Using MBAM to start BitLocker Encryption in a Task Sequence

The script has been updated to abort if the TPM is not Active and to create Endorsement Key Pair if it does not exist on the TPM.


Microsoft BitLocker Administration and Monitoring (MBAM) provides features to manage BitLocker encryption of computers in an enterprise.  More information on MBAM can be found here.

BitLocker creates recovery information at the time of encryption and MBAM stores that information in the recovery data store. While MBAM can update its recovery data store when the agent is installed on a system that is already encrypted, it is preferable to have MBAM control the encryption process.  MBAM Encryption is controlled by Group Policy.  Group Policy is not applied during a SCCM Task Sequence.  It is possible to have MBAM start encryption during the task sequence, the techniques are described in the following whitepaper Using MBAM Data Encryption With MDT

Manually starting BitLocker Encryption with MBAM

Manually starting encryption with MABM requires five steps:

  1. Install the MBAM Agent. 
  2. Stop the MBAM agent
  3. Import registry settings that will instruct the agent to start encryption.
  4. Wait for encryption to start
  5. Remove the most of the imported registry settings

Installing MBAM Agent

The MBAM agent can be installed during Windows 7 Image creation. 

To install MBAM during the deployment, just create a SCCM package/program to install the agent.

Creating the registry import files.

Create a .reg file that contains the required MBAM entries. There is a template in Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg. This template will become the basis for the AddMBAMRegEntries.reg file.

Do the following on an unencrypted system with the MBAM Agent installed(from an elevated command prompt):

  1. Net Stop MBAMAGENT
  2. reg import “c:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg”
  3. using regedit make the following changes:
    1. Change the KeyRecoveryServiceEndPoint key to have the URL of the MBAM recovery server.
    2. Add NoStartupDelay as a DWORD with a value of one.
  4. Export the MBAM key to a file (AddMBAMRegEntries.reg)

Next, create a .reg file to remove the entries

  1. Copy AddMBAMRegEntries.reg to RemoveMBAMRegEntries.reg
  2. Open RemoveMBAMEntries.reg in notepad
  3. Delete the line: "Installed"=dword:00000001
  4. for all the other keys in the file replace everything after the equals sign with a minus sign (E.G. "NoStartupDelay"=dword:00000001 becomes "NoStartupDelay"=-)
  5. Save RemoveMBAMRegEntries.reg

Note: More information on creating and editing .reg files is available here.

At this point test that the .reg files are correct by starting the MBAM agent (net Start MBAMAGENT), encryption will begin within a couple of minutes.  After encryption begins, run the removeMBAMEntries.reg file to remove the unneeded entries.

For encryption to begin, the MBAM agent needs to talk to the server.  If this server communication fails the encryption will not start.  If there is a problem, verify that the URL is correct and the MBAM server is functioning correctly.

Sample AddMBAMRegEntries.reg file

Windows Registry Editor Version 5.00


Sample RemoveMBAMRegEntries.reg file

Windows Registry Editor Version 5.00



Automating the process with a script

StartMBAMEncryption.wsf is a MDT 2010 style script that will automate the last four steps   To use this script create a folder that contains StartMBAMEncryption.wsf, ZTIUtility.vbs from the MDT toolkit, and the two .reg files created above. 

To start Encryption run the following from an elevated command prompt:

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg

How does the script work?

Make sure that MBAM is installed, do a WMI query for the MBAMAGENT service. If the service does not exist, fail.

    Set oServices = objWMI.ExecQuery("Select * from win32_service where name='MBAMAgent'")
    TestAndFail (oServices.count = 1), 10005, "MBAM Client Agent is not installed"

The service exists,  stop the service.  Using the result of the previous query, call the StopService method.  Note that the query will return at most one item.

    'Stop the service
    for each oService in oServices

Use the REG IMPORT command to import the  AddMBAMRegEntries.reg file, this will give the MBAM agent instruction to start encryption.

    sCMD = "Reg IMPORT """ & sAddRefFilePath & """"
    iRetVal = oUtility.RunWithHeartbeat(sCMD)
    TestAndFail iretVal, 10006, "Importing AddRegFile: " & sAddRefFilePath

Now, using the result of the original WMI query again, start the MBAM agent

    ' Restart the MBAMAgent Service
    for each oService in oServices

Since BitLocker information is in a different Namespace, the script must create a connection to that Namespace.

    strConnectionStr1 = "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption" 
    On Error resume Next
    Set objWMIBDE = GetObject(strConnectionStr1)
    on error goto 0
    TestAndFail Err, 10007, "Unable to connect to Bitlocker WMI Object -  bitlocker not installed"

Using the object just created, query for a Win32_EncryptableVolume for the C: drive. Once that object is obtained, go into a loop sleeping 30 seconds, updating the Task Sequence progress bar, and checking to see if the encryption is in progress.  Note that the script is checking for both in progress (EncryptionStatus = 2) and Encrypted (EncryptionStatus = 1).  This loop will wait 10 minutes for the encryption to start.  In testing the encryption has started within 2 minutes.

    iCount = 0
    iLoopCount = 0
    oLogging.CreateEntry "Waiting for Encryption to Start", LogTypeInfo
      oLogging.ReportProgress "Waiting For Encryptiont to Start",  iLoopCount/20
      wscript.Sleep 30000
      Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume where DriveLetter='C:'")
      for each oEncVol in colEnVol
      oEncVol.GetConversionStatus iEncryptionStatus, iPercentComplete

      ILoopCount = iLoopCount + 1
      If iLoopCount >= 20 then
        TestAndFail False, 10008, "Timeout: Encryption did not start"
      End If
    Loop Until ((iEncryptionStatus = 1) or (iEncryptionStatus = 2))
    oLogging.ReportProgress "Encryptiont Started", 100
    oLogging.CreateEntry "Encryptiont Started", LogTypeInfo

All that is left to do is cleanup the registry by importing the removeMBAMEntries.reg file

    sCMD = "Reg IMPORT """ & sRemoveRegFilePath & """"
    iRetVal = oUtility.RunWithHeartbeat(sCMD)
    TestAndFail iretVal, 10009, "Importing RemoveRegFile: " & sRemoveRegFilePath


Creating the MBAM Support Task Sequence Package

Create a new folder and add the two .reg files created above, a copy of ZTIUTILITY.VBS from the MDT scripts package, and StartMBAMEncryption.wsf.  In you SCCM console, create a new package, and program.  The program command line will be:

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg  

Or, to wait until encryption is finished, before the task sequence continues, the program command line will be:

  cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true


Changes to the Task Sequence

TPM Issues

The Trusted Platform Module (TPM) must be visible to the OS and enabled.  making the TPM visible, varies by hardware vendor and system.  There is a script that will check if the TPM is visible Here.    For information on how to enable the TPM from a task sequence see the table below.




Disk Partitioning

BitLocker requires an unencrypted partition that will hold the Boot files and boot database.  This partition has to be at least 100MB, but it is recommended that it be 300MB.  A 300MB partition will allow recovery environment (WinRE) to be copied to the unencrypted drive.  WinRE is automatically copied when BitLocker is enabled if there is enough space on the boot partition.

For Bare Metal deployments, the partition can be created during the Partition Disk step.

  1. Create a 300MB primary partition and mark it Active (Make Bootable)  
  2. Create a primary partition that uses 100% of the remaining disk  Assign a variable to this disk (OSDISK)
  3. Change the Apply Operating System step to put the Operating System on the disk specified in the variable OSDISK





For refresh from XP or Windows 7 system that does not have a separate boot partition, use the following steps:


The following steps should be added before the step that installs the MBAM support package created above.

Using ZTIBDE.WSF (from MDT)

Add a Run Command Line step that runs ZTIBDE.WSF

Cscript %ScriptRoot%\ztibde.wsf

Using BdeHDCfg

Add a Run Command Line step  with the following command line:

BdeHdCfg -target default -quiet

This will create a 300MB partition for the boot files.  

Add a Reboot System step following this step.

Additional information on BitLocker, Configuration Manager 2007, and disk partitions can be found on the Configuration manager Support Team blog

Join the Domain

The computer system must be in a Domain in order for MBAM to escrow the BitLocker Keys. 

Joining a domain is required for this process to work correctly.

Enabling BitLocker

To enable BitLocker, simply add an install software step to install the package/program created above.  It is recommended that this be one of the last steps in the Task Sequence because encrypting the disk will consume many system resources until the disk is fully encrypted.

Waiting for Encryption to Finish

To ensure the highest security level, the system should not be released to a user until the disk is completely encrypted.  The /WaitForEncryption:True option will force the script to wait up to 5 hours for the encryption to finish.  If the encryption doesn’t finish within 5 hours, the fact will be logged but the script will not abort.  This option can be useful if there are business requirements that the system be fully encrypted before any data is restored.

cscript StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:true

This post was contributed by David Hornbaker, a Senior Consultant with Microsoft Services - U.S. East Region.  

Special thanks to Manoj Sehgal, Senior Support Escalation Engineer, Platforms core, Microsoft Services, and William Lees, Principal SDE, Microsoft Corporation, for their assistance with this post.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use