MBAM start encryption without prompt during MDT
Prior to MBAM release, I was using the settings in customsettings.ini to enable BitLocker and then during deployment it would automatically begin encrypting. I want to utilize MBAM to manage BitLocker now. So now, I am deploying the MBAM client in my task sequence in MDT and have all the group policies in place and tested out. The issue I am running into is that during deployment the client installs fine, but due to the delay in receiving the policy it takes a while for the prompt to come up asking me to start or postpone. Since I am always going to encrypt our laptops, why am I not able to use MBAM and during the task sequence have it automatically begin to encrypt without prompting?
September 21st, 2011 6:30pm

Hi, Your question is related to MBAM product, so I will involve a colleague to help you resolve it.
Regards, Juke
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 22nd, 2011 8:34am

We have released a whitepaper for MBAM and MDT.
Using MBAM Data Encryption With MDT: http://go.microsoft.com/fwlink/?LinkId=229053
This has the steps to start encryption immediately using MBAM.
Manoj (MSFT)
Manoj Sehgal
September 22nd, 2011 11:11pm

Thank you for the whitepaper. I have read through it and have a question. In case #2 with including the registry settings. Step 3 says "After the service has started BitLocker and the encryption process has begun." Do I leave the out-of-the-box "Enable Bitlocker" step in the Task Sequence enabled or by installing the MBAM client and adding the registry keys will it just begin instantly? If I do leave it enabled what settings within that task need to be configured? Also, is there an easy way in the sequence to verify that it has started Bitlocker and started encryption so that I am not deleting the registry keys too early?
September 23rd, 2011 3:50pm

Also, I tried creating the reg file but it does not appear that the value for the "KeyRecoveryServiceEndPoint" can be in plain text. When I tried that it did not write the value at all. When I look at the provided example reg file it has the value in hex.
September 23rd, 2011 3:52pm

I followed the steps and ensured that TPM was enabled in the BIOS, but when rebooting after finishing MDT deployment I received the following error: "The Bitlocker encryption key cannot be obtained. Verify that the TPM is enabled and ownership has been taken." I checked in TPM Administration and it is enabled but ownership has not been taken. It appears that I can manually initialize the TPM, but I shouldn't have to do anything manually... correct?
September 23rd, 2011 7:52pm

1. Thank you for the whitepaper. I have read through it and have a question. In case #2 with including the registry settings. Step 3 says "After the service has started BitLocker and the encryption process has begun." Do I leave the out-of-the-box "Enable Bitlocker" step in the Task Sequence enabled or by installing the MBAM client and adding the registry keys will it just begin instantly? If I do leave it enabled what settings within that task need to be configured? Also, is there an easy way in the sequence to verify that it has started Bitlocker and started encryption so that I am not deleting the registry keys too early?
2. Also, I tried creating the reg file but it does not appear that the value for the "KeyRecoveryServiceEndPoint" can be in plain text. When I tried that it did not write the value at all. When I look at the provided example reg file it has the value in hex.
Edit the reg file in Notepad and then add the value for KeyRecoveryServiceEndPoint. Save the reg file and then you can use it.
3. I followed the steps and ensured that TPM was enabled in the BIOS but when rebooting after finishing MDT deployment I received the following error: "The Bitlocker encryption key cannot be obtained. Verify that the TPM is enabled and ownership has been taken." I checked in TPM Administration and it is enabled but ownership has not been taken. It appears that I can manually initialize the TPM but I shouldn't have to do anything manually... correct?
TPM has to be initialized before you can enable BitLocker.
Manoj Sehgal
September 29th, 2011 7:12pm
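
For the two points raised above (the TPM must be initialized before BitLocker can be enabled, and the registry keys should not be deleted before encryption has begun), a check like the following could run as a command-line step before the cleanup step. It is an added example, not part of the thread or the whitepaper; it uses the standard Win32_Tpm and Win32_EncryptableVolume WMI classes, and the timeout, poll interval and exit codes are assumptions.

```powershell
# Added example: gate the registry-key cleanup step on TPM state and BitLocker status.
# Run elevated. Timeout, poll interval and exit codes are assumptions, not MBAM values.
param(
    [string]$Drive = $env:SystemDrive,   # OS volume, e.g. "C:"
    [int]$TimeoutSeconds = 1800,
    [int]$PollSeconds = 30
)

# 1. TPM must be enabled, activated and owned before BitLocker can seal a key to it.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { Write-Warning 'No TPM is visible to Windows.'; exit 10 }
$state = @{
    Enabled   = $tpm.IsEnabled().IsEnabled
    Activated = $tpm.IsActivated().IsActivated
    Owned     = $tpm.IsOwned().IsOwned
}
$missing = @($state.Keys | Where-Object { -not $state[$_] })
if ($missing.Count -gt 0) {
    Write-Warning ("TPM not ready; missing: " + ($missing -join ', '))
    exit 11
}

# 2. Poll the volume until encryption has started (or already finished).
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { Write-Warning "No encryptable volume found for $Drive"; exit 20 }

# ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $s = $vol.GetConversionStatus()
    if ($s.ConversionStatus -eq 1 -or $s.ConversionStatus -eq 2) {
        Write-Host "$Drive status $($s.ConversionStatus), $($s.EncryptionPercentage)% encrypted"
        exit 0   # safe for the next step to remove the temporary registry values
    }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

Write-Warning "Encryption on $Drive did not start within $TimeoutSeconds seconds."
exit 30
```

A nonzero exit code fails the step, so a following cleanup step that is not set to continue on error will not run while the volume is still unencrypted.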

Manoj, In reference to the option #2 in the MDT Whitepaper, are we leaving the default Bitlocker Task in our Task Sequence enabled or are we disabling it? The whitepaper is more like toilet paper btw. Someone needs to actually finish the document. Thanks Todd
October 11th, 2011 11:37am

Manoj, In reference to the option #2 in the MDT Whitepaper, are we leaving the default Bitlocker Task in our Task Sequence enabled or are we disabling it? Someone needs to actually finish the document. From the first look, this doc was rushed out the door. Thanks Todd
October 11th, 2011 6:35pm

Editing the reg file in Notepad still doesn't import the service end point. The sc config mbamagent start=demand doesn't work. This document needs to be cleaned and verified that all the steps work.
November 1st, 2011 2:27pm

We don't have to include the BitLocker step in our task sequence. The MBAM agent will start the encryption automatically by adding a few reg entries to the proper location.
See this post: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/9ca8b9e0-64fb-407d-8ee7-b46098dc4223/
Download the manual for the encryption process with MDT: http://go.microsoft.com/fwlink/?LinkId=229053
Also make sure this command should not be included in the quotes:
Sc config mbamagent start= demand
Hope it will help.
Gaurav Ranjan
January 5th, 2012 8:03am

This topic is archived. No further replies will be accepted.
