In the first part of this multipart series, we discussed the objectives of this exercise and the required components. The first part also covered the TPM settings required for BitLocker encryption and for the MBAM agent to take ownership of the TPM, the BIOS configuration utility (CCTK) and the actual commands used to configure the TPM. The first post finished by referencing David Hornbaker’s post describing how to use the StartMBAMEncryption script and how to customize the registry import files used by that script for a specific MBAM Server environment.
In Part 2 we covered creating and configuring the group policies required to enable MBAM clients to communicate with the MBAM server, and how often the MBAM client communicates with the MBAM server. We also covered optional policy settings designed to hide the default BitLocker Drive Encryption Control Panel applet from end users.
In Part 3 of this multipart post, we covered the required packages and programs to automate MBAM client distribution and OS partition encryption. Three packages/programs were covered:
1. BIOS Configuration Utility (CCTK) files package. The program associated with this package simply copies the package files and folder hierarchy to a permanent location on the OS partition.
2. MBAM Client (agent) installer package. The program associated with this package performs a silent install of the MBAM agent.
3. StartMBAMEncryption script package. The program associated with this package runs the StartMBAMEncryption.wsf script.
In Part 4 of this multipart post, we covered the tasks used in the task sequence that accomplish the following:
· Partition the hard disk
· Copy the Windows 7 image to the drive
· Install device drivers
· Join the computer to the domain
· Copy the CCTK executables to c:\windows\cctk
· Set the BIOS setup password
· Enable the TPM
· Activate the TPM
· Reboot the computer
· Clear the BIOS setup password
· Install the MBAM Agent
· Encrypt the OS partition using the MBAM agent
Note: This OSD task sequence assumes the target is a new or re-purposed machine. There is no User State data to migrate.
In the fifth part of this multipart post, I will cover following:
· How the MBAM agent installation and drive encryption tasks look from the client side.
· The steps the user must take to set the BitLocker PIN.
· How to verify the MBAM Agent was installed (and verify that the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working).
· How to verify drive C: is encrypted.
· How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
· How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM database.
· How to use the Event viewer on the client to verify the MBAM group policy was applied and that the MBAM Agent successfully communicated the drive encryption status to the MBAM Server.
· How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent stored the drive Recovery Key in the MBAM database.
A quick recap of the objectives never hurts:
- Provision a laptop with a Windows 7 operating system using SCCM OSD
- Using an automated BIOS configuration utility, place the Trusted Platform Module (TPM) in the proper state for MBAM to take ownership.
- Install the MBAM agent and configure the agent to communicate with the MBAM server.
- Instruct the MBAM agent to take ownership of the TPM.
- Instruct the MBAM agent to encrypt the OS partition using BitLocker.
- At first logon, the laptop user should be prompted to enter a BitLocker PIN.
Note: This environment uses Dell laptops as test machines. CCTK.exe, the BIOS configuration utility used in this example, is specific to Dell hardware.
MBAM from the Client Machine’s Perspective
After the last reboot in the task sequence, the MBAM agent is installed.
The picture isn’t as clear as I would like, but the dialog says “Running Action: Install MBAM”.
Shortly thereafter, the dialog changes to “Running Action: Install StartEncryption”
On the test machine there was some delay at this point, as much as three minutes. If the machine’s TPM is not Enabled and Activated, the task sequence will error out here. The first indicator of success is the drive light coming on solid and staying on. There are no reboots or other warnings; the screen simply changes to the logon prompt:
From the user’s perspective, press CTRL-ALT-DEL and log on.
Instead of the usual background, the user may see the System Center wallpaper:
Notice the notification balloon in the lower right corner; the drive is encrypting.
If the user logs on immediately after the task sequence completes, as I did here, there is no prompt for a BitLocker PIN yet. This is because the policy requiring the PIN has not yet been applied. By default, it could take up to two hours for the policy to apply. A couple of workarounds are:
- Reboot the machine after BitLocker encryption starts. This will not affect BitLocker; it will continue to encrypt the drive after rebooting.
- Run gpupdate /force.
- Wait for Group Policy application before logging on.
I wanted to see what would happen if I hurried through the process. Of course, I jumped through all kinds of hoops to hurry the process. I ran gpupdate /force and even logged off and logged on. Eventually I was rewarded with this:
If I waited for a while (maybe an hour or so) at the logon prompt at the end of the task sequence, this is what I saw when logging on for the first time:
It does not matter what the background is or when the dialog is displayed; either way, the Group Policy requiring a BitLocker PIN has been applied.
NOTE: A bit of explanation here. For this process to work, the drive encryption *must* start before the policy requiring a PIN is applied; otherwise BitLocker will not start encrypting the drive until a PIN is entered. Our objective is to automate as much of this process as possible. ConfigMgr prevents the workstation from processing Group Policy until after the task sequence is complete. This is something to keep in mind if the reader is attempting to use this task sequence with an MDT 2012 task sequence, which does allow the workstation to process policies.
When prompted, enter a PIN.
Note: The policy applied allows both letters and numbers in the PIN.
After confirming the PIN, click Create PIN.
I entered an @ in my password. Just letters and numbers are allowed:
After re-entering a valid password and clicking Create PIN, a success dialog is displayed.
The PIN is used at a warm or cold boot, and when bringing the machine out of hibernation. The PIN is *NOT* used when waking a sleeping machine. This will cramp my ConfigMgr style: any task sequence or update requiring a reboot will require user intervention from now on.
Verifying Agent Installation and Drive Encryption
Yes, when Bill Evans first logged on, he saw a notification balloon stating that the drive was being encrypted. However, if Bill had waited until the following morning to log on, he would have missed that notification. To verify, open Control Panel.
Note: This screen shot verifies two things. First, we can tell the MBAM Agent has been installed because the name of the BitLocker applet is BitLocker Encryption Options, not the default BitLocker applet named BitLocker Drive Encryption. Second, the fact that the default applet is hidden verifies that the Group Policy described in part two of this multipart post is hiding the default BitLocker applet as desired.
Now, open the BitLocker Encryption Options applet. The information displayed verifies drive C:, the OS partition, has been encrypted.
Note: Clicking the Manage your PIN link allows the user to change the PIN at any time. The user is *not* prompted for the old PIN or any other kind of identification. The same process is used to recover drives where the PIN is unknown, forgotten, or changed without the owner’s knowledge. There is only one PIN per machine. The first person that logs on after the policy requiring a PIN is applied gets to choose the PIN.
Verifying the Password Hash was pushed to the MBAM Server
If TPM ownership was already taken before the MBAM Agent attempted to take ownership, there are no errors; the script moves on and encrypts the drive. To verify that the agent took ownership, check for the Owner password file on the MBAM server and/or query the MBAM database on the SQL Server.
Check for the Owner Password File on the MBAM Server
From the MBAM server site, click Manage TPM and enter the computer’s domain and computer name. If the MBAM agent took ownership, the MBAM Server will return the TPM Owner Password file as seen here:
Note: This test does not endanger any data on the encrypted drive.
Querying the MBAM Recovery and Hardware Database
On the SQL Server where the MBAM Recovery and Hardware database resides, log on as a SQL administrator and open SQL Server Management Studio.
Navigate to the MBAM Recovery and Hardware database. Expand the Tables node, right-click the RecoveryAndHardwareCore.Machines table and select Return Top 1000 Rows. Find the entry for the name of the computer. The example below shows that MBAMTEST10 did not copy its password hash to the MBAM server properly, but MBAMTEST24 did. (24th time’s the charm!)
Note: *Do NOT* try to manually enter failed password file hash entries!
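The same lookup done in SSMS above, as an added PowerShell example that is not part of the original post; MBAMSQL01 is a placeholder server name, the default database name is assumed, and the Name column on RecoveryAndHardwareCore.Machines is an assumption (other column names vary by MBAM version, so the query returns every column for the row).

```powershell
# Added example, not code from the original post: the SSMS lookup above as a
# parameterized query. Placeholders/assumptions: server name MBAMSQL01, the default
# database name 'MBAM Recovery and Hardware', and a Name column on
# RecoveryAndHardwareCore.Machines (other columns vary by MBAM version, hence SELECT *).
function Get-MbamMachineRow {
    param([string]$SqlServer, [string]$ComputerName,
          [string]$Database = 'MBAM Recovery and Hardware')
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        ("Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    # The computer name travels as a parameter, never concatenated into the SQL text.
    $cmd.CommandText = 'SELECT * FROM RecoveryAndHardwareCore.Machines WHERE Name = @name'
    [void]$cmd.Parameters.AddWithValue('@name', $ComputerName)
    $table = New-Object System.Data.DataTable
    try     { $conn.Open(); $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }
    # One object per matching row, with the DataRow bookkeeping properties removed,
    # so Format-List * shows every database column (including whichever holds the hash).
    $table | Select-Object -Property * -ExcludeProperty RowError, RowState, Table, ItemArray, HasErrors
}

Get-MbamMachineRow -SqlServer 'MBAMSQL01' -ComputerName 'MBAMTEST24' | Format-List *
```

An empty result means the machine has no row at all (compare MBAMTEST10 above); a row whose hash column is empty means the agent reported but did not supply the TPM owner password hash.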
Verifying the Recovery Key is Stored on the MBAM Server
On the client side, look for two Event log entries. First, Event ID 1, MBAM group policy settings have been applied successfully.
Without the Group Policy settings, the MBAM agent does not know to which server it should report its status. Next, Event ID 3, the encryption status was communicated to the MBAM Server successfully.
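The client-side checks in this section and in Verifying Agent Installation and Drive Encryption (agent present, drive C: encrypted with TPM and PIN, MBAM policy applied, Event IDs 1 and 3 logged) can be run as one script so they survive a missed notification balloon. This is an added example, not code from the original post; the service name MBAMAgent, the MDOPBitLockerManagement policy key and its value names, and the Microsoft-Windows-MBAM/Operational log name are assumptions to confirm on your build.

```powershell
# Added example, not code from the original post: scripts the client-side checks this
# part does by hand (MBAM agent service, BitLocker state of C:, MBAM policy registry
# values, MBAM event IDs 1 and 3). Assumed names to confirm on your build: service
# 'MBAMAgent', key ...\FVE\MDOPBitLockerManagement, log 'Microsoft-Windows-MBAM/Operational'.

# Pull one "Label: value" field out of manage-bde output; $null if absent.
function Get-BdeField([string[]]$Lines, [string]$Label) {
    $m = $Lines | Select-String ('^\s*{0}:\s*(.+)$' -f [regex]::Escape($Label)) | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-MbamClientState {
    $s = New-Object PSObject
    # 1. MBAM agent service present and running?
    $svc = Get-Service -Name MBAMAgent -ErrorAction SilentlyContinue
    $s | Add-Member NoteProperty AgentService $(if ($svc) { $svc.Status } else { 'NotInstalled' })

    # 2. BitLocker state of C:. Windows 7 has no Get-BitLockerVolume, so parse manage-bde.
    $bde = & manage-bde.exe -status C: 2>&1 | ForEach-Object { "$_" }
    $s | Add-Member NoteProperty ConversionStatus    (Get-BdeField $bde 'Conversion Status')
    $s | Add-Member NoteProperty PercentageEncrypted (Get-BdeField $bde 'Percentage Encrypted')
    $s | Add-Member NoteProperty ProtectionStatus    (Get-BdeField $bde 'Protection Status')
    # Key protectors are the indented lines that follow "Key Protectors:".
    $protectors = @()
    $kp = $bde | Select-String 'Key Protectors:' -Context 0,6 | Select-Object -First 1
    if ($kp) { foreach ($l in $kp.Context.PostContext) { if ($l.Trim() -eq '') { break }; $protectors += $l.Trim() } }
    $s | Add-Member NoteProperty KeyProtectors ($protectors -join ', ')
    # The PIN policy has taken effect only once 'TPM And PIN' (not plain 'TPM') is listed.
    $s | Add-Member NoteProperty TpmPinInUse ($protectors -contains 'TPM And PIN')

    # 3. MBAM policy: without these endpoints the agent does not know where to report.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $s | Add-Member NoteProperty PolicyKeyPresent (Test-Path $pol)
    if (Test-Path $pol) {
        $p = Get-ItemProperty $pol
        $s | Add-Member NoteProperty KeyRecoveryEndpoint  $p.KeyRecoveryServiceEndPoint
        $s | Add-Member NoteProperty StatusReportEndpoint $p.StatusReportingServiceEndPoint
    }

    # 4. Newest Event ID 1 (policy applied) and 3 (status reported), with message text.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Operational'; Id = 1,3 } `
            -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending
    foreach ($id in 1,3) {
        $e = $ev | Where-Object { $_.Id -eq $id } | Select-Object -First 1
        $s | Add-Member NoteProperty "Event$id" $(if ($e) { "$($e.TimeCreated) $($e.Message)" } else { 'not found' })
    }
    $s
}
Get-MbamClientState | Format-List
```

Run it from an elevated prompt; the event messages are printed in full so the reader confirms the text matches the two success entries described above rather than trusting the ID alone.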
To check for the Recovery Key on the server, you’ll need to get the machine to display the Recovery Key ID. If you’ve enabled a BitLocker PIN, you can press ESC at the PIN prompt to enter the Recovery Console.
Note: Doing this will not endanger any data on the disk.
Now write down the Recovery Key ID. Only the first eight characters are required. Again, this is not going to put any of your data in danger. This is just a test.
Note: At this point, we have all the information we need for the database population test. You can press ESC to exit the Recovery console, or just reboot. Enter the correct PIN at boot and you are back in business on the test machine.
Go to the MBAM Server console, click Drive Recovery and enter the eight-character Recovery Key ID, then click Submit.
If the MBAM agent worked properly, the drive recovery key is displayed in the console:
This verifies the MBAM agent successfully stored the drive recovery key in the MBAM database.
Part 5 of this multipart post covered the following:
- How the MBAM agent installation and drive encryption look from the client side
- The steps the user must take to set the BitLocker PIN
- How to verify the MBAM Agent was installed (and verify the Group Policy to hide the BitLocker Drive Encryption applet in Control Panel is working)
- How to verify drive C: is encrypted.
- How to use the MBAM Server console to verify the TPM Owner password file was pushed by the MBAM agent to the MBAM Server.
- How to use a SQL query to verify the MBAM Agent pushed the TPM Owner password file to the MBAM Server
- How to use the Event viewer on the client to verify the MBAM group policy has been applied and that the MBAM Agent has successfully communicated the drive encryption status to the MBAM Server.
- How to use the BitLocker Recovery console and the MBAM Server console to verify the MBAM Agent has stored the drive Recovery Key in the MBAM database.
Part 6 of this multipart post will cover common MBAM deployment issues and resolutions.
Credit Where Credit is Due Department
“If I have seen further it is by standing on the shoulders of giants”
This multipart post references material found at the following websites:
Using MBAM to start BitLocker Encryption in a Task Sequence
Enable TPM in task sequence with SCCM and CCTK
How to Enable Trusted Platform Module Using a ConfigMgr 2007 Task Sequence
No author credited
Check to see if the TPM is enabled
BitLocker/MBAM–Endorsement Keys and TPM Ownership
Customising Windows 7 deployments – part 5
This posting is provided “AS IS” with no warranties and confers no rights.