Deploying BitLocker / MBAM (TPM+PIN) with SCCM 2007 OSD

I was reading on TechNet about BitLocker and the possibilities for managing and deploying it centrally. I was looking for ways to deploy it with SCCM and found a nice article on TechNet that I would like to share with you.
This blog post gives a high-level overview of how to deploy BitLocker TPM+PIN with MBAM within OSD in a SCCM07 environment. It also details how to start encryption as soon as MBAM talks to the service endpoint (while the OS is still being deployed). The benefit is that encryption finishes sooner, because it does not wait for the user to select a PIN before it starts. Integrating DaRT 7 into the process is covered as well.

1. When building your image, set up the local MBAM GPO policies to specify things such as the MBAM service and reporting endpoints and the encryption strength. Two settings here sound counterintuitive but are a must if deployment is going to succeed within OSD:
   a. Set the protector type to TPM only and not TPM+PIN. With TPM+PIN, BitLocker will not start encryption until the PIN is set (which is exactly what we don't want to happen).
   b. This one is optional if you are not adding DaRT: if you enable "Deny write access to fixed drives not protected by BitLocker", you will not be able to copy the DaRT WIM to the boot partition. Make sure it is set to Not Configured or Disabled.
2. When deploying your image via an OSD task sequence, do the following steps:
   a. Upgrade your BIOS if it does not have remote TPM activation available (optional, only needed on older models that need remote TPM activation).
   b. Activate the TPM. You can do this in an automated fashion using tools provided by OEM vendors.
   c. Create the boot partition using bdehdcfg.exe. If you are going to use DaRT, make sure the boot partition is 600MB. Otherwise 300MB is good. Below is an example of the command:
      bdehdcfg.exe -target c: shrink -size 600 -quiet
   d. Copy the prepared DaRT 7 WIM to the newly created boot partition, in a folder called recovery\windowsre (optional).
   e. Run reagentc.exe to set the location of the DaRT WIM. Below is an example of the command if you want F1 to be the optional boot key (optional):
      reagentc.exe /setreimage /path <path to winreimage> /target c:\windows /bootkey <scan code>
   f. Run reagentc.exe /enable to enable the new settings we just specified (optional).
   g. Run a script that checks for a CD and ejects it if one is present.
   h. Import the MBAM override registry keys to tell the system to start the encryption process. First stop the MBAM service, then import the following:
      "KeyRecoveryServiceEndPoint"="<url to MBAM endpoint>"
      "Installed"=dword:00000001
   i. Start the MBAM service and reboot (through personal testing, I've found that having it restart greatly increases success. Just one of those things…).
   j. If all goes well, upon restart and communication with the MBAM service endpoint, the machine should start encrypting. Check the event logs to verify communication. Also use manage-bde -status to see whether encryption has started.
3. But wait! You are not finished yet. We need to finish setting up MBAM so that it works as expected. First, delete the MBAM override keys that were listed in step 2, section h.
4. Second, set the protector type in the MBAM GPO to TPM+PIN, or else the user won't get prompted to enter a PIN. You can use the Security Compliance Manager solution accelerator to import the new GPOs.
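
Because the image deliberately starts with a TPM-only protector, two checks are worth scripting: that encryption has actually started after the reboot, and that a TPM+PIN protector is in place once the GPO has been switched and the user has set a PIN. The following is an added example, not part of the original article; it queries the Win32_EncryptableVolume WMI class instead of reading manage-bde -status by eye, and the function names and the 'Osd'/'Final' phase labels are hypothetical.

```powershell
# Added example: report BitLocker state for the OS volume through the
# Win32_EncryptableVolume WMI class. Run elevated; PowerShell 2.0 compatible.
$ConversionNames = @{ 0 = 'FullyDecrypted';       1 = 'FullyEncrypted'
                      2 = 'EncryptionInProgress'; 3 = 'DecryptionInProgress'
                      4 = 'EncryptionPaused';     5 = 'DecryptionPaused' }
$ProtectorNames  = @{ 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
                      4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey' }

function Get-BitLockerDeploymentState {
    param([string]$DriveLetter = $env:SystemDrive)

    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }

    # Type 0 asks for every protector; drop $null so PS 2.0 does not loop once on it.
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $protectors = @(foreach ($id in $ids) {
        $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        if ($ProtectorNames.ContainsKey($type)) { $ProtectorNames[$type] } else { "Type$type" }
    })

    New-Object PSObject -Property @{
        Drive         = $DriveLetter
        Conversion    = $ConversionNames[[int]$vol.GetConversionStatus().ConversionStatus]
        ProtectionOn  = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        KeyProtectors = $protectors
    }
}

# Phase 'Osd'   : after the reboot in the task sequence, encryption must have
#                 started with the TPM-only protector from the image policy.
# Phase 'Final' : after the GPO is switched and the user has set a PIN,
#                 a TPM+PIN protector must be present.
function Test-BitLockerDeploymentState {
    param([ValidateSet('Osd', 'Final')][string]$Phase = 'Osd')

    $state   = Get-BitLockerDeploymentState
    $started = @('EncryptionInProgress', 'FullyEncrypted') -contains $state.Conversion
    $wanted  = if ($Phase -eq 'Osd') { 'TPM' } else { 'TPM+PIN' }
    $ok      = $started -and ($state.KeyProtectors -contains $wanted)

    $state | Add-Member -MemberType NoteProperty -Name Phase -Value $Phase -PassThru |
             Add-Member -MemberType NoteProperty -Name Compliant -Value $ok -PassThru
}

Test-BitLockerDeploymentState -Phase Osd
```

A machine that still reports only a TPM protector in the 'Final' phase is encrypted but unlocks without user input at boot, which is the state the TPM+PIN policy is meant to rule out.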
This was a high-level guide to getting BitLocker with MBAM working in a zero-touch scenario with SCCM 07. It was specific to getting BitLocker working with TPM+PIN and showcased some of the caveats of getting it to work in that environment. The DaRT integration was just a bonus 🙂