Using MBAM to start BitLocker Encryption in a Task Sequence

The script has been updated to abort if the TPM is not active and to create an Endorsement Key pair if one does not already exist on the TPM.

 

Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise.  More information on MBAM can be found here.

BitLocker creates recovery information at the time of encryption, and MBAM stores that information in its recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process.  MBAM encryption is controlled by Group Policy, and Group Policy is not applied during an SCCM Task Sequence.  It is still possible to have MBAM start encryption during the task sequence; the techniques are described in the whitepaper Using MBAM Data Encryption With MDT: https://go.microsoft.com/fwlink/?LinkId=229053

Manually starting BitLocker Encryption with MBAM

Manually starting encryption with MBAM requires five steps:

  1. Install the MBAM agent.
  2. Stop the MBAM agent.
  3. Import registry settings that instruct the agent to start encryption.
  4. Wait for encryption to start.
  5. Remove most of the imported registry settings.

Installing MBAM Agent

The MBAM agent can be installed during Windows 7 Image creation. 

To install MBAM during the deployment, just create an SCCM package/program to install the agent.

Creating the registry import files

Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.

Do the following on an unencrypted system with the MBAM agent installed (from an elevated command prompt):

  1. Net Stop MBAMAGENT
  2. reg import "c:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg"
  3. Using regedit, make the following changes:
    1. Change the KeyRecoveryServiceEndPoint value to the URL of the MBAM recovery server.
    2. Add NoStartupDelay as a DWORD with a value of 1.
  4. Export the MBAM key to a file (AddMBAMRegEntries.reg).

Next, create a .reg file to remove the entries:

  1. Copy AddMBAMRegEntries.reg to RemoveMBAMRegEntries.reg.
  2. Open RemoveMBAMRegEntries.reg in Notepad.
  3. Delete the line: "Installed"=dword:00000001
  4. For all the other values in the file, replace everything after the equals sign with a minus sign (e.g. "NoStartupDelay"=dword:00000001 becomes "NoStartupDelay"=-).
  5. Save RemoveMBAMRegEntries.reg.

Note: More information on creating and editing .reg files is available here.

At this point, test that the .reg files are correct by starting the MBAM agent (net Start MBAMAGENT); encryption will begin within a couple of minutes.  After encryption begins, import the RemoveMBAMRegEntries.reg file to remove the entries that are no longer needed.

For encryption to begin, the MBAM agent needs to talk to the server.  If this server communication fails, encryption will not start.  If there is a problem, verify that the URL is correct and that the MBAM server is functioning correctly.

Sample AddMBAMRegEntries.reg file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\
2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\
00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\
42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\
00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\
76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\
00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001

Sample RemoveMBAMRegEntries.reg file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"KeyRecoveryOptions"=-
"UseKeyRecoveryService"=-
"KeyRecoveryServiceEndPoint"=-
"DeploymentTime"=-
"NoStartupDelay"=-
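The KeyRecoveryServiceEndPoint value in the sample above is a REG_EXPAND_SZ, which regedit exports as hex(2): the UTF-16LE bytes of the URL followed by a two-byte NUL terminator, wrapped across lines with a trailing backslash. The following Python script is an added example for this post, not code from the original article or from the MBAM/MDT toolkits. It decodes the sample value back to its URL so you can confirm the endpoint really is your server, encodes a URL of your own into the same wrapped form (the hostname mbam.example.com is a constructed placeholder, and the 78-column wrap width is an approximation of regedit's layout), and derives the RemoveMBAMRegEntries.reg content from an AddMBAMRegEntries.reg file by the steps described above (drop "Installed", set every other value to "-").

```python
"""Helpers for the .reg files that trigger MBAM encryption.

Added example for this post; not part of the original article or of the
MBAM/MDT toolkits.  regedit exports a REG_EXPAND_SZ value as hex(2): the
UTF-16LE bytes of the string plus a two-byte NUL terminator, wrapped with a
trailing backslash.  These functions reproduce that encoding, decode it, and
derive the Remove*.reg file from the Add*.reg file.
"""
import re

LINE_WIDTH = 78  # assumption: regedit wraps exported hex data at about 80 columns

# Constructed placeholder endpoint (mbam.example.com is not a real server).
URL = "https://mbam.example.com/MBAMRecoveryAndHardwareService/CoreService.svc"

# The KeyRecoveryServiceEndPoint value exactly as it appears in the post's sample file.
PAGE_SAMPLE = (
    '"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,73,00,3a,00,2f,00,\\\n'
    '2f,00,63,00,69,00,73,00,35,00,33,00,33,00,76,00,6d,00,6d,00,62,00,61,00,6d,\\\n'
    '00,2e,00,61,00,76,00,6e,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2f,00,4d,00,\\\n'
    '42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,\\\n'
    '00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,\\\n'
    '76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,\\\n'
    '00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00\n'
)


def encode_hex2(text: str) -> str:
    """hex(2) body for a REG_EXPAND_SZ string: UTF-16LE bytes plus NUL terminator."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def decode_hex2(hexdata: str) -> str:
    """Inverse of encode_hex2; tolerates whitespace and line-continuation backslashes."""
    cleaned = re.sub(r"[\s\\]", "", hexdata).strip(",")
    data = bytes(int(tok, 16) for tok in cleaned.split(","))
    return data.decode("utf-16-le").rstrip("\x00")


def format_value(name: str, text: str) -> str:
    """Wrapped '"name"=hex(2):...' lines in the style regedit exports."""
    lines, current = [], f'"{name}"=hex(2):'
    for tok in encode_hex2(text).split(","):
        if len(current) + 3 > LINE_WIDTH:
            lines.append(current + "\\")   # continuation marker
            current = "  "                 # regedit indents continuation lines
        current += tok + ","
    lines.append(current.rstrip(","))
    return "\n".join(lines)


def read_hex2_value(reg_text: str, name: str) -> str:
    """Find a hex(2) value in .reg text, join its continuation lines and decode it."""
    joined = re.sub(r",\\\s*\n\s*", ",", reg_text)
    m = re.search(rf'^"{re.escape(name)}"=hex\(2\):([0-9a-fA-F,]+)$', joined, re.M)
    if m is None:
        raise KeyError(name)
    return decode_hex2(m.group(1))


def make_remove_file(add_text: str) -> str:
    """Derive RemoveMBAMRegEntries.reg from AddMBAMRegEntries.reg: keep the header
    and key path, drop "Installed", and set every other value to '-'."""
    out, in_continuation = [], False
    for line in add_text.splitlines():
        if in_continuation:                      # rest of a wrapped hex value
            in_continuation = line.rstrip().endswith("\\")
            continue
        m = re.match(r'^("[^"]+")=', line.strip())
        if m is None:
            out.append(line)                     # header, [key] line, blank lines
            continue
        in_continuation = line.rstrip().endswith("\\")
        if m.group(1) != '"Installed"':
            out.append(f"{m.group(1)}=-")
    return "\n".join(out) + "\n"


# Constructed Add file in the layout regedit produces, built from the placeholder URL.
SAMPLE_ADD = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]",
    '"Installed"=dword:00000001',
    '"KeyRecoveryOptions"=dword:00000001',
    '"UseKeyRecoveryService"=dword:00000001',
    format_value("KeyRecoveryServiceEndPoint", URL),
    '"DeploymentTime"=dword:00000001',
    '"NoStartupDelay"=dword:00000001',
]) + "\n"


if __name__ == "__main__":
    print("Endpoint in the post's sample:", read_hex2_value(PAGE_SAMPLE, "KeyRecoveryServiceEndPoint"))
    print(format_value("KeyRecoveryServiceEndPoint", URL))
    print(make_remove_file(SAMPLE_ADD))
```

Paste the output of format_value into your AddMBAMRegEntries.reg in place of the sample's endpoint line, and check the import with reg import followed by reading the value back; if the decoded string is not exactly your server's URL, the agent will never contact the server and the wait loop will time out.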

 

Automating the process with a script

StartMBAMEncryption.wsf is an MDT 2010 style script that automates the last four steps.  To use this script, create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above.

To start Encryption run the following from an elevated command prompt:

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

How does the script work?

To make sure that MBAM is installed, do a WMI query for the MBAMAgent service. If the service does not exist, fail.

    Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
    TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"

The service exists, so stop it.  Using the result of the previous query, call the StopService method.  Note that the query returns at most one item.

    'Stop the service
    for each oService in oServices
      oService.StopService()
    Next

Use the REG IMPORT command to import the AddMBAMRegEntries.reg file; this gives the MBAM agent the instruction to start encryption.

    sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
    iRetVal = oUtility.RunWithHeartbeat(sCMD)
    TestAndFail iRetVal, 10006, "Importing AddRegFile: " & sAddRefFilePath

Now, using the result of the original WMI query again, start the MBAM agent.

    ' Restart the MBAMAgent Service
    for each oService in oServices
      oService.StartService()
    Next

Since the BitLocker WMI classes live in a different namespace, the script must open a separate connection to that namespace.

    strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
    On Error Resume Next
    Set objWMIBDE = GetObject(strConnectionStr1)
    On Error Goto 0
    TestAndFail Err, 10007, "Unable to connect to BitLocker WMI object - BitLocker not installed"

Using the object just created, query for a Win32_EncryptableVolume for the C: drive. Once that object is obtained, go into a loop sleeping 30 seconds, updating the Task Sequence progress bar, and checking to see if the encryption is in progress.  Note that the script is checking for both in progress (EncryptionStatus = 2) and Encrypted (EncryptionStatus = 1).  This loop will wait 10 minutes for the encryption to start.  In testing the encryption has started within 2 minutes.

    iCount = 0
    iLoopCount = 0
    oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
    Do
      oLogging.ReportProgress "Waiting For Encryption to Start", iLoopCount/20
      wscript.Sleep 30000
      Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
      for each oEncVol in colEnVol
        oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete
      Next

      iLoopCount = iLoopCount + 1
      If iLoopCount >= 20 then
        TestAndFail False, 10008, "Timeout: Encryption did not start"
      End If
    Loop Until ((iEncryptionStatus = 1) or (iEncryptionStatus = 2))
    oLogging.ReportProgress "Encryption Started", 100
    oLogging.CreateEntry "Encryption Started", LogTypeInfo

All that is left to do is clean up the registry by importing the RemoveMBAMRegEntries.reg file.

    sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
    iRetVal = oUtility.RunWithHeartbeat(sCMD)
    TestAndFail iretVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath

 

Creating the MBAM Support Task Sequence Package

Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf.  In your SCCM console, create a new package and program.  The program command line will be:

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

Or, to wait until encryption is finished before the task sequence continues, the program command line will be:

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true

  

Changes to the Task Sequence

TPM Issues

The Trusted Platform Module (TPM) must be visible to the OS and enabled.  Making the TPM visible varies by hardware vendor and system.  There is a script that will check if the TPM is visible here.  For information on how to enable the TPM from a task sequence, see the vendor links below.

Lenovo: https://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-68488

Dell: https://en.community.dell.com/techcenter/os-applications/w/wiki/how-to-enable-trusted-platform-module-using-a-configmgr-2007-task-sequence.aspx

HP: https://itbloggen.se/cs/blogs/micke/archive/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes.aspx

 

Disk Partitioning

BitLocker requires an unencrypted partition that holds the boot files and boot database.  This partition has to be at least 100MB, but 300MB is recommended.  A 300MB partition allows the Windows Recovery Environment (WinRE) to be copied to the unencrypted partition; WinRE is copied automatically when BitLocker is enabled if there is enough space on the boot partition.

For Bare Metal deployments, the partition can be created during the Partition Disk step.

  1. Create a 300MB primary partition and mark it Active (Make Bootable).
  2. Create a primary partition that uses 100% of the remaining disk, and assign a variable (OSDISK) to this partition.
  3. Change the Apply Operating System step to put the operating system on the partition specified in the variable OSDISK.


For a refresh of an XP or Windows 7 system that does not have a separate boot partition, create the partition with one of the two methods below.  The step should be added before the step that installs the MBAM support package created above.

Using ZTIBDE.WSF (from MDT)

Add a Run Command Line step that runs ZTIBDE.WSF

Cscript %ScriptRoot%\ztibde.wsf

Using BdeHDCfg

Add a Run Command Line step  with the following command line:

BdeHdCfg -target default -quiet

This creates a 300MB partition for the boot files.

Add a Reboot System step following this step.

Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration Manager Support Team blog: https://blogs.technet.com/b/configurationmgr/archive/2011/01/20/solution-the-enable-bitlocker-task-fails-to-run-during-a-configmgr-2007-task-sequence.aspx

Join the Domain

The computer must be joined to a domain for MBAM to escrow the BitLocker keys; joining a domain is required for this process to work correctly.

Enabling BitLocker

To enable BitLocker, simply add an install software step to install the package/program created above.  It is recommended that this be one of the last steps in the Task Sequence because encrypting the disk will consume many system resources until the disk is fully encrypted.

Waiting for Encryption to Finish

To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted.  The /WaitForEncryption:True option will force the script to wait up to 5 hours for the encryption to finish.  If the encryption doesn’t finish within 5 hours, the fact will be logged but the script will not abort.  This option can be useful if there are business requirements that the system be fully encrypted before any data is restored.

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true

This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.  

Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of the included script samples is subject to the terms specified in the Terms of Use.

StartMBAMEncryption.zip

Comments

  • Anonymous
    January 01, 2003
    Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the

  • Anonymous
    January 01, 2003
    http://deploymentbunny.com/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes/ - is working link for TPM configuration in HP boxes.

  • Anonymous
    January 01, 2003
    Matthew, change the GPOs for Operating System drives under BitLocker Drive Encryption:
      • Configure TPM startup to “Do not allow TPM”
      • Configure TPM startup PIN to “Allow TPM and PIN”
      • Configure TPM startup key to “Do not allow startup key with TPM”
      • Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”
    Dave
  • Anonymous
    January 01, 2003
    Hi David, thank you for replying.  Yes, I have confirmed the URL is correct.  I am not using SSL.  When you say "start the MBAM client", do you mean start the agent, or start MBAMClientUI.exe?   Thanks, Tom

  • Anonymous
    January 01, 2003
    Sorry I haven't answered you sooner, I have been on vacation. Thomas, what I meant was to start the MBAM client. The client should prompt you to start encryption within about an hour.  If that works, that means that the client is communicating with the server. In both of the cases it seems like the client cannot communicate with the server; the most common issues I have seen are not being in the domain or the URL in the .REG file being incorrect.  Verify those things, and also verify the client will work normally as I mentioned above.  You should also check the MBAM client event logs. Dave

  • Anonymous
    January 01, 2003
    Hi Jonathan, exactly what path did you use for the EncryptionMethod? According to social.technet.microsoft.com/.../how-to-change-the-default-bitlocker-encryption-method-and-cipher-strength-when-using-the-enable-bitlocker-task-in-configmgr-2007.aspx the correct path is HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod.   Dave

  • Anonymous
    January 01, 2003
    Paul, check to see if you're joining the domain.  The most common cause for timeouts is not being in the domain. As for the timeout, it was adjusted in the latest version that I posted after additional experience with the process. Dave

  • Anonymous
    January 01, 2003
    You can use sysnative. When running in a 64-bit OS, use %windir%\sysnative\cscript.exe to run the script.  That will force the TS to run the 64-bit version of cscript.exe. By the way, if you are using MDT Lite Touch, I would recommend placing the machine in an OU that doesn't get any policy, and then moving it to the proper OU at the end of the TS.  That way GPO cannot interfere with the TS. Thanks, Dave

  • Anonymous
    January 01, 2003
    Found a solution - adding the following entry into the "AddMBAMRegEntries.reg" file changes the Encryption Method to 'AES 256-bit with Diffuser': [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE] "EncryptionMethod"=dword:00000002

  • Anonymous
    January 01, 2003
    I got my endpoint to hex using group policies and then exporting the data to Notepad. I tried to do everything as instructed, but after the task sequence, the encryption status on the machine has an alert mark on the OS partition. I can get rid of the alert by entering a new PIN code. But still, there is no TPM password in the database. Should I just open a new thread about this in Social Microsoft / MBAM node?

  • Anonymous
    January 01, 2003
    Is there an updated script for MBAM 2.0 that will deal with the D drive encryption?

  • Anonymous
    January 01, 2003
    It is entered in regedit and then exported.

  • Anonymous
    January 01, 2003
    Yannara
    The script will work fine with MBAM 2.5

  • Anonymous
    January 01, 2003
    Brian, I detect whether the machine is BitLocker encrypted and store that in a task sequence variable.  If encrypted, disable protectors and refresh the OS.  Then in State Restore, if not encrypted run the MBAM script; if encrypted just enable protectors.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Hi Bruno, the most likely cause is that the server URL is incorrect in the .reg file or the server cannot be contacted.  Verify the URL and verify you can connect to the server from the subnet the system is on (open the URL in IE). Dave

  • Anonymous
    January 01, 2003
    It sounds like there is a problem communicating with the MBAM server.  Verify that the URL is correct in the .REG files and that the machine is domain joined.  Try to get to the MBAM server URL using IE.  Look for any IIS issues on the server, or cert issues if using SSL.  But it sounds like you have done all of this.   If you start the MBAM client without the REG file in place, does the machine eventually get policy and prompt to encrypt (may take up to 60 minutes)?  Check the MBAM event log. Dave

  • Anonymous
    January 01, 2003
    Is there a way to change the default encryption method from 128-bit to '256-bit with Diffuser'? We have a requirement to have the 256-bit encryption being used as part of the SCCM Task Sequence using MBAM. I had assumed that by adding the entry below to the AddMBAMRegEntries.reg file that this would take effect but it doesn't seem to work: "EncryptionMethod"=dword:00000002 Does anyone know if it is possible to do this using MBAM as part of a SCCM Task Sequence?

  • Anonymous
    January 01, 2003
    Bruno,  Disable 64 bit redirection on that step.  The registry entries are being written to the wrong location. Dave

  • Anonymous
    January 01, 2003
    Marc, the script fragments within the post proper are just to explain how the script works.  There is a link to the complete script at the bottom of the post. Thanks, Dave

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    An additional fixed disk could be encrypted using the built-in BitLocker support after the C: (OS drive) has been encrypted.  However, after the Task Sequence is completed and the machine gets policy, MBAM will prompt for a password, since MBAM requires a Password protector.

  • Anonymous
    January 01, 2003
    Doh! Of course! Awesome write up. We are planning to deploy BitLocker using MBAM to 11,000 workstations. We have started with our latest laptop roll out.

  • Anonymous
    January 01, 2003
    I followed the steps above in regards to partitioning in the Task Sequence.  When I image a computer it installs the OS to the OSDISK partition but it uses the D: drive instead of creating it on the C: drive.  How can I get the TS to install the OS onto the C: drive?  What happens if I change the BDEDISK to be hidden?

  • Anonymous
    January 01, 2003
    What tool did you use to convert KeyRecoveryServiceEndPoint from an http:// string to the HEX you have up there? Putting the text in as string in Notepad doesn't seem to work.

  • Anonymous
    February 21, 2012
    Did you have any luck encrypting both C: & D: during OSD automatically? The other partitions require a one-time password that pops up when a user first logs on while C: is encrypting.

  • Anonymous
    March 13, 2012
    Hello, thanks for the post. I've got encryption working in the Task Sequence using the above steps. We also require a different start up PIN on our company laptops. When the build has completed I can set a PIN using the MBAM client. The issue is that the laptop never reports to the MBAM server. If I enable BitLocker manually on a laptop then I have no issues. In the event log of the laptop that does not report in to the MBAM server, there is an error message stating that group policy does not permit TPM only. If I run manage-bde -status the protectors are set to TPM and PIN. Do you have any ideas how I can resolve this issue please? Kind regards, Matt

  • Anonymous
    March 30, 2012
    Hello guys, thanks for this posting, it´s really useful! I already have this working in my lab but when I tried to put it in the production environment I end up not encrypting the machine during the Task Sequence (MDT 2010) with the error - 10008, "Timeout: Encryption did not start". Then I reboot the machine and the error message appears: "Bitlocker could not be enabled - The bitlocker encryption key cannot be obtained...." Before I send the TS to the machine I verify that the TPM is enabled in the BIOS, so what could I check to fix this error? Any ideas? Thanks in advance! Regards, Bruno

  • Anonymous
    March 31, 2012
    Hello David, thank you for the answer. I did that test: when your script is trying to encrypt the drive (in the step "Waiting for Encryption to Start") I checked in regedit the URL of my .reg that was imported and tried it in IE, and it went fine, making a service connection to the MBAM Server, so it must be another thing that I'm not checking that´s blocking the connection to the server... One thing that I also noticed is if your script can´t encrypt the drive (in my case) it also cannot apply the RemoveRegFile:RemoveMBAMRegEntries.reg key; is that the normal behaviour of the script? Cheers, Bruno

  • Anonymous
    April 03, 2012
    Hello David, I noticed one thing in my tests: if I create an MDT TS for Windows 7 SP1 (x86) it encrypts fine during the TS with no problems.....but if I do it in an MDT TS for Windows 7 SP1 (x64) I can´t encrypt the machine during the TS (it times out with failure "Timeout: Encryption did not start"). Did you have the same results in this scenario? What could I change for the x64 version of Windows 7 SP1 to start encrypting during the TS? Cheers, Bruno

  • Anonymous
    April 03, 2012
    The comment has been removed

  • Anonymous
    April 19, 2012
    The comment has been removed

  • Anonymous
    May 02, 2012
    The comment has been removed

  • Anonymous
    May 20, 2012
    FYI - I have had trouble getting my drives to begin encryption due to timeout and found that the script you download has different time settings than the broken down explanation. Here's what's in the download:

    Do
      oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount*4/20
      wscript.Sleep 15000

    Which will set the time between tests at 15 seconds. I changed mine to the example settings above...

    Do
      oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount/20
      wscript.Sleep 30000

    and now my task sequence will wait long enough for encryption to start.

  • Anonymous
    June 13, 2012
    Hi David, I am definitely joining the domain. Haven't had a problem since I changed the DL'd file back to the original settings, but I also found that I needed to use BDEHDCFG instead of the partitioning during diskpart since I was deploying a thick image. Paul

  • Anonymous
    July 09, 2012
    The comment has been removed

  • Anonymous
    January 22, 2013
    I know this post comment section has been quiet for a while but I wanted to ask if anyone that has this working properly has run into any issues with the MBAM client in a refresh scenario?  The process outlined in this post works quite well but when I re-image a computer that is already MBAM encrypted the MBAM client stops being able to apply policy. I know this really isn't the place for a question like this but I figure maybe someone has run into it before.

  • Anonymous
    January 23, 2013
    The comment has been removed

  • Anonymous
    March 04, 2013
    I am having problems getting the encryption process to work even after I have entered the above registry settings.  I keep getting the following error: "BitLocker could not be enabled. The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available. C: was encrypted" I have tried with 4 different laptops to get it working but I keep getting the same thing. I would appreciate any assistance

  • Anonymous
    March 28, 2013
    David, great write up!  Do you have updated instructions for SCCM 2012 and MDT 2012?  I have followed MOST of the steps here, but cannot find StartMBAMEncryption.wsf anywhere..  Any help would be greatly appreciated!

  • Anonymous
    May 29, 2013
    The comment has been removed

  • Anonymous
    July 09, 2013
    Does anything in this process need changed for MBAM 2.0?  I've noticed additional registry entries in 2.0.

  • Anonymous
    August 16, 2013
    The comment has been removed

  • Anonymous
    September 05, 2013
    Hey, can someone help me out with this? I am able to encrypt C with your script. It works well. After encrypting the C drive I have to encrypt drive D (fixed data drive). I created a scheduled task to run on each logon or wake from sleep:

    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
    Set volumes = objWMIService.InstancesOf("Win32_EncryptableVolume")
    Set oShell = CreateObject("Wscript.shell")
    Do Until retval2 = 100
      'Wscript.Echo retval2
      Wscript.Sleep(60000)
      For Each volume in volumes
        If volume.DriveLetter = "C:" Then
          retval = volume.GetConversionStatus(cs, ep)
          retval2 = ep
          'Wscript.Echo ep
          'Wscript.Echo retval2
        End If
      Next
    Loop
    oShell.Run "manage-bde.exe -on d: -rk c:", 0
    WScript.Sleep(5000)
    oShell.Run "manage-bde.exe -autounlock -enable d:", 0
    WScript.Sleep(3000)
    oShell.Run "schtasks /Delete /TN EnableMBAM_D /F", 0
    WScript.Sleep(3000)
    wscript.quit

    The problem is when I enable encryption on drive D (it encrypts without problem), it is reported correctly in SQL, but I am not able to retrieve the unlock key from the SQL DB. Keys for the C drive are exported without problem. I think this might be connected to that: C drive encryption is started by your script, which implies using MBAM, and D is started with manage-bde. Could you please provide a script for drive D or point me in the right direction?

  • Anonymous
    December 11, 2013
    How can I incorporate the TPM pin after I have used the registry keys to silently start encryption?

  • Anonymous
    December 12, 2013
    Would some one let me know, where I can find this "StartMBAMEncryption.log"

  • Anonymous
    February 20, 2014
    Any thoughts on using PowerShell and not VB Script?

  • Anonymous
    February 27, 2014
    I am sure someone can clean up my powershell but here is my first try at it 8o)

    <#
    Created By: Evans Conforti
    Created Date: 2/27/2014
    Updated By:
    Updated Date:
    Disclaimer: This script is provided "AS IS" with no warranties, confers no rights, and is not supported by the author.

    .Synopsis
    MBAM 2.0 Bitlocker Enterprise Encryption
    .DESCRIPTION
    Starts the MBAM 2.0 Bitlocker Enterprise Encryption process on systems.
    .EXAMPLE
    Modify the server variables and run the script.
    #>
    # Modify below as needed
    $AppDir= 'MBAM AGENT INSTALL LOCATION'
    $MBAMServer = 'MBAM SERVER NAME'
    # Modify above as needed
    # Modify Below with caution
    function Get-TPM {
      $TPMI = GWMI -Class Win32_TPM -Namespace "root\CIMV2\Security\MicrosoftTpm" -ErrorAction SilentlyContinue
      $TPMV = $TPMI.SpecVersion
      $TPME = $TPMI.IsEnabled_InitialValue
      $TPMA = $TPMI.IsActivated_InitialValue
      $TPMO = $TPMI.IsOwned_InitialValue
      if ($TPMV -notmatch "1.2") {
        Write-Host
        Write-Warning "TPM is not version 1.2! MBAM 2.0 Bitlocker Enterprise Encryption will not work with this system."
        Read-host -prompt "Press Enter to continue! "
        Exit
      }
      if ($TPME -eq $False) {
        Write-Host
        Write-Warning "TPM is not Enabled! Please Enable TPM and then re-run this script."
        Read-host -prompt "Press Enter to continue! "
        Exit
      }
      if ($TPMA -eq $False) {
        Write-Host
        Write-Warning "TPM is not Activated! Please Activate TPM and then re-run this script."
        Read-host -prompt "Press Enter to continue! "
        Exit
      }
      if ($TPMO -eq $False) {
        Write-Host
        Write-Warning "TPM is not Owned! This is normal for first time encryption."
      }
      Get-MBAMStatus
    }

  • Anonymous
    February 27, 2014
    function Get-MBAMStatus {
      $MBAMA = GWMI -Query "select * from win32_service where name='mbamagent'" -ErrorAction SilentlyContinue
      $MBAMS = $MBAMA.State
      if (!($MBAMA)) {
        Write-Host
        Write-Warning "MBAM Agent is not Installed!"
        $GOS = GWMI -Class Win32_OperatingSystem
        $OSArch = $GOS.OSArchitecture
        If ($OSArch -eq "64-bit") {
          Start-Process "$AppDir\Microsoft\MBAM 2013\x64\MbamClientSetup.exe" -argumentlist "/qb /norestart" -Wait
        }
        If ($OSArch -eq "32-bit") {
          Start-Process -FilePath "$AppDir\Microsoft\MBAM 2013\x86\MbamClientSetup.exe" -argumentlist "/qb /norestart" -Wait
        }
        Get-MBAMStatus
      }
      Else {
        Write-Host
        Write-Host 'MBAM Agent is' $MBAMS
        $MBAMA.StopService() | Out-Null
        # Value names match the AddMBAMRegEntries.reg file in the post (KeyRecoveryOptions is plural)
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOptions -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Value 1 -PropertyType DWord -Force
        New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Value "http://$MBAMServer/MBAMRecoveryAndHardwareService/CoreService.svc" -PropertyType ExpandString -Force
        $MBAMA.StartService() | Out-Null
      }
      Get-EncryptableVolume
    }

    function Get-EncryptableVolume {
      $LoopCount = 1
      Do {
        # Filter to the OS volume so a single object (not an array) is returned and GetConversionStatus() can be called on it
        $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -Filter "DriveLetter='C:'" -ErrorAction SilentlyContinue
        $EVIS = $EVI.GetConversionStatus().ConversionStatus
        If ($EVIS -eq "0") {
          Write-Host
          Write-Host 'Waiting for Encryption to Start'
        }
        If ($EVIS -eq "1") {
          Write-Host
          Write-Host 'Encryption Finished'
          Start-Cleanup
        }
        If ($EVIS -eq "2") {
          Write-Host
          Write-Host 'Encryption Started'
          Start-Cleanup
        }
        Start-Sleep 5
        $LoopCount++
      }
      Until ($LoopCount -ge 20)
      Write-Warning "Timeout: Encryption did not start!"
      Read-host -prompt "Press Enter to continue! "
    }

    function Start-Cleanup {
      Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryOptions -Force
      Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name UseKeyRecoveryService -Force
      Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name DeploymentTime -Force
      Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name NoStartupDelay -Force
      Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MBAM -Name KeyRecoveryServiceEndPoint -Force
      Exit
    }

    Clear-Host
    Write-Host
    Write-Host 'MBAM 2.0 Bitlocker Enterprise Encryption'
    Get-TPM

  • Anonymous
    March 06, 2014
    Had an issue with $EVI.GetConversionStatus().ConversionStatus on one system so far. Even though on this system I ran $EVI = GWMI -Class Win32_EncryptableVolume -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -ErrorAction SilentlyContinue and then $EVI.GetConversionStatus().ConversionStatus, I kept getting a message that there was no such method GetConversionStatus(). I knew this was not true because when I interrogate (GM) the variable $EVI it shows. Anyone ever run into this?

  • Anonymous
    March 22, 2014
    I am able to run this deployment, but when I go to the HelpDesk website, Manage TPM and submit; I get the error TPM owner password file is not found. When I look up the information in the RecoveryAndHardwareCore.Machines table the TpmPasswordHash is NULL. Any ideas?

  • Anonymous
    April 24, 2014
    Dave Hornbaker from Deployment Guys wrote a script some time ago, that kicks off MBAM encryption of the

  • Anonymous
    May 08, 2014
    I want to delete the bitlocker partition through a script. So, is there a way to identify that a particular partition is bitlocker partition

  • Anonymous
    May 08, 2014
    The comment has been removed

  • Anonymous
    June 03, 2014
    Having issues with this on x64 bit.. Any ideas? Script seems to fail..

  • Anonymous
    June 12, 2014
    The comment has been removed

  • Anonymous
    October 19, 2014
    Is this solution compatible with MBAM 2.5? Is it enough if I just take the sample reg files from this article and the MDT script and put them all together in a single package, or do I need to modify something else than my MBAM server URL? I feel this solution / article is too complex.

  • Anonymous
    October 25, 2014
    The comment has been removed

  • Anonymous
    October 31, 2014
    I see you're using ZTIUTILITY.VBS. Is it possible to use this method without MDT integration?

  • Anonymous
    June 25, 2015
    On the step named "Create a .reg file that contains the required MBAM entries." Do you mean create the reg file from a laptop that has the company MBAM GP in place or create it from another source?

  • Anonymous
    June 22, 2017
    PowerShell: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25

    • Anonymous
      June 22, 2017
      This is the preferred method if you have MBAM 2.5 SP1. Before SP1 you can use the script in this posting. I will be updating the script to support Windows 10 and make it easier to use in the next few days
      • Anonymous
        June 23, 2017
        David, congratulations on the post. I need to activate BitLocker with MBAM for all office machines without requiring the user to enable it. I'll wait for your next post. It will save my life. My machines are on Windows 10.
      • Anonymous
        June 23, 2017
        David, is it possible to enable BitLocker without the need to show the screen to the end user? In this method it is done in a task sequence, but is it possible to do it outside of the deployment? Example: today we have machines with Windows 10 that are already in use, and we would like to encrypt them without requiring any action from the end user.