If you are using MDOP and BitLocker then you are more than likely aware of MBAM. Microsoft BitLocker Administration and Monitoring (MBAM) is a tool used, amongst other things, for storing the BitLocker keys used in your Enterprise. This means that you can have a central repository for your MBAM client agents to talk to, and they do this via Group Policy settings.
To make things simple: once your computers are BitLocker protected, have the MBAM client agent installed, and the MBAM Group Policy settings point to your MBAM server, the info (recovery key etc.) will make its way up to the MBAM database. This means that we can use a script in Windows PE to connect to the SQL server and pull the needed information. Why? Well, during a Refresh (reinstallation of Windows) on your BitLockered computers you need to unlock the BitLockered drive and then suspend it (so that you can read/write), and to do so you need to provide the recovery key. To get this key we make a connection to the SQL database on the MBAM server and request the information.
Note: you'll need the ADO connector added to your boot image in order to make a connection from Windows PE to your SQL server. To do that, create an MDT boot image as described here and make sure 'ADO' is selected, otherwise you'll get ADODB.Connection errors in WinPE.
First of all you'll need a script, let's call it Get_RecoveryKey_from_MBAM.wsf. Place the script in a sub directory of your scripts dir in your MDT Toolkit Files package:
<job id="GetBitLockerKey">
<script language="VBScript" src="..\ZTIUtility.vbs"/>
<script language="VBScript" src="..\ZTIDataAccess.vbs"/>
<script language="VBScript">
Dim ConString
Dim RsTemp
Dim RecoveryKeyID
Dim RecoveryKey
Dim oEnv
Dim WShell, fso, InfoFile, FileRow, SQL

Set oEnv=CreateObject("Microsoft.SMS.TSEnvironment")
Set WShell=CreateObject("WScript.Shell")
Set fso=CreateObject("Scripting.FileSystemObject")

' List the key protectors of the (still locked) OS volume. In WinPE the offline
' Windows drive is D: and X: is the WinPE RAM drive.
WShell.Run "%comspec% /C manage-bde.exe -protectors -get d: > x:\BLInfo.txt",1,true

' Find the "Numerical Password:" protector. The line that follows it is
' "      ID: {GUID}", and that GUID is the RecoveryKeyID MBAM stores the key under.
RecoveryKeyID=""
Set InfoFile=fso.OpenTextFile("x:\BLInfo.txt")
Do While Not InfoFile.AtEndOfStream
  FileRow=InfoFile.ReadLine
  If InStr(FileRow,"Numerical Password")<>0 Then
    RecoveryKeyID=InfoFile.ReadLine
    Exit Do
  End If
Loop
InfoFile.Close

' "      ID: {" is 11 characters, so the 36 character GUID (without braces) starts at position 12
RecoveryKeyID=Mid(RecoveryKeyID,12,36)
If Len(RecoveryKeyID)<>36 Then
  msgbox "No Numerical Password protector found on d:, cannot look the key up in MBAM"
  WScript.Quit 1
End If

'PARAMETERS
ConString="Provider=SQLOLEDB.1;Data Source=mbam,1433;Initial Catalog=MBAM Recovery and Hardware;User ID=OSD;Password=Password123"

'MAIN
SQL="SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID='" &RecoveryKeyID &"'"
Set RsTemp=GetRs(SQL)
If RsTemp.EOF Then
  msgbox "RecoveryKeyID " &RecoveryKeyID &" was not found in MBAM"
  WScript.Quit 1
End If
RecoveryKey=RsTemp("RecoveryKey")
' Hand the key to the task sequence so the Unlock step can use %RecoveryKey%
oEnv("RecoveryKey")=RecoveryKey
msgbox "RecoveryKey retrieved from MBAM is:" &RecoveryKey

Function GetRs(SQL)
  Dim Con
  Dim Rs
  Set Con=CreateObject("ADODB.Connection")
  Con.Open ConString
  Set Rs=Con.Execute(SQL)
  ' Set is required when returning an object from a function
  Set GetRs=Rs
End Function
</script>
</job>
Ok so what does this script do?
The script makes a call to the SQL database on our MBAM server (Data Source=mbam), specifying the database (MBAM Recovery and Hardware) and the user/password we need to connect with (User ID=OSD;Password=Password123); this is the ConString line in the script above. It then looks up the RecoveryKey whose RecoveryKeyID matches the Numerical Password protector ID that manage-bde reported for the drive.
This requires SQL Server Authentication to be enabled in SQL Server (SQL Server and Windows authentication mode, i.e. mixed mode), so you'll need to configure this on your MBAM server (right click on your SQL server in SQL Management Studio, choose Properties, then Security).
Then configure the OSD user in SQL with access to the MBAM Recovery and Hardware database.
In your Refresh task sequence you'll need to add a few new steps to get the key from your MBAM server. The first step is called Get Recovery Key from MBAM SQL in WinPE.
Note:- We only try to get the key if a Protected Volume (Encrypted) is detected (see link 3 below). There's no need for us to get the key if the drive is already unlocked, so checking that it's Protected is an important step.
Now that we have the key from MBAM, nicely placed in a task sequence variable called RecoveryKey, we unlock the drive with manage-bde in the next step, called Unlock Bitlockered Drive.
The next step simply Suspends the Bitlockered drive:
manage-bde d: -protectors -disable
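The same flow, from the script explanation above through the task sequence steps (check the volume is protected, get the key from MBAM, unlock, suspend), carried through as one PowerShell script. This is an added example and not the post's own script: it assumes a boot image that includes the PowerShell and .NET optional components (the post's MDT image only adds ADO), that the SQL login for the OSD account arrives as a PSCredential (for example assembled from task sequence variables) instead of being hard-coded in a script that ships inside the Toolkit package, and that the locked OS volume is D: as in the post. The function names are mine, and the unlock command is the -RecoveryPassword form of manage-bde -unlock, since the post's screenshot of that step is not on the page. Two things it does differently from the .wsf: it parses the manage-bde listing by its structure instead of by character offset, and it binds the RecoveryKeyID as a SQL parameter rather than concatenating it into the query. The manage-bde output at the end is a constructed sample so the parser can be exercised offline.

```powershell
# Added example, not the post's script. Assumes PowerShell is present in the boot image,
# the SQL login is supplied as a PSCredential, and the locked OS volume is D: (as in the post).

function Get-ManageBdeProtectors {
    # Parses "manage-bde -protectors -get <vol>" output into objects with Type and Id.
    # Protector headers are indented four spaces ("    Numerical Password:", "    TPM:");
    # the "ID: {GUID}" line that follows belongs to that protector.
    param([Parameter(Mandatory)][string[]]$Lines)
    $protectors = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^ {4}(\S[^:]*):\s*$') {
            $current = [pscustomobject]@{ Type = $Matches[1]; Id = $null }
            $protectors += $current
        }
        elseif ($null -ne $current -and $line -match '^\s+ID:\s*\{([0-9A-Fa-f-]{36})\}\s*$') {
            $current.Id = $Matches[1]
        }
    }
    return $protectors
}

function Get-MbamRecoveryKey {
    # Looks the key up in the MBAM database. The ID is validated as a GUID and bound
    # as a parameter, so it never becomes part of the SQL text.
    param(
        [Parameter(Mandatory)][string]$RecoveryKeyId,
        [Parameter(Mandatory)][string]$SqlServer,           # e.g. 'mbam,1433' as in the post
        [Parameter(Mandatory)][pscredential]$SqlCredential,
        [string]$Database = 'MBAM Recovery and Hardware'
    )
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($RecoveryKeyId, [ref]$guid)) { throw "Not a GUID: '$RecoveryKeyId'" }
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $csb['Data Source']     = $SqlServer
    $csb['Initial Catalog'] = $Database
    $csb['User ID']         = $SqlCredential.UserName
    $csb['Password']        = $SqlCredential.GetNetworkCredential().Password
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $csb.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT RecoveryKey FROM RecoveryAndHardwareCore.Keys WHERE RecoveryKeyID = @id'
        [void]$cmd.Parameters.AddWithValue('@id', $guid.ToString())
        $key = $cmd.ExecuteScalar()
        if ($null -eq $key) { throw "RecoveryKeyID $RecoveryKeyId is not in MBAM (the agent may not have reported yet)" }
        return [string]$key
    }
    finally { $conn.Dispose() }
}

function Invoke-BitLockerRefreshPrep {
    # The post's task sequence steps in order: protected?, get key, unlock, suspend.
    # Every manage-bde call is checked through $LASTEXITCODE so a failure stops the sequence.
    param(
        [string]$Volume = 'D:',
        [string]$SqlServer = 'mbam,1433',
        [Parameter(Mandatory)][pscredential]$SqlCredential
    )
    $status = (& manage-bde -status $Volume) -join "`n"
    if ($status -notmatch 'Lock Status:\s+Locked') {
        Write-Output "$Volume is not a locked BitLocker volume, no key needed"
        return
    }
    $np = Get-ManageBdeProtectors -Lines (& manage-bde -protectors -get $Volume) |
          Where-Object { $_.Type -eq 'Numerical Password' } | Select-Object -First 1
    if (-not $np -or -not $np.Id) { throw "No Numerical Password protector on $Volume" }

    $key = Get-MbamRecoveryKey -RecoveryKeyId $np.Id -SqlServer $SqlServer -SqlCredential $SqlCredential
    & manage-bde -unlock $Volume -RecoveryPassword $key | Out-Null      # Unlock Bitlockered Drive step
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -unlock failed ($LASTEXITCODE)" }
    & manage-bde $Volume -protectors -disable | Out-Null                # Suspend step, as in the post
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed ($LASTEXITCODE)" }
    Write-Output "$Volume unlocked and protectors suspended"
}

# Constructed sample of the manage-bde listing so the parser can be exercised offline
$sample = @'
Volume D: [OSDisk]
All Key Protectors

    Numerical Password:
      ID: {12345678-ABCD-4EF0-9123-456789ABCDEF}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888

    TPM:
      ID: {87654321-DCBA-4FE0-8321-FEDCBA987654}
'@ -split "`r?`n"
Get-ManageBdeProtectors -Lines $sample | Where-Object { $_.Type -eq 'Numerical Password' }
```

Run against the constructed sample, the last line returns a single object whose Type is Numerical Password and whose Id is the GUID from the sample, which is the value the post's script extracts with Mid(...,12,36). In a task sequence you would call Invoke-BitLockerRefreshPrep with the credential instead. Whichever form you use, the login in the connection string can read every recovery key in the Keys table, so grant the OSD login nothing beyond SELECT on that table and keep the Toolkit package's permissions tight.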
Ok that's the explanation, how can you test it?
First of all you'll need to deploy a computer with Windows 7 and BitLocker encryption on it. Once done, install the MBAM client agent on the computer (see link 2 below or install it manually).
In addition to the above you'll want MBAM configured (local group policies and MBAM server side). Once done, log in to your Windows 7 computer and start an Administrative Command Prompt.
Type the following:-
manage-bde -protectors -get c:
If the drive is BitLockered it will list the key protectors, and the Password listed is our Recovery Key. To verify that this value is in our MBAM database, simply log in to the database using SQL Management Studio and expand the MBAM Recovery and Hardware database. Expand it so that you can see the tables and choose the RecoveryAndHardwareCore.Keys table. Right click the table and choose Select Top 1000 Rows. Verify that the password revealed from our Windows 7 command prompt is present in our MBAM database.
If the RecoveryKey is listed, you are ready to test the script in WinPE and to test a Refresh scenario! If the key does NOT appear (and the MBAM client agent can take time to send this info, up to 90 minutes or more...) then simply restart the MBAM client agent service (BitLocker Management Client Service) on your Windows 7 client, wait a minute and try again.
good luck !
Related reading:
1. Microsoft BitLocker Administration and Monitoring (MBAM) - http://www.microsoft.../mdop/mbam.aspx
2. Deploying the MBAM agent using ConfigMgr - http://technet.micro...indows/hh328534
3. How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE? - http://myitforum.com...e-in-winpe.aspx
4. Is the TPM Chip Enabled or Disabled in the Bios on my Dell system? - http://myitforum.com...ell-system.aspx
5. How can I determine if there's a TPM chip on my Dell system needed for BitLocker? - http://myitforum.com...-bitlocker.aspx