MBAM 2.0 Encryption during Task Sequence

    Question

  • The MBAM 2.0 documentation for installing the agent as part of an Operating System Deployment seems to have been simplified somewhat; however, I do have a question as to why I would choose to have the MBAM agent initiate the encryption process when I have the ability to do this through the standard Enable BitLocker option? If I do choose to go with MBAM 2.0 as the encryption starter, do we know if MBAM 2.0 is able to start the encryption if the drive has already been pre-provisioned earlier in Windows PE?


    My Personal Blog: http://madluka.wordpress.com

    Wednesday, May 01, 2013 11:12 AM

All replies

  • If you use the MBAM agent to start encryption during the TS, you have the possibility to send the recovery password and package to the MBAM Server.
    Tuesday, June 11, 2013 2:18 PM
  • That isn't really what I am getting at, as I can still expedite the delivery of the keys by installing the MBAM client post-encryption in the task sequence and using a couple of registry keys to speed that up.

    My Personal Blog: http://madluka.wordpress.com

    Tuesday, June 11, 2013 3:40 PM
  • Sorry for stealing this thread - just an additional question - I implemented an MBAM client installation during the TS, and without any tweaks, my test laptop seems to be encrypted automatically. But I still need to set the PIN by launching mbamUI.exe (or whatever that is). Is there a way to automate the PIN popup on first sign-in or something?
    Wednesday, October 02, 2013 4:45 PM
  • Have you set the GPO to require TPM + PIN? Are you waiting for the policies to apply to the system? I believe that should eventually cause the MBAM agent to pop up the PIN request.

    My Personal Blog: http://madluka.wordpress.com

    Wednesday, October 02, 2013 4:51 PM
  • If I do choose to go with MBAM 2.0 as the encryption starter, do we know if MBAM 2.0 is able to start the encryption if the drive has already been pre-provisioned earlier in Windows PE?


    My Personal Blog: http://madluka.wordpress.com

    Yes, you can. Pre-provisioning in WinPE and then installing the MBAM agent to enable and manage encryption works just fine.

    Mark.

    Thursday, October 03, 2013 1:15 PM
  • Have you set the GPO to require TPM + PIN? Are you waiting for the policies to apply to the system? I believe that should eventually cause the MBAM agent to pop up the PIN request.

    My Personal Blog: http://madluka.wordpress.com

    I believe the "Configure TPM startup PIN = Require startup PIN with TPM" should do the trick, or? These are my current GPO settings, but the PIN request from the MBAM client won't pop up after the TS installation, at the first login.

    Monday, October 07, 2013 7:48 AM
  • Sorry for stealing this thread - just an additional question - I implemented an MBAM client installation during the TS, and without any tweaks, my test laptop seems to be encrypted automatically. But I still need to set the PIN by launching mbamUI.exe (or whatever that is). Is there a way to automate the PIN popup on first sign-in or something?

    Hello,

    Yannara, could you describe the different steps in your task sequence to encrypt the disk?

    Thanks

    Monday, October 28, 2013 11:13 AM
  • Sorry for stealing this thread - just an additional question - I implemented an MBAM client installation during the TS, and without any tweaks, my test laptop seems to be encrypted automatically. But I still need to set the PIN by launching mbamUI.exe (or whatever that is). Is there a way to automate the PIN popup on first sign-in or something?


    Hello,

    Yannara, could you describe the different steps in your task sequence to encrypt the disk?

    Thanks

    In my lab, this is simpler. During the MDT TS, I have these steps for BitLocker:

    1. In the WinPE phase, provision BitLocker
    2. In the OS phase, MDT's Enable BitLocker with cscript.exe "%deployroot%\scripts\ZTIBde.wsf" /UDI
    3. Install the MBAM client

    I found a policy in MBAM's user experience which forces the postpone times to 0, which means it would be mandatory. But when I enable it, the ClientUI.exe start screen becomes blank after the policy is enabled.

    The funny part is that in a production environment the MBAM client behaved differently: it had no effect on the drive, the drive was clean from BitLocker and only the PIN requirement triggered the encryption, which was slow as it was done afterwards. Here, I had to make some registry input into the TS, which disabled the delay value of the MBAM policy. Now, after that, production computers also come as suspended.

    Monday, October 28, 2013 2:36 PM
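    A post-deployment check for the end state the thread is debating, added here as an example (it is not from this thread, MDT or MBAM): it reports whether the OS volume is fully encrypted and protected, which key protectors exist (TPM+PIN and a recovery password for MBAM to escrow), and whether the TPM is ready. It assumes the OS volume is C: and that the BitLocker and TrustedPlatformModule PowerShell modules are available (Windows 8 / Server 2012 or later), run from an elevated prompt.

```powershell
# Added example: verify the end state of a BitLocker/MBAM task sequence.
# Assumptions: OS volume is C:; BitLocker and TrustedPlatformModule modules
# are present (Windows 8 / Server 2012+); run elevated (Get-Tpm needs admin).
function Test-BitLockerDeployment {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm   = Get-Tpm
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # "Suspended" in BitLocker terms: data is encrypted but protectors are
    # not enforced (the clear key is on disk), the state mentioned above.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                  $vol.ProtectionStatus -eq 'Off')

    $report = [PSCustomObject]@{
        MountPoint          = $MountPoint
        VolumeStatus        = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        ProtectionStatus    = $vol.ProtectionStatus    # On / Off
        EncryptionPercent   = $vol.EncryptionPercentage
        HasTpmPinProtector  = ($types -contains 'TpmPin')
        HasTpmOnlyProtector = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        Suspended           = $suspended
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
    }

    # Findings a deployment engineer would act on before handing the machine over.
    $issues = @()
    if ($report.VolumeStatus -ne 'FullyEncrypted') { $issues += 'Volume is not fully encrypted.' }
    if ($report.Suspended)                          { $issues += 'Protection is suspended; protectors are not enforced.' }
    if (-not $report.HasTpmPinProtector)            { $issues += 'No TPM+PIN protector; the PIN policy has not taken effect.' }
    if (-not $report.HasRecoveryPassword)           { $issues += 'No recovery password protector; nothing for MBAM to escrow.' }
    if (-not $report.TpmReady)                      { $issues += 'TPM is not ready (not initialized or owned).' }

    $report | Add-Member -NotePropertyName Issues -NotePropertyValue $issues -PassThru
}

Test-BitLockerDeployment | Format-List
```

    An empty Issues list means the volume is encrypted, protected by TPM+PIN and carries a recovery password; it does not show whether that password actually reached the MBAM database, which still has to be confirmed on the server side.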
  • Ok, thanks, but who has the TPM ownership? Have you checked in your database if the MBAM agent has sent the TPM Ownership Password to the MBAM Recovery Hardware database?
    Monday, October 28, 2013 2:43 PM
  • Ok, thanks, but who has the TPM ownership? Have you checked in your database if the MBAM agent has sent the TPM Ownership Password to the MBAM Recovery Hardware database?

    Good that you pointed this out. I quickly checked that, and I don't have those in the DB.
    Monday, October 28, 2013 3:49 PM
  • Thanks, it confirms that if you don't start the encryption with the MBAM Agent, the TPM Ownership password is not saved to the MBAM DB.

    I suppose you have to start the encryption process during the TS with the MBAM Client and not with the BitLocker step proposed in SCCM. Read this blog, it can help you:

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx


    Monday, October 28, 2013 4:08 PM
  • Yes, I thought I could give it a try to install one computer without the BitLocker steps, and then see if the TPM password would be written to the DB.

    I saw that article before, and it seems quite tricky...

    Monday, October 28, 2013 5:08 PM
  • Is the TPM password really necessary? I've been dealing with BitLocker for a few years now, and I never had to think about the TPM owner password.
    Tuesday, October 29, 2013 6:15 AM
  • WoW! I just got the first TPM Owner password viewed in the MBAM helpdesk site, after the machine was installed via TS with OSD's BitLocker + MBAM client installation. So the MBAM client did not initiate the BitLocker encryption.
    Monday, November 04, 2013 6:30 AM