Scenario
As we prepared for our Windows 10 rollout, we had MBAM all set up and ready to go when a wise man suggested we back up the keys to AD too. I was a little perplexed: in my mind this is redundant, since that's what MBAM is supposed to do. Can't we just trust MBAM to do its thing? But then the same wise man dropped a statement that I totally agreed with:
“I don’t want to be the one to have to explain to our CIO that we have no way of unlocking some VIP’s machine.”
Neither did I.
Here's a high level overview of how we set up MBAM during OSD.
It’s not the best way and it’s not the only way. It’s just a way.
Prerequisites:
- Export your BitLocker and MBAM client policy settings from a properly configured machine. These are the values Group Policy writes under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE, including the MDOPBitLockerManagement subkey the MBAM client reads.
- Edit the export and set 'ClientWakeupFrequency' to something low, such as 5. The value is in minutes; the default is 90.
- Edit the export and set 'StatusReportingFrequency' to something low, such as 10. Again in minutes; the default is 720.
- Package the .REG file as part of your MBAM client installation.
- This could be a classic Package, but I would recommend an Application whose installer runs a wrapper that imports the registry configuration. Alternatively, build an MST transform, or add the settings to the original MSI.
Task Sequence Setup
- Wait until the machine is in real Windows, not WinPE
- Install the MBAM client (obviously!)
- Reboot
- Stop the MBAM service (MBAMAgent, "BitLocker Management Client Service"). The client reads its policy settings when the service starts, so it has to be stopped before the settings below are written for them to take effect.
- Set the MBAM service to start Automatic rather than Automatic (Delayed Start), so it fires as soon as possible after the reboot.
- Import the BitLocker registry settings you exported and edited.
- This is the real meat: since Group Policy is not processed during OSD, your MBAM and BitLocker GPO settings won't reach the machine during the imaging process. Writing the same values directly into the policy registry keys puts your policy in play as soon as the service starts.
- Most places don't set 'ClientWakeupFrequency' and 'StatusReportingFrequency' to anything this low via GPO, which is why we manually edited the .REG file. At the defaults (90 and 720 minutes) the client waits out its first wakeup interval before it acts, so the keys wouldn't get escrowed for a few hours.
- Optional but recommended: switch to AES-XTS-256 by setting the DWORD 'EncryptionMethodWithXtsOs' under 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE' to 7 (6 selects XTS-AES 128). The method applies to volumes encrypted after the value is set; it does not re-encrypt a volume that is already encrypted.
- Start the MBAM service
- Enable BitLocker using the MBAM Deployment Scripts
- Reboot the machine
- Continue with your normal imaging process
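The stop-service, set-startup-type, import-policy, force-XTS and start-service steps above, collapsed into a single "Run PowerShell Script" task sequence step. This is an added example, not the post's own script. It assumes the MBAM client service is named MBAMAgent, that the .REG path (a placeholder) points at the export from the prerequisites, and that the FVE and MDOPBitLockerManagement value names are the ones Group Policy writes; the Set-PolicyDword and Test-MbamOsdPolicy helpers are hypothetical names chosen here. It also sets the AD backup values from the scenario, which is a no-op if your export already contains them.

```powershell
<#
  Added example (not the original post's script): MBAM client configuration for an
  SCCM task sequence step. Run in the full OS as SYSTEM, after the MBAM client install
  and reboot. Assumptions are labelled inline.
#>
param(
    # Placeholder path: the .REG exported from a properly configured machine.
    [string]$RegFile = 'C:\_SMSTaskSequence\Packages\MBAM\BitLockerPolicy.reg'
)
$ErrorActionPreference = 'Stop'

$Svc     = 'MBAMAgent'                                             # assumption: MBAM client service name
$FveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                 # BitLocker policy key
$MdopKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'  # MBAM client policy key

# Hypothetical helper: write (or overwrite) a policy DWORD, creating the key if needed.
function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Stop the agent: it reads policy at service start, so write policy while it is down.
Stop-Service -Name $Svc -Force

# 2. Automatic start without the delayed-start flag (the client installs as Automatic (Delayed Start)).
& sc.exe config $Svc start= auto | Out-Null
Set-PolicyDword -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Svc" -Name 'DelayedAutoStart' -Value 0

# 3. Import the exported policy. Group Policy is not processed during OSD, so the values go
#    straight into the policy keys the client and BitLocker read.
& reg.exe import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg.exe import of $RegFile failed with exit code $LASTEXITCODE" }

# 4. Enforce the short timers even if the export still carries the defaults (90 / 720 minutes).
Set-PolicyDword -Path $MdopKey -Name 'ClientWakeupFrequency'    -Value 5
Set-PolicyDword -Path $MdopKey -Name 'StatusReportingFrequency' -Value 10

# 5. XTS-AES 256 for the OS drive (7 = XTS-AES 256, 6 = XTS-AES 128), full-disk rather than
#    used-space-only, and do not start encrypting until the recovery password is in AD DS.
Set-PolicyDword -Path $FveKey -Name 'EncryptionMethodWithXtsOs'      -Value 7
Set-PolicyDword -Path $FveKey -Name 'OSEncryptionType'               -Value 1
Set-PolicyDword -Path $FveKey -Name 'OSActiveDirectoryBackup'        -Value 1
Set-PolicyDword -Path $FveKey -Name 'OSRequireActiveDirectoryBackup' -Value 1

# 6. Verify before starting the service: a task sequence should fail here, not hours later
#    when a VIP's machine turns out to have no escrowed key.
function Test-MbamOsdPolicy {
    $m = Get-ItemProperty -Path $MdopKey
    $f = Get-ItemProperty -Path $FveKey
    return ($m.ClientWakeupFrequency -le 5) -and
           ($m.StatusReportingFrequency -le 10) -and
           ($f.EncryptionMethodWithXtsOs -eq 7) -and
           ($f.OSEncryptionType -eq 1) -and
           ($f.OSRequireActiveDirectoryBackup -eq 1)
}
if (-not (Test-MbamOsdPolicy)) {
    throw 'MBAM/BitLocker policy values are not what this step set; refusing to continue.'
}

# 7. Start the agent. The next task sequence step runs the MBAM deployment script
#    (Invoke-MbamClientDeployment.ps1) to enable BitLocker and escrow the key.
Start-Service -Name $Svc
```

Two caveats worth keeping in mind. OSRequireActiveDirectoryBackup means BitLocker refuses to turn on until the recovery password has been written to AD DS, so the machine must already be domain joined with a reachable domain controller at this point in the task sequence; if that is not guaranteed, leave that value out and rely on MBAM escrow alone. And because the policy keys are written directly rather than by Group Policy, the next GPO refresh after imaging will overwrite them with whatever your GPO actually says, which is exactly what you want once the keys are escrowed.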
The Good
- We’ve not run into machines with improper configurations.
- Every machine is encrypted with full disk encryption (not used space only) and AES-XTS-256.
- Keys are quickly escrowed to both AD and MBAM.
- It just works: Deployed with 1511, we’re moving to 1607 and IT is testing 1703.
The Bad
- I couldn’t figure out how to perform full disk AES-XTS-256 encryption in WinPE so this has to happen when we’re in a real OS.
- I tried setting the keys via the registry but didn’t bother editing WSF files or trying to reverse engineer what goes on in that step to see if I could make it work.
- Encryption does NOT begin until after someone logs on.
- Encryption takes a while (but not too long) on SSDs.
In Closing
I would really like to hear from others on this one. Because it was working, and has been for over a year now, we really couldn't justify dedicating bandwidth to exploring this further. So we left it as-is. My brain would like to see it work 'properly' one day, but that'll have to wait.
Good Providence to you!