How to Enable BitLocker by Using MBAM as Part of a Windows Deployment

  • Article

Important

These instructions do not pertain to Configuration Manager BitLocker Management. The Invoke-MbamClientDeployment.ps1 PowerShell script is not supported for use with BitLocker Management in Configuration Manager. This includes escrowing of BitLocker recovery keys during a Configuration Manager task sequence.

Furthermore, starting with Configuration Manager, version 2103, Configuration Manager BitLocker Management no longer uses the MBAM key recovery services site to escrow keys. Attempting to use the Invoke-MbamClientDeployment.ps1 PowerShell script with Configuration Manager, version 2103 or newer can result in serious problems with the Configuration Manager site. Known problems include creation of a large amount of policy targeted to all devices which can cause policy storms. This will lead to severe degradation of performance in Configuration Manager primarily in SQL and with Management Points. For more information, see Using the MBAM Agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager, version 2103.

BitLocker Management starting with Configuration Manager, version 2203 natively supports escrowing the BitLocker key during a task sequence with the Enable BitLocker task sequence task via the option Automatically store the recovery key in: > The Configuration Manager database. For more information, see Escrow BitLocker recovery password to the site during a task sequence.

Also note that stand-alone MBAM integration with Configuration Manager was only supported through Configuration Manager, version 1902. Since Configuration Manager, version 1902 is out of support, using stand-alone MBAM and the Invoke-MbamClientDeployment.ps1 PowerShell script with currently supported versions of Configuration Manager is no longer supported. For more information, see Versions of Configuration Manager that MBAM supports. Customers using stand-alone MBAM with Configuration Manager should migrate to Configuration Manager BitLocker Management.

This topic explains how to enable BitLocker on an end user's computer by using MBAM as part of your Windows imaging and deployment process. If you see a black screen at restart (after Install phase concludes) indicating that the drive cannot be unlocked, see Earlier Windows versions don't start after "Setup Windows and Configuration Manager" step if Pre-Provision BitLocker is used with Windows 10, version 1511.

Prerequisites:

  • An existing Windows image deployment process – Microsoft Deployment Toolkit (MDT), Microsoft System Center Configuration Manager, or some other imaging tool or process – must be in place

  • TPM must be enabled in the BIOS and visible to the OS

  • MBAM server infrastructure must be in place and accessible

  • The system partition required by BitLocker must be created

  • The machine must be domain joined during imaging before MBAM fully enables BitLocker

To enable BitLocker using MBAM 2.5 SP1 as part of a Windows deployment

  1. In MBAM 2.5 SP1, the recommended approach to enable BitLocker during a Windows Deployment is by using the Invoke-MbamClientDeployment.ps1 PowerShell script.

    • The Invoke-MbamClientDeployment.ps1 script enacts BitLocker during the imaging process. When required by BitLocker policy, the MBAM agent immediately prompts the domain user to create a PIN or password when the domain user first logs on after imaging.

    • Easy to use with MDT, System Center Configuration Manager, or standalone imaging processes

    • Compatible with PowerShell 2.0 or higher

    • Encrypt OS volume with TPM key protector

    • Fully support BitLocker pre-provisioning

    • Optionally encrypt FDDs

    • Escrow TPM OwnerAuth For Windows 7, MBAM must own the TPM for escrow to occur. For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See TPM owner password for further details.

    • Escrow recovery keys and recovery key packages

    • Report encryption status immediately

    • New WMI providers

    • Detailed logging

    • Robust error handling

    You can download the Invoke-MbamClientDeployment.ps1 script from Microsoft.com Download Center. This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.

    WMI deployment methods for MBAM: The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the Invoke-MbamClientDeployment.ps1 PowerShell script.

    MBAM_Machine WMI Class PrepareTpmAndEscrowOwnerAuth: Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting.

    Note For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See TPM owner password for further details.

Parameter Description
RecoveryServiceEndPoint A string specifying the MBAM recovery service endpoint.

Here is a list of common error messages:

Common return values Error message
S_OK
0 (0x0)		 The method was successful.
MBAM_E_TPM_NOT_PRESENT
2147746304 (0x80040200)		 TPM is not present in the computer or is disabled in the BIOS configuration.
MBAM_E_TPM_INCORRECT_STATE
2147746305 (0x80040201)		 TPM is not in the correct state (enabled, activated and owner installation allowed).
MBAM_E_TPM_AUTO_PROVISIONING_PENDING
2147746306 (0x80040202)		 MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed.
MBAM_E_TPM_OWNERAUTH_READFAIL
2147746307 (0x80040203)		 MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.
MBAM_E_REBOOT_REQUIRED
2147746308 (0x80040204)		 The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer.
MBAM_E_SHUTDOWN_REQUIRED
2147746309 (0x80040205)		 The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer.
WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)		 Access was denied by the remote endpoint.
WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)		 The remote endpoint does not exist or could not be located.
**WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)		 The remote endpoint could not process the request.
WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)		 The remote endpoint was not reachable.
WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)		 A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.
WS_E_INVALID_ENDPOINT_URL 2151481376 (0x803D0020) The endpoint address URL is not valid. The URL must start with “http” or “https”.

ReportStatus: Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting.

Parameter Description
ReportingServiceEndPoint A string specifying the MBAM status reporting service endpoint.

Here is a list of common error messages:

Common return values Error message
S_OK
0 (0x0)		 The method was successful
WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)		 Access was denied by the remote endpoint.
WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)		 The remote endpoint does not exist or could not be located.
WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)		 The remote endpoint could not process the request.
WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)		 The remote endpoint was not reachable.
WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)		 A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.
WS_E_INVALID_ENDPOINT_URL
2151481376 (0x803D0020)		 The endpoint address URL is not valid. The URL must start with “http” or “https”.

MBAM_Volume WMI Class EscrowRecoveryKey: Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting.

Parameter Description
RecoveryServiceEndPoint A string specifying the MBAM recovery service endpoint.

Here is a list of common error messages:

Common return values Error message
S_OK
0 (0x0)		 The method was successful
FVE_E_LOCKED_VOLUME
2150694912 (0x80310000)		 The volume is locked.
FVE_E_PROTECTOR_NOT_FOUND
2150694963 (0x80310033)		 A Numerical Password protector was not found for the volume.
WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)		 Access was denied by the remote endpoint.
WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)		 The remote endpoint does not exist or could not be located.
WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)		 The remote endpoint could not process the request.
WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)		 The remote endpoint was not reachable.
WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)		 A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.
WS_E_INVALID_ENDPOINT_URL
2151481376 (0x803D0020)		 The endpoint address URL is not valid. The URL must start with “http” or “https”.

  1. Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell

    1. In MDT, create a new deployment share or open an existing deployment share.

      Note
      The Invoke-MbamClientDeployment.ps1 PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool.

      Caution
      If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the SaveWinPETpmOwnerAuth.wsf script in WinPE immediately before the installation reboots into the full operating system. If you do not use this script, you will lose the TPM owner authorization value on reboot.

    2. Copy Invoke-MbamClientDeployment.ps1 to <DeploymentShare>\Scripts. If you are using pre-provisioning, copy the SaveWinPETpmOwnerAuth.wsf file into <DeploymentShare>\Scripts.

    3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share.

      1. Under the Applications node, click New Application.

      2. Select Application with Source Files. Click Next.

      3. In Application Name, type “MBAM 2.5 SP1 Client”. Click Next.

      4. Browse to the directory containing MBAMClientSetup-<Version>.msi. Click Next.

      5. Type “MBAM 2.5 SP1 Client” as the directory to create. Click Next.

      6. Enter msiexec /i MBAMClientSetup-<Version>.msi /quiet at the command line. Click Next.

      7. Accept the remaining defaults to complete the New Application wizard.

    4. In MDT, right-click the name of the deployment share and click Properties. Click the Rules tab. Add the following lines:

      SkipBitLocker=YES``BDEInstall=TPM``BDEInstallSuppress=NO``BDEWaitForEncryption=YES

      Click OK to close the window.

    5. Under the Task Sequences node, edit an existing task sequence used for Windows Deployment. If you want, you can create a new task sequence by right-clicking the Task Sequences node, selecting New Task Sequence, and completing the wizard.

      On the Task Sequence tab of the selected task sequence, perform these steps:

      1. Under the Preinstall folder, enable the optional task Enable BitLocker (Offline) if you want BitLocker enabled in WinPE, which encrypts used space only.

      2. To persist TPM OwnerAuth when using pre-provisioning, allowing MBAM to escrow it later, do the following:

        1. Find the Install Operating System step

        2. Add a new Run Command Line step after it

        3. Name the step Persist TPM OwnerAuth

        4. Set the command line to cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf" Note: For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See TPM owner password for further details.

      3. In the State Restore folder, delete the Enable BitLocker task.

      4. In the State Restore folder under Custom Tasks, create a new Install Application task and name it Install MBAM Agent. Click the Install Single Application radio button and browse to the MBAM 2.5 SP1 client application created earlier.

      5. In the State Restore folder under Custom Tasks, create a new Run PowerShell Script task (after the MBAM 2.5 SP1 Client application step) with the following settings (update the parameters as appropriate for your environment):

        • Name: Configure BitLocker for MBAM

        • PowerShell script: Invoke-MbamClientDeployment.ps1

        • Parameters:

          -RecoveryServiceEndpoint

          Required

          MBAM recovery service endpoint

          -StatusReportingServiceEndpoint

          Optional

          MBAM status reporting service endpoint

          -EncryptionMethod

          Optional

          Encryption method (default: AES 128)

          -EncryptAndEscrowDataVolume

          Switch

          Specify to encrypt data volume(s) and escrow data volume recovery key(s)

          -WaitForEncryptionToComplete

          Switch

          Specify to wait for the encryption to complete

          -DoNotResumeSuspendedEncryption

          Switch

          Specify that the deployment script will not resume suspended encryption

          -IgnoreEscrowOwnerAuthFailure

          Switch

          Specify to ignore TPM owner-auth escrow failure. It should be used in the scenarios where MBAM is not able to read the TPM owner-auth, e.g. if TPM auto provisioning is enabled

          -IgnoreEscrowRecoveryKeyFailure

          Switch

          Specify to ignore volume recovery key escrow failure

          -IgnoreReportStatusFailure

          Switch

          Specify to ignore status reporting failure

To enable BitLocker using MBAM 2.5 or earlier as part of a Windows deployment

  1. Install the MBAM Client. For instructions, see How to Deploy the MBAM Client by Using a Command Line.

  2. Join the computer to a domain (recommended).

    • If the computer is not joined to a domain, the recovery password is not stored in the MBAM Key Recovery service. By default, MBAM does not allow encryption to occur unless the recovery key can be stored.

    • If a computer starts in recovery mode before the recovery key is stored on the MBAM Server, no recovery method is available, and the computer has to be reimaged.

  3. Open a command prompt as an administrator, and stop the MBAM service.

  4. Set the service to Manual or On demand by typing the following commands:

    net stop mbamagent

    sc config mbamagent start= demand

  5. Set the registry values so that the MBAM Client ignores the Group Policy settings and instead sets encryption to start the time Windows is deployed to that client computer.

    Caution   This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk.

    1. Set the TPM for Operating system only encryption, run Regedit.exe, and then import the registry key template from C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg.

    2. In Regedit.exe, go to HKLM\SOFTWARE\Microsoft\MBAM, and configure the settings that are listed in the following table.

      Note   You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values.

      Registry entry Configuration settings

      DeploymentTime

      0 = Off

      1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer.

      UseKeyRecoveryService

      0 = Do not use key escrow (the next two registry entries are not required in this case)

      1 = Use key escrow in Key Recovery system (default)

      This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed.

      KeyRecoveryOptions

      0 = Uploads Recovery Key only

      1 = Uploads Recovery Key and Key Recovery Package (default)

      KeyRecoveryServiceEndPoint

      Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc.

  6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator:

    net start mbamagent

  7. When the computers restarts, and the BIOS prompts you, accept the TPM change.

  8. During the Windows client operating system imaging process, when you are ready to start encryption, open a command prompt as an administrator, and type the following commands to set the start to Automatic and to restart the MBAM Client agent:

    sc config mbamagent start= auto

    net start mbamagent

  9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\SOFTWARE\Microsoft registry entry. Right-click the MBAM node, and then click Delete.

Deploying the MBAM 2.5 Client

Planning for MBAM 2.5 Client Deployment

Got a suggestion for MBAM?