Start MBAM encryption on Bitlocker pre-provisioned and Windows To Go drives.

Dave Hornbaker from Deployment Guys wrote a script some time ago that kicks off MBAM encryption of the hard drive. It can be found here:

https://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

As time goes on, new features have appeared in SCCM and MDT, as well as in BitLocker and MBAM.

The first of two things the original script does not address is pre-provisioned BitLocker in SCCM 2012 SP1 (actually a feature of Windows 8 and Windows PE 4). This means that once you start encryption with the "Pre-provision BitLocker" step (which actually calls Manage-bde -on %OSDisk% -UsedSpaceOnly), your system hard drive is encrypted right off the bat, and the data written while the image is applied is encrypted automatically.

The second thing is Windows To Go. Here is the article that describes how to create pre-staged media for Windows To Go: https://technet.microsoft.com/en-us/library/jj651035.aspx. There are a couple of issues with WTG and SCCM:

  • The recovery key is not saved in MBAM when this method is used.
  • WtgCreator does not leverage the pre-provisioning feature, which means you have to encrypt the entire drive as a separate step afterwards.


I'm providing two VB scripts, ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf.

  • ZTIPrepareBDE.wsf is the ZTIBDE.wsf script from MDT with the actual encryption stripped out. Run this script in the live OS from the TS first, with the condition _SMSTSWTG <> "TRUE" so it won't run on Windows To Go. It does all the TPM preparation, and it also partitions the drive, cutting off 500 MB for boot files; this is all standard MDT BitLocker support, which works just fine but does not support MBAM. This script requires OSDBitLockerMode=TPM and IsBDE=TRUE.
  • StartMBAMEncryption.wsf is the script that starts encryption and has the recovery key reported to MBAM. It takes the parameter MBAMServiceEndPoint, which is the URL of the MBAM service endpoint, and it also takes OSDBitLockerPIN for WTG: if we're deploying WTG, it will set this password. There is no need to use the original osdbitlocker_wtg.exe. Run this script after ZTIPrepareBDE.wsf in your TS. I'd suggest creating a package and putting ZTIPrepareBDE.wsf and StartMBAMEncryption.wsf from the attached file in it, together with copies of ZTIDiskUtility.vbs, ZTIUtility.vbs and ztiRunCommandHidden.wsf from the MDT Scripts folder.

I also included a version of the SCCMWTGDuplicator.ps1 script that replaces WTGCreator.exe from SCCM. This script requires all the boot files from a WTG stick created with the original WTGCreator.exe; simply copy all of those files to the Boot directory. The script asks for the WIM file with the pre-staged media, lists all USB drives and then provisions them with WTG.
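As an added post-deployment check (my own verification script, not part of the attached package), the following PowerShell verifies that a drive ended up in the state described above: encrypted, protection turned on, a TPM protector on a fixed drive or a password protector on Windows To Go, and a recovery password protector whose ID can be compared with what MBAM has recorded. It assumes the built-in BitLocker and TrustedPlatformModule cmdlets and the Win32_OperatingSystem.PortableOperatingSystem property, all available from Windows 8 onwards.

```powershell
# Added verification script: run in the live OS after the task sequence completes.
param([string]$MountPoint = $env:SystemDrive)

# Windows To Go reports itself as a portable OS; the TS used _SMSTSWTG for the same decision.
$isWtg = [bool](Get-CimInstance Win32_OperatingSystem).PortableOperatingSystem
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$findings = @()

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    $findings += "Volume $MountPoint is not encrypted; neither pre-provisioning nor StartMBAMEncryption.wsf ran."
}
elseif ($vol.ProtectionStatus -ne 'On') {
    # A pre-provisioned drive is encrypted but protection stays Off until real protectors are
    # added; that is the step StartMBAMEncryption.wsf is meant to complete.
    $findings += "Volume $MountPoint is encrypted but protection is $($vol.ProtectionStatus)."
}

if ($isWtg) {
    # WTG has no TPM; the post sets a password protector from OSDBitLockerPIN.
    if ($types -notcontains 'Password') {
        $findings += "Windows To Go drive has no password protector (OSDBitLockerPIN was not applied)."
    }
}
else {
    # Fixed drive: ZTIPrepareBDE.wsf should have readied the TPM (OSDBitLockerMode=TPM).
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady)       { $findings += "TPM is not ready; TPM preparation did not complete." }
    if ($types -notcontains 'Tpm') { $findings += "OS drive has no TPM protector." }
}

# The recovery password is what gets escrowed to MBAM; on WTG media this is the piece that
# was found missing. Its protector ID is what to look up in the MBAM recovery database.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    $findings += "No recovery password protector on $MountPoint; nothing could have been reported to MBAM."
}
else {
    $recovery | ForEach-Object { "Recovery protector $($_.KeyProtectorId) present on $MountPoint; confirm it exists in MBAM." }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
"OK: $MountPoint is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%), protectors: $($types -join ', ')"
```

Run it with administrative rights; a non-zero exit code makes it easy to use as a compliance check in a TS or a scheduled task.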


Enjoy and let me know if you have any questions :)


Credits go to my colleagues:

Dave Hornbaker, who created the original StartMBAMEncryption.wsf script

Michael Murgolo, who improved this script

Michael Niehaus, who inspired me on those kind of things :)

Lance Crandall, who worked with me, educating me on the best approaches for my script; without his input it would not have been possible.


MBAMAgent-Policy.zip