How to enable BitLocker by using MBAM as part of a Windows deployment
Important
These instructions don't apply to Configuration Manager BitLocker Management. The Invoke-MbamClientDeployment.ps1
PowerShell script isn't supported for use with BitLocker Management in Configuration Manager. This includes escrowing of BitLocker recovery keys during a Configuration Manager task sequence.
Starting with Configuration Manager, version 2103, Configuration Manager BitLocker Management no longer uses the MBAM key recovery services site to escrow keys. Attempting to use the Invoke-MbamClientDeployment.ps1
PowerShell script with Configuration Manager, version 2103 or later can result in serious problems with the Configuration Manager site. Known problems include creation of a large amount of policy targeted to all devices, which can cause policy storms. This behavior leads to severe degradation of performance in Configuration Manager primarily in SQL and with management points. For more information, see Using the MBAM agent to escrow BitLocker recovery keys generates excessive policies in Configuration Manager, version 2103.
BitLocker Management starting with Configuration Manager, version 2203 natively supports escrowing the BitLocker key during a task sequence with the Enable BitLocker task sequence task via the option Automatically store the recovery key in: > The Configuration Manager database. For more information, see Escrow BitLocker recovery password to the site during a task sequence.
Stand-alone MBAM integration with Configuration Manager was only supported through Configuration Manager, version 1902. Since Configuration Manager, version 1902 is out of support, using stand-alone MBAM and the Invoke-MbamClientDeployment.ps1
PowerShell script with currently supported versions of Configuration Manager is no longer supported. For more information, see Versions of Configuration Manager that MBAM supports. Customers using stand-alone MBAM with Configuration Manager should migrate to Configuration Manager BitLocker Management.
This article explains how to enable BitLocker on a user's computer by using Microsoft BitLocker Administration and Monitoring (MBAM) as part of your Windows imaging and deployment process.
Note
If you see a black screen at restart after the Install phase concludes indicating that the drive can't be unlocked, see Earlier Windows versions don't start after "Setup Windows and Configuration Manager" step if Pre-Provision BitLocker is used with Windows 10, version 1511.
Prerequisites
An existing Windows image deployment process - Microsoft Deployment Toolkit (MDT), Microsoft System Center Configuration Manager, or some other imaging tool or process - must be in place
TPM must be enabled in the BIOS and visible to the OS
MBAM server infrastructure must be in place and accessible
The system partition required by BitLocker must be created
The machine must be domain joined during imaging before MBAM fully enables BitLocker
To enable BitLocker using MBAM 2.5 SP1 as part of a Windows deployment
Enable BitLocker during Windows deployment with the Invoke-MbamClientDeployment.ps1
PowerShell script
In MBAM 2.5 SP1, the recommended approach to enable BitLocker during a Windows Deployment is by using the Invoke-MbamClientDeployment.ps1
PowerShell script.
The
Invoke-MbamClientDeployment.ps1
script enacts BitLocker during the imaging process. When required by BitLocker policy, the MBAM agent immediately prompts the domain user to create a PIN or password when the domain user first logs on after imaging.Easy to use with MDT, System Center Configuration Manager, or standalone imaging processes
Compatible with PowerShell 2.0 or higher
Encrypt OS volume with TPM key protector
Fully support BitLocker pre-provisioning
Optionally encrypt FDDs
Escrow TPM OwnerAuth
- For Windows 7, MBAM must own the TPM for escrow to occur.
- For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported.
- For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. When it provisions the TPM, Windows doesn't keep the TPM owner password. For more information, see TPM owner password.
Escrow recovery keys and recovery key packages
Report encryption status immediately
New WMI providers
Detailed logging
Robust error handling
You can download the Invoke-MbamClientDeployment.ps1
script from MBAM client deployment scripts. This download is the main script that your deployment system calls to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
WMI deployment methods for MBAM
To support enabling BitLocker by using the Invoke-MbamClientDeployment.ps1
PowerShell script, MBAM 2.5 SP1 includes the following WMI methods:
MBAM_Machine
WMI class
PrepareTpmAndEscrowOwnerAuth
: Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM isn't owned and autoprovisioning isn't on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting.Note
For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. For more information, see TPM owner password.
Parameter Description RecoveryServiceEndPoint A string specifying the MBAM recovery service endpoint. Here's a list of common error messages:
Common return values Error message S_OK
0 (0x0)The method was successful. MBAM_E_TPM_NOT_PRESENT
2147746304 (0x80040200)TPM isn't present in the computer or is disabled in the BIOS configuration. MBAM_E_TPM_INCORRECT_STATE
2147746305 (0x80040201)TPM isn't in the correct state (enabled, activated, and owner installation allowed). MBAM_E_TPM_AUTO_PROVISIONING_PENDING
2147746306 (0x80040202)MBAM can't take ownership of TPM because autoprovisioning is pending. Try again after autoprovisioning is completed. MBAM_E_TPM_OWNERAUTH_READFAIL
2147746307 (0x80040203)MBAM can't read the TPM owner authorization value. The value might be removed after a successful escrow. On Windows 7, if others own the TPM, MBAM can't read the value. MBAM_E_REBOOT_REQUIRED
2147746308 (0x80040204)The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer. MBAM_E_SHUTDOWN_REQUIRED
2147746309 (0x80040205)The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer. WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)The remote endpoint denied access. WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)The remote endpoint doesn't exist or couldn't be located. **WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)The remote endpoint couldn't process the request. WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)The remote endpoint wasn't reachable. WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)A message containing a fault was received from the remote endpoint. Make sure you connect to the correct service endpoint. WS_E_INVALID_ENDPOINT_URL 2151481376 (0x803D0020) The endpoint address URL isn't valid. The URL must start with http
orhttps
.ReportStatus
: Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state, and encryption state. If it fails, an error code is returned for troubleshooting.Parameter Description ReportingServiceEndPoint A string specifying the MBAM status reporting service endpoint. Here's a list of common error messages:
Common return values Error message S_OK
0 (0x0)The method was successful WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)The remote endpoint denied access. WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)The remote endpoint doesn't exist or couldn't be located. WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)The remote endpoint couldn't process the request. WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)The remote endpoint wasn't reachable. WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)A message containing a fault was received from the remote endpoint. Make sure you connect to the correct service endpoint. WS_E_INVALID_ENDPOINT_URL
2151481376 (0x803D0020)The endpoint address URL isn't valid. The URL must start with http
orhttps
.
MBAM_Volume
WMI class
EscrowRecoveryKey
: Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting.Parameter Description RecoveryServiceEndPoint A string specifying the MBAM recovery service endpoint. Here's a list of common error messages:
Common return values Error message S_OK
0 (0x0)The method was successful FVE_E_LOCKED_VOLUME
2150694912 (0x80310000)The volume is locked. FVE_E_PROTECTOR_NOT_FOUND
2150694963 (0x80310033)A numerical password protector wasn't found for the volume. WS_E_ENDPOINT_ACCESS_DENIED
2151481349 (0x803D0005)The remote endpoint denied access. WS_E_ENDPOINT_NOT_FOUND
2151481357 (0x803D000D)The remote endpoint doesn't exist or couldn't be located. WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F)The remote endpoint couldn't process the request. WS_E_ENDPOINT_UNREACHABLE
2151481360 (0x803D0010)The remote endpoint wasn't reachable. WS_E_ENDPOINT_FAULT_RECEIVED
2151481363 (0x803D0013)A message containing a fault was received from the remote endpoint. Make sure you connect to the correct service endpoint. WS_E_INVALID_ENDPOINT_URL
2151481376 (0x803D0020)The endpoint address URL isn't valid. The URL must start with http
orhttps
.
Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell
In MDT, create a new deployment share or open an existing deployment share.
Note
You can use the
Invoke-MbamClientDeployment.ps1
PowerShell script with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool.Caution
If you use BitLocker preprovisioning in Windows PE, and want to maintain the TPM owner authorization value, you must add the
SaveWinPETpmOwnerAuth.wsf
script in Windows PE immediately before the installation restarts into the full OS. If you don't use this script, you'll lose the TPM owner authorization value on restart.Copy
Invoke-MbamClientDeployment.ps1
to<DeploymentShare>\Scripts
. If you're using pre-provisioning, copy theSaveWinPETpmOwnerAuth.wsf
file into<DeploymentShare>\Scripts
.Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share.
- Under the Applications node, select New Application.
- Select Application with Source Files. Select Next.
- In Application Name, type "MBAM 2.5 SP1 Client". Select Next.
- Browse to the directory containing
MBAMClientSetup-<Version>.msi
. Select Next. - Type "MBAM 2.5 SP1 Client" as the directory to create. Select Next.
- Enter
msiexec /i MBAMClientSetup-<Version>.msi /quiet
at the command line. Select Next. - Accept the remaining defaults to complete the New Application wizard.
In MDT, right-click the name of the deployment share and select Properties. Select the Rules tab. Add the following lines:
SkipBitLocker=YES``BDEInstall=TPM``BDEInstallSuppress=NO``BDEWaitForEncryption=YES
Select OK to close the window.
Under the Task Sequences node, edit an existing task sequence used for Windows Deployment. If you want, you can create a new task sequence by right-clicking the Task Sequences node, selecting New Task Sequence, and completing the wizard.
On the Task Sequence tab of the selected task sequence, do these steps:
Under the Preinstall folder, enable the optional task Enable BitLocker (Offline) if you want BitLocker enabled in WinPE, which encrypts used space only.
To persist TPM OwnerAuth when using pre-provisioning, allowing MBAM to escrow it later, do the following:
Find the Install Operating System step
Add a new Run Command Line step after it
Name the step Persist TPM OwnerAuth
Set the command line to
cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"
Note
For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. When provisioning the TPM, Windows doesn't keep the TPM owner password. For more information, see TPM owner password.
In the State Restore folder, delete the Enable BitLocker task.
In the State Restore folder under Custom Tasks, create a new Install Application task and name it Install MBAM Agent. Select the Install Single Application radio button and browse to the MBAM 2.5 SP1 client application created earlier.
In the State Restore folder under Custom Tasks, create a new Run PowerShell Script task (after the MBAM 2.5 SP1 Client application step) with the following settings (update the parameters as appropriate for your environment):
Name: Configure BitLocker for MBAM
PowerShell script:
Invoke-MbamClientDeployment.ps1
Parameters:
Parameter Requirement Description -RecoveryServiceEndpoint
Required MBAM recovery service endpoint. -StatusReportingServiceEndpoint
Optional MBAM status reporting service endpoint. -EncryptionMethod
Optional Encryption method (default: AES 128). -EncryptAndEscrowDataVolume
Switch Specify to encrypt data volumes and escrow data volume recovery keys. -WaitForEncryptionToComplete
Switch Specify to wait for the encryption to complete. -DoNotResumeSuspendedEncryption
Switch Specify that the deployment script won't resume suspended encryption. -IgnoreEscrowOwnerAuthFailure
Switch Specify to ignore TPM owner-auth escrow failure. It should be used in scenarios where MBAM isn't able to read the TPM owner-auth. For example, if TPM auto provisioning is enabled. -IgnoreEscrowRecoveryKeyFailure
Switch Specify to ignore volume recovery key escrow failure. -IgnoreReportStatusFailure
Switch Specify to ignore status reporting failure.
To enable BitLocker using MBAM 2.5 or earlier as part of a Windows deployment
Install the MBAM client. For instructions, see How to deploy the MBAM client by using a command line.
Join the computer to a domain (recommended).
If the computer isn't joined to a domain, the recovery password isn't stored in the MBAM Key Recovery service. By default, MBAM doesn't allow encryption to occur unless the recovery key can be stored.
If a computer starts in recovery mode before the recovery key is stored on the MBAM Server, no recovery method is available, and the computer has to be reimaged.
Open a command prompt as an administrator, and stop the MBAM service.
Set the service to Manual or On demand by typing the following commands:
net stop mbamagent
sc config mbamagent start= demand
Set the registry values so that the MBAM client ignores the group policy settings and instead sets encryption to start the time Windows is deployed to that client computer.
Caution
This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We can't guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk.
Set the TPM for Operating system only encryption, run Regedit.exe, and then import the registry key template from
C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg
.In Regedit.exe, go to
HKLM\SOFTWARE\Microsoft\MBAM
, and configure the settings that are listed in the following table.Note
You can set group policy settings or registry values related to MBAM here. These settings override previously set values.
Registry entry Configuration settings DeploymentTime 0 = Off
1 = Use deployment time policy settings (default) - use this setting to enable encryption at the time Windows is deployed to the client computer.UseKeyRecoveryService 0 = Don't use key escrow. The next two registry entries aren't required in this case.
1 = Use key escrow in Key Recovery system (default)
This setting is recommended, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed.KeyRecoveryOptions 0 = Uploads Recovery Key only
1 = Uploads Recovery Key and Key Recovery Package (default)KeyRecoveryServiceEndPoint Set this value to the URL for the server running the Key Recovery service, for example, https://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc
.
The MBAM client restarts the system during the MBAM client deployment. When you're ready for this restart, run the following command at a command prompt as an administrator:
net start mbamagent
When the computers restarts, and the BIOS prompts you, accept the TPM change.
During the Windows client operating system imaging process, when you're ready to start encryption, open a command prompt as an administrator, and type the following commands to set the start to Automatic and to restart the MBAM client agent:
sc config mbamagent start= auto
net start mbamagent
To delete the bypass registry values, run Regedit.exe, and go to the
HKLM\SOFTWARE\Microsoft
registry entry. Right-click the MBAM node, and then select Delete.