Windows 8 comes with the option to pre-provision the disk for use with BitLocker, allowing only the used space to be encrypted, which substantially reduces the encryption time.

Problems occur when enterprises want to use the Microsoft BitLocker Administration and Monitoring (MBAM) toolkit from the Microsoft Desktop Optimization Pack (MDOP) to store BitLocker recovery keys and track compliance. MBAM 2.0 SP1 does not support used-space-only encryption, as per the release notes, forcing enterprises to either drop MBAM or perform full encryption of the disk, which can be a time-consuming task depending on disk size and CPU performance.

After spending quite some time investigating this, reading multiple blogs, articles etc., only to find other people with the same dilemma and vague hints at how to overcome it, I managed to get this to work.

The scenario:

  • Windows 8.1 is deployed using bare-metal deployment through SCCM 2012 R2
  • Hardware has been prepared, meaning that the TPM has been enabled and activated in the BIOS
  • MBAM servers have been installed and integrated into SCCM as per the documentation
  • MBAM Group Policies have been created, forcing BitLocker for the OS drive and backing up the TPM owner password to Active Directory.

When deploying a new computer using the bare-metal task sequence, we want the OS disk to be pre-provisioned using used-space-only encryption, so that data is encrypted as the image is applied to the disk.

Once the Windows 8 image has been installed, we want MBAM to set protectors and back up the recovery keys to Active Directory.

TPM backup

After trying several different methods for having MBAM back up the TPM hash to the MBAM database, I would always end up with either a missing TPM hash or the TPM being left in legacy mode.

If MBAM is to back up the hash key, it has to be the owner of the TPM, and this forces the TPM into legacy mode in Windows. This is not a scenario that I like, due to possible third-party security solutions relying on the TPM.

As a result of this, I opted for the solution where Windows takes ownership of the TPM and the hash key is backed up to Active Directory.

The Task Sequence

OK, enough background information; let's look at the implementation I ended up with.

The first step is to pre-provision the disk. For this we can use the "manage-bde -on" command.

[Screenshot: the pre-provisioning task sequence step]

I use the %OSDisk% variable to specify the disk to be encrypted. This variable must be set in the Partition Disk step:

[Screenshots: the Partition Disk step and its OSDisk variable setting]

Next comes the part that was causing me all the headaches: we need to inject local policies into the target OS so that these are in place at first boot. If these settings are not set, backup of the TPM to Active Directory will fail, and sometimes the TPM is left in legacy mode.

[Screenshot: the task sequence step running SetTPMPolicy.wcf]

The SetTPMPolicy.wcf script contains a subset of the settings that are specified in the BitLocker and MBAM Group Policies for forcing AD backup and the encryption type.
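The two WinPE-phase steps above (pre-provisioning the OS disk and injecting the BitLocker/TPM policy values into the offline OS) could look like the following PowerShell. This is an added example, not the post's own SetTPMPolicy.wcf script. It assumes it runs from a task sequence step in WinPE after the Partition Disk and Apply Operating System steps, that the OSDisk task sequence variable is set, and that the policy value names below (taken from the BitLocker and TPM administrative templates) are the ones the later Group Policy will also enforce; which values to include is a choice made for this example.

```powershell
# Added example (not the post's script): pre-provision the OS disk with
# used-space-only encryption and write the policy values the first boot needs
# into the applied image's offline SOFTWARE hive.
$tsEnv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
$osDisk = $tsEnv.Value('OSDisk')          # set by the Partition Disk step, e.g. "C:"

# 1. Pre-provision: encrypt used space only. The volume is protected by a clear
#    key until MBAM adds real protectors after the OS is installed.
& manage-bde.exe -on $osDisk -UsedSpaceOnly
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $osDisk failed with exit code $LASTEXITCODE" }

# 2. Load the offline SOFTWARE hive of the image that was just applied.
$hivePath = Join-Path $osDisk 'Windows\System32\config\SOFTWARE'
& reg.exe load 'HKLM\OfflineSoftware' $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load offline hive $hivePath" }

try {
    $fve = 'HKLM:\OfflineSoftware\Policies\Microsoft\FVE'
    $tpm = 'HKLM:\OfflineSoftware\Policies\Microsoft\TPM'
    New-Item -Path $fve -Force | Out-Null
    New-Item -Path $tpm -Force | Out-Null

    # OS drive recovery: back up recovery information to AD DS and require
    # the backup to succeed before BitLocker is turned on.
    Set-ItemProperty $fve -Name OSActiveDirectoryBackup        -Value 1 -Type DWord
    Set-ItemProperty $fve -Name OSRequireActiveDirectoryBackup -Value 1 -Type DWord
    Set-ItemProperty $fve -Name OSActiveDirectoryInfoToStore   -Value 1 -Type DWord   # recovery passwords and key packages
    # Encryption type for OS drives: 2 = used space only, matching step 1.
    Set-ItemProperty $fve -Name OSEncryptionType -Value 2 -Type DWord

    # TPM owner information: back up to AD DS and require it (Windows, not
    # MBAM, owns the TPM in this design).
    Set-ItemProperty $tpm -Name ActiveDirectoryBackup        -Value 1 -Type DWord
    Set-ItemProperty $tpm -Name RequireActiveDirectoryBackup -Value 1 -Type DWord
}
finally {
    # Always release the hive; a hive left loaded breaks the first boot.
    [gc]::Collect()
    & reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
}
```

After the first boot, "manage-bde -status" on the OS drive should report a conversion status of used space only encrypted, and "gpresult" or the FVE policy key should show the same values the domain GPO later applies, so the injected settings and the GPO do not disagree with each other.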

Once the operating system is installed, we need to install the MBAM agent and trigger it to apply protectors and back up the recovery keys.

The installation of the agent is performed by an application that deploys the MBAMClient.msi located on the MDOP installation media.

[Screenshot: the Install Application step for the MBAM client]

Finally, to trigger MBAM to apply protectors, we execute a script that stops the MBAM agent service and sets local registry keys to specify the MBAM endpoint and disable the delayed startup, before starting the service again. MBAM will now read its temporary settings from the registry, finalize the encryption and back up the recovery keys.

[Screenshot: the task sequence step running StartMBAMEncryption.wsf]

The StartMBAMEncryption.wsf script that I use is inspired by the script originally made by David Hornbaker from the Deployment Guys, and later modified by alexsemi (found here: The Deployment Guys and here: AlexSemi’s Blog).

One of the modifications that I have made is to make the script wait for the encryption and backup to complete before exiting. I experienced several occasions where a reboot just after starting the encryption would cause the backup to fail.
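As an added example of the full-OS step described above, including the wait before exit, the following PowerShell does what the post's StartMBAMEncryption.wsf is described as doing. It is not the post's script or the Deployment Guys' script. It assumes the MBAM 2.0 client is installed (service name MBAMAgent), that the deployment-time registry values under HKLM\SOFTWARE\Microsoft\MBAM are the ones the agent reads (the endpoint URL is a placeholder), and that the BitLocker PowerShell module shipped with Windows 8 is available. The completion check is local only: it confirms the conversion finished and a recovery password protector exists, which is the point at which a reboot no longer interrupts the escrow, but it cannot prove the server-side backup succeeded.

```powershell
# Added example (not the post's StartMBAMEncryption.wsf): point the MBAM agent
# at the recovery service, remove its startup delay, restart it, then wait for
# the OS volume to finish conversion and gain a recovery password protector.
param(
    # Placeholder; replace with the real MBAM Recovery and Hardware service URL.
    [string]$RecoveryEndpoint = 'http://MBAM-SERVER-PLACEHOLDER/MBAMRecoveryAndHardwareService/CoreService.svc',
    [int]$TimeoutMinutes = 120
)

$mbam = 'HKLM:\SOFTWARE\Microsoft\MBAM'

# Stop the agent so it picks up the new values on the next start.
Stop-Service -Name MBAMAgent -Force

New-Item -Path $mbam -Force | Out-Null
Set-ItemProperty $mbam -Name DeploymentTime             -Value 1 -Type DWord     # deployment-time mode
Set-ItemProperty $mbam -Name UseKeyRecoveryService      -Value 1 -Type DWord     # escrow keys to MBAM
Set-ItemProperty $mbam -Name KeyRecoveryOptions         -Value 1 -Type DWord     # 1 = recovery password
Set-ItemProperty $mbam -Name KeyRecoveryServiceEndPoint -Value $RecoveryEndpoint -Type String
Set-ItemProperty $mbam -Name NoStartupDelay             -Value 1 -Type DWord     # act now, not after the default delay

Start-Service -Name MBAMAgent

# Wait for conversion and the recovery protector. Rebooting before this point
# is what caused the failed backups described in the post.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPw = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    Write-Host ('{0}  {1}% encrypted, status {2}, recovery password protector: {3}' -f `
        (Get-Date -Format 'HH:mm:ss'), $vol.EncryptionPercentage, $vol.VolumeStatus, $hasRecoveryPw)
    # A used-space-only volume reports FullyEncrypted once conversion is done.
    $done = ($vol.VolumeStatus -eq 'FullyEncrypted') -and $hasRecoveryPw
} until ($done -or (Get-Date) -gt $deadline)

if (-not $done) {
    throw "BitLocker conversion or protector creation did not finish within $TimeoutMinutes minutes; do not reboot yet."
}

# Remove the deployment-time override so the Group Policy delivered settings take over.
Remove-ItemProperty -Path $mbam -Name DeploymentTime -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $mbam -Name NoStartupDelay -ErrorAction SilentlyContinue
exit 0
```

Run it as a task sequence step after the MBAM client application has been installed; because the script throws on timeout, the step fails visibly instead of letting the task sequence proceed to a reboot with a half-finished escrow. Whether the recovery key actually reached the MBAM database should still be confirmed on the server side (for example in the MBAM recovery audit or compliance reports) before the machine is handed to a user.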

The scripts used in this task sequence are attached to this post, and can be downloaded and placed in a package along with the ZTIUtility.vbs script from the MDT 2013 toolkit.

Scripts can be downloaded from the original post (download id 199).


Although not supported by MBAM directly, it is possible to use MBAM along with Used-Space-Only encryption.