StartMBAMEncryption.log"?

    48. Evans says:

      Any thoughts on using PowerShell and not VB Script?

    49. Evans says:

      I am sure someone can clean up my powershell but here is my first try at it 8o)

      <#
      Created By: Evans Conforti
      Created Date: 2/27/2014
      Updated By:
      Updated Date:
      Disclaimer: This script is provided "AS IS" with no warranties, confers no rights, and is not supported by the author.

      .Synopsis
      MBAM 2.0 Bitlocker Enterprise Encryption
      .DESCRIPTION
      Starts the MBAM 2.0 Bitlocker Enterprise Encryption process on systems.
      .EXAMPLE
      Modify the server variables and run the script.
      #>
      # Modify below as needed
      $AppDir = 'MBAM AGENT INSTALL LOCATION'
      $MBAMServer = 'MBAM SERVER NAME'
      # Modify above as needed
      # Modify below with caution

      # Note: newer Windows versions ship a built-in Get-Tpm cmdlet; a function defined
      # in the script takes precedence over it, so this name still resolves to our code.
      function Get-TPM {
          # Path separators restored: the TPM WMI namespace is root\CIMV2\Security\MicrosoftTpm
          $TPMI = GWMI -Class Win32_TPM -Namespace "root\CIMV2\Security\MicrosoftTpm" -ErrorAction SilentlyContinue
          $TPMV = $TPMI.SpecVersion
          $TPME = $TPMI.IsEnabled_InitialValue
          $TPMA = $TPMI.IsActivated_InitialValue
          $TPMO = $TPMI.IsOwned_InitialValue
          if ($TPMV -notmatch "1.2") {
              Write-Host
              Write-Warning "TPM is not version 1.2! MBAM 2.0 Bitlocker Enterprise Encryption will not work with this system."
              Read-Host -Prompt "Press Enter to continue! "
              Exit
          }
          if ($TPME -eq $False) {
              Write-Host
              Write-Warning "TPM is not Enabled! Please Enable TPM and then re-run this script."
              Read-Host -Prompt "Press Enter to continue! "
              Exit
          }
          if ($TPMA -eq $False) {
              Write-Host
              Write-Warning "TPM is not Activated! Please Activate TPM and then re-run this script."
              Read-Host -Prompt "Press Enter to continue! "
              Exit
          }
          if ($TPMO -eq $False) {
              Write-Host
              Write-Warning "TPM is not Owned! This is normal for first time encryption."
          }
          Get-MBAMStatus
      }

    50. Evans says:

      function Get-MBAMStatus {
          $MBAMA = GWMI -Query "select * from win32_service where name='mbamagent'" -ErrorAction SilentlyContinue
          $MBAMS = $MBAMA.State
          if (!($MBAMA)) {
              Write-Host
              Write-Warning "MBAM Agent is not Installed!"
              $GOS = GWMI -Class Win32_OperatingSystem
              $OSArch = $GOS.OSArchitecture
              # Path separators restored; adjust the folder layout to match your MBAM media
              If ($OSArch -eq "64-bit") {
                  Start-Process -FilePath "$AppDir\Microsoft\MBAM 2013\x64\MbamClientSetup.exe" -ArgumentList "/qb /norestart" -Wait
              }
              If ($OSArch -eq "32-bit") {
                  Start-Process -FilePath "$AppDir\Microsoft\MBAM 2013\x86\MbamClientSetup.exe" -ArgumentList "/qb /norestart" -Wait
              }
              Get-MBAMStatus
          }
          Else {
              Write-Host
              Write-Host 'MBAM Agent is' $MBAMS
              # Stop the agent, write the deployment-time values, then restart it so it picks them up
              $MBAMA.StopService() | Out-Null
              New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOption -Value 1 -PropertyType DWord -Force
              New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Value 1 -PropertyType DWord -Force
              New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Value 1 -PropertyType DWord -Force
              New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Value 1 -PropertyType DWord -Force
              New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Value "http://$MBAMServer/MBAMRecoveryAndHardwareService/CoreService.svc" -PropertyType ExpandString -Force
              $MBAMA.StartService() | Out-Null
          }
          Get-EncryptableVolume
      }

      function Get-EncryptableVolume {
          $LoopCount = 1
          Do {
              # Filter on the system drive: Win32_EncryptableVolume returns one instance per volume,
              # and calling GetConversionStatus() on an array of them fails with "no such method".
              $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -Filter "DriveLetter='$env:SystemDrive'" -ErrorAction SilentlyContinue
              $EVIS = $EVI.GetConversionStatus().ConversionStatus
              # ConversionStatus: 0 = FullyDecrypted, 1 = FullyEncrypted, 2 = EncryptionInProgress
              If ($EVIS -eq "0") {
                  Write-Host
                  Write-Host 'Waiting for Encryption to Start'
              }
              If ($EVIS -eq "1") {
                  Write-Host
                  Write-Host 'Encryption Finished'
                  Start-Cleanup
              }
              If ($EVIS -eq "2") {
                  Write-Host
                  Write-Host 'Encryption Started'
                  Start-Cleanup
              }
              Start-Sleep 5
              $LoopCount++
          }
          Until ($LoopCount -ge 20)
          Write-Warning "Timeout: Encryption did not start!"
          Read-Host -Prompt "Press Enter to continue! "
      }

      function Start-Cleanup {
          Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOption -Force
          Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Force
          Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Force
          Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Force
          Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Force
          Exit
      }

      Clear-Host
      Write-Host
      Write-Host 'MBAM 2.0 Bitlocker Enterprise Encryption'
      Get-TPM
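
    The following is an added example, not the blog author's script and not Evans's code above. It shows the wait-and-cleanup step as a practitioner would harden it for a task sequence: the conversion status is read only for the system volume (so multiple Win32_EncryptableVolume instances cannot turn into a "no such method GetConversionStatus" error), and the five MBAM deployment values used in this thread are removed in a finally block, so a timeout or an exception never leaves them behind. It assumes the MBAM agent is already installed and that an earlier step wrote those values under HKLM:\SOFTWARE\Microsoft\MBAM; the 600-second timeout and 10-second poll interval are constructed defaults. It avoids PowerShell 3.0-only syntax so it also runs on Windows 7's PowerShell 2.0.

```powershell
# Added example (not the blog author's or Evans's script): wait for BitLocker to
# start on the OS volume, then always remove the MBAM deployment values.
# Assumes the agent is installed and the values below were already written.

$MbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
# The five deployment-time values used throughout this thread
$DeploymentValues = 'KeyRecoveryOption', 'UseKeyRecoveryService',
                    'DeploymentTime', 'NoStartupDelay', 'KeyRecoveryServiceEndPoint'

function Get-OSVolumeConversionStatus {
    # One Win32_EncryptableVolume instance exists per volume. Filtering on the
    # system drive letter guarantees a single object, so the method call below
    # is made on an instance rather than on an array.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" `
        -ErrorAction SilentlyContinue
    if (-not $vol) { throw "No encryptable volume found for $env:SystemDrive" }

    $status = $vol.GetConversionStatus()
    if ($status.ReturnValue -ne 0) {
        throw ("GetConversionStatus failed with 0x{0:X8}" -f $status.ReturnValue)
    }
    # ConversionStatus: 0 FullyDecrypted, 1 FullyEncrypted, 2 EncryptionInProgress,
    # 3 DecryptionInProgress, 4 EncryptionPaused, 5 DecryptionPaused
    New-Object PSObject -Property @{
        Status  = [int]$status.ConversionStatus
        Percent = [int]$status.EncryptionPercentage
    }
}

function Wait-ForEncryptionStart {
    param([int]$TimeoutSeconds = 600, [int]$PollSeconds = 10)   # constructed defaults
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $s = Get-OSVolumeConversionStatus
        if ($s.Status -eq 1 -or $s.Status -eq 2) {
            Write-Host ("Encryption under way on {0}: {1}%" -f $env:SystemDrive, $s.Percent)
            return $true
        }
        Write-Host 'Waiting for encryption to start...'
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Remove-MbamDeploymentValues {
    foreach ($name in $DeploymentValues) {
        Remove-ItemProperty -Path $MbamKey -Name $name -Force -ErrorAction SilentlyContinue
    }
}

$started = $false
try {
    $started = Wait-ForEncryptionStart
}
finally {
    # Runs after success, timeout and error alike, so no deployment values linger
    # on a machine that did not encrypt.
    Remove-MbamDeploymentValues
}

if (-not $started) {
    Write-Warning 'Timeout: encryption did not start; deployment values removed.'
    exit 1   # non-zero exit code makes the task sequence step report failure
}
exit 0
```

The exit code is what makes the step useful inside a task sequence: a non-zero value surfaces the timeout as a failed step instead of leaving an unencrypted machine that looks finished, and the finally block addresses the leftover-keys problem raised later in this thread.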

    51. Evans says:

      Had an issue with $EVI.GetConversionStatus().ConversionStatus on one system so far. Even though on this system, when I ran $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -ErrorAction SilentlyContinue and then $EVI.GetConversionStatus().ConversionStatus, I kept getting a message that there was no such method GetConversionStatus(). I knew this was not true because when I interrogate (GM) the variable $EVI it shows. Anyone ever run into this?

    52. carl says:

      I am able to run this deployment, but when I go to the HelpDesk website, Manage TPM and submit; I get the error TPM owner password file is not found. When I look up the information in the RecoveryAndHardwareCore.Machines table the TpmPasswordHash is NULL. Any ideas?

    53. Anonymous says:

      Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the

    54. Pramod says:

      I want to delete the BitLocker partition through a script. So, is there a way to identify that a particular partition is a BitLocker partition?

    55. WB says:

      On some machines when I run this, I get repeating lines of "Property LogPath is now = C:\MININT\SMSOSD\OSDLOGS" and it doesn't stop until I kill cscript.exe. Any ideas of why this fails to work on some machines but works fine on others, or is there any way that I can get this to work?

    56. CS says:

      Having issues with this on x64 bit.. Any ideas? Script seems to fail..

    57. Paul Harfield (MS) says:

      Hi Guys,

      We had a little trouble implementing this with certain hardware failing to encrypt. What we found is that some TPMs need to have a reboot before MBAM completes taking ownership. As a simple workaround we use the script twice with a reboot in the middle: if the TPM has previously been owned it works the first time, but if not, the second iteration catches this. One minor issue with the script: if encryption fails to take place (times out), it doesn't remove the registry keys, which we found caused issues further down the line.

    58. yannara says:

      Is this solution compatible with MBAM 2.5? Is it enough if I just take the sample reg files from this article and the MDT script and put them all together in a single package, or do I need to modify something else than my MBAM server URL? I feel this solution / article is too complex.

    59. yannara says:

      Must the endpoint line be in hex? Or may I just use
      https://mbam.domain.dom ?

    60. I see you're using ZTIUTILITY.VBS. Is it possible to use this method without MDT Integration?

    61. Mike D says:

      On the step named "Create a .reg file that contains the required MBAM entries." Do you mean create the reg file from a laptop that has the company MBAM GP in place or create it from another source?