Enable Auto-Unlock on fixed drives

  • Question

  • Hi,

    We have recently moved over from a centralised BitLocker policy to using MBAM. One requirement I need to enable is auto-unlocking of fixed drives.

    We are using MBAM 2.1, and the two policies I think I need to concentrate on are "Fixed data drive encryption settings" and "Configure use of passwords for fixed data drives". My OS is already encrypted in MBAM with the TPM + PIN option.

    First of all, if I set "Configure use of passwords for fixed data drives" to disabled and then set "Fixed data drive encryption settings" to enabled with "Require Auto-Unlock", the encryption of my D: drive fails with an error. If I change this to "Allow Auto-Unlock" it still fails.

    If I then enable "Configure use of passwords", I am prompted to enter a password for the encryption and the encryption succeeds; however, it will not auto-unlock and I don't have the option to enable auto-unlock. If I try it again with "Require Auto-Unlock", the encryption fails.

    I have read in a few places that the Auto-Unlock feature is not available with MBAM, but they are referring to an older version of MBAM (1.0), and I am slightly mystified why there would be a policy under the MBAM Group Policy tree allowing auto-unlock if this was not possible. If I enable auto-unlock, either as Require or Allow, do I need to set the password policy in a specific way? Usually when we encrypted the fixed drives using just the BitLocker GPO we used Auto-Unlock and didn't require a password, so I was hoping we could do the same thing.

    Can anyone confirm whether this is indeed possible or whether I have misunderstood the purpose of that policy?

    Thanks

    David

    Saturday, April 19, 2014 3:39 PM

Answers

  • I have figured this out. Firstly, allowing Auto-Unlock is possible with MBAM 2.1; the issue I had was that I was not allowing a 256-bit recovery key, which is required for auto-unlock on the fixed drive to work.

    So my settings are: "Require Auto-Unlock" set to enabled, password set to disabled, "Require 48-digit recovery password" and "Allow 256-bit recovery key". This key is stored on the OS partition, so it is secure, as the OS partition needs to be encrypted to allow fixed drives to be encrypted with Auto-Unlock.

    Another thing worth knowing: I was getting a rather uninformative error message when I was originally trying to encrypt the fixed drive with auto-unlock enabled, so I could never really figure out why it wasn't working. I have now found that all logs are kept here:

    Event Viewer - Applications and Services Logs - Microsoft - Windows - MBAM - Admin, where I got this error, which pointed me in the right direction:

    An error occured while applying MBAM policies.

    Volume ID:\\?\Volume{d8d4d1ec-c2fb-11e2-be72-806e6f6e6963}\

    Error code:

    0x8031005E

    Details:

    Group Policy settings do not permit the creation of a recovery key.

    • Marked as answer by dasmitchell Tuesday, April 22, 2014 7:20 AM
    Tuesday, April 22, 2014 7:19 AM
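The two checks the answer above walks through (reading the MBAM Admin event log for the policy error, and confirming the fixed drive has the protectors auto-unlock depends on) can be scripted from an elevated PowerShell prompt. This is an added example, not code from the thread or from MBAM itself; it assumes the MBAM Admin channel is named 'Microsoft-Windows-MBAM/Admin' (the Event Viewer path given in the answer) and that the built-in BitLocker module is available.

```powershell
# Added example (not from the thread). Assumptions: the MBAM Admin event channel is
# 'Microsoft-Windows-MBAM/Admin' and the BitLocker PowerShell module is installed.

function Get-MbamPolicyErrors {
    # Pull recent MBAM Admin errors and parse the Volume ID, error code and detail line
    # out of the message body, in the layout shown in the answer above.
    param([int]$MaxEvents = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -eq 'Error' } |
        ForEach-Object {
            $msg    = $_.Message
            $volume = if ($msg -match 'Volume ID:\s*(\S+)')             { $Matches[1] } else { $null }
            $code   = if ($msg -match 'Error code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Volume    = $volume
                ErrorCode = $code                      # 0x8031005E in the thread's case
                Detail    = ($msg -split "`r?`n" | Where-Object { $_ } | Select-Object -Last 1)
            }
        }
}

function Test-FixedDriveAutoUnlock {
    # For each fixed data drive, report whether it carries an ExternalKey protector
    # (the key material auto-unlock relies on, which the "Allow 256-bit recovery key"
    # policy must permit), a 48-digit RecoveryPassword, and whether auto-unlock is on.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Drive               = $_.MountPoint
            ProtectionStatus    = $_.ProtectionStatus
            HasExternalKey      = ($types -contains 'ExternalKey')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            AutoUnlockEnabled   = $_.AutoUnlockEnabled
        }
    }
}

Get-MbamPolicyErrors       | Format-Table -AutoSize
Test-FixedDriveAutoUnlock  | Format-Table -AutoSize
```

A fixed drive that shows HasExternalKey as False alongside a logged 0x8031005E is the symptom described in the answer: the GPO is blocking creation of the key that auto-unlock needs.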