Start MBAM encryption on Bitlocker pre-provisioned and Windows To Go drives.

Dave Hornbaker from the Deployment Guys wrote a script some time ago that kicks off MBAM encryption of the hard drive. It can be found here:

https://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

As time goes on, new features have appeared in SCCM and MDT as well as in BitLocker and MBAM.

The first of two things that the original script does not address is pre-provisioned BitLocker in SCCM 2012 SP1 (it is actually a feature of Windows 8 and Windows PE 4). This means that once you start the encryption with "Pre-provision BitLocker" (it actually calls Manage-bde -on %OSDisk% -UsedSpaceOnly), your system hard drive is encrypted right off the bat, and your data becomes encrypted automatically while the image is being applied.

The second thing is Windows To Go. Here is the article that describes how to create pre-staged media for Windows To Go: https://technet.microsoft.com/en-us/library/jj651035.aspx. There are a couple of issues with WTG and SCCM:

  • The recovery key is not saved in MBAM if you use this method
  • WTGCreator does not leverage the pre-provisioning feature, which means that you will have to encrypt the entire drive afterwards as part of the process.

I'm providing two VB scripts, ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf.

  • ZTIPrepareBDE.wsf is the ZTIBDE.wsf script from MDT with the actual encryption stripped out. Run this script first, in the live OS from the TS, with the condition _SMSTSWTG <> "TRUE" so it won't run on Windows To Go. It does all the TPM preparation, and it also partitions the drive, cutting off 500MB for boot files; this is all standard BitLocker support from MDT, which works just fine but does not support MBAM. This script requires OSDBitLockerMode=TPM and IsBDE=TRUE.
  • StartMBAMEncryption.wsf is the script used to start encryption and have the recovery key reported to MBAM. It takes the parameter MBAMServiceEndPoint, which is the URL of the MBAM service endpoint; it also takes OSDBitLockerPIN for WTG: if we're deploying WTG, it will set this password, so there is no need to use the original osdbitlocker_wtg.exe. Run this script after ZTIPrepareBDE.wsf in your TS. I'd suggest creating a package containing ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf from the attached file, as well as copies of ZTIDiskUtility.vbs, ZTIUtility.vbs and ztiRunCommandHidden.wsf from the MDT Scripts folder.

I also included a version of the SCCMWTGDuplicator.ps1 script that replaces WTGCreator.exe from SCCM. This script requires all boot files from a WTG stick created with the original WTGCreator.exe; simply copy all of those files to the Boot directory. The script asks for the WIM file with the pre-staged media, lists all USB drives, and then provisions them with WTG.
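A post-deployment check worth running once both scripts have executed, as an added example that is not one of the scripts in the attached package: it reads the OS volume's BitLocker state in the live OS with the Get-BitLockerVolume and Get-Tpm cmdlets (Windows 8 / Server 2012 or later) and reports whether pre-provisioning, the key protectors and the cipher ended up as intended. The -MountPoint parameter and the -WindowsToGo switch are this example's own; whether the recovery password actually reached the MBAM database can only be confirmed in the MBAM console.

```powershell
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$WindowsToGo   # constructed option: on a WTG stick expect a Password protector, not TPM
)

# Read the local BitLocker state; this needs Windows 8 / Server 2012 or later and a live OS, not WinPE.
$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. Pre-provisioning (manage-bde -on -UsedSpaceOnly in WinPE) should leave the volume encrypted or encrypting.
if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
    $findings.Add("Volume status is '$($vol.VolumeStatus)'; pre-provisioning did not take effect.")
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings.Add("Protection is '$($vol.ProtectionStatus)'; protectors were not applied or encryption is paused.")
}

# 2. Cipher: without -em aes256 (or the /EncryptionMethod switch) the policy default may be 128-bit.
if ($vol.EncryptionMethod -notmatch '256') {
    $findings.Add("Encryption method is '$($vol.EncryptionMethod)', not AES-256.")
}

# 3. Protectors: the RecoveryPassword protector is what MBAM escrows; TPM (or a password on WTG) unlocks at boot.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if ($types -notcontains 'RecoveryPassword') {
    $findings.Add('No RecoveryPassword protector: nothing for MBAM to escrow and no recovery path.')
}
if ($WindowsToGo) {
    if ($types -notcontains 'Password') { $findings.Add('Windows To Go volume has no Password protector.') }
} else {
    if (-not ($types -like 'Tpm*')) {
        $findings.Add('No TPM-based protector: the volume will ask for the recovery key at every boot.')
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add("TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady): TPM preparation did not complete.")
    }
}

if ($findings.Count -eq 0) {
    "OK: $MountPoint is $($vol.VolumeStatus), $($vol.EncryptionMethod), protectors: $($types -join ', ')"
    exit 0
}
$findings | ForEach-Object { "FAIL: $_" }
exit 1
```

Run it as a final "Run PowerShell Script" step in the TS (or from the MBAM compliance baseline) so that a non-zero exit code flags machines that left imaging without the intended protectors.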

Enjoy and let me know if you have any questions :)

Credits go to my colleagues:

Dave Hornbaker, who created the original StartMBAMEncryption.wsf script

Michael Murgolo, who improved this script

Michael Niehaus, who inspired me on those kind of things :)

Lance Crandall, who worked with me and educated me on the best approaches for my script; without his input it would not have been possible.

MBAMAgent-Policy.zip

Comments

  • Anonymous
    September 19, 2013
Hi there. Thanks for the update to the script. I cannot get the ZTIPrepareBDE.wsf to run in x64 WinPE 4.0. Is this by design? Thanks

  • Anonymous
    September 20, 2013
    Yes, it runs from live OS. What do you need to do in PE? TPM work before pre-provisioning?

  • Anonymous
    September 24, 2013
Is it possible to make pre-provisioning work on Windows 7 using this script (pure MDT, non-SCCM solution)? According to this thread it's supported: social.technet.microsoft.com/.../preprovisioning-bitlocker-and-deploying-windows-7-enterprise-supported-by-microsoft I've managed to pre-provision BitLocker for Windows 7 using the pre-provision step in SCCM, but I cannot get it to work with your script in MDT, since it has to be run post OS installation. Any suggestions?

  • Anonymous
    September 24, 2013
    Also, it does not seem to store the recovery password in the MBAM database (in a non-preprovision scenario). Although encryption has been initialized. I thought encryption wouldn't start if backup of the key fails?

  • Anonymous
    October 03, 2013
    I have it from a reliable source that if you simply use the built-in bitlocker pre-provisioning steps and use a tpm only setting your drive will encrypt and if you install mbam later in the ts it will prompt for a boot passphrase once the client 'phones home' and a user logs in to the system, this all depends on your group policy settings of course.  I am hoping to try this out later today.

  • Anonymous
    October 19, 2013
Hi, I am using the WTGCreator that comes with SCCM 2012 SP1. It is not detecting the WIM file. Is it only me?

  • Anonymous
    January 30, 2014
Hi there, is the TPM ownership password sent to the MBAM database with this method? Thanks

  • Anonymous
    February 03, 2014
Hi, is it possible to pre-provision a Fixed Data Drive? If yes, how? Thanks

  • Anonymous
    April 02, 2014
I'm testing out some hobbled-together method using the enablebitlocker.vbs script to activate TPM and take ownership while in WinPE4; it does an automatic reboot, then when it resumes, my imaging scripts create the partition structure and call manage-bde -on c: -UsedSpaceOnly. This works to successfully enable pre-provisioning. I then call imagex to apply my sysprepped Windows 7 image. Windows 7 successfully boots and completes mini-setup.
    After installing the MBAM client and logging on, I get an MBAM prompt to choose a PIN. This appears to complete successfully. When I check the MBAM recovery console, I do get the recovery key.
    What IS missing from MBAM, though, is TPM information, likely because it's already owned by having to use the "enablebitlocker.vbs" to take ownership of the TPM. You CANNOT run manage-bde to start encryption in WinPE4 without first enabling and taking ownership of the TPM, so... looks like we're stuck with no TPM backups in the MBAM database. Is there something I can do differently? I still want to pre-provision due to the encryption time savings, and ENFORCING that laptops are encrypted before an end user gets them in their hands. If end users had it their way, they'd click on the MBAM Postpone button 1 million times...
    I don't like enabling BitLocker after imaging because our software deployment tools kick in with software installs, and if BitLocker is encrypting after OS install, the drive space is REALLY LOW until encryption is done. Another HUGE benefit of pre-provisioning.
    Do I even REALLY NEED the TPM backups? If all else fails, can't I still do recovery, then once in, use manage-bde to take ownership of the TPM again if I had to? Long winded... sorry... THANKS!

  • Anonymous
    July 23, 2014
Yes, you're not going to have TPM information if you're pre-provisioning with -UsedSpaceOnly. You'll still be able to wipe the TPM chip and access the drive by providing the recovery key. So I say: not a big deal.

  • Anonymous
    January 28, 2015
I am trying to understand your script. Where do you set the parameter MBAMServiceEndPoint? sMBAMServiceEndPoint = oEnvironment.Item("MBAMServiceEndPoint") Are there any other places in the script that have to be edited to fit my environment?

  • Anonymous
    February 02, 2015
Whenever I run the StartMBAMEncryption.wsf script from a Task Sequence using SCCM 2012 R2 I get the following error: ZTI ERROR - Unhandled error returned by StartMBAMEncryption: The system cannot find the file specified. (-2147024894 0x80070002) Any suggestions?

  • Anonymous
    April 21, 2015
@Aaron, can you share a screenshot of your task sequence or email me at cfreeman21 [at] gmail.com

  • Anonymous
    July 16, 2015
Joshua, great point. I usually do pre-encryption in Windows PE with manage-bde -on %OSDisk% -UsedSpaceOnly -em aes256 so it's already 256. But you can add it and try.

  • Anonymous
    July 16, 2015
Actually, I just realized something. Where did you take that code from? My StartMBAMEncryption.wsf does not have it, but instead has the /EncryptionMethod switch, which defaults to "4" (AES256) if no value is specified.