I have deployed the MBAM Server + SQL and the agent to one of the client machines in a testing environment.
I am able to encrypt the laptop and the status is now showing as Compliant in the Reporting console. Now the main issues are:
1. What will be the status of the laptop if I decrypt the drives?
2. What if I rejoin an encrypted machine to the domain?
3. What if I rename a computer which has MBAM drive encryption?
4. Can I delete the hostname from the MBAM Compliance report if the host has not reported for more than X days?
Also, please suggest various test scenarios.
Awaiting your reply.
- Edited by David Athukuni Thursday, September 26, 2013 11:24 AM -
Thanks for the reply. I have noted all the points you answered, so I planned to perform some tests and see the results.
I have performed the following scenario:
- Renamed the MBAM encrypted machine and joined it to the domain.
- Restarted the MBAM Client services.
- The new hostname is reflected in the database as well as the reporting server, but after a day.
The entry which I am seeing in the MBAM database tables does not match the MBAM client service restart, so I just wanted to know, after renaming the hostname, which entries need to be changed in the registry so that it is reflected in the SQL Server database with minimum latency.
Thanks for the reply; however, in my case I updated my hostname yesterday and it was not reflected in the report or in the database.
I disconnected the laptop from the domain and reconnected it this morning.
I restarted the MBAM service and it got reflected in the database as well as the report; however, the last updated date and time do not match in the database, as it is showing some weird entries.
Hence I need to know the configuration settings for the MBAM agent to communicate with the SQL server.
The MBAM Agent does not communicate with the SQL server. It is the MBAM web server which sends requests to the SQL server.
We don't need to change any configuration for the MBAM agent, and there is a frequency set for the communication of the MBAM Agent with the MBAM Web Server. By default, for recovery settings it is 90 minutes and for compliance settings it is 720 minutes.
I would really recommend implementing MBAM 2.0 at this time, and skipping 1.0, if you can just upgrade your MDOP license. I haven't configured 1.0 myself, but from what I've heard from colleagues, 1.0 would require a lot of tweaking to get it to work, so it's not a walk-in-the-park setup :)
The 2.0 version should be more reliable, and the client not so buggy.
Thanks for the reply :)
I have set the Compliance setting (status reporting frequency) to 90 mins.
Also, I was trying to exclude some computers from MBAM encryption by referring to this article, but I am unable to understand the policy for this.
Please advise on this.
I have set Hardware Compatibility for Dell E6330 laptop models to Compatible status.
Now if I have 5 laptops, of which I want to exclude 2 laptops from encryption, how do I do this?
You need to enable the policy "Configure user exemption policy" and can define any of the settings for Phone Number, Mailing Address or Website URL. The user will get this message to request the exemption.
You need to create an MBAM GPO and filter it to a security group of which the exempted computer will be a member.
So when you change the compatibility of the machine to compatible, the user will be prompted for the encryption. The user will click on the request for the exemption and will get a message to contact the MBAM Administrator by the means defined in the exemption policy. After the request is submitted, the MBAM Admin will decide whether to exempt the user from encryption or not.
Method for the exemption:
- Create a domain security group.
- Configure the user exemption policies to exempt the user from encryption.
- Set a time limit for the exemption.
- Filter the exemption policy to the created domain security group. Add the user as a member of this particular security group.
For more help you can go through this particular link:
Sure, I will test this scenario and update you.
But reading the above steps, it signifies that a user is exempted from encryption.
1. Suppose a user "David" is exempted from MBAM encryption and one of my colleagues or a helpdesk resource logs in for troubleshooting -- will encryption be forced on that laptop?
I have implemented MBAM 2.0 SP1 in production on distributed servers in the India location.
1. Is there any chance we can deploy IIS + SQL in the US office, so that the agent will not communicate with the India site? Locally it will have its own repository.
We have a single forest, single domain with multiple sites.
2. Also, I would like to know whether MBAM can function in a cross-forest infrastructure, e.g. ABC.com to XYZ.com.