How to Enable BitLocker without TPM?

Hi all

We're running SCCM 2012 R2 CU4. All has gone well with our global migration to Windows 7 SP1 Enterprise with MBAM using our SCCM task sequence.

2 offices remain: Beijing and Shanghai. However, Chinese regulations do not permit the use of TPM chips, in fact, all laptops we buy locally have the TPM chip disabled permanently at manufacturing. So we have been trying to create a task sequence that enables BitLocker using a Startup (USB) key instead of the TPM but we're getting a task sequence error 0x80004005 during the "Enable BitLocker" step. This is proving to be more difficult than anticipated.

Can anyone offer any assistance or a link to a guide that walks us through the process for enabling BitLocker using a Startup key in the absence of a TPM chip please?

Best regards
Scott


  • Edited by mr5h Tuesday, March 24, 2015 10:47 AM
March 24th, 2015 12:50am

It actually looks like someone has posted this before https://social.technet.microsoft.com/Forums/systemcenter/en-US/a69dd218-71f6-4782-9dcd-91b7b816852c/bitlocker-task-sequence-procedure-without-tpm

It's probably worth logging a call with your Microsoft TAM - if you don't have one, it might be worth paying for a few hours of support to get a definitive answer. There is also this blog which touches on what you are trying to do:

http://blogs.technet.com/b/pauljones/archive/2010/03/08/how-to-enable-bitlocker-with-sccm-osd.aspx

I suspect most people in your situation have gone with third party encryption tools which is why there is such a lack of information around the issue.

Cheers

Damon



March 25th, 2015 3:57am

So Technet says this (and it appears it's supported, which I was thinking it wouldn't be):

Choose the drive to encrypt
Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure the key management. To specify that the Trusted Platform Module (TPM) should be used for key management, select TPM only. To specify that the startup key should be on USB only, select Startup key on USB only. To specify the key management for both the TPM and USB select TPM and startup key on USB only. To encrypt a specific drive (a non-operating system data drive) select Specific drive.

Note
If you select USB, you must have a USB drive attached to the computer when the operating system deployment is performed. The startup key is written to the USB drive.

Have you confirmed that you are using these settings? Just a heads up that domain Group Policies will not apply to a computer during an OSD Task Sequence so you can exclude that as having any influence over the process.

Cheers

Damon

March 25th, 2015 7:41am


Thanks for your replies and apologies for the delay in replying.

I have been receiving help from Microsoft Premier Support who initially advised to disable the "Prepare drive for BitLocker" step but it was the disabling of this step that caused all the problems. Once I re-enabled the step, in conjunction with the additional steps (below), the task sequence completed and the drive was encrypted successfully:-

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t Reg_Dword /d 1 /f
reg add HKLM\Software\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 2 /f
MANAGE-BDE -ON C: -RP -SK E:\ -S

We would appreciate your help with these queries please:-

1. In the event a user has their USB key lost or stolen, they can contact IT for the 48-digit recovery password. This is tedious if the user is working away from the office for a long period of time and needs a replacement USB key. We could post a replacement USB key to the user but this means we would need to securely store each machine's .BEK file(s). Other than a secure network share, what is the Microsoft best practice on securely storing each machine's .BEK file(s) so that we may send it to a customer to copy to a new, formatted USB key?

2. A Startup key is only one method of protection but if we can add a PIN or a password to the boot process that would provide 2 methods of protection, just like we have for our machines with a TPM. However, I understand a PIN can only be set with a TPM and when I try to add a password (manage-bde -protectors -add c: -pw) I get ERROR: An error occurred (code 0x8031006d). A password cannot be added to the operating system drive. Can we set a PIN or a password on our machines with no TPM, if so, how?

3. Microsoft Premier Support mentioned MBAM for our machines with no TPM. If we can get our machines with no TPM into our existing MBAM infrastructure then that would be the best option because we can set a PIN, use the IT Service Desk portal, use the Self-Service portal and utilise the audit reports and SCCM reports. However, when I try the Start MBAM Encryption Script step (StartMBAMEncryption.wsf) it already works on the TPM machines but fails on the non-TPM machines because the script is looking for a TPM. How can we add our machines with no TPM into MBAM please?

Thanks
Scott


  • Edited by mr5h 20 hours 41 minutes ago additional info
April 2nd, 2015 6:55am
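The steps Scott describes (two policy values, then manage-bde with a recovery password and a USB startup key) wrapped into one PowerShell script, as an added example that is not code from the thread or from Microsoft. It calls manage-bde rather than the BitLocker PowerShell module because Windows 7 does not ship that module. It assumes it runs elevated inside the task sequence, that the startup-key USB stick is mounted as E:\ (a constructed default), and that the machine is already domain-joined with an AD schema that supports BitLocker recovery information, which the final escrow step needs. That step covers the recovery-password half of question 1: AD DS holds the 48-digit recovery password, not the .BEK startup key file. Function names are my own.

```powershell
# Added example, not code from the thread: enable BitLocker on a Windows 7 OS
# drive with no TPM (USB startup key + recovery password), verify the protectors
# that were created, and escrow the recovery password in Active Directory.
# Assumptions: runs elevated; the startup-key USB stick is mounted as E:\ (constructed
# default, change as needed); the computer is domain-joined so -adbackup can succeed.
param(
    [string]$OsDrive  = 'C:',
    [string]$UsbDrive = 'E:\'
)

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-NoTpmPolicy {
    # Same two policy values as the thread's Run Command Line steps:
    # allow BitLocker without a compatible TPM, and EncryptionMethod 2
    # (AES 256-bit with Diffuser in the Windows 7 policy numbering).
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    New-ItemProperty -Path $FvePolicy -Name 'EnableBDEWithNoTPM' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $FvePolicy -Name 'EncryptionMethod'   -PropertyType DWord -Value 2 -Force | Out-Null
}

function Get-KeyProtectors {
    param([string]$Drive)
    # Parse 'manage-bde -protectors -get' into objects with Type and Id. In that
    # output a protector header line such as "External Key:" is followed directly
    # by its "ID: {GUID}" line; any other non-blank line ends the pending header.
    $protectors = @()
    $type = $null
    foreach ($line in (& manage-bde -protectors -get $Drive 2>&1)) {
        $text = [string]$line
        if ($text -match '^\s*(Numerical Password|External Key|TPM[\w ]*|Password):\s*$') {
            $type = $Matches[1]
        } elseif ($type -and $text -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $protectors += New-Object PSObject -Property @{ Type = $type; Id = $Matches[1] }
            $type = $null
        } elseif ($text.Trim() -ne '') {
            $type = $null
        }
    }
    return ,$protectors
}

function Enable-NoTpmBitLocker {
    param([string]$Drive, [string]$Usb)
    # Long-form equivalent of the thread's "manage-bde -on C: -rp -sk E:\ -s".
    & manage-bde -on $Drive -RecoveryPassword -StartupKey $Usb -SkipHardwareTest | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed (exit code $LASTEXITCODE)" }

    $protectors = Get-KeyProtectors -Drive $Drive
    foreach ($required in 'Numerical Password', 'External Key') {
        if (-not ($protectors | Where-Object { $_.Type -eq $required })) {
            throw "Expected a '$required' protector on $Drive but none was created"
        }
    }

    # Escrow each recovery password in the computer's AD object. This is the
    # supported store for the 48-digit password; it does NOT store the .BEK file
    # that lives on the USB stick, so a lost stick still means a recovery.
    foreach ($rp in ($protectors | Where-Object { $_.Type -eq 'Numerical Password' })) {
        & manage-bde -protectors -adbackup $Drive -id $rp.Id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "AD backup of protector $($rp.Id) failed (exit code $LASTEXITCODE)" }
    }
    return $protectors
}

Set-NoTpmPolicy
Enable-NoTpmBitLocker -Drive $OsDrive -Usb $UsbDrive | Format-Table Type, Id -AutoSize
```

Run it as a single Run Command Line step (powershell.exe -ExecutionPolicy Bypass -File ...) in place of the three separate steps; a failed protector check or a failed AD escrow stops the task sequence with a readable error instead of the bare 0x80004005.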


1. I can't really find anything useful on this either apart from Technet going over where you can and can't store the files. Perhaps others can comment?

2. It would appear based on this information: https://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx that you can't set a pin or password with Bitlocker with no TPM 1.2 chip. This post also talks about your query re: using a pin with a USB startup key https://social.technet.microsoft.com/Forums/windows/en-US/9734801b-e30c-4fcf-848c-5dabdabc23f9/windows-7-bitlocker-using-startup-pin-and-usb-flash-drive-but-without-a-tpmhow?forum=w7itprosecurity

3. It would appear that based on this information: https://social.technet.microsoft.com/Forums/windows/en-US/51aee765-d060-48a9-9fba-89120cd107d0/do-we-use-mbam-to-enable-bitlocker-on-a-machine-without-tpm-chip?forum=w7itprosecurity that you can't use MBAM on hardware with no TPM chip in conjunction with Windows 7.

April 6th, 2015 2:17am

Be aware that Windows 8 and 10 will support Bitlocker without TPM and USB key device. Only Windows 7 requires TPM.
April 6th, 2015 3:53am

Thanks for the information, we understand Windows 7 without a TPM does not support a PIN or password.

We installed the MBAM Agent 5 days ago but when we try to recover the password in the IT Service Desk portal we get Recovery key not found, which suggests it's not in the MBAM database. We've checked all reg keys in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement and they look present and correct.

Any ideas why this is not working? How can we add our machines with no TPM into MBAM please?

April 7th, 2015 9:05am

As suspected, a different Microsoft employee confirmed Windows 7 machines without a TPM are not compatible with MBAM, Windows 8 is though.

Nevertheless, we managed to get the Enable BitLocker step to work by creating a step before it that imports the required registry keys:-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVPassphrase"=dword:00000001
"FDVEnforcePassphrase"=dword:00000001
"FDVPassphraseComplexity"=dword:00000002
"FDVPassphraseLength"=dword:00000008
"OSPassphrase"=dword:00000001
"OSPassphraseComplexity"=dword:00000002
"OSPassphraseLength"=dword:00000008
"OSPassphraseASCIIOnly"=dword:00000000
"OSRecovery"=dword:00000001
"OSManageDRA"=dword:00000001
"OSRecoveryPassword"=dword:00000002
"OSRecoveryKey"=dword:00000002
"OSHideRecoveryPage"=dword:00000001
"OSActiveDirectoryBackup"=dword:00000001
"OSActiveDirectoryInfoToStore"=dword:00000001
"OSRequireActiveDirectoryBackup"=dword:00000001
"EnableBDEWithNoTPM"=dword:00000001
"UsePartialEncryptionKey"=dword:00000002
"UsePIN"=dword:00000002
"UseAdvancedStartup"=dword:00000001
"UseTPM"=dword:00000000
"UseTPMKey"=dword:00000000
"UseTPMPIN"=dword:00000002
"UseTPMKeyPIN"=dword:00000002
"UseEnhancedPin"=dword:00000000
"MinimumPIN"=dword:00000006
"EncryptionMethod"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
"UseMBAMServices"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  62,00,61,00,6d,00,73,00,72,00,76,00,30,00,31,00,2e,00,70,00,69,00,6e,00,73,\
  00,65,00,6e,00,74,00,6d,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6f,00,\
  63,00,61,00,6c,00,2f,00,4d,00,42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,\
  00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,\
  72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,\
  00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,\
  00,00
"KeyRecoveryOptions"=dword:00000001
"ClientWakeupFrequency"=dword:0000005a
"UseStatusReportingService"=dword:00000001
"StatusReportingServiceEndpoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,\
  00,62,00,61,00,6d,00,73,00,72,00,76,00,30,00,31,00,2e,00,70,00,69,00,6e,00,\
  73,00,65,00,6e,00,74,00,6d,00,61,00,73,00,6f,00,6e,00,73,00,2e,00,6c,00,6f,\
  00,63,00,61,00,6c,00,2f,00,4d,00,42,00,41,00,4d,00,43,00,6f,00,6d,00,70,00,\
  6c,00,69,00,61,00,6e,00,63,00,65,00,53,00,74,00,61,00,74,00,75,00,73,00,53,\
  00,65,00,72,00,76,00,69,00,63,00,65,00,2f,00,53,00,74,00,61,00,74,00,75,00,\
  73,00,52,00,65,00,70,00,6f,00,72,00,74,00,69,00,6e,00,67,00,53,00,65,00,72,\
  00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"StatusReportingFrequency"=dword:000002d0
"ShouldEncryptOSDrive"=dword:00000001
"OSDriveProtector"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement\Configuration]
"CustomerExperienceImprovementProgram"=dword:00000000

Hope this helps others with a similar problem.

  • Marked as answer by mr5h 18 hours 3 minutes ago
Free Windows Admin Tool Kit Click here and download it now
May 1st, 2015 9:44am
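A way to verify that a registry import like the one above actually took effect before the Enable BitLocker step runs, as an added example that is not code from the thread or from Microsoft. It parses a .reg file of the same shape (dword values and hex(2) values continued across backslash-terminated lines), decodes the hex(2) entries from UTF-16LE so the MBAM endpoint URLs can be read and reviewed in clear, and diffs every value against the live registry. The .reg text inside the script is constructed for the example and encodes the placeholder endpoint http://mbam, not a real server; function names are my own.

```powershell
# Added example, not code from the thread: parse a .reg file of the shape posted
# above (dword and hex(2) values, backslash-continued hex lines) and compare each
# value with the live registry, so the "import registry keys" step can be verified
# before the Enable BitLocker step runs. The .reg text below is constructed; the
# MBAM endpoint it encodes is the placeholder http://mbam, not a real server.

$SampleReg = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EnableBDEWithNoTPM"=dword:00000001
"UseTPM"=dword:00000000
"EncryptionMethod"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
"UseMBAMServices"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,00,00
'@

function ConvertFrom-RegFile {
    param([string]$Text)
    # Returns one object per value: Key (as a PowerShell registry path), Name, Type, Value.
    $entries = @()
    $key = $null
    $pending = ''                      # accumulates a value split across '\'-continued lines
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line.EndsWith('\')) { $pending += $line.TrimEnd('\'); continue }
        $line = $pending + $line
        $pending = ''
        if ($line -match '^\[(.+)\]$') {
            $key = $Matches[1] -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
        } elseif ($line -match '^"([^"]+)"=dword:([0-9A-Fa-f]{8})$') {
            $entries += New-Object PSObject -Property @{
                Key = $key; Name = $Matches[1]; Type = 'DWord'
                Value = [int64][Convert]::ToUInt32($Matches[2], 16)
            }
        } elseif ($line -match '^"([^"]+)"=hex\(2\):(.*)$') {
            # hex(2) is REG_EXPAND_SZ stored as UTF-16LE bytes with a terminating NUL
            $name  = $Matches[1]
            $bytes = [byte[]]($Matches[2] -split ',' | Where-Object { $_.Trim() -ne '' } |
                              ForEach-Object { [Convert]::ToByte($_.Trim(), 16) })
            $entries += New-Object PSObject -Property @{
                Key = $key; Name = $name; Type = 'ExpandString'
                Value = [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
            }
        }
    }
    return ,$entries
}

function Test-RegImport {
    param($Entries)
    # Compare each expected value with the registry; returns the entries that drift.
    $drift = @()
    foreach ($e in $Entries) {
        $actual = $null
        if (Test-Path $e.Key) {
            $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($e.Name) }
        }
        if ($actual -eq $null -or [string]$actual -ne [string]$e.Value) {
            $drift += New-Object PSObject -Property @{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = $actual }
        }
    }
    return ,$drift
}

$expected = ConvertFrom-RegFile -Text $SampleReg
$expected | Format-Table Name, Type, Value -AutoSize
$drift = Test-RegImport -Entries $expected
if ($drift.Count -eq 0) {
    'Live registry matches the .reg file.'
} else {
    $drift | Format-Table Key, Name, Expected, Actual -AutoSize
    exit 1
}
```

To check a real export, replace $SampleReg with Get-Content -Raw on the .reg file (or -join of Get-Content on Windows 7's PowerShell 2.0, which lacks -Raw). A non-zero exit from this step is what you want to see if the import silently failed, since that is exactly the state in which the Enable BitLocker step errors out.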
