Windows 10 1511 Bitlocker XTS-AES algorithm and MBAM 2.5 SP1

  • Question

  • Can I still use MBAM 2.5 SP1 agent with Windows 10 1511 as it now contains a new encryption algorithm?

    Friday, November 13, 2015 10:45 AM

Answers

  • Microsoft released MBAM 2.5 SP1 hotfixes 2 (HF02) in September 2016, which adds the following functionality:

    • Adds support for the BitLocker XTS-AES encryption type
    • In the self-service portal, automatically inserts the dashes in the recovery key ID

    you can download the hotfix from here

    https://support.microsoft.com/en-us/kb/3168628

    cheers

    niall


    Step by Step Configuration Manager Guides > https://www.windows-noob.com/forums/topic/13288-step-by-step-guides-system-center-configuration-manager-current-branch/

    • Proposed as answer by KazzanMVP Wednesday, November 9, 2016 10:40 AM
    • Marked as answer by Nic Zarrilli Wednesday, November 9, 2016 11:35 AM
    Tuesday, November 8, 2016 1:14 PM

All replies

  • Can I still use MBAM 2.5 SP1 agent with Windows 10 1511 as it now contains a new encryption algorithm?

    You can and if you use the new 1511 .admx templates you can set this in GPO:

    Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) Enabled 
    Select the encryption method for operating system drives: XTS-AES 256-bit

    But you cannot select XTS-AES 256-bit in the the MBAM GPO section:

    Windows Components/MDOP MBAM (BitLocker Management)

    Choose drive encryption method and cipher strength Enabled 
    Select the encryption method: AES 256-bit

    This only shows the methods available for < Win 10 1511.

    In this case the encryption works correctly using XTS, but compliance data will show as non-compliant because they do not match.

    Similar problem during build when using invoke-mbamclientdeployment.ps1 as this also does not allow you to set XTS.

    Tuesday, February 23, 2016 5:13 PM
  • Yes you can use the XTS-AES algorithm.

    It is correct that MBAM is unaware of this new algorithm, but the computer will still report back as compliant if you do not specify the required algorithm in GPO.

    If this policy is left unconfigured, the default algorithm for the OS is used. In the case of Windows 10 1511, that is XTS-AES128.

    Reports will show "Unknown" in the Policy:Cipher strength field, and for the drive, the cipher strength value will be left blank.

    As for the invoke-mbamclientdeployment.ps1 script, just make sure that you add the following parameter "-EncryptionMethod UNSPECIFIED" this will make the script use the default algorithm. This is also true if you use the pre-provision step in your task sequence.


    Henrik Rading - Senior Consultant, Deployment Specialist

    Wednesday, March 23, 2016 2:30 PM
  • I have this issue myself now.

    Any update on this issue half a year later? any news on the next MBAM (3.0?) perhaps?

    Tuesday, August 9, 2016 7:55 AM
  • Whilst the client adds support for XTS-AES this does not fix the compliance issue as the latest admx still does not include XTS options under "Choose drive encryption method and cipher strength".
    • Edited by Dooley Do Friday, January 6, 2017 12:46 PM
    Friday, January 6, 2017 12:45 PM
  • you can set this using the normal bitlocker Setting.

    /Oliver

    Friday, January 6, 2017 10:04 PM
  • Yes, you can set it under the normal bitlocker Settings, but based on my tests with MBAM (with December Servicing Release) the compliance info is still not correct since the settings for XTS are still missing from the MDOP MBAM GPO settings.

    Another issue is the fact that the Cipher Strength field in the MBAM reports are empty if you encrypt using XTS and also if you do not define anything under "Choose drive encryption method and cipher strength" the "Policy: Cipher Strength" is empty as well

    The issue with the reports is mentioned in the release notes:

    https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/release-notes-for-mbam-25-sp1


    Carl

    Saturday, January 14, 2017 7:29 AM
  • Hi Carl,

    the MBAM GPO is not a Win10-only GPO, that's why you can't specify XTS as an encryption method. The GPO still has to work with older OS versions too :-)

    The report can be tweaked / customized if you want cause everything is in the database.

    /Oliver 

    Saturday, January 14, 2017 2:32 PM
  • Of course it has to work with older OS versions, but they could do the same thing as they did with the normal bitlocker settings, add a win10 setting with the XTS options. 

    I hope Microsoft comes out with real support for XTS soon, including working reports (showing the cipher strength) and an MBAM .admx including settings for XTS. Anyone know if this is happening anytime soon?

    • Edited by CalleW Sunday, January 15, 2017 12:13 PM
    Sunday, January 15, 2017 11:58 AM
  • As for the invoke-mbamclientdeployment.ps1 script, just make sure that you add the following parameter "-EncryptionMethod UNSPECIFIED" this will make the script use the default algorithm.

    So let me make this clear, is that really the way to enable XTS-AES?

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Thursday, February 2, 2017 8:46 PM
  • There is an updated deployment script with the December 2016 Servicing release that adds support for XTS-AES encryption. https://www.microsoft.com/en-us/download/details.aspx?id=54439

    just specify XTSAES256 as encryption method.

    In your Task sequence just before invoking the preprovision bitlocker step, set the following registry key to use XTS-AES encryption.

    HKLM:\Software\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs (dword)

    These are the possible values:

    AES-CBC 128bit – value 3
    AES-CBC 256bit – value 4
    AES-XTS 128bit – value 6
    AES-XTS 256bit – value 7

    hope this helps...


    Henrik Rading - Senior Consultant, Deployment Specialist



    Thursday, February 2, 2017 9:23 PM
  • There is an updated deployment script with the December 2016 Servicing release that adds support for XTS-AES encryption. https://www.microsoft.com/en-us/download/details.aspx?id=54439

    just specify XTSAES256 as encryption method.

    In your Task sequence just before invoking the preprovision bitlocker step, set the following registry key to use XTS-AES encryption.

    HKLM:\Software\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs (dword)

    These are the possible values:

    AES-CBC 128bit – value 3
    AES-CBC 128bit – value 4
    AES-XTS 128bit – value 6
    AES-XTS 256bit – value 7

    hope this helps...


    Henrik Rading - Senior Consultant, Deployment Specialist


    Just a small typo ;) value 4 is AES-CBC 256-bit

    Thursday, February 2, 2017 10:21 PM
  • Thank god you're here guys! :)

    How about, is there any automated way to swap / change on existing computers, or is this only useful for OSD/new computer scenario?

    BTW: for OSD guys, setting AES-XTS 256bit will go like this: cmd /c REG ADD "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethodWithXtsOs" /t REG_DWORD /d "7"


    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!


    Friday, February 3, 2017 8:35 AM
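    Henrik's registry value and the REG ADD one-liner in the reply above, together with the reporting gap Carl describes earlier in the thread, as an added PowerShell example that is not part of any post here: it writes EncryptionMethodWithXtsOs using the DWORD map from Henrik's post, then reads the policy back and compares it with what Get-BitLockerVolume reports for the OS volume once encryption has finished, which is the check the MBAM 2.5 SP1 report cannot make while its Cipher Strength field stays blank for XTS. The function names are my own; the sibling values for fixed and removable data drives are not discussed in the thread and appear only in a comment.

```powershell
# Added example, not from the thread. Assumes Windows 10 1511 or later, the BitLocker
# PowerShell module (Get-BitLockerVolume) and an elevated session.
# Policy location from Henrik's post; fixed/removable data drives use the sibling
# values EncryptionMethodWithXtsFdv / EncryptionMethodWithXtsRdv (not covered here).
$PolicyKey  = 'HKLM:\Software\Policies\Microsoft\FVE'
$PolicyName = 'EncryptionMethodWithXtsOs'

# DWORD from Henrik's list -> name Get-BitLockerVolume reports in EncryptionMethod
$MethodByValue = @{
    3 = 'Aes128'      # AES-CBC 128-bit
    4 = 'Aes256'      # AES-CBC 256-bit
    6 = 'XtsAes128'   # AES-XTS 128-bit
    7 = 'XtsAes256'   # AES-XTS 256-bit
}

function Set-OsDriveCipherPolicy {
    # Same effect as the REG ADD line in the thread, with the value validated first.
    # Run this in the task sequence before the "Pre-provision BitLocker" step.
    [CmdletBinding()]
    param(
        [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
        [string]$Method = 'XtsAes256'
    )
    $value = ($MethodByValue.GetEnumerator() | Where-Object { $_.Value -eq $Method }).Key
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value $value -Force | Out-Null
    # Return what was actually written so the TS log shows it.
    (Get-ItemProperty -Path $PolicyKey -Name $PolicyName).$PolicyName
}

function Test-OsDriveCipher {
    # Compare what policy asks for with what the OS volume actually uses.
    # When the value is absent the OS default applies; for 1511 that is XTS-AES 128
    # (per Henrik's reply), so treat that as the expectation.
    $policyValue = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    $expected = if ($null -ne $policyValue) { $MethodByValue[[int]$policyValue] } else { 'XtsAes128' }
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $actual = [string]$vol.EncryptionMethod
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MountPoint     = $vol.MountPoint
        VolumeStatus   = $vol.VolumeStatus
        PolicyValue    = $policyValue
        ExpectedMethod = $expected
        ActualMethod   = $actual
        # Only a fully encrypted volume using the expected cipher counts as compliant.
        Compliant      = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($actual -eq $expected)
    }
}

# During OSD (before Pre-provision BitLocker):
#   Set-OsDriveCipherPolicy -Method XtsAes256
# After deployment, locally or fleet-wide via Invoke-Command:
#   Test-OsDriveCipher
```

    Test-OsDriveCipher returns an object rather than text so the results of an Invoke-Command sweep can be exported and filtered on Compliant, giving the cipher-strength view that the MBAM report leaves empty for XTS volumes.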
  • For changing encryption in existing computers, you would have to run a script that decrypts the drive and encrypts it again. Make sure the GPOs for setting encryption method is in place before encrypting again.

    To start the encryption after successful decryption, you can just let the MBAM agent handle it on policy evaluation, or do it in your script using the manage-bde.exe or PowerShell cmdlets.


    Henrik Rading - Senior Consultant, Deployment Specialist

    Friday, February 3, 2017 3:16 PM
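    The decrypt-then-re-encrypt procedure Henrik describes, as an added PowerShell example that is not part of his reply: it uses the BitLocker cmdlets rather than manage-bde, refuses to start on a volume that is mid-conversion, waits for decryption to finish before encrypting with the target XTS method, and adds a recovery password so the MBAM agent (or AD) has something to escrow. It assumes Windows 10 1511 or later, an elevated session, a ready TPM, that the XTS policy from the thread is already in place, and that your MBAM policy allows a TPM-only protector; the function names are my own.

```powershell
# Added example, not from the thread. Assumes Windows 10 1511+, the BitLocker module,
# an elevated session and a TPM that is ready; MBAM policy is assumed to permit a
# TPM-only protector on the OS drive.

function Wait-BitLockerStatus {
    # Poll until the volume reaches the wanted VolumeStatus or the timeout expires.
    param(
        [string]$MountPoint,
        [ValidateSet('FullyDecrypted', 'FullyEncrypted')][string]$Status,
        [int]$TimeoutMinutes = 240
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        if ($vol.VolumeStatus -eq $Status) { return $vol }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $MountPoint to become $Status (last: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
}

function Convert-OsDriveToXts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet('XtsAes128', 'XtsAes256')][string]$Target = 'XtsAes256'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ([string]$vol.EncryptionMethod -eq $Target) {
        Write-Verbose "$MountPoint already uses $Target; nothing to do."
        return $vol
    }
    # Never start on a volume that is still encrypting or decrypting.
    if ($vol.VolumeStatus -notin @('FullyEncrypted', 'FullyDecrypted')) {
        throw "$MountPoint is mid-conversion ($($vol.VolumeStatus)); refusing to start."
    }
    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not ready; a TPM protector cannot be created.' }

    if ($vol.VolumeStatus -eq 'FullyEncrypted') {
        # Decryption removes every key protector; the data is unprotected until the new
        # encryption completes, so keep the machine powered and on the network throughout.
        if ($PSCmdlet.ShouldProcess($MountPoint, "decrypt (currently $($vol.EncryptionMethod))")) {
            Disable-BitLocker -MountPoint $MountPoint | Out-Null
            Wait-BitLockerStatus -MountPoint $MountPoint -Status FullyDecrypted | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, "encrypt with $Target")) {
        # -EncryptionMethod is explicit, so the outcome does not depend on whether the GPO
        # has refreshed yet; -SkipHardwareTest avoids the reboot-based TPM check.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Target -TpmProtector -SkipHardwareTest | Out-Null
        # Recovery password for MBAM (or AD) to escrow on the next policy evaluation.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Wait-BitLockerStatus -MountPoint $MountPoint -Status FullyEncrypted
    }
}

# Preview the actions first, then run for real:
#   Convert-OsDriveToXts -WhatIf
#   Convert-OsDriveToXts -Target XtsAes256 -Verbose
```

    If you prefer to let the MBAM agent start the encryption, as Henrik mentions, stop after the Disable-BitLocker wait and let policy evaluation do the rest; either way, confirm the new recovery password reached the MBAM database before treating the machine as done.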
  • There is an updated deployment script with the December 2016 Servicing release that adds support for XTS-AES encryption. https://www.microsoft.com/en-us/download/details.aspx?id=54439


    What a mess. They forgot to update the script version inside the PS, it's still 2.5.1 like the old one. And there is still that unnecessary GPO check which fails the script.

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!


    Saturday, February 4, 2017 9:48 AM
  • Oliver, I see that the December 2016 servicing release for MDOP includes an update to the MBAM GPO with a description update for XTS, but after pulling down the new template I still don't see that the ADMX file has been updated to include the XTS setting for Windows 10. Not sure I understand the point of updating the ADML file if the ADMX still does not include the setting in question. What am I missing?

    Thanks in advance!

    Saturday, February 4, 2017 6:24 PM
  • Actually if anyone can answer that, I would appreciate it.
    Saturday, February 4, 2017 6:34 PM
  • Not sure I understand the point of updating the ADML file if the ADMX still does not include the setting in question. What am I missing?

    Thanks in advance!

    Always update both ADML and ADMX together, they must match! Make sure you are using the latest Win10 1607 templates too. As Oliver has written here in multiple threads, XTS must be configured in the BitLocker GPO node, not the MBAM node.

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Sunday, February 5, 2017 8:50 AM
  • Yes, thank you, I know that the ADML and ADMX files must match. However, they don't in the current December servicing release for MBAM. That is what I find odd. Why update the descriptions in the ADML if the ADMX template still does not include the correlating settings?
    Monday, February 6, 2017 7:05 PM
  • Yes, thank you, I know that the ADML and ADMX files must match. However, they don't in the current December servicing release for MBAM. That is what I find odd. Why update the descriptions in the ADML if the ADMX template still does not include the correlating settings?

    Did MS publish both .adml and .admx in December release?

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Tuesday, February 7, 2017 7:30 AM
  • If you take a look at the release notes for the December update, only the descriptions are updated.

    The GPO description and the Invoke-MbamClientDeployment.ps1 MBAM deployment script for Bitlocker XTS-AES support are updated. The Microsoft Download Center provides the following download and installation instructions

    Source: https://support.microsoft.com/en-us/help/3198158/december-2016-servicing-release-for-microsoft-desktop-optimization-pack


    Henrik Rading - Senior Consultant, Deployment Specialist

    Tuesday, February 7, 2017 7:37 AM
  • Can the regkey above be used without MBAM? Just with ConfigMgr 1610 and AD BitLocker key management?
    Tuesday, April 25, 2017 3:00 PM
  • Hi,

    those keys are not MBAM related. Standard GPO keys.

    /Oliver

    Wednesday, April 26, 2017 8:38 PM
  • I need that to be done during OSD just before Pre-provision BitLocker
    Wednesday, April 26, 2017 8:42 PM