Using MBAM to start BitLocker Encryption in a Task Sequence
The script has been updated to abort if the TPM is not Active and to create Endorsement Key Pair if it does not exist on the TPM.
Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise. More information on MBAM can be found here.
BitLocker creates recovery information at the time of encryption, and MBAM stores that information in its recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process. MBAM encryption is controlled by Group Policy, and Group Policy is not applied during an SCCM Task Sequence. It is still possible to have MBAM start encryption during the task sequence; the techniques are described in the whitepaper Using MBAM Data Encryption With MDT: https://go.microsoft.com/fwlink/?LinkId=229053
Manually starting BitLocker Encryption with MBAM
Manually starting encryption with MBAM requires five steps:
- Install the MBAM agent.
- Stop the MBAM agent.
- Import registry settings that instruct the agent to start encryption.
- Wait for encryption to start.
- Remove most of the imported registry settings.
Installing MBAM Agent
The MBAM agent can be installed during Windows 7 Image creation.
To install MBAM during the deployment, just create a SCCM package/program to install the agent.
Creating the registry import files.
Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.
Do the following on an unencrypted system with the MBAM agent installed (from an elevated command prompt):
- Net Stop MBAMAGENT
- reg import "c:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg"
- Using regedit, make the following changes:
- Change the KeyRecoveryServiceEndPoint value to the URL of the MBAM recovery server.
- Add NoStartupDelay as a DWORD with a value of one.
- Export the MBAM key to a file (AddMBAMRegEntries.reg).
Next, create a .reg file to remove the entries:
- Copy AddMBAMRegEntries.reg to RemoveMBAMRegEntries.reg.
- Open RemoveMBAMRegEntries.reg in Notepad.
- Delete the line: "Installed"=dword:00000001
- For all the other values in the file, replace everything after the equals sign with a minus sign (e.g. "NoStartupDelay"=dword:00000001 becomes "NoStartupDelay"=-).
- Save RemoveMBAMRegEntries.reg.
Note: More information on creating and editing .reg files is available here.
At this point, test that the .reg files are correct by starting the MBAM agent (net start MBAMAGENT); encryption will begin within a couple of minutes. After encryption begins, import RemoveMBAMRegEntries.reg to remove the entries that are no longer needed.
For encryption to begin, the MBAM agent needs to talk to the server. If this server communication fails, encryption will not start. If there is a problem, verify that the URL is correct and that the MBAM server is functioning correctly.
Sample AddMBAMRegEntries.reg file
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\
00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\
42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\
00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\
76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\
00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001
Sample RemoveMBAMRegEntries.reg file
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"KeyRecoveryOptions"=-
"UseKeyRecoveryService"=-
"KeyRecoveryServiceEndPoint"=-
"DeploymentTime"=-
"NoStartupDelay"=-
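As an added example (not part of the post), the following PowerShell generates both .reg files for a given recovery endpoint URL, writing KeyRecoveryServiceEndPoint in the same hex(2) (REG_EXPAND_SZ) form that regedit exports, and decodes the value back out of the written file to confirm the URL round-trips. The function names, the example.com endpoint and the output folder are placeholders.

```powershell
# Added example (not the post's script): build AddMBAMRegEntries.reg and
# RemoveMBAMRegEntries.reg with the same value names as the samples above.

function ConvertTo-RegHex2 {
    # REG_EXPAND_SZ in a .reg file is "hex(2):" followed by the UTF-16LE bytes
    # of the string plus a two-byte NUL terminator, as comma-separated hex pairs.
    param([Parameter(Mandatory = $true)][string]$Value)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Value + [char]0)
    return 'hex(2):' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ',')
}

function ConvertFrom-RegHex2 {
    # Reverse of the above. Pass the value as written in a .reg file with any
    # continuation lines joined; regedit's trailing "\" and indentation are stripped.
    param([Parameter(Mandatory = $true)][string]$RegValue)
    $hex   = (($RegValue -replace '^\s*hex\(2\):', '') -replace '[\\\s]', '') -split ',' |
             Where-Object { $_ -ne '' }
    $bytes = [byte[]]($hex | ForEach-Object { [Convert]::ToByte($_, 16) })
    return [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function New-MBAMRegFiles {
    param(
        [Parameter(Mandatory = $true)][string]$EndpointUrl,
        [string]$OutputDirectory = '.'
    )
    $key = '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]'

    # Values the agent needs in order to start encryption during the task sequence.
    $add = @(
        'Windows Registry Editor Version 5.00'
        ''
        $key
        '"Installed"=dword:00000001'
        '"KeyRecoveryOptions"=dword:00000001'
        '"UseKeyRecoveryService"=dword:00000001'
        '"KeyRecoveryServiceEndPoint"=' + (ConvertTo-RegHex2 -Value $EndpointUrl)
        '"DeploymentTime"=dword:00000001'
        '"NoStartupDelay"=dword:00000001'
    )

    # "=-" deletes a value on import; Installed is deliberately left in place.
    $remove = @(
        'Windows Registry Editor Version 5.00'
        ''
        $key
        '"KeyRecoveryOptions"=-'
        '"UseKeyRecoveryService"=-'
        '"KeyRecoveryServiceEndPoint"=-'
        '"DeploymentTime"=-'
        '"NoStartupDelay"=-'
    )

    $addPath    = Join-Path $OutputDirectory 'AddMBAMRegEntries.reg'
    $removePath = Join-Path $OutputDirectory 'RemoveMBAMRegEntries.reg'
    # regedit writes Version 5.00 files as UTF-16LE with a BOM; -Encoding Unicode matches that.
    Set-Content -Path $addPath    -Value $add    -Encoding Unicode
    Set-Content -Path $removePath -Value $remove -Encoding Unicode

    # Read the endpoint back from the file just written to prove the encoding round-trips.
    $line    = Get-Content -Path $addPath | Where-Object { $_ -like '"KeyRecoveryServiceEndPoint"=*' }
    $decoded = ConvertFrom-RegHex2 -RegValue ($line -replace '^"KeyRecoveryServiceEndPoint"=', '')
    if ($decoded -ne $EndpointUrl) { throw "Endpoint did not round-trip: '$decoded'" }

    return $addPath, $removePath
}

# Placeholder server name; substitute the recovery server URL for your environment.
New-MBAMRegFiles -EndpointUrl 'https://mbam.example.com/MBAMRecoveryAndHardwareService/CoreService.svc' -OutputDirectory $env:TEMP
```

ConvertFrom-RegHex2 can also be pointed at the KeyRecoveryServiceEndPoint line of an existing AddMBAMRegEntries.reg to check which URL a package actually carries.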
Automating the process with a script
StartMBAMEncryption.wsf is an MDT 2010 style script that automates the last four steps. To use this script, create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above.
To start encryption, run the following from an elevated command prompt:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg
How does the script work?
To make sure that MBAM is installed, do a WMI query for the MBAMAgent service. If the service does not exist, fail.
Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"
Once the service is known to exist, stop it. Using the result of the previous query, call the StopService method. Note that the query returns at most one item.
' Stop the service
For Each oService In oServices
    oService.StopService()
Next
Use the REG IMPORT command to import the AddMBAMRegEntries.reg file; this gives the MBAM agent the instruction to start encryption.
sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10006, "Importing AddRegFile: " & sAddRefFilePath
Now, using the result of the original WMI query again, start the MBAM agent.
' Restart the MBAMAgent service
For Each oService In oServices
    oService.StartService()
Next
Since BitLocker information is in a different WMI namespace, the script must create a connection to that namespace.
strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next
Set objWMIBDE = GetObject(strConnectionStr1)
On Error GoTo 0
TestAndFail Err, 10007, "Unable to connect to BitLocker WMI object - BitLocker not installed"
Using the object just created, query for the Win32_EncryptableVolume instance for the C: drive inside a loop: sleep 30 seconds, update the Task Sequence progress bar, and check whether encryption is in progress. Note that the script checks for both in progress (EncryptionStatus = 2) and encrypted (EncryptionStatus = 1). This loop will wait 10 minutes for encryption to start; in testing, encryption has started within 2 minutes.
iCount = 0
iLoopCount = 0
oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
Do
    oLogging.ReportProgress "Waiting for Encryption to Start", iLoopCount/20
    wscript.Sleep 30000
    Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
    For Each oEncVol In colEnVol
        oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete
    Next
    iLoopCount = iLoopCount + 1
    If iLoopCount >= 20 Then
        TestAndFail False, 10008, "Timeout: Encryption did not start"
    End If
Loop Until ((iEncryptionStatus = 1) Or (iEncryptionStatus = 2))
oLogging.ReportProgress "Encryption Started", 100
oLogging.CreateEntry "Encryption Started", LogTypeInfo
All that is left to do is clean up the registry by importing the RemoveMBAMRegEntries.reg file.
sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
iRetVal = oUtility.RunWithHeartbeat(sCMD)
TestAndFail iRetVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath
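The same sequence in PowerShell, as an added example rather than the post's StartMBAMEncryption.wsf: check for the MBAMAgent service, confirm the TPM is enabled and activated (the abort condition the update note at the top mentions), stop the agent, import the add file, restart the agent, poll the OS volume until BitLocker reports status 1 or 2, then import the remove file. The function names are mine, the OS volume is taken from $env:SystemDrive rather than hard-coded to C:, and since there is no oLogging outside MDT, progress goes to the console; it must run elevated and, on 64-bit Windows, as a 64-bit process.

```powershell
# Added example, not the post's script. Mirrors the steps of StartMBAMEncryption.wsf
# with Get-WmiObject and reg.exe; run from an elevated, native-architecture PowerShell.

$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

# ConversionStatus codes returned by Win32_EncryptableVolume.GetConversionStatus
$ConversionStatusName = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Test-TpmReady {
    # Abort early, as the updated script does, when the TPM is absent, disabled or not activated.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { throw 'No TPM is visible to the OS (Win32_Tpm returned nothing)' }
    if (-not $tpm.IsEnabled_InitialValue) { throw 'TPM is not enabled' }
    if (-not $tpm.IsActivated_InitialValue) { throw 'TPM is not activated' }
    return $true
}

function Get-OSVolumeConversionStatus {
    # Query only the OS volume: calling GetConversionStatus on a result that holds
    # several Win32_EncryptableVolume instances (a data drive, for instance) fails.
    $drive = $env:SystemDrive   # normally C:
    $vol = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$drive'" -ErrorAction Stop
    if (-not $vol) { throw "No Win32_EncryptableVolume for $drive; is BitLocker installed?" }
    $r = $vol.GetConversionStatus()
    if ($r.ReturnValue -ne 0) { throw ('GetConversionStatus failed with 0x{0:X8}' -f $r.ReturnValue) }
    New-Object PSObject -Property @{
        Drive           = $drive
        Status          = [int]$r.ConversionStatus
        StatusName      = $ConversionStatusName[[int]$r.ConversionStatus]
        PercentComplete = [int]$r.EncryptionPercentage
    }
}

function Wait-EncryptionStart {
    # Same budget as the script: 20 polls, 30 seconds apart; success on 1 (encrypted) or 2 (in progress).
    param([int]$TimeoutSeconds = 600, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $s = Get-OSVolumeConversionStatus
        if ($s.Status -eq 1 -or $s.Status -eq 2) { return $s }
        Write-Host ('{0} {1} ({2}%), waiting for encryption to start' -f $s.Drive, $s.StatusName, $s.PercentComplete)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timeout: encryption did not start within $TimeoutSeconds seconds"
}

function Import-RegFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    # From a 64-bit process reg.exe writes the native HKLM\SOFTWARE\Microsoft\MBAM key; a 32-bit
    # process would be redirected to WOW6432Node and the agent would never see the values.
    if (-not (Test-Path -Path $Path)) { throw "Registry file not found: $Path" }
    & reg.exe import "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import '$Path' failed with exit code $LASTEXITCODE" }
}

function Start-MBAMEncryption {
    param(
        [Parameter(Mandatory = $true)][string]$AddRegFile,
        [Parameter(Mandatory = $true)][string]$RemoveRegFile
    )
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MBAMAgent'"
    if (-not $svc) { throw 'MBAM Client Agent is not installed' }
    Test-TpmReady | Out-Null

    $svc.StopService() | Out-Null
    Import-RegFile -Path $AddRegFile
    $svc.StartService() | Out-Null

    $status = Wait-EncryptionStart
    Write-Host ('Encryption started on {0}: {1} ({2}%)' -f $status.Drive, $status.StatusName, $status.PercentComplete)

    # As in the script, the remove file is imported only once encryption has begun.
    Import-RegFile -Path $RemoveRegFile
    return $status
}

# Usage, from the package folder holding the two files created earlier in this post:
# Start-MBAMEncryption -AddRegFile .\AddMBAMRegEntries.reg -RemoveRegFile .\RemoveMBAMRegEntries.reg
```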
Creating the MBAM Support Task Sequence Package
Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf. In your SCCM console, create a new package and program. The program command line will be:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg
Or, to wait until encryption is finished before the task sequence continues, use this program command line:
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true
Changes to the Task Sequence
TPM Issues
The Trusted Platform Module (TPM) must be visible to the OS and enabled. Making the TPM visible varies by hardware vendor and system. There is a script that will check if the TPM is visible here. For information on how to enable the TPM from a task sequence, see the table below.
Disk Partitioning
BitLocker requires an unencrypted partition that holds the boot files and the Boot Configuration Data (BCD) store. This partition has to be at least 100MB, but it is recommended that it be 300MB. A 300MB partition allows the Windows Recovery Environment (WinRE) to be copied to the unencrypted partition; WinRE is copied automatically when BitLocker is enabled if there is enough space on the boot partition.
For Bare Metal deployments, the partition can be created during the Partition Disk step.
- Create a 300MB primary partition and mark it Active (Make Bootable).
- Create a primary partition that uses 100% of the remaining disk, and assign a variable to this partition (OSDISK).
- Change the Apply Operating System step to put the operating system on the partition specified in the variable OSDISK.
For a refresh of an XP or Windows 7 system that does not have a separate boot partition, use one of the following two methods. The steps should be added before the step that installs the MBAM support package created above.
Using ZTIBDE.WSF (from MDT)
Add a Run Command Line step that runs ZTIBDE.WSF
Cscript %ScriptRoot%\ztibde.wsf
Using BdeHDCfg
Add a Run Command Line step with the following command line:
BdeHdCfg -target default -quiet
This will create a 300MB partition for the boot files.
Add a Reboot System step following this step.
Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration Manager Support Team blog: https://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx
Join the Domain
The computer must be joined to a domain in order for MBAM to escrow the BitLocker keys; joining a domain is required for this process to work correctly.
Enabling BitLocker
To enable BitLocker, simply add an install software step to install the package/program created above. It is recommended that this be one of the last steps in the Task Sequence because encrypting the disk will consume many system resources until the disk is fully encrypted.
Waiting for Encryption to Finish
To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted. The /WaitForEncryption:True option forces the script to wait up to 5 hours for the encryption to finish. If the encryption doesn't finish within 5 hours, the fact is logged but the script does not abort. This option can be useful if there are business requirements that the system be fully encrypted before any data is restored.
cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true
This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.
Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of the included script samples is subject to the terms specified in the Terms of Use.
Comments
Anonymous
January 01, 2003
Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the
Anonymous
January 01, 2003
http://deploymentbunny.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/ - is working link for TPM configuration in HP boxes.
Anonymous
January 01, 2003
Matthew, change the GPOs for Operating System drives under BitLocker Drive Encryption.
- Configure TPM startup to “Do not allow TPM”
- Configure TPM startup PIN to “Allow TPM and PIN”
- Configure TPM startup key to “Do not allow startup key with TPM”
- Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM” Dave
Anonymous
January 01, 2003
Hi David, Thank you for replying. Yes, I have confirmed the URL is correct. I am not using SSL. When you say "start the MBAM client", do you mean start the agent, or start MBAMClientUI.exe? Thanks, Tom
Anonymous
January 01, 2003
Sorry I haven't answered you sooner, I have been on vacation. Thomas, what I meant was to start the MBAM client. The client should prompt you to start encryption within about an hour. If that works, that means that the client is communicating with the server. In both of the cases it seems like the client cannot communicate with the server; the most common issues I have seen are not being in the domain or the URL in the .REG file being incorrect. Verify those things, and also verify the client will work normally as I mentioned above. You should also check the MBAM client event logs. Dave
Anonymous
January 01, 2003
Hi Jonathan, Exactly what path did you use for the EncryptionMethod? According to social.technet.microsoft.com/.../how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx the correct path is HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod. Dave
Anonymous
January 01, 2003
Paul, Check to see if you're joining the domain. The most common cause for timeouts is not being in the domain. As for the timeout, it was adjusted in the latest version that I posted after additional experience with the process. Dave
Anonymous
January 01, 2003
You can use sysnative. When running in a 64-bit OS use %windir%\sysnative\cscript.exe to run the script. That will force the TS to run the 64-bit version of cscript.exe. By the way, if you are using MDT Lite Touch, I would recommend placing the machine in an OU that doesn't get any policy, and then moving it to the proper OU at the end of the TS. That way GPO cannot interfere with the TS. Thanks Dave
Anonymous
January 01, 2003
Found a solution - Adding the following entry into the "AddMBAMRegEntries.reg" file changes the Encryption Method to 'AES 256-bit with Diffuser':
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethod"=dword:00000002
Anonymous
January 01, 2003
I got my endpoint to hex using group policies and then exporting the data to Notepad. I tried to do everything as instructed, but after the task sequence, the encryption status on the machine has an alert mark on the OS partition. I can get rid of the alert by entering a new PIN code. But still, there is no TPM password in the database. Should I just open a new thread about this in the Social Microsoft / MBAM node?
Anonymous
January 01, 2003
Is there an updated script for MBAM 2.0 that will deal with the D drive encryption?
Anonymous
January 01, 2003
It is entered in regedit and then exported.
Anonymous
January 01, 2003
Yannara
The script will work fine with MBAM 2.5
Anonymous
January 01, 2003
Brian, I detect whether the machine is BitLocker encrypted and store that in a task sequence variable. If encrypted, disable protectors and refresh the OS. Then in state restore, if not encrypted, run the MBAM script; if encrypted, just enable protectors.
Anonymous
January 01, 2003
Hi Bruno, The most likely cause is that the server URL is incorrect in the .reg file or the server cannot be contacted. Verify the URL and verify you can connect to the server from the subnet the system is on (open the URL in IE). Dave
Anonymous
January 01, 2003
It sounds like there is a problem communicating with the MBAM server. Verify that the URL is correct in the .REG files and that the machine is domain joined. Try to get to the MBAM server URL using IE. Look for any IIS issues on the server, or cert issues if using SSL. But it sounds like you have done all of this. If you start the MBAM client without the REG file in place, does the machine eventually get policy and prompt to encrypt (may take up to 60 minutes)? Check the MBAM event log. Dave
Anonymous
January 01, 2003
Is there a way to change the default encryption method from 128-bit to '256-bit with Diffuser'? We have a requirement to have the 256-bit encryption used as part of the SCCM Task Sequence using MBAM. I had assumed that by adding the entry below to the AddMBAMRegEntries.reg file this would take effect, but it doesn't seem to work: "EncryptionMethod"=dword:00000002 Does anyone know if it is possible to do this using MBAM as part of a SCCM Task Sequence?
Anonymous
January 01, 2003
Bruno, Disable 64-bit redirection on that step. The registry entries are being written to the wrong location. Dave
Anonymous
January 01, 2003
Marc, The script fragments within the post proper are just to explain how the script works. There is a link to the complete script at the bottom of the post. Thanks Dave
Anonymous
January 01, 2003
An additional fixed disk could be encrypted using the built-in BitLocker support after the C: (OS drive) has been encrypted. However, after the Task Sequence is completed and the machine gets policy, MBAM will prompt for a password, since MBAM requires a Password protector.
Anonymous
January 01, 2003
Doh! Of course! Awesome write up. We are planning to deploy BitLocker using MBAM to 11,000 workstations. We have started with our latest laptop roll out.
Anonymous
January 01, 2003
I followed the steps above in regards to partitioning in the Task Sequence. When I image a computer it installs the OS to the OSDISK partition but it uses the D: drive instead of creating it on the C: drive. How can I get the TS to install the OS onto the C: drive? What happens if I change the BDEDISK to be hidden?
Anonymous
January 01, 2003
What tool did you use to convert KeyRecoveryServiceEndPoint from an http:// string to the HEX you have up there? Putting the text in as a string in Notepad doesn't seem to work.
Anonymous
February 21, 2012
Did you have any luck encrypting both C: & D: during OSD automatically? The other partitions require a one-time password that jumps out when a user first logs on while C: is encrypting.
Anonymous
March 13, 2012
Hello, Thanks for the post. I've got encryption working in the Task Sequence using the above steps. We also require a different start-up PIN on our company laptops. When the build has completed I can set a PIN using the MBAM client. The issue is that the laptop never reports to the MBAM server. If I enable BitLocker manually on a laptop then I have no issues. In the event log of the laptop that does not report in to the MBAM server, there is an error message stating that group policy does not permit TPM only. If I run manage-bde -status the protectors are set to TPM and PIN. Do you have any ideas how I can resolve this issue please? Kind regards Matt
Anonymous
March 30, 2012
Hello Guys, thanks for this posting, it's really useful! I already have this working in my lab but when I tried to put it in the production environment I end up with not encrypting the machine during the Task Sequence (MDT 2010) with the error - 10008, "Timeout: Encryption did not start". Then I reboot the machine and the error message appears "Bitlocker could not be enabled - The bitlocker encryption key cannot be obtained...." Before I send the TS to the machine I verify that the TPM is enabled in the BIOS, so what could I check to fix this error? Any ideas? Thanks in advance! Regards, Bruno
Anonymous
March 31, 2012
Hello David, Thank you for the answer, I did that test: when your script is trying to encrypt the drive (in the step "Waiting for Encryption to Start") I already checked in regedit the URL of my .key that was imported and tried it in IE and it went well, making a service connection to the MBAM Server, so it must be another thing that I'm not checking that's blocking the connection to the server... One thing that I also noticed is if your script can't encrypt the drive (in my case) it also cannot apply the RemoveRegFile:RemoveMBAMRegEntries.reg key, is that the normal behaviour of the script? Cheers, Bruno
Anonymous
April 03, 2012
Hello David, I noticed one thing in my tests: if I create an MDT TS for Windows 7 SP1 (x86) it encrypts fine during the TS with no problems.....but if I do it in an MDT TS for Windows 7 SP1 (x64) I can't encrypt the machine during the TS (it times out with failure "Timeout: Encryption did not start"). Did you have the same results in this scenario? What could I change for the x64 version of Windows 7 SP1 to start encrypting during the TS? Cheers, Bruno
Anonymous
May 20, 2012
FYI - I have had trouble getting my drives to begin encryption due to timeout and found that the script you download has different time settings than the broken-down explanation. Here's what's in the download:
Do
oLogging.ReportProgress "Waiting For Encryptiont to Start", iLoopCount*4/20
wscript.Sleep 15000
Which will set the time between tests at 15 seconds. I changed mine to the example settings above...
Do
oLogging.ReportProgress "Waiting For Encryptiont to Start", iLoopCount/20
wscript.Sleep 30000
and now my task sequence will wait long enough for encryption to start.
Anonymous
June 13, 2012
Hi David, I am definitely joining the domain. Haven't had a problem since I changed the DL'd file back to the original settings, but I also found that I needed to use the BDEHDCFG instead of the partitioning during diskpart since I was deploying a thick image. Paul
Anonymous
January 22, 2013
I know this post comment section has been quiet for a while but I wanted to ask if anyone that has this working properly has run into any issues with the MBAM client in a refresh scenario? The process outlined in this post works quite well but when I re-image a computer that is already MBAM encrypted the MBAM client stops being able to apply policy. I know this really isn't the place for a question like this but I figure maybe someone has run into it before.
Anonymous
March 04, 2013
I am having problems getting the encryption process to work even after I have entered the above registry settings. I keep getting the following error. "BitLocker could not be enabled The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available. C: was encrypted" I have tried with 4 different laptops to get it working but I keep getting the same thing. I would appreciate any assistance
Anonymous
March 28, 2013
David, Great write up! Do you have updated instructions for SCCM 2012 and MDT 2012? I have followed MOST of the steps here, but cannot find StartMBAMEncryption.wsf anywhere.. Any help would be greatly appreciated!
Anonymous
July 09, 2013
Does anything in this process need to be changed for MBAM 2.0? I've noticed additional registry entries in 2.0.
Anonymous
September 05, 2013
Hey, can someone help me out with this? I am able to encrypt C with your script. It works well. After encrypting the C drive I have to encrypt drive D (fixed data drive). I created a scheduled task to run on each logon or wake from sleep:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
Set volumes = objWMIService.InstancesOf("Win32_EncryptableVolume")
Set oShell = CreateObject("Wscript.shell")
Do Until retval2 = 100
    'Wscript.Echo retval2
    Wscript.Sleep(60000)
    For Each volume In volumes
        If volume.DriveLetter = "C:" Then
            retval = volume.GetConversionStatus(cs, ep)
            retval2 = ep
            'Wscript.Echo ep
            'Wscript.Echo retval2
        End If
    Next
Loop
oShell.Run "manage-bde.exe -on d: -rk c:", 0
WScript.Sleep(5000)
oShell.Run "manage-bde.exe -autounlock -enable d:", 0
WScript.Sleep(3000)
oShell.Run "schtasks /Delete /TN EnableMBAM_D /F", 0
WScript.Sleep(3000)
wscript.quit
The problem is when I enable encryption on drive D (it encrypts without problem), it is reported correctly in SQL, but I am not able to retrieve the unlock key from the SQL DB. Keys for the C drive are exported without problem. I think this might be connected to the fact that C drive encryption is started by your script, which implies using MBAM, and D is started with manage-bde. Could you please provide a script for drive D or point me in the right direction?
Anonymous
December 11, 2013
How can I incorporate the TPM PIN after I have used the registry keys to silently start encryption?
Anonymous
December 12, 2013
Would someone let me know where I can find this "StartMBAMEncryption.log"?
Anonymous
February 20, 2014
Any thoughts on using PowerShell and not VB Script?
Anonymous
February 27, 2014
I am sure someone can clean up my powershell but here is my first try at it 8o)
<#
Created By: Evans Conforti
Created Date: 2/27/2014
Updated By:
Updated Date:
Disclaimer: This script is provided "AS IS" with no warranties, confers no rights, and is not supported by the author.
.Synopsis
MBAM 2.0 Bitlocker Enterprise Encryption
.DESCRIPTION
Starts the MBAM 2.0 Bitlocker Enterprise Encryption process on systems.
.EXAMPLE
Modify the server variables and run the script.
#>
# Modify below as needed
$AppDir = 'MBAM AGENT INSTALL LOCATION'
$MBAMServer = 'MBAM SERVER NAME'
# Modify above as needed
# Modify below with caution
function Get-TPM {
    # Win32_Tpm lives in its own WMI namespace under root\CIMV2\Security
    $TPMI = GWMI -Class Win32_TPM -Namespace "root\CIMV2\Security\MicrosoftTpm" -ErrorAction SilentlyContinue
    $TPMV = $TPMI.SpecVersion
    $TPME = $TPMI.IsEnabled_InitialValue
    $TPMA = $TPMI.IsActivated_InitialValue
    $TPMO = $TPMI.IsOwned_InitialValue
    if ($TPMV -notmatch "1.2") {
        Write-Host
        Write-Warning "TPM is not version 1.2! MBAM 2.0 Bitlocker Enterprise Encryption will not work with this system."
        Read-Host -Prompt "Press Enter to continue! "
        Exit
    }
    if ($TPME -eq $False) {
        Write-Host
        Write-Warning "TPM is not Enabled! Please Enable TPM and then re-run this script."
        Read-Host -Prompt "Press Enter to continue! "
        Exit
    }
    if ($TPMA -eq $False) {
        Write-Host
        Write-Warning "TPM is not Activated! Please Activate TPM and then re-run this script."
        Read-Host -Prompt "Press Enter to continue! "
        Exit
    }
    if ($TPMO -eq $False) {
        Write-Host
        Write-Warning "TPM is not Owned! This is normal for first time encryption."
    }
    Get-MBAMStatus
}
Anonymous
February 27, 2014
function Get-MBAMStatus {
    $MBAMA = GWMI -Query "select * from win32_service where name='mbamagent'" -ErrorAction SilentlyContinue
    $MBAMS = $MBAMA.State
    if (!($MBAMA)) {
        Write-Host
        Write-Warning "MBAM Agent is not Installed!"
        $GOS = GWMI -Class Win32_OperatingSystem
        $OSArch = $GOS.OSArchitecture
        If ($OSArch -eq "64-bit") {
            Start-Process -FilePath "$AppDir\Microsoft\MBAM 2013\x64\MbamClientSetup.exe" -ArgumentList "/qb /norestart" -Wait
        }
        If ($OSArch -eq "32-bit") {
            Start-Process -FilePath "$AppDir\Microsoft\MBAM 2013\x86\MbamClientSetup.exe" -ArgumentList "/qb /norestart" -Wait
        }
        Get-MBAMStatus
    }
    Else {
        Write-Host
        Write-Host 'MBAM Agent is' $MBAMS
        $MBAMA.StopService() | Out-Null
        # Same values as the AddMBAMRegEntries.reg file above (the value name is KeyRecoveryOptions, with an s)
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOptions -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Value "http://$MBAMServer/MBAMRecoveryAndHardwareService/CoreService.svc" -PropertyType ExpandString -Force
        $MBAMA.StartService() | Out-Null
    }
    Get-EncryptableVolume
}
function Get-EncryptableVolume {
    $LoopCount = 1
    Do {
        # Query the OS volume only; a result holding several volumes has no GetConversionStatus() method
        $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -Filter "DriveLetter='$env:SystemDrive'" -ErrorAction SilentlyContinue
        $EVIS = $EVI.GetConversionStatus().ConversionStatus
        If ($EVIS -eq "0") {
            Write-Host
            Write-Host 'Waiting for Encryption to Start'
        }
        If ($EVIS -eq "1") {
            Write-Host
            Write-Host 'Encryption Finished'
            Start-Cleanup
        }
        If ($EVIS -eq "2") {
            Write-Host
            Write-Host 'Encryption Started'
            Start-Cleanup
        }
        Start-Sleep 5
        $LoopCount++
    }
    Until ($LoopCount -ge 20)
    Write-Warning "Timeout: Encryption did not start!"
    Read-Host -Prompt "Press Enter to continue! "
}
function Start-Cleanup {
    # Mirrors RemoveMBAMRegEntries.reg: every value except Installed is removed
    Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOptions -Force
    Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Force
    Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Force
    Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Force
    Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Force
    Exit
}
Clear-Host
Write-Host
Write-Host 'MBAM 2.0 Bitlocker Enterprise Encryption'
Get-TPM
Anonymous
March 06, 2014
Had an issue with $EVI.GetConversionStatus().ConversionStatus on one system so far. Even though on this system, when I ran $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -ErrorAction SilentlyContinue and then $EVI.GetConversionStatus().ConversionStatus, I kept getting a message that there was no such method GetConversionStatus(). I knew this was not true because when I interrogate (GM) the variable $EVI it shows. Anyone ever run into this?
Anonymous
March 22, 2014
I am able to run this deployment, but when I go to the HelpDesk website, Manage TPM and submit, I get the error TPM owner password file is not found. When I look up the information in the RecoveryAndHardwareCore.Machines table the TpmPasswordHash is NULL. Any ideas?
Anonymous
May 08, 2014
I want to delete the BitLocker partition through a script. So, is there a way to identify that a particular partition is a BitLocker partition?
Anonymous
June 03, 2014
Having issues with this on x64.. Any ideas? Script seems to fail..
Anonymous
October 19, 2014
Is this solution compatible with MBAM 2.5? Is it enough if I just take the sample reg files from this article and the MDT script and put them all together in a single package, or do I need to modify something else than my MBAM server URL? I feel this solution / article is too complex.
Anonymous
October 31, 2014
I see you're using ZTIUTILITY.VBS. Is it possible to use this method without MDT integration?
Anonymous
June 25, 2015
On the step named "Create a .reg file that contains the required MBAM entries." Do you mean create the reg file from a laptop that has the company MBAM GP in place, or create it from another source?
Anonymous
June 22, 2017
powershell: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25
Anonymous
June 22, 2017
This is the preferred method if you have MBAM 2.5 SP1. Before SP1 you can use the script in this posting. I will be updating the script to support Windows 10 and make it easier to use in the next few days.
Anonymous
June 23, 2017
David, congratulations for the post. I need to activate BitLocker with MBAM for all office machines without requiring the user to enable it. I'll wait for your next post. Will save my life. My machines are Windows 10.
Anonymous
June 23, 2017
David, is it possible to enable BitLocker without the need to show the screen to the end user? In this method it is done in a task sequence, but is it possible to do it outside of the deployment? Example: Today we have machines with Windows 10 that are already in use, and we would like to encrypt them without the need for an action by the end user.