gallery.technet.microsoft.com · Web viewBitlocker Disk Encryption with MBAM 2.5 : How to get...


BitLocker Disk Encryption with MBAM 2.5: How to get encryption started quickly as soon as a machine is joined to the domain.

This custom solution is applied while creating/capturing an image that is loaded with all applications and drivers. It targets environments that have no automated way of deploying images, have machines on slow links, or face the major challenge of corporate laptops/tablets that connect to the domain only infrequently.

Terms:

MBAM - Microsoft BitLocker Administration and Monitoring

TPM - Trusted Platform Module

WMI - Windows Management Instrumentation

Commands:

TPMinit

Manage-bde

bdehdcfg

Work to be done before capturing / Sysprepping the image:

1. Turn on the TPM

2. Install the MBAM agent

3. Import the registry key with GPO settings

4. Import the registry key NoStartupDelay

5. Create a 300 MB partition

Step 1: Turning on the TPM

The TPM can be turned on in several ways:

i) Manually in the BIOS

ii) Using the TPM.MSC console

iii) Using commands such as:

- manage-bde -tpm -turnon

- tpminit.exe (works from cmd and PowerShell)

- Initialize-Tpm (PowerShell)

IV) Script from vendors using WMI

In this activity we used WMI to enable the TPM. In a large environment, hardware should be shipped with the TPM already enabled, as that removes the overhead of enabling it.
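The readiness check a practitioner wants before baking the TPM step into an image is whether the TPM is already enabled, activated and owned, and only then to provision it. The script below is an added example and not the vendor WMI script the deck refers to; it reads the Win32_Tpm WMI class (the interface vendor scripts use) and calls Initialize-Tpm, which is available on Windows 8 / Server 2012 and later. Run it elevated; the Initialize-Tpm output property names follow the cmdlet's documented output.

```powershell
# Added example (not from the original deck): check TPM state through the Win32_Tpm WMI
# class and request initialization only if it is not already enabled, activated and owned.
$ns  = 'root\cimv2\Security\MicrosoftTpm'
$tpm = Get-CimInstance -Namespace $ns -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    Write-Warning 'No TPM is exposed to the OS (absent, disabled, or hidden by BIOS/UEFI). Enable it in firmware first.'
    return
}

function Get-TpmReadiness {
    # Win32_Tpm exposes IsEnabled/IsActivated/IsOwned as methods; each returns one boolean.
    [pscustomobject]@{
        SpecVersion = $tpm.SpecVersion
        Enabled     = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        Activated   = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        Owned       = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
    }
}

$state = Get-TpmReadiness
$state | Format-List

if ($state.Enabled -and $state.Activated -and $state.Owned) {
    'TPM is ready for BitLocker; nothing to do.'
    return
}

# Provision the TPM. -AllowPhysicalPresence lets Windows queue a firmware prompt that the
# user must acknowledge at next boot. Deliberately no -AllowClear: an existing owner is never wiped.
$result = Initialize-Tpm -AllowPhysicalPresence
if ($result.RestartRequired -or $result.PhysicalPresenceRequired) {
    Write-Warning 'TPM provisioning needs a reboot (and possibly a firmware confirmation) to complete.'
} elseif ($result.TpmReady) {
    'TPM provisioned successfully.'
}
```

Running this on the reference machine before Sysprep tells you whether the image will land on hardware that still needs a firmware prompt, which is exactly the case the deck recommends avoiding by ordering hardware with the TPM already enabled.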

Step 2: Installing MBAM Client Agent

This is a straightforward step: the agent is simply installed as part of the image.

The MBAM Client Agent is part of the MDOP MBAM solution.

Step 3: Import Registry Key with GPO settings

Here we import registry settings that were exported from a working, domain-joined machine already encrypted with MBAM BitLocker:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]

"DisallowStandardUserPINReset"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]

"UseFddEnforcePolicy"=dword:00000001

"FddEnforcePolicyPeriod"=dword:00000000

"UseOsEnforcePolicy"=dword:00000001

"OsEnforcePolicyPeriod"=dword:00000000

"ShouldEncryptOSDrive"=dword:00000001

"OSDriveProtector"=dword:00000001

"UseMBAMServices"=dword:00000001

"UseKeyRecoveryService"=dword:00000001

"KeyRecoveryServiceEndPoint"=hex(2):

"KeyRecoveryOptions"=dword:00000001

"ClientWakeupFrequency"=dword:0000005a

"UseStatusReportingService"=dword:00000001

"StatusReportingServiceEndpoint"=hex(2):

"StatusReportingFrequency"=dword:0000005a

"ShouldEncryptFixedDataDrive"=dword:00000001

"AutoUnlockFixedDataDrive"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement\Configuration]

"CustomerExperienceImprovementProgram"=dword:00000000

Step 4: Import the registry key NoStartupDelay at this location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]

"NoStartupDelay"=dword:00000001

Step 5: Creating the 300 / 350 MB partition:

To do this we added a script (e.g. DiskPartition.cmd) to the RunOnce registry key, so that when the machine boots for the first time it creates the partition and then reboots.

Script syntax:

@echo off
:: PARTITION - create the BitLocker system partition on first boot
:: (%windir%\sysnative resolves only from a 32-bit process; use %windir%\System32 from a 64-bit prompt)
%windir%\sysnative\bdehdcfg.EXE -driveinfo
:: "if ERRORLEVEL 0" is always true; "if not ERRORLEVEL 1" runs the next line only when -driveinfo succeeded
:: -restart reboots the machine after partitioning, as described above
if not ERRORLEVEL 1 %windir%\sysnative\bdehdcfg.EXE -target default -quiet -restart

Registry Location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Create a String value under this key whose data is the path of the .cmd file:
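Steps 3, 4 and the RunOnce entry above are all registry writes, so they can be applied and, more importantly, verified with one script before the image is captured. The script below is an added example, not part of the original deck: it sets the exported values from Step 3 and Step 4, fills the two service endpoints (which the .reg export above leaves blank; the server name and script path here are placeholders to replace), registers the Step 5 script in RunOnce, and then checks everything. The value name MBAMDiskPartition is my choice. Run it elevated on the reference machine.

```powershell
# Added example, not from the original deck. Placeholders: the MBAM server name and the
# location of the Step 5 script must be replaced with your own values.
$RecoveryUrl     = 'https://mbam.example.invalid/MBAMRecoveryAndHardwareService/CoreService.svc'      # placeholder
$StatusUrl       = 'https://mbam.example.invalid/MBAMComplianceStatusService/StatusReportingService.svc' # placeholder
$PartitionScript = 'C:\Windows\Setup\Scripts\DiskPartition.cmd'                                         # placeholder

$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mdop = "$fve\MDOPBitLockerManagement"

# DWORD values exactly as exported from the working reference machine (Step 3) plus Step 4.
# Key and value name are joined with '|' so one table drives both the write and the check.
$dwords = [ordered]@{
    "$fve|DisallowStandardUserPINReset"                        = 1
    "$mdop|UseFddEnforcePolicy"                                = 1
    "$mdop|FddEnforcePolicyPeriod"                             = 0
    "$mdop|UseOsEnforcePolicy"                                 = 1
    "$mdop|OsEnforcePolicyPeriod"                              = 0
    "$mdop|ShouldEncryptOSDrive"                               = 1
    "$mdop|OSDriveProtector"                                   = 1
    "$mdop|UseMBAMServices"                                    = 1
    "$mdop|UseKeyRecoveryService"                              = 1
    "$mdop|KeyRecoveryOptions"                                 = 1
    "$mdop|ClientWakeupFrequency"                              = 90   # 0x5a minutes
    "$mdop|UseStatusReportingService"                          = 1
    "$mdop|StatusReportingFrequency"                           = 90   # 0x5a minutes
    "$mdop|ShouldEncryptFixedDataDrive"                        = 1
    "$mdop|AutoUnlockFixedDataDrive"                           = 1
    "$mdop\Configuration|CustomerExperienceImprovementProgram" = 0
    'HKLM:\SOFTWARE\Microsoft\MBAM|NoStartupDelay'             = 1
}

foreach ($entry in $dwords.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|', 2
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -Value $entry.Value -PropertyType DWord -Force | Out-Null
}

# hex(2) in the .reg export is REG_EXPAND_SZ, so write the endpoints as ExpandString
New-ItemProperty -Path $mdop -Name KeyRecoveryServiceEndPoint     -Value $RecoveryUrl -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $mdop -Name StatusReportingServiceEndpoint -Value $StatusUrl   -PropertyType ExpandString -Force | Out-Null

# Step 5: RunOnce string value holding the path of the partition script
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
New-ItemProperty -Path $runOnce -Name 'MBAMDiskPartition' -Value $PartitionScript -PropertyType String -Force | Out-Null

function Test-MbamPrestage {
    # Returns a list of problems; an empty list means the image is ready to Sysprep.
    $problems = @()
    foreach ($entry in $dwords.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $entry.Value) { $problems += "$key\$name = $actual (expected $($entry.Value))" }
    }
    # MBAM escrows the recovery key before it starts encrypting, so an empty or unreachable
    # endpoint does not fail loudly: the client simply never begins.
    $p = Get-ItemProperty -Path $mdop
    foreach ($ep in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndpoint') {
        if ([string]::IsNullOrWhiteSpace($p.$ep) -or $p.$ep -notmatch '^https://') {
            $problems += "$ep is empty or not an HTTPS URL"
        }
    }
    if (-not (Test-Path $PartitionScript)) { $problems += "RunOnce script missing: $PartitionScript" }
    return $problems
}

$issues = Test-MbamPrestage
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'MBAM pre-stage configuration verified.' }
```

The endpoint check is the one worth keeping even if you stay with the .reg import: the export shown above carries empty endpoint values, and an image captured with them will look correctly configured while never escrowing a key or starting encryption.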

The last additional step is to create a shortcut to MBAMClientUI.exe and place it on the user's desktop (to achieve this you can use the Copy profile option in the answer file to copy the Default profile), or you can directly click on MBAMClientUI.exe.

This magic step is needed to start encryption as soon as the machine is on the domain.

Default location: C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe

You will see an icon like this, or a pointer in the notification area (screenshot in the original deck):

After all this is done you can Sysprep and capture the image.

Using Event Viewer to see the encryption process:

Application and Services Logs > Microsoft > Windows > BitLocker-DrivePreparationTool

- Here we can see whether the drive is ready for encryption after running the manage-bde command. For this step to succeed, make sure the machine is connected to mains power.

Application and Services Logs > Microsoft > Windows > MBAM - Operational

Event ID 1: This event shows whether MBAM policies were applied successfully; if not, check the Admin log.

Event ID 19: This event shows a successful connection to the MBAM Recovery and Hardware service, the URLs for which are configured by GPO.

Event ID 3: This event provides information about the encryption data.

Event ID 29: This event shows the recovery key escrow status.

You will see this screen if the power cord is not connected; the recommendation is to keep the power cord connected at all times during the encryption process:

manage-bde -status: This command displays the encryption status of the drive(s):

This command also has other switches that provide more information, e.g. key protectors and passwords, and it works only from an elevated command prompt.
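The Event Viewer walk-through and the manage-bde -status check above are what you repeat on every machine that fails to encrypt, so they are worth scripting. The script below is an added example, not part of the original deck: it pulls the four MBAM Operational event IDs the deck lists, the most recent drive preparation events, the OS drive state from the BitLocker module (the same data manage-bde -status and -protectors -get show), and whether the machine is on mains power. The event log names are assumptions derived from the Event Viewer paths above; run it elevated on a client.

```powershell
# Added example, not from the original deck: scripted version of the manual checks above.
Import-Module BitLocker

function Get-MbamEventSummary {
    param([int]$Hours = 24)
    # Event IDs and their meaning, as listed in the deck
    $wanted = @{ 1 = 'MBAM policies applied'; 19 = 'Connected to MBAM recovery/hardware service'
                 3 = 'Encryption data';       29 = 'Recovery key escrow status' }
    # Log name assumed from the Event Viewer path Microsoft > Windows > MBAM > Operational
    $events = Get-WinEvent -FilterHashtable @{ LogName   = 'Microsoft-Windows-MBAM/Operational'
                                               StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
    foreach ($id in ($wanted.Keys | Sort-Object)) {
        $hit = $events | Where-Object Id -eq $id | Select-Object -First 1   # Get-WinEvent returns newest first
        [pscustomobject]@{ Id = $id; Meaning = $wanted[$id]; Seen = [bool]$hit; LastSeen = $hit.TimeCreated }
    }
}

function Get-DrivePreparationEvents {
    # The drive preparation log is located by pattern so its exact name need not be guessed
    $log = Get-WinEvent -ListLog '*BitLocker-DrivePreparationTool*' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($log) { Get-WinEvent -LogName $log.LogName -MaxEvents 10 -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, LevelDisplayName, Message }
}

function Get-OsDriveEncryptionState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Drive             = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        Percent           = $vol.EncryptionPercentage
        ProtectionStatus  = $vol.ProtectionStatus    # stays Off until encryption completes
        Protectors        = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','
        HasRecoveryPasswd = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Test-OnAcPower {
    # The deck requires mains power before encryption starts; Win32_Battery.BatteryStatus 2 = on AC
    $bat = Get-CimInstance Win32_Battery -ErrorAction SilentlyContinue
    if (-not $bat) { return $true }                   # no battery object at all (desktop)
    return @($bat | Where-Object BatteryStatus -eq 2).Count -gt 0
}

Get-MbamEventSummary        | Format-Table -AutoSize
Get-DrivePreparationEvents  | Format-Table -AutoSize -Wrap
Get-OsDriveEncryptionState  | Format-List
if (-not (Test-OnAcPower)) { Write-Warning 'Running on battery: connect the power cord or MBAM will wait.' }
```

Reading the summary: event 1 present but 19 absent points at the GPO endpoints or network reachability; 19 present but 29 absent means the client reached the service but has not escrowed a key yet, which is the state in which encryption never starts; HasRecoveryPasswd true with VolumeStatus still FullyDecrypted usually means the machine is on battery.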

Additional Information:

Recovery Triggers:

- Device Lockout feature in Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1. On PCs that use either BitLocker or Device Encryption, when an attack is detected the device will immediately reboot and enter BitLocker recovery mode. To take advantage of this functionality, administrators can set the Interactive logon: Machine account lockout threshold Group Policy setting, located in \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the Local Group Policy Editor, or use the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Windows Intune), to limit the number of failed password attempts before the device goes into Device Lockout.

- Changing the boot order to boot another drive in advance of the hard drive.

- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.

- Failing to boot from a network drive before booting from the hard drive.

- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.

- Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.

- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.

- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.

- Turning off, disabling, deactivating, or clearing the TPM.

- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

- Forgetting the PIN when PIN authentication has been enabled.

- Updating option ROM firmware.

- Upgrading TPM firmware.

- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMCIA wireless cards.

- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.

- Changes to the master boot record on the disk.

- Changes to the boot manager on the disk.

- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.

- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.

- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.

Note: Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.

- Moving the BitLocker-protected drive into a new computer.

- Upgrading the motherboard to a new one with a new TPM.

- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

- Failing the TPM self-test.

- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.

- Changing the usage authorization for the storage root key of the TPM to a non-zero value.

Note: The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.

- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).

- Pressing the F8 or F10 key during the boot process.

- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.

- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
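Many of the triggers above come down to which PCRs sit in a protector's validation profile, and the one the list singles out, PCR[1], turns routine BIOS setting changes into recovery prompts. The script below is an added example, not part of the original deck: it reads the PCR profile of every TPM-based key protector on the OS drive through the Win32_EncryptableVolume WMI class and flags non-default profiles, and it reads the machine account lockout threshold that backs the Device Lockout feature. The registry location of that threshold (MaxDevicePasswordFailedAttempts under Policies\System) is my assumption. Run it elevated on an encrypted client.

```powershell
# Added example, not from the original deck: audit the TPM validation profile of the OS
# drive's protectors so unexpected recovery triggers can be spotted before rollout.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
if (-not $vol) { throw "No encryptable volume found for $env:SystemDrive" }

# KeyProtectorType values that involve the TPM (Win32_EncryptableVolume.GetKeyProtectors)
$tpmTypes = @{ 1 = 'TPM'; 4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey' }
# Default profiles: BIOS/MBR 0,2,4,8,9,10,11; UEFI 0,2,4,11; UEFI with Secure Boot 7,11
$defaultProfiles = @('0,2,4,8,9,10,11', '0,2,4,11', '7,11')

function Get-TpmProtectorPcrProfile {
    foreach ($type in ($tpmTypes.Keys | Sort-Object)) {
        $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]$type }
        if ($r.ReturnValue -ne 0) { continue }
        foreach ($id in @($r.VolumeKeyProtectorID | Where-Object { $_ })) {
            $p = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                                  -Arguments @{ VolumeKeyProtectorID = $id }
            $pcrs = (@($p.PlatformValidationProfile) | Sort-Object) -join ','
            [pscustomobject]@{
                ProtectorId  = $id
                Type         = $tpmTypes[$type]
                PCRs         = $pcrs
                IsDefault    = $defaultProfiles -contains $pcrs
                # PCR 1 measures platform/BIOS configuration: including it makes non-boot BIOS changes trigger recovery
                IncludesPcr1 = ($pcrs -split ',') -contains '1'
            }
        }
    }
}

function Get-MachineLockoutThreshold {
    # Assumption: "Interactive logon: Machine account lockout threshold" is stored as
    # MaxDevicePasswordFailedAttempts under Policies\System; 0 or absent means the feature is off.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $k -Name MaxDevicePasswordFailedAttempts -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts
    if ($null -eq $v) { 0 } else { [int]$v }
}

$profiles = Get-TpmProtectorPcrProfile
$profiles | Format-Table -AutoSize
foreach ($pr in $profiles) {
    if ($pr.IncludesPcr1)      { Write-Warning "Protector $($pr.ProtectorId) includes PCR 1: BIOS setting changes will force recovery." }
    elseif (-not $pr.IsDefault) { Write-Warning "Protector $($pr.ProtectorId) uses a non-default profile ($($pr.PCRs)); confirm it is intended." }
}
"Machine account lockout threshold: {0}" -f (Get-MachineLockoutThreshold)
```

A non-default profile is not wrong in itself; the point of the audit is that every PCR added to the profile adds entries from the list above to the set of events that will send users to the MBAM helpdesk for a recovery key, so the choice should be deliberate and the threshold that triggers Device Lockout should be known before the image ships.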

Recovery Guide:

https://technet.microsoft.com/en-us/library/dn383583.aspx

MBAM Evaluation:

https://technet.microsoft.com/en-us/library/dn645332(v=vs.85).aspx

MBAM Deployment using Task Sequence:

http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Lenovo BIOS WMI Guide

https://support.lenovo.com/sa/en/documents/ht100612

Author:

Junaid Ahmad Jan