MBAM - allow users to encrypt removable drives when Bitlocker icon is removed from control panel via domain user GPO


  • May 3, 2012 8:31

    Hi Manoj,

    We have deployed the MBAM solution in our organization and set domain MBAM GPOs for the OS, fixed drives and removable drives. The MBAM policies work fine for the OS and fixed drives; anyway, we want to prevent members of the local Administrators group from turning off BitLocker, so we applied this recommended solution: http://blogs.technet.com/b/askcore/archive/2010/08/13/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx

    This workaround solved one issue, but now we can't find a way to optionally let users choose to encrypt their removable drives when the BitLocker menu is hidden from Control Panel and the MBAM control menu only lets users change their PIN or password. When a USB stick is connected, an MBAM policy error is recorded, as you can see below.

    The MBAM removable drive policy is enabled and allows users to encrypt, suspend and decrypt removable drives; anyway, when a user connects a USB drive, MBAM will not force the MBAM wizard to let the user encrypt the removable drive.

    I appreciate all solutions.

    Thank you   

    Jan

    Log Name:      Microsoft-Windows-MBAM/Admin
    Source:        Microsoft-Windows-MBAM
    Date:          3.5.2012 13:04:42
    Event ID:      2
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      
    Description:
    An error occurred while applying MBAM policies.
    Volume ID:\\?\Volume{53e9573a-909a-19e1-9331-806e6f6e6963}\

    Error code:
    0x803d0013

    Details:
    A message containing a fault was received from the remote endpoint.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-MBAM" Guid="{1C6E854B-3DF3-4A6F-9401-F58F1D1C504D}" />
        <EventID>2</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-05-03T11:04:42.491920700Z" />
        <EventRecordID>10</EventRecordID>
        <Correlation />
        <Execution ProcessID="2564" ThreadID="348" />
        <Channel>Microsoft-Windows-MBAM/Admin</Channel>
        <Computer></Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="VolumeId">\\?\Volume{53e9573a-909a-19e1-9331-806e6f6e6963}\</Data>
        <Data Name="ErrorCode">0x803d0013</Data>
        <Data Name="ErrorString">A message containing a fault was received from the remote endpoint.
    </Data>
      </EventData>
    </Event>
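The event above can be read more precisely than "policy error". The ErrorCode 0x803D0013 is WS_E_ENDPOINT_FAULT_RECEIVED from the Windows Web Services API (webservices.h), which matches the ErrorString: the agent reached the MBAM web service and the service answered with a SOAP fault, so the cause is on the server side rather than a connectivity problem. The following is an added example, not code from the thread or from MBAM itself: it pulls every Event ID 2 from the Microsoft-Windows-MBAM/Admin log, names the HRESULT, and resolves the \\?\Volume{GUID}\ path to a drive letter so you can tell which stick triggered it. It assumes an elevated PowerShell session on the affected client; the WS_E_* table is a hand-picked subset of webservices.h, and the sample event is constructed from the XML posted above.

```powershell
# Added example (not from the thread): triage Event ID 2 entries in the
# Microsoft-Windows-MBAM/Admin log. Assumption: elevated PowerShell on the client.

# HRESULTs from the Windows Web Services API (webservices.h) that the MBAM agent
# surfaces when a call to the MBAM web services fails. 0x803D0013 is the code in
# the posted event; the others are listed so a different failure is recognised.
$WsErrorNames = @{
    '0x803D0005' = 'WS_E_ENDPOINT_ACCESS_DENIED'
    '0x803D0006' = 'WS_E_OPERATION_TIMED_OUT'
    '0x803D000A' = 'WS_E_SECURITY_VERIFICATION_FAILURE'
    '0x803D000D' = 'WS_E_ENDPOINT_NOT_FOUND'
    '0x803D000E' = 'WS_E_ENDPOINT_NOT_AVAILABLE'
    '0x803D0010' = 'WS_E_ENDPOINT_UNREACHABLE'
    '0x803D0013' = 'WS_E_ENDPOINT_FAULT_RECEIVED'
}

function ConvertFrom-MbamPolicyEvent {
    # Parses one MBAM/Admin event (as XML) into a flat record and maps the
    # volume GUID path to a drive letter via Win32_Volume.
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $data = @{}
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }

    # Normalise the code (the log writes it lower-case) and look it up.
    $code = '0x{0:X8}' -f [Convert]::ToInt64($data['ErrorCode'], 16)
    $name = $WsErrorNames[$code]
    if (-not $name) { $name = 'not a WS_E_* code in the table above' }

    # Win32_Volume.DeviceID uses the same \\?\Volume{GUID}\ form as the event.
    $vol = Get-WmiObject Win32_Volume -ErrorAction SilentlyContinue |
           Where-Object { $_.DeviceID -eq $data['VolumeId'] }
    $drive = '(not mounted now)'
    $type  = 'n/a'
    if ($vol) {
        $drive = $vol.DriveLetter
        $type  = if ($vol.DriveType -eq 2) { 'Removable' } else { "DriveType $($vol.DriveType)" }
    }

    $time = $doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
    New-Object PSObject -Property @{
        Time        = $time
        VolumeId    = $data['VolumeId']
        DriveLetter = $drive
        DriveType   = $type
        ErrorCode   = $code
        ErrorName   = $name
        Message     = $data['ErrorString']
    }
}

# Constructed sample: the EventData from the event posted in the thread, trimmed.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2</EventID><TimeCreated SystemTime="2012-05-03T11:04:42.491920700Z" /></System>
  <EventData>
    <Data Name="VolumeId">\\?\Volume{53e9573a-909a-19e1-9331-806e6f6e6963}\</Data>
    <Data Name="ErrorCode">0x803d0013</Data>
    <Data Name="ErrorString">A message containing a fault was received from the remote endpoint.</Data>
  </EventData>
</Event>
'@
ConvertFrom-MbamPolicyEvent $SampleEventXml | Format-List

# Live run: every Event ID 2 in the MBAM/Admin log, newest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Admin'; Id = 2 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-MbamPolicyEvent $_.ToXml() } |
    Format-Table Time, DriveLetter, DriveType, ErrorCode, ErrorName -AutoSize
```

If every entry comes back as WS_E_ENDPOINT_FAULT_RECEIVED, the next place to look is the MBAM web service on the server (its own event log and IIS logs), since the fault body itself is not recorded in the client event.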


All replies

  • May 4, 2012 7:15
    Moderator

    Please try the following steps:

    Add a registry value on the MBAM server under HKLM\Software\Microsoft\MBAM:

    a DWORD (32-bit) value called DisableMachineVerification, set to 1.


    Juke Chou

    TechNet Community Support

  • May 4, 2012 7:24

    This is already set in the MBAM server registry, but there is still no popup to encrypt the attached USB stick. For test purposes I tried setting the MBAM policy "Deny write access to removable drives not protected by BitLocker", and that policy works fine, but still no luck on how to force the MBAM client to prompt users to encrypt the USB stick.

    MBAM server, under HKLM\Software\Microsoft\MBAM:

    DWORD (32-bit) value called DisableMachineVerification, set to 1

    Thanks for ideas

    Jan

  • May 7, 2012 10:00

    Hi

    One possible cause of the issue is that the Group Policies are not configured properly, so I advise you to delete the old Group Policies and use the latest version of GPMC from RSAT on a Win 7 client to re-configure the policies. After you have re-configured the Group Policies, please restart the clients for the change to take effect.

    I hope the links below are helpful for you:

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/22b1d081-9b11-4c08-bb25-4c8cf0960208/

    http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx

    Regards,



  • May 11, 2012 0:36
     Suggested answer

    For removable drives, Microsoft recommends using this GPO:

    MDOP MBAM --> Removable Drives --> Deny Write Access to Removable Drives not protected by BitLocker.

    So when a user inserts a USB stick, we will prompt him to enable encryption for read + write access.

    If he does not choose to encrypt, then he gets read access only.

    So when you go through the BitLocker wizard, you supply a password and complete the BitLocker encryption of the removable drive.

    The MBAM agent will push the recovery key to the SQL DB as well.

    A user can change the password of his removable device using the MBAM Control Panel applet.

    Note: MBAM will never prompt a user to start encryption for removable drives.


    Manoj Sehgal
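To confirm on a client that the write-deny policy from the answer above is actually in force, and on the server that the DisableMachineVerification value from the moderator's reply is set, the following added example (not code from the thread or from MBAM) reports each removable volume's BitLocker protection status next to the policy state, and predicts the access the user should see. It assumes an elevated PowerShell session, the native BitLocker policy value RDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE, and a second check under an MBAM-specific subkey named MDOPBitLockerManagement, which is an assumption and not something the thread states. The BitLocker status comes from the Win32_EncryptableVolume WMI class, which exists on Windows 7 and needs no extra module.

```powershell
# Added example (not from the thread). Client side: is "Deny write access to
# removable drives not protected by BitLocker" in force, and what state is each
# removable volume in? Server side: is DisableMachineVerification set?
# Assumptions: elevated PowerShell; the MBAM policy subkey name
# MDOPBitLockerManagement is assumed, not taken from the thread.

function Test-RemovableDriveDenyWritePolicy {
    # $true if the write-deny policy is set in either the native BitLocker
    # policy location or the (assumed) MBAM policy node.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\FVE',                          # native BitLocker GPO
        'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'   # MBAM GPO node (assumed name)
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
        if ($v -and $v.RDVDenyWriteAccess -eq 1) { return $true }
    }
    return $false
}

function Get-RemovableDriveBitLockerState {
    # One record per removable volume with a drive letter, joined to
    # Win32_EncryptableVolume for its BitLocker protection status.
    $denyWrite   = Test-RemovableDriveDenyWritePolicy
    $encryptable = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                                 -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    # Win32_Volume.DriveType 2 = removable disk
    $removable   = Get-WmiObject Win32_Volume -Filter 'DriveType=2' | Where-Object { $_.DriveLetter }

    foreach ($vol in $removable) {
        $ev = $encryptable | Where-Object { $_.DriveLetter -eq $vol.DriveLetter }
        # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
        $status = 'NoBitLockerStatus'
        if ($ev) {
            switch ([int]$ev.ProtectionStatus) {
                0       { $status = 'Unprotected' }
                1       { $status = 'Protected' }
                default { $status = 'Unknown' }
            }
        }
        # With the policy on, an unprotected stick is read-only until the user
        # completes the BitLocker To Go wizard; otherwise it is read/write.
        $access = 'Read/Write'
        if ($denyWrite -and $status -ne 'Protected') { $access = 'Read-only until encrypted' }

        New-Object PSObject -Property @{
            Drive           = $vol.DriveLetter
            Label           = $vol.Label
            FileSystem      = $vol.FileSystem
            BitLocker       = $status
            DenyWritePolicy = $denyWrite
            ExpectedAccess  = $access
        }
    }
}

function Test-MbamServerMachineVerification {
    # Run on the MBAM server: returns the DisableMachineVerification value
    # from the moderator's reply, or $null if it has not been created.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MBAM' `
                          -Name DisableMachineVerification -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.DisableMachineVerification }
    return $null
}

Get-RemovableDriveBitLockerState |
    Format-Table Drive, Label, FileSystem, BitLocker, DenyWritePolicy, ExpectedAccess -AutoSize
```

Run the first two functions on a client after a gpupdate /force and a reboot; if DenyWritePolicy is False the GPO never reached the machine and the prompt behaviour described in the answer cannot occur. Run Test-MbamServerMachineVerification on the MBAM server; a result other than 1 means the registry value from the moderator's reply is not set.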