MBAM 1.0 test-cases

    Question

  • Hi,

    I have deployed MBAM Server+SQL & agent to one of the client machines in a testing environment.
    I am able to encrypt the laptop & the status is now showing as Compliant in the Reporting console. Now the main issue is:

    1. What will be the status of the laptop if I decrypt the drives?

    2. What if I rejoined an encrypted machine into the domain?

    3. What if I renamed a computer which has MBAM drive encryption?

    4. Can I delete the hostname from the MBAM Compliance report if the host has not reported for more than X days?

    Also suggest various test scenarios.

    Awaiting your reply.

    Thanks,
    David.


    Tuesday, September 24, 2013 10:27 AM

Answers

  • 1. What will be the status of the laptop if I decrypt the drives? - Encryption Required.

    2. What if I rejoined an encrypted machine into the domain? - If it is joined to the same domain, there will not be any issue.

    3. What if I renamed a computer which has MBAM drive encryption? - There will be a new entry for the machine with the new name, but it will not have the TPM hash password or recovery key information. Those two will remain intact with the older one. You will only get a new machine entry in the database.

    4. Can I delete the hostname from the MBAM Compliance report if the host has not reported for more than X days? - You cannot delete any entry from the database.


    Gaurav Ranjan

    • Marked as answer by David Athukuni Tuesday, October 01, 2013 9:12 AM
    Saturday, September 28, 2013 10:18 AM

All replies

  • Hi Gaurav,

    Thanks for the reply. I have noted all the points which are answered by you, so I planned to perform some tests & see the result.

    I have performed the following scenario:

    • Renamed the MBAM encrypted machine & joined it into the domain.
    • Restarted the MBAM Client services.
    • The new hostname is reflected in the database as well as the reporting server, but after a day.

    The entry which I'm seeing in the MBAM database tables is not matching with the MBAM client service restart, so I just wanted to know, after renaming the hostname, what entries need to be changed in the registry so that it can be reflected in the SQL Server database with minimum latency.

    Thanks,

    David .

    Tuesday, October 01, 2013 9:12 AM
  • You don't need to make any changes on the registry part. The MBAM agent will itself take care of all of the things.

    Gaurav Ranjan

    Tuesday, October 01, 2013 10:00 AM
  • Hey Gaurav,

    Thanks for the reply, however in my case I updated my hostname yesterday & it was not reflecting in the report as well as the database.

    I disconnected the laptop from the domain & re-connected it this morning.

    I restarted the MBAM service & it got reflected into the database as well as the report, however the last updated date & time does not match in the database, as it's showing some weird entries.

    Hence I need to know the configuration settings for the MBAM agent to communicate with the SQL server.

    Thanks,

    David.

    Tuesday, October 01, 2013 10:34 AM
  • The MBAM Agent does not communicate with the SQL server. It is the MBAM web server which sends requests to the SQL server.

    We don't need to change any configurations for the MBAM agent, and there is a frequency time set for the communication of the MBAM Agent with the MBAM Web Server. By default for recovery settings it is 90 minutes and for compliance settings it is 720 minutes.


    Gaurav Ranjan

    Monday, October 07, 2013 6:11 AM
  • I would really recommend implementing MBAM 2.0 at this time, and skipping 1.0, if you could just upgrade your MDOP license. I haven't configured 1.0 myself, but from what I've heard from colleagues, 1.0 would require a lot of tweaking to get it to work, so it's not a walk-in-the-park setup :)

    The 2.0 version should be more reliable, and the client not so buggy.
    Monday, October 07, 2013 7:11 PM
  • Hi Gaurav,

    Thanks for the reply :)

    I have set the Compliance setting (status reporting frequency) to 90 mins.

    Also I was trying to exclude some computers from MBAM encryption by referring to this article, but I am unable to understand the policy for this.

    http[dot]//technet[dot]microsoft[dot]com/en-us/librarry/jj571559[dot]aspx

    Please advise on this.

    I have enabled Hardware Compatibility for Dell E6330 laptop models to Compatible status.

    Now if I have 5 laptops of which I want to exclude 2 laptops from encryption, how do I do this?

    Thanks,

    David.

    Tuesday, October 08, 2013 11:08 AM
  • You need to enable the policy "Configure user exemption policy" and can define any of the settings for Phone Number, Mailing Address or Website URL. The user will get this message to request the exemption.

    You need to create an MBAM GPO and filter it to a security group of which the exempted computer will be a member.

    So when you change the compatibility of the machine to compatible, the user will be prompted for the encryption. The user will click on the request for the exemption and will get a message to contact the MBAM Administrator by the means defined in the exemption policy. After the request is submitted, the MBAM Admin will decide whether to exempt the user from encryption or not.

    Method for the exemption:-

    - Create a domain security group
    - Configure the user exemption policies to exempt user from encryption
    - Set a time limit for the exemption.
    - Filter out the exemption policy to the created domain security group. Add the user as a member of this particular security group.

    For more help you can go through this particular link:-

    http://technet.microsoft.com/en-us/library/jj571516.aspx

    Let us know if it has solved your problem so that others can benefit from it.


    Gaurav Ranjan

    Wednesday, October 09, 2013 12:59 PM
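
Added example, not part of the original thread and not the poster's or Microsoft's code: the group creation and GPO security filtering steps of the exemption method above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. The group, GPO, OU and account names are hypothetical placeholders, and the exemption policy settings themselves (contact method, time limit) are still configured in the GPO editor.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'MBAM-Encryption-Exempt'            # hypothetical security group
$GpoName   = 'MBAM - User Exemption'             # hypothetical GPO name
$GroupOu   = 'OU=Groups,DC=example,DC=test'      # hypothetical OU for the group
$LinkOu    = 'OU=Staff,DC=example,DC=test'       # hypothetical OU holding the accounts in scope
$Exempt    = @('david')                          # hypothetical sAMAccountName(s) to exempt

# Step 1: create the domain security group that will carry the exemption.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path $GroupOu -Description 'Accounts exempted from MBAM encryption (review regularly)'

# Step 2: create the GPO. The "Configure user exemption policy" setting and its
# time limit are set afterwards in the GPO editor; they are not scripted here.
New-GPO -Name $GpoName -Comment 'MBAM exemption policy, security-filtered' | Out-Null

# Step 3: security filtering. Authenticated Users keep Read only (the GPO must
# stay readable to be processed), and only the exemption group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 4: link the GPO where the in-scope accounts live.
New-GPLink -Name $GpoName -Target $LinkOu -LinkEnabled Yes | Out-Null

# Step 5: add the exempted account(s) to the group.
Add-ADGroupMember -Identity $GroupName -Members $Exempt

# Review: who is exempt, and who can apply the exemption GPO.
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, SamAccountName, objectClass
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because membership of this group switches off the encryption prompt, the two review queries at the end are worth running on a schedule so that unexpected members or extra Apply permissions are noticed.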
  • Hi Gaurav,

    Sure I will test this scenario & update you.

    But by reading the above steps, it signifies that a user is exempted from encryption.

    1. Suppose a user "David" is exempted from MBAM encryption & one of my colleagues or a helpdesk resource logs in for troubleshooting -- will encryption be forced on that laptop?

    Thanks.

    David.

    Thursday, October 10, 2013 7:31 AM
  • You can create an exemption for both computer and user. But if an exemption has been created for a user and another user logs on to that machine, MBAM will prompt to start the encryption.


    Gaurav Ranjan

    Thursday, October 10, 2013 8:12 AM