MBAM has to own the TPM in order to store the TPM OwnerAuth password. During a task sequence, follow the steps below. The steps assume BitLocker pre-provisioning, but the concept is the same even if you don't use it. If the machine is already encrypted and you want MBAM to store the password, you will have to clear the TPM and reboot. Note that this requires physical presence - someone will have to hit F1 at the pre-boot prompt. See below for how to clear it via PowerShell.
The reason you want the TPM OwnerAuth password is that if a user mistypes their PIN too many times in pre-boot, the TPM may put the machine into BitLocker Recovery and lock itself for some period of time (how long depends on the manufacturer). To unlock it faster once you have supplied the BitLocker Recovery Password and are back in the OS, you open tpm.msc, choose Reset TPM Lockout, and supply the TPM OwnerAuth password. If MBAM stores it, you can get that password from the MBAM Helpdesk portal.
To configure MBAM to own the TPM and store OwnerAuth passwords
On the client computer, open an elevated Windows PowerShell command prompt.
Type the following Windows PowerShell commands:
$tpm=get-wmiobject -class Win32_Tpm -namespace root\cimv2\security\microsofttpm
Gets an instance of the TPM WMI class.
Disables TPM auto-provisioning.
Clears the TPM.
Restart the computer, and then confirm that you want to clear the TPM.
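The clear sequence above, as an added example that is not part of the original post: it reports the TPM state first, skips the clear if the TPM is already unowned, and supports -WhatIf. It assumes an elevated prompt on Windows 8 or later; Disable-TpmAutoProvisioning, Get-Tpm and the Win32_Tpm methods are standard Windows cmdlets and WMI methods (the function name Invoke-TpmClearForMbam is mine), and it degrades to the WMI-only path on older Windows.

```powershell
function Invoke-TpmClearForMbam {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if (-not $tpm) { throw 'No TPM found (Win32_Tpm returned nothing).' }
    # The TrustedPlatformModule cmdlets only exist on Windows 8 / Server 2012 and later.
    $hasTpmModule = [bool](Get-Command Disable-TpmAutoProvisioning -ErrorAction SilentlyContinue)

    # Each Win32_Tpm state method returns an object with a property of the same name.
    $state = [ordered]@{
        Enabled            = $tpm.IsEnabled().IsEnabled
        Activated          = $tpm.IsActivated().IsActivated
        Owned              = $tpm.IsOwned().IsOwned
        OwnerClearDisabled = $tpm.IsOwnerClearDisabled().IsOwnerClearDisabled
        AutoProvisioning   = $(if ($hasTpmModule) { (Get-Tpm).AutoProvisioning } else { 'n/a (pre-Windows 8)' })
    }
    $summary = ($state.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    Write-Verbose "TPM state before clear: $summary"

    if (-not $state.Owned) {
        Write-Host 'TPM is already unowned; MBAM can take ownership without a clear.'
        return $state
    }

    if ($PSCmdlet.ShouldProcess('local TPM', 'disable auto-provisioning and request a clear')) {
        # Stop Windows from re-owning the TPM at the reboot that follows the clear;
        # otherwise the OS, not the MBAM agent, ends up holding OwnerAuth.
        if ($hasTpmModule) { Disable-TpmAutoProvisioning | Out-Null }

        # Physical-presence request 22 = enable, activate and clear the TPM. The firmware
        # asks the person at the console to confirm at the next boot (the F1 prompt).
        $result = $tpm.SetPhysicalPresenceRequest(22)
        if ($result.ReturnValue -ne 0) {
            throw ('SetPhysicalPresenceRequest(22) failed: 0x{0:X8}' -f $result.ReturnValue)
        }
        Write-Host 'Clear requested. Reboot and confirm at the pre-boot prompt.'
    }
    return $state
}

Invoke-TpmClearForMbam -Verbose
```

Because ConfirmImpact is High, the function prompts before touching the TPM; run it with -WhatIf to see the state report without changing anything.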
For the task sequence to get MBAM to own it out of the box, do the following:
Capture and sysprep a WIM as you normally would.
Mount the captured WIM (index 1 is assumed here for a single-image WIM; the mount directory is the one used in the unmount step below) -
dism /mount-wim /wimfile:C:\WimImages\Win7.wim /index:1 /mountdir:C:\AIKMount
Load the WIM's SYSTEM hive into the registry -
reg load HKLM\WimRegistry C:\AIKMount\Windows\System32\config\SYSTEM
Open regedit and browse to HKLM\WimRegistry\ControlSet001\Services\TPM\WMI (an offline hive has no CurrentControlSet; ControlSet001 is normally the control set that Select\Current points to) and add the two DWORD values below, both set to 1. On the running system they appear at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoAutoProvision [REG_DWORD]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoDisableOwnerClear [REG_DWORD]
Unload the WIM registry -
reg unload HKLM\WimRegistry
Commit changes to the WIM and unmount -
dism /unmount-wim /mountdir:C:\AIKMount /commit
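The same offline registry edit done from PowerShell, as an added example that is not part of the original post. It follows the hive's Select\Current value instead of assuming ControlSet001 and releases handles before unloading the hive. It assumes the DISM PowerShell module, an elevated session, the WIM path and mount directory from the steps above, and image index 1.

```powershell
param(
    [string]$WimFile  = 'C:\WimImages\Win7.wim',
    [int]   $Index    = 1,
    [string]$MountDir = 'C:\AIKMount'
)
$hiveKey = 'HKLM\WimRegistry'   # same temporary key name as the reg unload step
$saved   = $false

Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null
try {
    & reg.exe load $hiveKey (Join-Path $MountDir 'Windows\System32\config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    # An offline hive has no CurrentControlSet link; Select\Current names the
    # ControlSetNNN the image will boot with (usually 1, but read it rather than assume).
    $current = (Get-ItemProperty 'HKLM:\WimRegistry\Select').Current
    $wmiKey  = 'HKLM:\WimRegistry\ControlSet{0:D3}\Services\TPM\WMI' -f $current
    if (-not (Test-Path $wmiKey)) { New-Item -Path $wmiKey -Force | Out-Null }

    # NoAutoProvision=1: Windows does not take TPM ownership at boot, leaving it for MBAM.
    # NoDisableOwnerClear=1: Windows leaves the owner-clear command enabled instead of
    # disabling it at boot.
    foreach ($name in 'NoAutoProvision', 'NoDisableOwnerClear') {
        New-ItemProperty -Path $wmiKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $wmiKey | Select-Object NoAutoProvision, NoDisableOwnerClear
    $saved = $true
}
finally {
    # Drop PowerShell's handles on the hive first, or reg unload reports "access denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $hiveKey | Out-Null
    # -Save is the /commit equivalent; on any failure above, discard instead.
    if ($saved) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else        { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```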
I then went to MDT 2012 Update 1 and my deployment share and edited the ZTIBDE.wsf script so that it does not take ownership of the TPM.
In that script, replace the TpmValidate function with the version below (I just commented out the SetTpmOwner lines):
Function TpmValidate ()
    Dim iRetVal, sCmd, sTpmOwnerPassword
    iRetVal = Success

    '// Set oTpm to valid instance
    iRetVal = GetTpmInstance()
    TestAndFail iRetVal, 6734, "Get TPM Instance"

    '// Set global booleans for TPM state. Error bubble handled by subs
    iRetVal = GetTpmEnabled()
    TestAndFail iRetVal, 6735, "Check to see if TPM is enabled"
    iRetVal = GetTpmActivated()
    TestAndFail iRetVal, 6736, "Check to see if TPM is activated"
    iRetVal = GetTpmOwner()
    TestAndFail iRetVal, 6737, "Check to see if TPM is owned"
    iRetVal = GetTpmOwnershipAllowed()
    TestAndFail iRetVal, 6738, "Check to see if TPM Ownership is allowed"
    iRetVal = GetEndorsementKeyPairPresent()

    oLogging.CreateEntry "TpmEnabled: " & bTpmEnabled, LogTypeInfo
    oLogging.CreateEntry "TpmActivated: " & bTpmActivated, LogTypeInfo
    oLogging.CreateEntry "TpmOwned: " & bTpmOwned, LogTypeInfo
    oLogging.CreateEntry "TpmOwnershipAllowed: " & bTpmOwnershipAllowed, LogTypeInfo
    oLogging.CreateEntry "EndorsementKeyPairPresent: " & bEndorsementKeyPairPresent, LogTypeInfo

    '// Single instance check to allow future corrective action branching.
    TestAndFail bTPMEnabled, 6739, "Check to see if TPM is enabled"
    TestAndFail bTPMActivated, 6740, "Check to see if TPM is activated"
    TestAndFail bTpmOwned or bTpmOwnershipAllowed , 6741, "Check to see if TPM is owned and ownership is allowed"

    '// The SetTpmOwner calls are commented out so MDT leaves the TPM unowned for the MBAM agent.
    '// iRetVal still holds the result of GetEndorsementKeyPairPresent(), so the TestAndFail
    '// lines that follow pass on a healthy TPM. The log text of the Admin/Default branches was
    '// mangled in this copy and is restored from the wording of the shipped ZTIBDE.wsf.
    If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then
        If oEnvironment.Item("TpmOwnerPassword") <> "" Then
            oLogging.CreateEntry "TPM Ownership being initiated.", LogTypeInfo
            'iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
            TestAndFail iRetVal, 6741, "TPM Owner Password set"
        ElseIf oEnvironment.Item("AdminPassword") <> "" Then
            oLogging.CreateEntry "TPM Ownership being initiated with Admin Password (not recommended).", LogTypeInfo
            'iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
            TestAndFail iRetVal, 6742, "TPM Owner Password set to Admin Password."
        Else
            oLogging.CreateEntry "TPM Ownership being initiated with Default Password (not recommended).", LogTypeInfo
            'iRetVal = SetTpmOwner("M0nksH00d!4T3al")
            TestAndFail iRetVal, 6743, "Set TPM Owner Password"
        End If
    End If

    TpmValidate = Success
End Function
Grab the StartMBAMEncryption.wsf script from [link missing in source] and comment out the same SetTpmOwner lines as above.
Added the following files to an MDT application.
Set the app to run cscript.exe startmbamencryption.wsf /MBAMServiceEndPoint:http://<yourmbamserver>/MBAMRecoveryAndHardwareService/CoreService.svc
Added the MBAM agent installer as an application
Added the MBAM agent to the task sequence
Added the Start MBAM Encryption app to the task sequence
Set OSDBitLockerMode=TPM and IsBDE=True in customsettings.ini
Made sure this was a bare metal machine where the TPM was clear (for testing, you can clear it from the BIOS, just make sure it is activated).
Ran the TS on the box.
BitLocker was pre-provisioned and activated, and MBAM took ownership of the TPM which escrowed the OwnerAuth info to MBAM.