In this article I’d like to discuss using MBAM-based encryption from an MDT Task Sequence, an approach that can also be used in SCCM deployments. Before I go into that fully, it should be mentioned that MBAM 2.0 has been released in Beta. Microsoft’s strategy for MBAM 1.0 was to deliver a product that could scale to the largest organizations, require the least amount of infrastructure, and could be run in any organization. The latter requirement consequently meant that MBAM could not take a dependency on System Center Configuration Manager (SCCM), so management tasks – like compliance reporting of BitLocker-protected devices – would need to occur in another console. Because of customer demand, MBAM 2.0 has enabled MBAM management experiences, such as compliance reporting and hardware management, within the SCCM management console. So, stay tuned. MBAM 2.0 may provide a richer experience for the SCCM admin.
If you read our previous post about BitLocker, you will recall that BitLocker creates recovery information at the time of encryption and MBAM clients store that information in the recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process. But MBAM encryption is controlled by Group Policy. Since Group Policy is not applied during an SCCM Task Sequence, it’s important to tread carefully when installing MBAM during an OSD process, to ensure the policies and the MBAM client are applied correctly and your deployment stays smooth and error free.
Remember that prior to enabling BitLocker on a computer with a TPM version 1.2, a user must initialize the TPM chip and ownership must be “taken.” The initialization process generates a TPM owner password, set on the TPM chip. The user must supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting after a TPM lockout.
MBAM supports encryption of a computer’s operating system hard drive in a fashion referred to as “TPM-only.” TPM-only encryption encrypts all data on the drive but does not require user intervention unless the state of the hardware changes. This is the mode we will be using.
For many companies, there may be no need to encrypt a machine before the end user accesses the system. A ‘new iron’ install of an OS may not require encryption until a user logs in and begins to populate the system with data that should be secured. When this is the case, the MBAM client can be installed during the TS, but ensure the BitLocker GPO policies are not applied until the system is ready for production and given to a user. One way this can be accomplished is by placing the machine’s AD object into a holding OU that does not apply the MBAM BitLocker policies; alternatively, one could link those policies to the end user’s account in AD.
The MBAM agent itself can be installed during Windows 7 image creation. To install MBAM during the deployment, just create an SCCM package/program to install the agent. It’s recommended that you install the agent near the end of the OSD task sequence so any encryption you do start will not slow your deployment down.
First, import the MBAM client .MSI file into the MDT Application Installer by right-clicking the Applications folder in the MDT Deployment Share tree structure and running the New Application Wizard, and then add that MBAM Client application to your Task Sequence after you have installed any applications or modifications of your image.
After the client is installed you can then start the TPM-only encryption process by following these procedures and adding steps to your TS.
You’ll need to modify the registry by importing a new registry key. This key mimics the settings a GPO would apply to the workstation so it will begin the encryption process. A registry file is deposited in the MBAM client installation directory under “C:\Program Files\Microsoft\MDOP MBAM.” Copy this file to the MDT Deployment Share in the Scripts root directory and then call it via a custom command step in the TS.
It’s also smart to create a step in the TS to eject the CD-ROM before the MBAM Service starts. BitLocker cannot start the encryption process with a disk in the drive. If you have started your OSD with a CD to boot to the WinPE environment this is especially important.
After the service has started BitLocker and the encryption process has begun, you must remove the registry keys imported earlier in the process. This can be done by running regedit on a copy of the registry import file in which each imported value is replaced with a minus sign (e.g. the "KeyRecoveryOptions"=dword:00000001 entry becomes "KeyRecoveryOptions"=- ), which tells regedit to delete that value.
Note: The “KeyRecoveryServiceEndPoint” value must be custom edited in the imported .reg file. As long as the user account used during the MDT login process has the correct permissions for the MDT deployment share and is a Domain User known to MBAM, the recovery package with the TPM owner password will be pushed to the MBAM Service and stored in the Recovery Key Database associated with a Machine ID.
If an endpoint is not provided, or the user account used at MDT login is not known to MBAM (such as a local administrator account), then the TPM-only encryption process will start but the TPM recovery information will not be sent to the MBAM recovery database. When the computer is given to the end user and joins the enterprise domain, the computer will receive MBAM group policy. The MBAM client can be silently updated if necessary, and the user can be prompted to create a PIN. From the end user’s perspective, adding the PIN will take seconds instead of hours because the operating system drive is already encrypted.
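As an added example (my own script, not from the article or from the Deployment Guys sample), here is the import, start, wait and remove sequence from the steps above as one Run Command Line step, with a check that the KeyRecoveryServiceEndPoint line was actually edited. It assumes the edited policy file is named MBAMPolicy.reg beside the script, that the MBAM client service is named MBAMAgent, and that it runs in the full OS after the CD-ROM has already been ejected.

```powershell
# Added example (not the article's code): apply the MBAM policy .reg file, start the
# MBAM client service, wait for the OS drive to begin encrypting, then import a
# generated "removal" copy of the same file so the GPO-mimicking values are deleted.
# Assumptions: MBAMPolicy.reg sits next to this script and the MBAM client service
# is named "MBAMAgent" (verify both in your environment).
param(
    [string]$ImportReg   = '',
    [string]$RemoveReg   = "$env:TEMP\MBAMPolicy-remove.reg",
    [string]$ServiceName = 'MBAMAgent',
    [int]$TimeoutMinutes = 15
)
$ErrorActionPreference = 'Stop'
if (-not $ImportReg) {
    $ImportReg = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'MBAMPolicy.reg'
}
$content = Get-Content -Path $ImportReg

# Refuse to run if the endpoint was never customized: encryption would still start,
# but the recovery package would never reach MBAM (see the note above).
if ($content -match '^"KeyRecoveryServiceEndPoint"\s*=\s*"\s*"\s*$') {
    throw "KeyRecoveryServiceEndPoint is empty in $ImportReg; edit it before deploying."
}

# Build the removal file: keep the header and [HKEY_...] lines, and turn every
# "Name"=... (or @=...) value into "Name"=- so regedit deletes that value.
# Continuation lines of multi-line hex values (ending in '\') are simply dropped.
$removal = foreach ($line in $content) {
    if ($line -match '^(\s*|\[.*\]|Windows Registry Editor.*)$') { $line }
    elseif ($line -match '^("[^"]+"|@)=') { "$($Matches[1])=-" }
}
Set-Content -Path $RemoveReg -Value $removal -Encoding Unicode

# Import the policy values and start the agent, which kicks off TPM-only encryption.
& reg.exe import $ImportReg
if ($LASTEXITCODE -ne 0) { throw "reg import of $ImportReg failed ($LASTEXITCODE)" }
Start-Service -Name $ServiceName

# Poll the OS volume until conversion is in progress (2) or already complete (1).
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
$state = -1
do {
    $state = $vol.GetConversionStatus().ConversionStatus
    if (@(1, 2) -contains $state) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)
if (-not (@(1, 2) -contains $state)) {
    throw "BitLocker did not start encrypting $env:SystemDrive in $TimeoutMinutes min; policy values left in place."
}

# Encryption is under way: delete the imported policy values, as the article requires.
& reg.exe import $RemoveReg
```

If the wait times out, the script deliberately leaves the policy values in place and fails the TS step, so a machine that never started encrypting is not silently handed to a user.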
Microsoft’s Deployment Guys website has a post on this topic with a sample script you can experiment with to automate these processes and check for TPM enablement: https://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx