MBAM encryption during MDT Tasksequence

    Question

  • Hi,

    hopefully someone can help me?

    I'm trying to configure my MDT Tasksequence for automatically encrypting using MBAM.

    I saw the following startmbamencryption.wsf Script:

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

    The instructions are a little bit confusing:

    • Do I only need to install the MBAM Client via an MDT Application and run startmbamencryption.wsf with the reg keys?
    • I want to use TPM + PIN. Is this possible? And how?

    I want to realize automatic encryption and then (after reboot) the Client UI should ask for the TPM PIN. Is this possible?

    Maybe someone can provide screenshots or other detailed instructions?

    Thanks,

    Regards,

    ckuever

    Wednesday, March 07, 2012 8:28 PM

Answers

  • Do you have the 100MB or 300MB System volume on your machine?
    It seems that the most likely cause of error 0x803d0013 is that the system volume is not created. So please confirm this.

    Thanks
    Zero

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, March 28, 2012 11:59 AM

All replies

  • I was quite confused also before I got it to work :-)

    I did the following:

    1. Create a step to enable TPM in the beginning of the TS.

    I have following steps in the State Restore selection:

    2. Create a TS step to create the Bitlocker partition (with command line: "BdeHdCfg -target default -quiet")

    3. Create a TS step to restart the computer (to the currently installed OS)

    4. Create a TS step to install the MBAM client

    5. Create a package for the MBAM TS Support Package. Put 4 files in this package (ZTIUtility.vbs, StartMBAMEncryption.wsf, AddMBAMRegEntries.reg, RemoveMBAMRegEntries.reg)

    6. Create a program in the package: with commandline:
    "cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg"

    7. Create an Install Software step in the TS to run the package you just created.

    8. Create a MBAM GPO to configure MBAM (here you can enable TPM + PIN)

    After the deployment is done and you are logged into Windows, MBAM client will ask you to create a PIN (if you enabled TPM+PIN in the GPO).

    See more info about MBAM GPO here:

    Planning and Configuring Group Policy for MBAM http://onlinehelp.microsoft.com/de-de/mdop/hh285629.aspx
    Deploying MBAM Group Policies: http://onlinehelp.microsoft.com/pt-br/mdop/hh285640.aspx

    Hope it works out for you :-)

    Thursday, March 08, 2012 11:01 AM
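    The eight steps above leave the machine in a state that nothing in the task sequence actually verifies before the computer account is moved to its final OU. The following script is an added example, not part of this thread or of the MBAM support package; it is meant to run as a "Run Command Line" step after the StartMBAMEncryption.wsf step and fails that step (non-zero exit code) when a prerequisite the thread relies on is missing: TPM enabled/activated/owned, a separate system volume (the 100MB/300MB partition BdeHdCfg creates), the MBAM client service, and a TPM-based plus a numerical recovery protector on the OS drive. The service name `MBAMAgent` and the choice of checks are my assumptions; the WMI classes and method names are the documented Win32_Tpm and Win32_EncryptableVolume interfaces.

```powershell
# Added example: post-encryption verification step for an MDT task sequence.
# Run as:  powershell.exe -ExecutionPolicy Bypass -File Test-MbamTsState.ps1
# Exit code 0 = all checks pass; 1 = at least one check failed (fails the TS step).
$failures = @()

# 1. TPM must be present, enabled, activated and owned (step 1 of the procedure).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $failures += 'No TPM found (Win32_Tpm returned nothing)'
} else {
    if (-not $tpm.IsEnabled().IsEnabled)     { $failures += 'TPM is not enabled' }
    if (-not $tpm.IsActivated().IsActivated) { $failures += 'TPM is not activated' }
    if (-not $tpm.IsOwned().IsOwned)         { $failures += 'TPM is not owned' }
}

# 2. A separate system volume must exist: the volume flagged SystemVolume must not be
#    the same volume as the one flagged BootVolume (the Windows installation).
$volumes = Get-WmiObject -Class Win32_Volume
$sysVol  = $volumes | Where-Object { $_.SystemVolume }
$bootVol = $volumes | Where-Object { $_.BootVolume }
if (-not $sysVol -or ($sysVol.DeviceID -eq $bootVol.DeviceID)) {
    $failures += 'No separate system volume: run "BdeHdCfg -target default -quiet" and reboot first'
}

# 3. MBAM client installed (service name MBAMAgent is an assumption of this example).
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if (-not $svc) { $failures += 'MBAM client service (MBAMAgent) not installed' }

# 4. OS volume: encryption must have started and the right protectors must exist.
$osDrive = $env:SystemDrive
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq $osDrive }
if (-not $vol) {
    $failures += "Win32_EncryptableVolume has no entry for $osDrive"
} else {
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress
    $conv = $vol.GetConversionStatus()
    if ($conv.ConversionStatus -eq 0) { $failures += "$osDrive is not encrypted and not being encrypted" }

    # KeyProtectorType: 1 = TPM only, 3 = numerical (recovery) password, 4 = TPM and PIN
    $ids   = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $types = @()
    foreach ($id in $ids) { $types += $vol.GetKeyProtectorType($id).KeyProtectorType }
    if (-not ($types -contains 1 -or $types -contains 4)) {
        $failures += 'No TPM or TPM+PIN protector on the OS volume'
    }
    if (-not ($types -contains 3)) {
        $failures += 'No numerical recovery password on the OS volume (nothing to escrow in AD or MBAM)'
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
Write-Output "All MBAM/BitLocker prerequisite checks passed on $env:COMPUTERNAME"
exit 0
```

    Placing this check between step 7 and the OU move means a machine with no system partition or no recovery protector stays in the staging OU where the failure is visible in the MDT log, instead of reaching users and then failing at the PIN prompt.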
  • Hi,

    many thanks for your help. It works, but not perfect :-)

    How do you manage the TPM+PIN in the GPO thing? Is your Client already in the OU (where the TPM+Pin setting is applied) after domain join?

    I tried that, then encryption fails with warning that GPO settings do not allow TPM only encryption.

    I can't find a reg key for AddMBAMRegEntries.reg to set only TPM encryption.

    Or do you use some "staging OU with no GPOs applied" during encryption and then move the Client to the final OU (with TPM + Pin setting) ?

    Thanks.

    Regards,

    ckuever

    Thursday, March 08, 2012 4:46 PM
  • Hi,

    I tried that, then encryption fails with warning that GPO settings do not allow TPM only encryption.

    This means the Group Policies have already been applied to the client. You need to use TPM+PIN to enable BitLocker.

    Juke Chou
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Juke Chou

    TechNet Community Support

    Friday, March 09, 2012 7:55 AM
  • Hi,

    Any update?


    Juke Chou

    TechNet Community Support

    Tuesday, March 13, 2012 6:54 AM
  • Hi,

    sorry for the delay. Yes, encryption works, but now I have a problem when trying to set the BitLocker PIN via the MBAM Client (after the TPM + PIN GPOs are applied).

    I get this error in client Eventlog:

    Description: An error occurred while sending encryption status data.
    Error code: 0x803d0013

    I already tried the DisableMachineVerification reg key from http://support.microsoft.com/kb/2612822, still not working.

    Any other suggestions?

    Is it possible that this error has something to do with the fact that we were not able to install the keyrecovery DB (customer had no SQL Enterprise license available)?

    Thanks.

    Regards,

    ckuever

    Tuesday, March 13, 2012 5:47 PM
  • Can you check the application log on the MBAM Admin & Monitoring server and look for ASP.NET warning or error messages.

    Send us that information and we can help you.

    Check this:

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

    -Manoj


    Manoj Sehgal

    Wednesday, March 14, 2012 9:50 AM
  • Hi,

    Does the suggestion provided by manojsehgal work for you?


    Juke Chou

    TechNet Community Support

    Tuesday, March 20, 2012 10:22 AM
  • Hi,

    sorry for the delay, my customer didn't have time before today.

    I found ASP.NET 2.0.50727.0 1310 error in eventlog on the MBAM Server:

    Event code: 100003
    Event message: SQL error occured
    Event time: 13.03.2012 10:38:48
    Event time (UTC): 13.03.2012 09:38:48
    Event ID: 830b3c1c08d54895b84e5e1b2c14ded4
    Event sequence: 2
    Event occurrence: 1
    Event detail code: 0
    Application domain: /LM/W3SVC/2/ROOT/MBAMRecoveryAndHardwareService-1-129761050622807033
    Trust level: Full
    Application Virtual Path: /MBAMRecoveryAndHardwareService
    Application Path: F:\inetpub\Malta BitLocker Management Solution\MBAM Recovery And Hardware Service\
    Machine name: SCOOTER
        Application: MBAMComplianceStatusService
        Sql Server: 
        Database: MBAM Recovery and Hardware
        Sql ErrorCode: 53    Error Message: Netzwerkbezogener oder instanzspezifischer Fehler beim Herstellen einer Verbindung mit SQL Server. Der Server wurde nicht gefunden, oder auf ihn kann nicht zugegriffen werden. Überprüfen Sie, ob der Instanzname richtig ist und ob SQL Server Remoteverbindungen zulässt. (provider: Named Pipes-Provider, error: 40 - Verbindung mit SQL Server konnte nicht geöffnet werden)

    Does this error occur because my customer did not install the KeyRecoveryDB (no SQL Enterprise license)?

    This is our AddMBAMRegEntries.reg file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
    "Installed"=dword:00000001
    "KeyRecoveryOptions"=dword:00000000
    "UseKeyRecoveryService"=dword:00000001
    ; hex(2) is REG_EXPAND_SZ stored as UTF-16LE bytes; this value decodes to
    ; http://scooter:8080/MBAMRecoveryAndHardwareService/CoreService.svc
    "KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
      73,00,63,00,6f,00,6f,00,74,00,65,00,72,00,3a,00,38,00,30,00,38,00,30,00,2f,\
      00,4d,00,42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,\
      41,00,6e,00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,\
      00,72,00,76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,\
      72,00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
    "DeploymentTime"=dword:00000001
    "NoStartupDelay"=dword:00000001
    "DisableMachineVerification"=dword:00000001
    "HWExemptionType"=dword:00000002

    We configured these GPOs in the temporary Installation OU (in which the computer account is created after domain join), following http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx:

    Change the GPOs for the Operating System drive under BitLocker Drive Encryption.

    - Configure TPM startup to “Do not allow TPM”

    - Configure TPM startup PIN to “Allow TPM and PIN”

    - Configure TPM startup key to “Do not allow startup key with TPM”

    - Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”

    Are these GPO settings correct? Do I also need MBAM GPO settings at this time?

    Please clarify the necessary settings, I can't find all the information needed in the whitepaper.

    Thanks for your help

    Regards,

    ckuever



    Monday, March 26, 2012 8:48 AM
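    The post above lists four BitLocker startup settings for the staging OU and a .reg file whose endpoint is only readable as a hex(2) dump, and the question "are these GPO settings correct?" is really "which settings have actually reached this client?". The script below is an added example, not code from this thread or from Microsoft: it decodes the REG_EXPAND_SZ endpoint from an AddMBAMRegEntries.reg file like the one above and prints the startup-authentication and MBAM endpoint policy values present on the client. The registry locations are my assumptions about where these GPOs land: the "Require additional authentication at startup" policy under HKLM\SOFTWARE\Policies\Microsoft\FVE as UseTPM, UseTPMPIN, UseTPMKey and UseTPMKeyPIN (0 = Do not allow, 1 = Require, 2 = Allow), and the "Configure MBAM services" policy under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement.

```powershell
# Added example: show which BitLocker/MBAM policy values a client has actually received,
# and decode the hex(2) endpoint from an AddMBAMRegEntries.reg file.

function ConvertFrom-RegHexString {
    # Turns the "hex(2):68,00,74,00,..." form a .reg file uses for REG_EXPAND_SZ into
    # a normal string (bytes are UTF-16LE; the trailing NUL terminator is removed).
    param([string]$HexValue)
    $hex   = $HexValue -replace '^hex\(\d+\):', ''
    $bytes = [byte[]]($hex -split ',' | Where-Object { $_ -ne '' } | ForEach-Object { [Convert]::ToByte($_, 16) })
    return [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function Get-RegFileValues {
    # Minimal .reg reader: joins backslash-continued lines, returns name -> raw value.
    param([string]$Path)
    $text   = [IO.File]::ReadAllText((Resolve-Path $Path).Path)   # honours the UTF-16 BOM regedit writes
    $joined = $text -replace '\\\r?\n\s*', ''                      # "...,2f,00,\" + newline + "  73,00,..."
    $result = @{}
    foreach ($line in $joined -split "`r?`n") {
        if ($line -match '^"([^"]+)"=(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    return $result
}

# --- 1. Startup authentication policy (the four settings quoted in the post) ---
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    $v    = if ($fve) { $fve.$name } else { $null }
    $text = if ($v -eq $null) { 'not configured' } else { $meaning[[int]$v] }
    Write-Output ("{0,-13} = {1}" -f $name, $text)
}
# "Do not allow TPM" is exactly the policy that makes a TPM-only encryption started by
# StartMBAMEncryption.wsf fail with "GPO settings do not allow TPM only encryption".
if ($fve -and $fve.UseTPM -eq 0) {
    Write-Output 'WARNING: UseTPM = 0 (Do not allow TPM): TPM-only encryption from the task sequence will be refused'
}

# --- 2. MBAM service endpoints delivered by the "Configure MBAM services" policy ---
$mbam = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement' -ErrorAction SilentlyContinue
foreach ($name in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint') {
    $v = if ($mbam) { $mbam.$name } else { $null }
    Write-Output ("{0,-31} = {1}" -f $name, $(if ($v) { $v } else { 'not configured' }))
}

# --- 3. Endpoint baked into the task-sequence .reg file (path is an assumption) ---
$regFile = 'AddMBAMRegEntries.reg'
if (Test-Path $regFile) {
    $vals = Get-RegFileValues $regFile
    # For the file posted above this prints:
    #   http://scooter:8080/MBAMRecoveryAndHardwareService/CoreService.svc
    Write-Output ("Reg file KeyRecoveryServiceEndPoint = {0}" -f (ConvertFrom-RegHexString $vals['KeyRecoveryServiceEndPoint']))
}
```

    Running this on a client after `gpupdate /force` in the staging OU, and again after the move to the final OU, shows in one screen whether the "Do not allow TPM" setting is present while the task sequence still expects TPM-only encryption, and whether the policy endpoints match the ones the .reg file wrote.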
  • Hi,

    first, sorry for the bad formatting, I wasn't able to format the HTML code for some reason :-(

    Whatever, any suggestions?

    I still get Error code: 0x803d0013 on Clients.

    The Client automatically encrypts via StartMbamencryption.wsf, then the Computer Account is moved to the target OU and the final MBAM GPOs get applied.

    The user starts MBAMClientUI.exe, it automatically detects the GPO change and prompts for a PIN. After entering the PIN, Error code: 0x803d0013 appears and the PIN isn't set correctly.

    Again the question: Is it possible that all this happens because customer didn't install the KeyRecoveryDB? (no SQL Enterprise license available)

    We need to set KeyRecoveryOptions=0 and UseKeyRecoveryService=0 in AddMBAMRegEntries.reg

    RecoveryKey is correctly saved in AD via vbs Script, that's ok for customer, they only want to use MBAM for changing PIN on clients and Compliance Status reports.

    Thanks.

    Regards,

    ckuever

    Tuesday, March 27, 2012 12:05 PM
  • I think we need the SQL database:

    MBAM Setup Fails with SQL Error: Error obtaining a certificate protected by the master key
    http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx


    Thanks
    Zero


    Tuesday, March 27, 2012 1:43 PM
  • Hi,

    I found the problem, and as we already suspected it's because of the missing KeyRecoveryDB.

    But this is not clarified in any documentation! It's possible to install MBAM Server without KeyRecovery DB, but then you get the error.

    In Detail:

    When I reset Configure MBAM services in GPO to not configured, users are able to set their PIN via MBAM Client.

    If I enable Configure MBAM services MBAM Client fails with 0x803d0013

    That's stupid, why is it not possible to configure only the "Status reporting service endpoint"?

    If I configure only Status reporting service endpoint and Hardware Service Endpoint is blank, then I get error "Endpoint settings not correct" on the Client.

    Therefore last question: Is it possible to configure/use only the Reporting Endpoint/Compliance Reporting?

    Thanks.

    Regards,

    ckuever



    Wednesday, March 28, 2012 9:09 AM
  • We configured these GPOs in the temporary Installation OU (in which the computer account is created after domain join), following http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx:

    Change the GPOs for the Operating System drive under BitLocker Drive Encryption.

    - Configure TPM startup to “Do not allow TPM”

    - Configure TPM startup PIN to “Allow TPM and PIN”

    - Configure TPM startup key to “Do not allow startup key with TPM”

    - Configure TPM startup key and PIN to “Do not allow startup key and PIN with TPM”

    Hello Christian,

    I'm able to encrypt the machine during the MDT Task Sequence but I can't put a PIN on the machine after it's encrypted (letting users set their PIN via the MBAM Client).

    So I'm asking you:

    - Can you clarify for me the GPOs that you have in your Task Sequence, and then what GPOs you have after you move the machine to the final OU? So that I can enable users to set the PIN via the MBAM Client.

    Thanks, 

    Best Regards,

    Bruno Henriques

    ps: if you can give me your email to clear some more doubts please send it to bruno.henriques@unisys.com


    Wednesday, March 28, 2012 2:30 PM
  • Just checking if any update.

    Thanks
    Zero


    Monday, April 02, 2012 1:11 AM