MBAM - Rename/Reimage of Machine and the Database Records

    Question

  • Hello,

    I am currently testing MBAM in our environment to get ready for the BitLocker rollout. Everything is working fine, but I had a functionality question because I can see this becoming an issue later on in the project.

    What I am Testing: I want to know, what happens to the Key and TPM records on the Database if I change the "Client2" machine that is already owned and encrypted by MBAM to a new name "Client2-1".

    I have done this so far in my environment, and what I can see is that the new machine shows a record as well as the old machine. The old machine has a TPM Password stored, but the new record doesn't. I even used the SQL Server Management Studio to have a look at the "RecoveryAndHardwareCore.Machines" table. In this table the record for "Client2" has a value for "TpmPasswordHash" that corresponds to the machine's TPM. The record for "Client2-1" has a "NULL" value.

    I would have thought that the server would notice, maybe through a similar GUID or some static reference, that these machines are similar and treat the records accordingly.

    I can't find anything online about whether the database cleans itself of old records or updates records to new machine names or what. And along with that, I guess I would ask the question, "If this is the wrong way to go about reimaging/renaming machines that are BitLocked, then what is the right way?"

    Thanks,

    Dustin Estes


    Dustin Estes

    Tuesday, March 05, 2013 9:19 PM

Answers

All replies

  • Anyone have an idea?

    Dustin Estes

    Thursday, March 07, 2013 3:26 PM
  • Hello, is there seriously no one that can answer this question?

    I have attempted a rename in my environment and it has done nothing to update the record in the database. Does this now mean that as the environment changes I have to keep track of the change of machine names so I can trace all the way back to what computer name the record was put in as?


    Dustin Estes

    Wednesday, March 20, 2013 6:14 PM
  • MBAM stores TPM hash information only once, when MBAM initializes the TPM chip on a machine.

    Since TPM initialization is a one-time requirement for BitLocker/MBAM, we save this information as an entry in SQL for the client which actually initialized the TPM.

    If you want TPM hash information to be in SQL, do this:

    1. Clear TPM from BIOS.

    2. Image your machine with Windows with the new computer name.

    3. Install the MBAM agent on the client and let MBAM reinitialize the TPM and store the information in the MBAM SQL DB.

    Note:

    If you do not have TPM hash information for a machine in MBAM, you can still clear TPM from TPM Management Console (tpm.msc).

    The BitLocker recovery password, which is stored in MBAM, is only required to unlock the volume.

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

    MBAM Cleanup Tool:

    http://gallery.technet.microsoft.com/MBAM-Compliance-Data-5ba28187#content


    Manoj Sehgal

    Thursday, March 21, 2013 6:00 PM
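The check a practitioner would want before renaming or reimaging a machine that MBAM has already encrypted, as an added example that is not part of the thread: compare the local TPM owner state with what the MBAM database actually holds for the machine's current and previous names. It uses the `RecoveryAndHardwareCore.Machines` table and `TpmPasswordHash` column named in the question; the `Name` column, the default database name `MBAM Recovery and Hardware`, the SQL instance, and the right to read that table directly (normally only the MBAM service accounts have it) are assumptions.

```powershell
# Added example, not code from the thread or from MBAM.
# Assumptions (not stated in the thread): RecoveryAndHardwareCore.Machines has a
# Name column; the DB uses MBAM's default name; the caller may read the table.
param(
    [string]$SqlServer = 'SQL01\MBAM',                    # assumed instance
    [string]$Database  = 'MBAM Recovery and Hardware',    # assumed default DB name
    [string[]]$Names   = @($env:COMPUTERNAME)             # add the old name(s) too
)

function Get-LocalTpmState {
    # Win32_Tpm lives in its own WMI namespace; each Is*() method returns an
    # object whose same-named property carries the boolean.
    $tpm = Get-WmiObject -Namespace 'root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $null; Activated = $null; Owned = $null }
    }
    [pscustomobject]@{
        Present   = $true
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

function Get-MbamTpmHashRecords {
    param([string]$Server, [string]$Db, [string[]]$MachineNames)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Server;Database=$Db;Integrated Security=SSPI"
    $conn.Open()
    try {
        foreach ($n in $MachineNames) {
            $cmd = $conn.CreateCommand()
            # Parameterised: the machine name comes from the caller, never concatenate it.
            $cmd.CommandText = 'SELECT Name, TpmPasswordHash FROM RecoveryAndHardwareCore.Machines WHERE Name = @Name'
            [void]$cmd.Parameters.AddWithValue('@Name', $n)
            $rdr = $cmd.ExecuteReader()
            try {
                $found = $false
                while ($rdr.Read()) {
                    $found = $true
                    [pscustomobject]@{
                        Name       = $rdr['Name']
                        HasTpmHash = -not $rdr.IsDBNull($rdr.GetOrdinal('TpmPasswordHash'))
                    }
                }
                # No row at all: MBAM has never recorded this name (renamed/reimaged
                # and the agent has not reported yet, or wrong name).
                if (-not $found) { [pscustomobject]@{ Name = $n; HasTpmHash = $null } }
            } finally { $rdr.Close() }
        }
    } finally { $conn.Close() }
}

$local   = Get-LocalTpmState
$records = @(Get-MbamTpmHashRecords -Server $SqlServer -Db $Database -MachineNames $Names)

'Local TPM state:';            $local   | Format-List
'MBAM records for requested names:'; $records | Format-Table -AutoSize

# Reproduce the situation in the question: the TPM is owned, but the record
# under the current name has no hash, so the owner-password hash (if MBAM has
# one at all) sits under the name the machine had when MBAM initialised the TPM.
$current = $records | Where-Object { $_.Name -eq $env:COMPUTERNAME }
if ($local.Owned -and -not ($current | Where-Object { $_.HasTpmHash })) {
    $holders = $records | Where-Object { $_.HasTpmHash } | Select-Object -ExpandProperty Name
    if ($holders) {
        "TPM hash is recorded under the old name(s): $($holders -join ', ')"
    } else {
        'No TPM hash for any supplied name. Per the answer above: clear the TPM ' +
        '(BIOS or tpm.msc), reimage, and let the MBAM agent reinitialise the TPM.'
    }
}
```

Run it with both names, e.g. `.\Check-MbamTpm.ps1 -Names 'Client2','Client2-1'`, from an account that can read the Recovery and Hardware database. The script only reports whether `TpmPasswordHash` is populated, never its value, since that hash is what MBAM hands out to clear or re-own the TPM and should not be copied into logs or consoles.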