MBAM - TPM and PIN - can it be optional?


  • Tuesday, November 13, 2012 5:39 PM

    I am trying to use one policy to use TPM only by default, but allow the use of a PIN for a subset of computers. Is this possible?

    The standard/original BitLocker policies allow you to set values of "Allow startup PIN with TPM", but this is not an option in the MDOP/MBAM policies: it is either "TPM Only" or "TPM+PIN." But I do not want to force PIN for all, just allow it for some. I've been able to successfully enable the "Allow startup PIN with TPM" setting, which allows me to run the manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN> command successfully. I see the TPM and PIN key placed in the protectors list and the TPM removed. When I reboot, the computer asks for the PIN at startup and it works. The problem is that when I get logged into Windows, the MBAM client removes the TPM and PIN key and replaces it with the TPM only one. I've found that disabling the MBAM client preserves the TPM and PIN key. Shortly after enabling the MBAM client service the TPM and PIN key is replaced. I even get a GUI message from the MBAM client that says "the encryption policy of your computer has changed. The PIN is no longer necessary and has been removed." How do I prevent the MBAM client from doing this? I don't want to disable the client as reporting and other management functions would be lost. Must I have two separate Group Policies with differing target groups of computers, one for the PIN group and one for the non-PIN group? That adds a good deal of overhead that I'm hoping to avoid.

    I am working with Windows 7 64-bit computers exclusively. Currently I have the following group policy settings and corresponding registry entries:

    Computer Configuration > Policies > Administrative Templates >

    Windows Components/BitLocker Drive Encryption/Operating System Drives

     Require additional authentication at startup Enabled 
      Allow BitLocker without a compatible TPM Disabled
      Settings for computers with a TPM:
       Configure TPM startup: Allow TPM
       Configure TPM startup PIN: Allow startup PIN with TPM
       Configure TPM startup key: Do not allow startup key with TPM
       Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
     
     Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled 
      Allow BitLocker without a compatible TPM Disabled
      Settings for computers with a TPM:
       Configure TPM startup key: Do not allow startup key with TPM
       Configure TPM startup PIN: Allow startup PIN with TPM 

    Windows Components/MDOP MBAM (BitLocker Management)/Client Management

     Configure MBAM services Enabled 
     MBAM Recovery and Hardware service endpoint: https://myserver:myport/MBAMRecoveryAndHardwareService/CoreService.svc
     Select BitLocker recovery information to store: Recovery password and key package
     Enter client checking status frequency in (minutes): 90
     MBAM Status reporting service endpoint: https://myserver:myport/MBAMComplianceStatusService/StatusReportingService.svc
     Enter status report frequency in (minutes): 240

    Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

     Configure TPM platform validation profile Enabled 
      -All default, except removed PCR 5


     Operating system drive encryption settings Enabled 
     Select protector for operating system drive:  
     Allow enhanced PINs for startup Enabled
     Configure minimum PIN length for startup 6

    Windows Components/MDOP MBAM (BitLocker Management)/Removable Drive

     Control use of BitLocker on removable drives Enabled 
      Allow users to apply BitLocker protection on removable data drives Enabled
      Allow users to suspend and decrypt BitLocker protection on removable data drives Enabled

    User Configuration (Enabled)
    No settings defined.

    Registry keys created because of MBAM policies

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
    "UseEnhancedPin"=dword:00000001
    "MinimumPIN"=dword:00000006
    "RDVConfigureBDE"=dword:00000001
    "RDVAllowBDE"=dword:00000001
    "RDVDisableBDE"=dword:00000001
    "EnableNonTPM"=dword:00000000
    "UsePartialEncryptionKey"=dword:00000000
    "UsePIN"=dword:00000002
    "UseAdvancedStartup"=dword:00000001
    "EnableBDEWithNoTPM"=dword:00000000
    "UseTPM"=dword:00000002
    "UseTPMPIN"=dword:00000002
    "UseTPMKey"=dword:00000000
    "UseTPMKeyPIN"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
    "UseMBAMServices"=dword:00000001
    "UseKeyRecoveryService"=dword:00000001
    "UseStatusReportingService"=dword:00000001
    "KeyRecoveryServiceEndPoint"=hex string here
    "KeyRecoveryOptions"=dword:00000001
    "ClientWakeupFrequency"=dword:0000005a
    "StatusReportingServiceEndpoint"=hex string here
    "StatusReportingFrequency"=dword:000000f0
    "ShouldEncryptOSDrive"=dword:00000001
    "OSDriveProtector"=dword:00000001

    Though it does have the BitLocker policies in there, I've also tried this without them and have the same problem. Before I had the BitLocker policies I wasn't even able to remove the TPM only key without suspending encryption, and then when I tried to re-enable I got a message that policies prevented the configuration.
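    Added here as an example (not code from the thread or from MBAM): a PowerShell audit, assuming Windows 7 with PowerShell 2.0 and the Win32_EncryptableVolume WMI class, that reads the current OS-drive protectors together with the FVE and MBAM policy values from the registry dump above and flags the TPM+PIN-versus-TPM-only conflict the post describes. The value meanings for UseTPMPIN (0 = do not allow, 1 = require, 2 = allow) and OSDriveProtector (1 = TPM only) are inferred from the registry dump and the policy names beside it.

```powershell
# Added example, not from the thread: audit whether the OS drive's current BitLocker
# protector matches what the FVE policy and the MBAM client policy allow. Uses only
# WMI and the registry so it runs on Windows 7 / PowerShell 2.0. Run elevated.

$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbam = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

# Value semantics of UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN as seen in the
# thread's registry dump: 0 = do not allow, 1 = require, 2 = allow (assumption).
$fveName = @{ 0 = 'do not allow'; 1 = 'require'; 2 = 'allow' }
# MBAM "Select protector for operating system drive": 1 = TPM only in the thread.
# Other values are not described on the page, so they are reported as unknown.
$mbamName = @{ 1 = 'TPM only' }
# Protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType.
$protName = @{ 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password';
               4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key' }

function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}
function Describe($Value, [hashtable]$Names) {
    if ($Value -eq $null) { return 'not set' }
    if ($Names.ContainsKey($Value)) { return $Names[$Value] }
    return 'unknown'
}

$os = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq $env:SystemDrive }

# Enumerate every key protector on the OS drive (0 = all protector types).
$types = @()
foreach ($id in $os.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $types += [int]$os.GetKeyProtectorType($id).KeyProtectorType
}
Write-Host 'OS drive protectors:' (($types | ForEach-Object { Describe $_ $protName }) -join ', ')

$usePin   = Get-PolicyValue $fve  'UseTPMPIN'
$mbamProt = Get-PolicyValue $mbam 'OSDriveProtector'
Write-Host ('FVE UseTPMPIN         = {0} ({1})' -f $usePin,   (Describe $usePin $fveName))
Write-Host ('MBAM OSDriveProtector = {0} ({1})' -f $mbamProt, (Describe $mbamProt $mbamName))

# The thread's failure mode: FVE allows TPM+PIN and the drive has a TPM+PIN protector,
# but the MBAM policy says TPM only, so the client removes the PIN at its next wake-up.
if (($types -contains 4) -and ($mbamProt -eq 1)) {
    $wake = Get-PolicyValue $mbam 'ClientWakeupFrequency'   # minutes
    Write-Warning "MBAM policy is TPM only; expect the TPM+PIN protector to be replaced within $wake minutes."
}
```

The warning is the condition the original post hits: both policies are present, the FVE policy permits the PIN, and the MBAM client policy still wins at its next check-in.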

All Replies

  • Tuesday, November 13, 2012 10:28 PM
    Try setting one policy to one OU and the other policy to another one... The requirement for PIN or not is controlled completely by policy. Ensure the correct policy is being applied to the machines in question with gpresult /r.

    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    • Proposed As Answer by Rorymon Thursday, November 22, 2012 8:36 PM
    • Unproposed As Answer by Rorymon Friday, November 23, 2012 9:07 PM
  • Wednesday, November 14, 2012 2:11 AM

    Rorymon,

    Thanks for the reply. While the two separate OUs could work, it's not a great solution for me, because the computers that need the different configuration are going to be in the same OU. So I'm afraid that I'm going to have to apply two different policies on the same OU and use Security Filtering with computers in a group to exclude in one case and apply in the other. I was hoping that I could simply enable the PIN on those that want it and not use it for the others. This is possible with the standard BitLocker policies, but it seems not to be with MBAM unless I am wrong. I'm hoping there is a way of which I'm not aware.


    Rob

  • Friday, November 16, 2012 9:17 AM

    Hello Rob,

    Is this the exact error message "the encryption policy of your computer has changed. The PIN is no longer necessary and has been removed"?

    Some useful articles for your reference:

    Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
    Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
    Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx

    Thanks,

    Spencer


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Friday, November 16, 2012 8:58 PM

    Spencer,

    While I have not written the message down, I'm certain that message is what it says. MBAM says that the policy has changed and the PIN is no longer required. Then when you check with manage-bde -protectors -get c: you see that it's TPM only, no longer TPM and PIN.

    I've seen those articles before. Does one of them contain a reference to this issue that I've missed?

    Thanks,

    Rob


    Rob

  • Thursday, November 22, 2012 10:15 AM
     Proposed Answer

    Rob,

    You can do one more thing. Create two separate security groups in that OU. Create two separate GPOs with the appropriate settings. Assign the GPOs to the particular security groups.

    Later add the machines to the respective security group accordingly.


    Gaurav Ranjan

    • Proposed As Answer by Rorymon Thursday, November 22, 2012 8:36 PM
  • Friday, November 23, 2012 6:48 PM

    Not trying to be difficult here, but I was already aware I could create two different policies as my initial inquiry mentioned. The whole goal was not to have to do so because of the overhead and extra work. In non-MBAM policies I can do it with one policy, because I can make PIN optional. It seems to me that I'm unable to get by with only one policy using MBAM. The additional problem that this creates that I didn't mention above is that having no ability to make PIN optional also means that the PIN must be set manually in order to start encryption. We want to script pin creation but you can't set a pin on a drive that is not yet encrypted and you can't start encryption without a PIN on a mandatory TPM+PIN policy...

    I do appreciate attempts to help, but it seems I'm going to be stuck doing this a harder and more manual way than I had hoped... Still open to hearing how I've missed something if I have...

  • Friday, November 23, 2012 9:07 PM
    I'm not aware of a way to automate the PIN programmatically. Sorry, I marked mine as answer for the original question, not necessarily with your caveat that you didn't want to do it that way for other reasons.

    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

  • Monday, November 26, 2012 3:35 PM

    For anyone interested... this is the message that pops up about the PIN being removed...


    Rob

  • Tuesday, November 27, 2012 8:15 AM

    Rob,

    Can you please tell me how you have changed the protector from TPM&PIN to TPM only. I am currently struggling with changing the protector type to TPM only so that it will not ask for the PIN during startup.

    I have changed the GPO to set TPM only and it gets applied to the machine too. But still it demands the PIN during startup.

    How should I get rid of that? Does it require some configuration in the registry?

    Any help would be greatly appreciated.


    Gaurav Ranjan

  • Tuesday, November 27, 2012 2:16 PM

    Gaurav,

    Basically it is the policies I mentioned in my first post and the MBAM client does the work of removing the PIN. Feel free, however, to contact me directly via my contact info in my profile if you have more questions.


    Rob

  • Tuesday, November 27, 2012 2:21 PM
    The policy is not doing the trick for me. I have checked with that setting.
    Finally I found my way! Deleted the protector with the manage-bde command, and at the next wake-up frequency MBAM re-assigns a protector (TPM only) to the encrypted drive.

    Gaurav Ranjan

  • Tuesday, November 27, 2012 2:29 PM

    I will also try with the Registry changes and will update it soon.

    In between, I am getting stuck in one more scenario. I have reset my TPM and my machine entered recovery mode. I logged in to my machine with the recovery key. But at every start I have to enter the recovery key if I do not initialise the TPM. But if I initialise the TPM by a manual process, MBAM will not have the TPM information. How can we make MBAM own the TPM once again?

    Does MBAM own the TPM the second time? Or else do we have to do something else?


    Gaurav Ranjan

  • Tuesday, November 27, 2012 2:51 PM

    Gaurav,

    I thought Manoj already answered this for you on this thread: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/343bec4a-7b47-498b-a177-643002a59bea

    And as far as I can tell, Manoj is the foremost expert... if he wasn't able to help you then I'm sure I can't. In fact I was hoping Manoj would reply to my thread. :)


    Rob

  • Tuesday, November 27, 2012 3:07 PM

    Yes Rob,

    Manoj is the MBAM Technical Expert at Microsoft. I have had a few opportunities to interact directly with him.

    But for the last month, he is not replying to any more threads. I don't know why; maybe he is very busy with the MBAM 2.0 release, which I think is due in January (expected).


    Gaurav Ranjan