MBAM (Microsoft BitLocker Administration and Monitoring) is a fantastic tool for managing your BitLocker Recovery Keys and your TPM Passwords. There is, however, an issue when using MBAM to manage these items if you are using BitLocker Pre-Provisioning during Operating System Deployment (OSD).
The issue stems from Pre-Provisioning taking ownership of the TPM chip while still in WinPE: the TPM OwnerAuth it creates is not carried over into the full OS, so MBAM has nothing to escrow into the MBAM database. To resolve this, you must be using MBAM 2.5 SP1 and run two scripts as part of the OSD process. The scripts and other information can be found on Microsoft TechNet here.
Below are the new steps that are needed to handle the Pre-Provisioning with MBAM 2.5 SP1.
There are two new scripts that need to be put into a package and/or the MDT Toolkit Scripts folder.
SaveWinPETpmOwnerAuth.wsf
This script saves the TPM OwnerAuth created when Pre-Provisioning takes ownership of the TPM in WinPE, so that MBAM can still escrow it later in the Task Sequence.
Invoke-MbamClientDeployment.ps1
This is the new script that has MBAM enable encryption and escrow the recovery key and TPM OwnerAuth.
The Invoke-MbamClientDeployment.ps1 script simply takes the place of the old StartMBAMEncryption.wsf script:
The parameters for the updated script look like this: -RecoveryServiceEndpoint "http://server.firm.com/MBAMRecoveryAndHardwareService/CoreService.svc" -IgnoreEscrowOwnerAuthFailure
Be aware of what -IgnoreEscrowOwnerAuthFailure does: it lets the step succeed even when the TPM OwnerAuth cannot be escrowed, so a machine can finish deployment with no TPM password in MBAM and nothing in the Task Sequence will tell you. Leave it off if you would rather the Task Sequence fail loudly.
The Persist TPM Info step (SaveWinPETpmOwnerAuth.wsf) goes here in your OSD Task Sequence:
Immediately after the OS is applied and before the first reboot into the full OS.
The TPM step looks like this:
Here I have it as part of the SCRIPTROOT, but you could make it its own Package as well.
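Below is an added example that ties the two steps together; it is not code from the original post or from Microsoft's MBAM scripts. The comment block shows the two Run Command Line steps, and the script itself is a wrapper for the full-OS step that calls Invoke-MbamClientDeployment.ps1, logs what was run, and then checks that the system drive actually ended up with a recovery password protector. Everything named here is an assumption: the wrapper filename Enable-MbamDuringOsd.ps1, the log path, that the wrapper sits in the same package directory as Invoke-MbamClientDeployment.ps1, that the MBAM 2.5 SP1 client was installed by an earlier step, that %SCRIPTROOT% resolves (MDT-integrated Task Sequence), and that manage-bde prints its English "Numerical Password" label. The endpoint reuses the post's server name but over HTTPS; the recovery key and TPM OwnerAuth travel over that connection, so use the HTTPS endpoint if your MBAM web services are published with a certificate.

```powershell
<#
  Added example wrapper (not part of the original post or of Microsoft's scripts).

  Task Sequence step 1 (WinPE, immediately after "Apply Operating System",
  before the first reboot into the full OS):
      Run Command Line:  cscript.exe "%SCRIPTROOT%\SaveWinPETpmOwnerAuth.wsf"

  Task Sequence step 2 (full OS, after the MBAM 2.5 SP1 client is installed):
      Run Command Line:  PowerShell.exe -ExecutionPolicy Bypass -File Enable-MbamDuringOsd.ps1

  Assumed: this file is Enable-MbamDuringOsd.ps1 and lives in the same package
  directory as Invoke-MbamClientDeployment.ps1. Endpoint and log path are placeholders.
#>
param(
    [string]$RecoveryServiceEndpoint = 'https://server.firm.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$LogPath = "$env:SystemRoot\Temp\MBAM-OSD.log",
    # Off by default: a failed TPM OwnerAuth escrow then fails the step instead of
    # quietly producing a machine with no TPM password in MBAM.
    [switch]$IgnoreEscrowOwnerAuthFailure
)

# $MyInvocation must be read at script scope (PowerShell 2.0 has no $PSScriptRoot outside modules).
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Counts recovery password (numerical password) protectors on a volume by parsing
# manage-bde output. Assumes the English label; localized builds print a different one.
function Get-RecoveryPasswordProtectorCount {
    param([string]$Drive = $env:SystemDrive)
    $output = & manage-bde.exe -protectors -get $Drive 2>&1 | Out-String
    return ([regex]::Matches($output, 'Numerical Password:')).Count
}

function Invoke-MbamDeploymentStep {
    $mbamScript = Join-Path $scriptDir 'Invoke-MbamClientDeployment.ps1'
    if (-not (Test-Path $mbamScript)) {
        Write-Log "Missing $mbamScript; is the MBAM 2.5 SP1 script package referenced by this step?"
        return 1
    }

    # Build the argument list once so the log records exactly what was executed.
    $arguments = @('-ExecutionPolicy', 'Bypass', '-File', $mbamScript,
                   '-RecoveryServiceEndpoint', $RecoveryServiceEndpoint)
    if ($IgnoreEscrowOwnerAuthFailure) { $arguments += '-IgnoreEscrowOwnerAuthFailure' }
    Write-Log "Running: PowerShell.exe $($arguments -join ' ')"

    # Run the MBAM script in a child PowerShell.exe; a terminating error inside it
    # makes the child exit non-zero, which fails this Task Sequence step.
    & PowerShell.exe @arguments 2>&1 | ForEach-Object { Write-Log "  $_" }
    $exitCode = $LASTEXITCODE
    Write-Log "Invoke-MbamClientDeployment.ps1 exited with $exitCode"
    if ($exitCode -ne 0) { return $exitCode }

    # Post-check: the system drive should now carry at least one recovery password protector.
    $count = Get-RecoveryPasswordProtectorCount
    Write-Log "Recovery password protectors on $($env:SystemDrive): $count"
    if ($count -lt 1) { return 2 }
    return 0
}

exit (Invoke-MbamDeploymentStep)
```

The exit code is what the Task Sequence sees, so a missing script, a failure inside Invoke-MbamClientDeployment.ps1, or a volume with no recovery password protector all stop the deployment rather than leaving an unmanaged machine behind. The log under Windows\Temp gives you the exact command line and the MBAM script's output when you have to explain why a step failed.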