MBAM encryption of C & D drives

  • Question

  • Now that MBAM 2.0 supports the encryption of the D partition with autounlock, is it possible to have the encryption done using MDT?

    The only script that I can find on the Deployment Guys will only do the system disk.

    Thursday, May 30, 2013 8:57 AM

Answers

  • No problem Keith:

    Using MBAM 2.5 for encryption, SCCM2007 to build systems

    We have 2 partitions on Win 7 (only 1 on Win 8.1)

    Win 8.1 C: encrypts fine

    On Win 7 C: also encrypts but D: does not.

    Apparently we have to prompt the user to enter a password for fixed disks to start encryption and report to MBAM.

    This line from Manoj Sehgal sums up the issue and offers a resolution which seems a bit of a lash up:

    “As I said earlier, MBAM by design, requires a password to be entered for fixed data drives. If you do not use MBAM, original bitlocker will allow you to encrypt the drives using auto-unlock. Also if you do this, MBAM compliance reports will not report your fixed drives as encrypted since MBAM requires password as a protector. One thing you can do is: For deployment, you can use auto-unlock with original bitlocker GPOs. Once done enable MBAM GPO, which will only prompt the user to supply a password for data drives. In this way you accomplish your goal for deployment and also get correct MBAM reporting for your data drives”

    https://social.technet.microsoft.com/Forums/windows/en-US/9638f396-98e8-4b71-80cb-01c510b56f9e/how-to-skip-the-mbam-client-password-page-for-fixed-drives?forum=w7itprosecurity

    Thanks for anything on this,

    Carl


    Carl Barrett | Twitter: @Mosquat

    Tuesday, January 27, 2015 8:06 AM

All replies

  • For me, using Manage-BDE after the encryption of the C drive worked; it should be further tested, though...

    Or.

    Thursday, May 30, 2013 10:22 AM
  • After C is encrypted I tried running

    manage-bde -on D:

    But I get this error

    Volume D: [Data Drive]

    [Data Volume]

    ERROR: An error occurred (code 0x8031002e):

    BitLocker Drive Encryption cannot encrypt the specified drive because an encryption key is not available. Add a key protector to encrypt this drive.

    From Manage-BDE it will not allow me to set the D drive to use TPM

    If I open MBAMClientUI.exe and click start it works fine. I need to find a way to make this happen automatically.

    Any ideas?


    Friday, May 31, 2013 10:09 AM
  • According to http://technet.microsoft.com/en-us/library/jj647767.aspx, you may need to set a protector for the data volume first:

    manage-bde -protectors -add -pw D:
    manage-bde -on D:

    MBAMClientUI.exe may be doing that for you behind the scenes.

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Friday, May 31, 2013 3:48 PM
    Answerer
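    Putting David's point (a data volume needs a key protector before `manage-bde -on` will run) together with the accepted answer's sequence (native BitLocker auto-unlock at deployment time, MBAM password GPO applied afterwards), here is an added PowerShell example for a task-sequence step. It is not code from this thread or from Microsoft; it assumes it runs elevated after the OS drive is already encrypted, and the `-DataDrive` parameter and function names are my own.

    ```powershell
    # Added example (not from the thread or from Microsoft): deployment-time
    # encryption of a fixed data drive with native BitLocker auto-unlock,
    # following the accepted answer. Assumes: runs elevated in the task
    # sequence, the OS drive is already encrypted, -DataDrive is our own name.
    param([string]$DataDrive = 'D:')

    function Invoke-Bde {
        # Run manage-bde and return its output text and exit code together.
        param([string[]]$BdeArgs)
        $text = (& manage-bde @BdeArgs 2>&1 | Out-String)
        return [pscustomobject]@{ Code = $LASTEXITCODE; Text = $text }
    }

    function Test-OsDriveProtected {
        # Auto-unlock keys live on the OS volume, so it must be protected first.
        $r = Invoke-Bde @('-status', $env:SystemDrive)
        return ($r.Text -match 'Protection Status:\s+Protection On')
    }

    function Get-ProtectorState {
        # "None Found" under Key Protectors is the state that makes -on fail
        # with 0x8031002e (no encryption key available).
        $r = Invoke-Bde @('-status', $DataDrive)
        if ($r.Text -match 'Key Protectors:\s+None Found') { return 'None' }
        return 'Present'
    }

    if (-not (Test-OsDriveProtected)) {
        Write-Error "OS drive is not protected yet; encrypt it before $DataDrive."
        exit 1
    }

    if ((Get-ProtectorState) -eq 'None') {
        # A recovery password keeps the volume recoverable if auto-unlock
        # breaks (OS reinstall). Escrow it yourself: MBAM will not treat it as
        # the password protector it requires until the MBAM GPO stage.
        $add = Invoke-Bde @('-protectors', '-add', $DataDrive, '-RecoveryPassword')
        if ($add.Code -ne 0) { Write-Error $add.Text; exit $add.Code }
        $RecoveryPasswordText = $add.Text   # escrow; keep out of SMSTS logs
    }

    $on = Invoke-Bde @('-on', $DataDrive)
    if ($on.Code -ne 0) {
        if ($on.Text -match '0x8031002e') { Write-Error "No key protector on $DataDrive." }
        Write-Error $on.Text; exit $on.Code
    }

    # Auto-unlock stores an external key on the encrypted OS volume so the
    # user is never prompted for the data drive at boot.
    $au = Invoke-Bde @('-autounlock', '-enable', $DataDrive)
    if ($au.Code -ne 0) { Write-Error $au.Text; exit $au.Code }
    Invoke-Bde @('-status', $DataDrive) | Select-Object -ExpandProperty Text
    ```

    Until the MBAM GPO later prompts for and adds the password protector, MBAM compliance reports will still show the data drive as not encrypted, exactly as the quoted Manoj Sehgal post warns.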
  • Thanks for the suggestion.

    I have tried as suggested however I am prompted to provide a password

    When using the MBAMClientUI.exe there is no prompt for a password.

    Any idea why?

    Sunday, June 2, 2013 10:30 AM
  • I'm sure it's handling something behind the scenes for you, trick is to figure out what.

    Have you seen this blog post over at Deployment Guys: http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx   I think it's for MBAM 1.0 based on when it was posted, but the scripts might be able to be modified or give you a hint in the right direction of what you need to do.


    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Sunday, June 2, 2013 2:43 PM
    Answerer
  • Yep, that's the script that I am using - it only deals with the C drive... it will not deal with the D.

    Monday, June 3, 2013 9:37 AM
  • The script is set for C: specifically.. have you tried changing it to D:?

    Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'") 


    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    Monday, June 3, 2013 10:16 PM
    Answerer
  • I have tried that but unfortunately it doesn't work.

    Once the system is deployed with only the C drive encrypted I could deal with it using a script; however, it doesn't appear to be possible.

    It's mad that there is no command line to start the encryption process off. The MBAMClientUI doesn't appear to be able to be scripted to hit the start button!

    Thursday, June 20, 2013 5:07 PM
  • I think the problem is that BitLocker is managing the OS disk differently from the Data disks. For instance the TPM chip is only used to protect the OS disk, Data disks do not involve the TPM chip. Therefore the process to initiate the encryption on a Data disk is different from the OS disk.
    MBAM and BitLocker are all based on Group Policy. Have you checked that maybe there aren't some policies that would allow the encryption of the D: drive automatically?


    • Edited by Nic Zarrilli Friday, June 21, 2013 8:27 AM spelling
    Friday, June 21, 2013 8:24 AM
  • Yes, I have checked the group policies and there is nothing there to start the process off automatically.

    All the engineer needs to do is launch MBAMClientUI.exe and hit Start - but I need to remove the manual process as we are not getting the compliance levels required.

    Friday, June 21, 2013 2:17 PM
  • Now I haven't tried the MBAM console so I am not really sure if that is available, but have you tried to see if there is anything you can do centrally? If you can, then maybe there is a way to write an MBAM console script to launch the kick-off automatically for any pending computer.
    Monday, June 24, 2013 9:34 AM
  • Did this ever get resolved? I'm seeing the same issue here... I think we can probably do something, but it's pretty poor if we have to lash something up to make this work....

    Carl Barrett | Twitter: @Mosquat

    Monday, January 26, 2015 8:42 AM
  • TL;DR. Can you summarize what the question is?

    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Monday, January 26, 2015 10:37 PM
    Moderator
  • Hi,

    I'm using MBAM 2.5 on W10 clients.

    With the MBAM GPO, the C:\ drive is automatically encrypted with TPM without user interaction.
    I've also forced computers to encrypt the D:\ drive.
    Unfortunately (if I'm right), we cannot use TPM for a non-system drive, so through the GPO, BitLocker asks/forces/displays a message to notify the user that he has to:
            - encrypt the D drive
            - set up a recovery password

    My GPO also forces RO access to the non-encrypted D drive, and the user cannot postpone D drive encryption.

    • Edited by Thierry Bon Friday, December 22, 2017 3:50 PM
    Friday, December 22, 2017 3:48 PM