Can someone click the Postpone button in MBAM forever?
-
Monday, October 31, 2011 23:55
When a user clicks the Postpone button instead of the Encrypt button, can they just keep clicking that and they'll never have to Bitlock their drive? Or will it at some point encrypt the drive? And if there is a time limit, is it configurable?
thanks
All replies
-
Tuesday, November 1, 2011 13:58
In MBAM when user clicks the Postpone button, we do not prompt for encryption again until we hit the next client wake up frequency which is 90 minutes by default.
Now if you do not wait for 90 minutes, then you will have to modify these keys in the registry. On the Windows 7 client, open the registry:
HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1
2. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client.
If you don’t want the random delay, then create a DWORD value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
Restart the MBAM Client Service and then client will talk to server in 1 minute.
Now since the user clicked Postpone encryption, you can remove one reg key
Delete: HKCU\Software\Microsoft\MBAM
Restart the MBAM client service.
I hope this helps.
Manoj Sehgal -
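The steps in the reply above, collected into one script for a test client. This is an added example, not part of the original thread and not Microsoft's code: the registry paths and value names are the ones given in the reply, while the function name `Set-MbamTestTiming` and the service name `MBAMAgent` are assumptions.

```powershell
# Added example, not from the thread. Run elevated on a TEST client only.
function Set-MbamTestTiming {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Minutes = 1,
        [string]$ServiceName = 'MBAMAgent'   # assumption: MBAM client service name
    )
    # Registry paths and value names below are the ones given in the reply.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $clientKey = 'HKLM:\Software\Microsoft\MBAM'
    $userKey   = 'HKCU:\Software\Microsoft\MBAM'

    if (-not (Test-Path $policyKey)) {
        throw "MBAM policy key not found: $policyKey"
    }
    # Capture the current state so the original values can be restored afterwards.
    $old = Get-ItemProperty -Path $policyKey
    $report = New-Object PSObject -Property @{
        OldClientWakeUpFrequency    = $old.ClientWakeUpFrequency
        OldStatusReportingFrequency = $old.StatusReportingFrequency
        PostponeKeyWasPresent       = (Test-Path $userKey)
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "shorten MBAM client timers to $Minutes minute(s)")) {
        # New-ItemProperty -Force overwrites an existing value of the same name.
        foreach ($name in 'ClientWakeUpFrequency', 'StatusReportingFrequency') {
            New-ItemProperty -Path $policyKey -Name $name -Value $Minutes `
                -PropertyType DWord -Force | Out-Null
        }
        if (-not (Test-Path $clientKey)) { New-Item -Path $clientKey -Force | Out-Null }
        New-ItemProperty -Path $clientKey -Name 'NoStartupDelay' -Value 1 `
            -PropertyType DWord -Force | Out-Null

        # HKCU is the hive of the account running this script; if you elevate with a
        # different admin account, the logged-on user's key is not the one removed.
        if (Test-Path $userKey) { Remove-Item -Path $userKey -Recurse -Force }

        Restart-Service -Name $ServiceName
    }
    return $report
}

Set-MbamTestTiming -WhatIf   # preview; drop -WhatIf to apply
```

Values under `HKLM\Software\Policies` are written by Group Policy, so a policy refresh can put the original frequencies back. Use the returned object to restore the previous values once testing is done.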
Tuesday, November 1, 2011 15:42
Yes, thanks, I have been playing with those settings on one of my test clients.
But will MBAM allow someone to click the Postpone Encryption button forever, thereby never forcing the encryption?
-
Tuesday, November 1, 2011 18:25
Yes, this is possible.
User can click postpone button N number of times and never start encryption on his machine.
For this Admins has to view the MBAM reports and you will see this machine as non-compliant and then tell the user to complete the encryption once.
Manoj Sehgal - Marked as answer by thenning, Tuesday, November 1, 2011 18:32
-
Tuesday, November 1, 2011 18:26
That's what I figured :)
thanks!
-
Tuesday, November 1, 2011 18:30
If this answers your question, then can you mark this thread as closed?
Thanks
Manoj Sehgal -
Friday, January 13, 2012 12:38
When will the hotfix for this bug be available?
-
Thursday, May 3, 2012 23:13
Is there any way you can tell in the MBAM reports the reason the machine is not compliant - for example, TPM disabled, postpone button, manual decryption? I don't see it anywhere, but that would be good information!
Dee Ramon
-
Thursday, May 3, 2012 23:16
Is there any way you can tell in the MBAM reports the reason the machine is not compliant - for example, TPM disabled, postpone button, manual decryption? I don't see it anywhere, but that would be good information!
Dee Ramon
-
Friday, May 4, 2012 17:36
Duh - I had to wait for the reporting to refresh. Yes, it does list the status as postponed in the console. Sorry for the dumb question.
Dee Ramon
-
Thursday, November 15, 2012 16:47
Why can't we vote this as not helpful and not the answer? The user asked if there was a time limit and if it can keep being postponed. N number is how many? Where is it set? "For this Admins has to view the MBAM reports and you will see this machine as non-compliant and then tell the user to complete the encryption once." The grammar makes it hard to understand. Who tells the user? Are you meaning call the user and tell them to click Encrypt? That means that there is no limit to the number of times postpone can be clicked. These are questions I'm being asked by my supervisors as I'm working on setting up MBAM. The exact question I'm asking has been "answered" by a Microsoft representative and it's not even close to actually answering the question.
Also, the event viewer on a client is showing postponed but the reports aren't. Event viewer also shows that it reported successfully.
-
Friday, November 16, 2012 4:08
TigerShark2005.
If you want encryption to start automatically for a user and he should never get an option to click Postpone, then you should use the steps mentioned in the below blog:
In MBAM v1.0, the Postpone option is given to the user so that he can start encryption when he wants. There is no limit on how many times an end user can click Postpone.
In MBAM 2.0, which is in Beta, we are working on a better solution for Postpone encryption.
I hope this might help you.
Let me know if you need more help.
Manoj Sehgal
-
Friday, November 16, 2012 5:50
I ended up setting up a collection in SCCM that runs a script I wrote that encrypts the PC now - every week I dump the report for the postponed encryption and they go into that collection. They get no prompts whatsoever, they just get encrypted. I had added the encryption to the task sequence but everyone complained that there wasn't enough hard drive space to copy data or install programs back to the PC, so we turned it off.
-
Tuesday, November 20, 2012 19:49
Much better, thank you for the link too. I'm having a lot of trouble with the hardware compatibility though. After changing a record to compatible the machine still shows up as hardware unknown. One system works but the two others aren't. Is there a clean way to go back to zero? Maybe a reset button that clears the proper database tables? Also would that be enough or would I have to uninstall the MBAM agent? I'm thinking there are some specific registry settings that would need to be reset. Would I need to decrypt and encrypt the drives again?

