MBAM encryption during MDT Tasksequence
Hi, hopefully someone can help me. I'm trying to configure my MDT task sequence to encrypt automatically using MBAM. I saw the following StartMBAMEncryption.wsf script: http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

The instructions are a little bit confusing: Do I only need to install the MBAM client via an MDT application and run StartMBAMEncryption.wsf with the reg keys? I want to use TPM + PIN. Is this possible, and how? I want to realize automatic encryption and then (after reboot) the client UI should ask for the TPM PIN. Is that possible? Maybe someone can provide screenshots or other detailed instructions?

Thanks, Regards, ckuever
March 7th, 2012 3:28pm

I was quite confused also before I got it to work :-) I did the following:

1. Create a step to enable the TPM at the beginning of the TS.

I have the following steps in the State Restore section:

2. Create a TS step to create the BitLocker partition (with command line: "BdeHdCfg -target default -quiet")
3. Create a TS step to restart the computer (to the currently installed OS)
4. Create a TS step to install the MBAM client
5. Create a package for the MBAM TS Support Package. Put 4 files in this package (ZTIUtility.vbs, StartMBAMEncryption.wsf, AddMBAMRegEntries.reg, RemoveMBAMRegEntries.reg)
6. Create a program in the package with command line: "cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg"
7. Create an Install Software step in the TS to run the package you just created.
8. Create an MBAM GPO to configure MBAM (here you can enable TPM + PIN).

After the deployment is done and you are logged into Windows, the MBAM client will ask you to create a PIN (if you enabled TPM+PIN in the GPO).

See more info about MBAM GPOs here:
Planning and Configuring Group Policy for MBAM: http://onlinehelp.microsoft.com/de-de/mdop/hh285629.aspx
Deploying MBAM Group Policies: http://onlinehelp.microsoft.com/pt-br/mdop/hh285640.aspx

Hope it works out for you :-)
March 8th, 2012 6:01am

Hi, many thanks for your help. It works, but not perfectly :-) How do you manage the TPM+PIN GPO thing? Is your client already in the OU (where the TPM+PIN setting is applied) after domain join? I tried that; then encryption fails with a warning that the GPO settings do not allow TPM-only encryption. I can't find a reg key for AddMBAMRegEntries.reg to set TPM-only encryption. Or do you use some "staging OU with no GPOs applied" during encryption and then move the client to the final OU (with the TPM + PIN setting)?

Thanks. Regards, ckuever
March 8th, 2012 11:46am

Hi,

"I tried that, then encryption fails with warning that GPO settings do not allow TPM only encryption."

This means the Group Policies have already been applied to the client. You need to use TPM+PIN to enable BitLocker.

Juke Chou
TechNet Community Support
March 9th, 2012 2:55am

Hi, any update?

Juke Chou
TechNet Community Support
March 13th, 2012 2:54am

Hi, sorry for the delay. Yes, encryption works, but now I have a problem when trying to set the BitLocker PIN via the MBAM client (after the TPM + PIN GPOs are applied). I get this error in the client event log:

Description: An error occurred while sending encryption status data. Error code: 0x803d0013

I already tried the DisableMachineVerification reg key from http://support.microsoft.com/kb/2612822, still not working. Any other suggestions? Is it possible that this error has something to do with the fact that we were not able to install the Key Recovery DB (customer had no SQL Enterprise license available)?

Thanks. Regards, ckuever
March 13th, 2012 1:47pm

Can you check the application log on the MBAM Admin & Monitoring server and look for ASP.NET warning or error messages? Send us that information and we can help you. Check this: http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

-Manoj
Manoj Sehgal
March 14th, 2012 5:50am

Hi, does the suggestion provided by manojsehgal work for you?

Juke Chou
TechNet Community Support
March 20th, 2012 6:22am

Hi, sorry for the delay, my customer didn't have time before today. I found an ASP.NET 2.0.50727.0 event 1310 error in the event log on the MBAM server:

100003 SQL error occurred
13.03.2012 10:38:48
13.03.2012 09:38:48
830b3c1c08d54895b84e5e1b2c14ded4
2 1 0
/LM/W3SVC/2/ROOT/MBAMRecoveryAndHardwareService-1-129761050622807033
Full
/MBAMRecoveryAndHardwareService
F:\inetpub\Malta BitLocker Management Solution\MBAM Recovery And Hardware Service\
SCOOTER
Application: MBAMComplianceStatusService
Sql Server:
Database: MBAM Recovery and Hardware
Sql ErrorCode: 53
Error Message (translated from German): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

Does this error occur because my customer did not install the Key Recovery DB (no SQL Enterprise license)?

This is our AddMBAMRegEntries.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000000
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  73,00,63,00,6f,00,6f,00,74,00,65,00,72,00,3a,00,38,00,30,00,38,00,30,00,2f,\
  00,4d,00,42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,\
  41,00,6e,00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,\
  00,72,00,76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,\
  72,00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001
"DisableMachineVerification"=dword:00000001
"HWExemptionType"=dword:00000002

We configured these GPOs in the temporary installation OU (in which the computer account is created after domain join), following http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx: change the GPOs for Operating System drive under BitLocker Drive Encryption.
- Configure TPM startup: Do not allow TPM
- Configure TPM startup PIN: Allow TPM and PIN
- Configure TPM startup key: Do not allow startup key with TPM
- Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

Are these GPO settings correct? Do I also need MBAM GPO settings at this time? Please clarify the necessary settings; I can't find all the information needed in the whitepaper.

Thanks for your help. Regards, ckuever
March 26th, 2012 4:48am
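The hex(2) value in the .reg file above is a REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes, which is why the endpoint is unreadable in the post. The following Python is an added example, not part of the thread and not how the MBAM client itself reads its settings: it decodes a Windows Registry Editor 5.00 export of this shape and runs two sanity checks a practitioner would want before pushing the file in a task sequence, namely that an endpoint is present when UseKeyRecoveryService=1, and whether that endpoint is plain http:// (so recovery data sent to it would not be TLS-protected). The sample input is the posted file reflowed onto lines; the check function and its messages are my own.

```python
"""Decode a .reg export such as AddMBAMRegEntries.reg and sanity-check the MBAM client values.

Added example (not from the thread and not MBAM's own parser): a reader for the
Registry Editor 5.00 export format so that hex(2) values can be inspected.
"""
import re

# Constructed input: the AddMBAMRegEntries.reg posted in the thread, reflowed
# onto lines. hex(2) is REG_EXPAND_SZ, stored as UTF-16LE bytes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000000
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  73,00,63,00,6f,00,6f,00,74,00,65,00,72,00,3a,00,38,00,30,00,38,00,30,00,2f,\
  00,4d,00,42,00,41,00,4d,00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,\
  41,00,6e,00,64,00,48,00,61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,\
  00,72,00,76,00,69,00,63,00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,\
  72,00,76,00,69,00,63,00,65,00,2e,00,73,00,76,00,63,00,00,00
"DeploymentTime"=dword:00000001
"NoStartupDelay"=dword:00000001
"DisableMachineVerification"=dword:00000001
"HWExemptionType"=dword:00000002
"""

MBAM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM"

# "name"="string"  or  "name"=type:payload  (type is dword, hex, hex(2), ...)
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|([a-z]+(?:\(\d+\))?):(.*))$')


def _logical_lines(text):
    """Join physical lines that end in a backslash (the .reg continuation marker)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode(kind, payload):
    """Turn the textual payload of a typed value into a Python object."""
    if kind == "dword":
        return int(payload, 16)
    if kind.startswith("hex"):
        data = bytes(int(b, 16) for b in payload.split(",") if b)
        if kind in ("hex(1)", "hex(2)", "hex(7)"):   # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")  # drop NUL terminator(s)
        return data                                   # REG_BINARY etc. stay raw
    raise ValueError(f"unsupported value type {kind!r}")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Registry Editor 5.00 export."""
    result, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        name, quoted, kind, payload = m.groups()
        result[current][name] = quoted if quoted is not None else _decode(kind, payload)
    return result


def check_mbam_settings(parsed):
    """My own sanity checks on the MBAM client values (not MBAM's validation)."""
    mbam = parsed.get(MBAM_KEY, {})
    findings = []
    endpoint = mbam.get("KeyRecoveryServiceEndPoint", "")
    if mbam.get("UseKeyRecoveryService") == 1 and not endpoint:
        findings.append("UseKeyRecoveryService=1 but KeyRecoveryServiceEndPoint is empty")
    if endpoint.lower().startswith("http://"):
        findings.append(f"endpoint {endpoint} is plain HTTP; data sent to it is not protected in transit")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, value in parsed[MBAM_KEY].items():
        print(f"{name} = {value!r}")
    for finding in check_mbam_settings(parsed):
        print("WARNING:", finding)
```

Decoding the posted value gives http://scooter:8080/MBAMRecoveryAndHardwareService/CoreService.svc, which matches the SCOOTER host in the server event log above.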

Hi, first sorry for the bad formatting, I wasn't able to format the HTML code for some reason :-( Whatever, any suggestions? I still get Error code: 0x803d0013 on clients. The client automatically encrypts via StartMBAMEncryption.wsf, then the computer account is moved to the target OU and the final MBAM GPOs get applied. The user starts MBAMClientUI.exe, it automatically detects the GPO change and prompts for a PIN. After entering the PIN, Error code: 0x803d0013 appears and the PIN isn't set correctly.

Again the question: Is it possible that all this happens because the customer didn't install the Key Recovery DB? (no SQL Enterprise license available) We need to set KeyRecoveryOptions=0 and UseKeyRecoveryService=0 in AddMBAMRegEntries.reg. The recovery key is correctly saved in AD via a VBS script; that's OK for the customer, they only want to use MBAM for changing the PIN on clients and for compliance status reports.

Thanks. Regards, ckuever
March 27th, 2012 8:05am

I think we need the SQL database: MBAM Setup Fails with SQL Error: Error obtaining a certificate protected by the master key http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx

Thanks, Zero
March 27th, 2012 9:43am

Hi, I found the problem, and as we already suspected it's because of the missing Key Recovery DB. But this is not clarified in any documentation! It's possible to install MBAM Server without the Key Recovery DB, but then you get the error.

In detail: When I reset "Configure MBAM services" in the GPO to Not Configured, users are able to set their PIN via the MBAM client. If I enable "Configure MBAM services", the MBAM client fails with 0x803d0013. That's stupid; why isn't it possible to configure only the "Status reporting service endpoint"? If I configure only the Status reporting service endpoint and leave the Hardware Service Endpoint blank, then I get the error "Endpoint settings not correct" on the client.

Therefore, last question: Is it possible to configure/use only the Reporting Endpoint/Compliance Reporting?

Thanks. Regards, ckuever
March 28th, 2012 5:09am

Do you have the 100 MB or 300 MB system volume on your machine? It seems that the most likely cause of error 0x803d0013 is that the system volume is not created. So please confirm this.

Thanks, Zero
March 28th, 2012 7:59am

Quoting ckuever:

"We configured these GPOs in the temporary installation OU (in which the computer account is created after domain join), following http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx: change the GPOs for Operating System drive under BitLocker Drive Encryption.
- Configure TPM startup: Do not allow TPM
- Configure TPM startup PIN: Allow TPM and PIN
- Configure TPM startup key: Do not allow startup key with TPM
- Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM"

Hello Christian,

I'm able to encrypt the machine during the MDT task sequence, but I can't put a PIN on the machine after it's encrypted (having users set their PIN via the MBAM client). So I'm asking you: can you clarify for me the GPOs that you have in your task sequence, and then what GPOs you have after you move the machine to the final OU, so that I can enable users to set the PIN via the MBAM client?

Thanks, Best Regards, Bruno Henriques

PS: If you can give me your email to clear up some more doubts, please send it to bruno.henriques@unisys.com
March 28th, 2012 10:30am

Just checking if there is any update.

Thanks, Zero
April 1st, 2012 9:11pm

This topic is archived. No further replies will be accepted.
