Backing up Recovery Keys to MBAM and AD During OSD


As we prepared for our Windows 10 roll out, we had MBAM all setup and ready to go when a wise man suggested we backup the keys to AD too.  I was a little perplexed: In my mind this is redundant since that’s what MBAM is supposed to do.  Can’t we just trust MBAM to do its thing?  But then the same wise man dropped a statement that I totally agreed with:

“I don’t want to be the one to have to explain to our CIO that we have no way of unlocking some VIP’s machine.”

Neither did I.

Here’s a high level overview of how we setup MBAM during OSD.
It’s not the best way and it’s not the only way.  It’s just a way.


  1. Export your BitLocker registry settings from a properly configured machine
  2. Edit the export, set the ‘ClientWakeupFrequency‘ to something low like 5 minutes
  3. Edit the export, set the ‘StatusReportingFrequency‘ to something low like 10 minutes
  4. Package up the .REG file as part of your MBAM client installation
    • This could either be a true Package, but I would recommend an Application that runs a wrapper to import the registry configuration; or create an MST; or add it to the original MSI.

Task Sequence Setup

  1. Wait until the machine is in real Windows, not WinPE
  2. Install the MBAM client (obviously!)
  3. Reboot
  4. Stop the MBAM service – We need to do this so that the settings we make below take effect
  5. Set the MBAM service to start automatically without delay – Want to make sure it fires as soon as possible.
  6. Import your BitLocker registry settings you exported & edited
    • This is the real meat: Since GPO’s are not applied during OSD, your GPO policies won’t reach the machine during the imaging process.  This will ensure your policies are in play as soon as possible.
    • Most places don’t set the  ‘ClientWakeupFrequency‘ and/or ‘StatusReportingFrequency‘ values to something insanely low via GPO which is why we manually edited the .REG file.  If you left them at the default values, the keys wouldn’t get escrowed for a few hours due to the way the MBAM client works.
  7. Optional but Recommended: Switch to AES-XTS-256 by setting ‘EncryptionMethodWithXtsOs‘ in ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE‘ to ‘7
  8. Start the MBAM service
  9. Enable BitLocker using the MBAM Deployment Scripts
  10. Reboot the machine
  11. Continue with your normal imaging process

The Good

  • We’ve not run into machines with improper configurations.
  • Every machine is encrypted using
    • full disk encryption versus used space
    • leverages AES-XTS-256
  • Keys are quickly escrowed to both AD and MBAM.
  • It just works: Deployed with 1511, we’re moving to 1607 and IT is testing 1703.

The Bad

  • I couldn’t figure out how to perform full disk AES-XTS-256 encryption in WinPE so this has to happen when we’re in a real OS.
    • I tried setting the keys via the registry but didn’t bother editing WSF files or trying to reverse engineer what goes on in that step to see if I could make it work.
  • Encryption does NOT begin until after someone logs on.
  • Encryption takes a while (but not too long) on SSDs.

In Closing

I would really like to hear from others on this one.  Because it was – and has been working for a over a year now – we really couldn’t justify dedicating bandwidth to exploring this further.  So we left it as-is.  My brain would like to see it work ‘properly’ one day, but that’ll have to wait.

Good Providence to you!


  1. We are seeing that the Invoke MBAM Powershell script fails during the task sequence. So we have the following in TS:
    1. Convert BIOS to UEFI
    2. Set Registry value for XTS_AES256
    3. Pre-provision Bitlocker
    4. Apply OS
    5. Persist TPM Owner with the script SaveWinPETpmOwnerAuth.wsf
    6. Apply Drivers/Apps
    7. Install MBAM with Dec 2016 Patches
    8. Invoke MBAM Script – Invoke-MbamClientDeployment.ps1
    The error we get is …
    Device \\?\Volume{5ab4c757-6eb2-46e3-bc48-86087aaadf77}\ is already encrypted but not protected. The key protectors will be enabled..
    The operating system reported error 1: Incorrect function.
    When i run the manage-bde -Status C: – I get the following
    BitLocker Version : 2.0
    Conversion Status: Used Space only Encrypted
    Encryption Method: XTS-AES 256
    Protection Status: Protection Off
    Lock Status: Unlocked
    Indentification Field: Unknown


  2. Hi There, in case you are still looking for it: The first release of Windows 10 WinPE didn’t understand XTS-AES 256
    For MBAM you have to adapt the scripts (for example: the MBAM one) to use the XTS-AES256 instead of the defaults (XTS-AES128)

    For Vinod’s issue: Preprovisioning is just encryption for your hard disk. the setting up of the protectors happens in Full Windows (Either through the MBAM Agent or through the Enable BitLocker TS step for AD)

    if in need of help my twitter handle is @IwisVC, always happy to help


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s