Microsoft BitLocker Administration and Monitoring (MBAM 2.5)

  • Question

  • Hi Sir

    I would like to ask: what are the disadvantages of using Microsoft BitLocker Administration and Monitoring (MBAM 2.5)?

    Are there any important points which I have to take care of before applying this?

    Regards


    Thursday, February 22, 2018 11:38 AM

All replies

  • It has plenty of advantages, including centralizing the recovery keys, its ease of implementation when combined with GPOs, and the ease of delegation for handling operations related to encryption.

    In terms of disadvantages, the only one I can think of is the fact that it won't enforce encryption for those who are outside of your company, but this is not a problem as the encryption will be triggered once they are back on site.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Thursday, February 22, 2018 12:09 PM
  • Hi

    I have configured a test MBAM environment. I have installed three servers and deployed everything successfully.

    But to apply the policy on the client as a test, does any action need to be done on the Active Directory domain server, and is there any alternative solution to avoid doing anything on the Active Directory domain server, because it works as a production server?

    Regards

    Friday, February 23, 2018 8:04 AM
  • Not sure I fully comprehend the question and remarks made, but if you have a test environment, shouldn't there also be a test ADDS / DC / domain?

    When using MBAM, the use of GPOs is necessary, and as such implementing a GPO specific to BitLocker/MBAM is required. You could always remote into the DC and update the necessary definitions using GPMC installed, configured and available on a management workstation.

    Friday, February 23, 2018 8:39 AM
  • Can I use a virtual machine (Windows 10) as a client and do the needed tests on it?
    Friday, February 23, 2018 10:27 AM
  • Nope, at least if you are going to use BitLocker to protect your OS and volume:

    "BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2."

    (excerpt from the BitLocker FAQ article)

    Besides, you would still need to have the necessary GPO(s) in place.

    Friday, February 23, 2018 11:48 AM
  • Another question also:

    I have deployed all servers and features needed for MBAM. Now I have to apply the policies on the MBAM client.
    I have copied/deployed the policy templates to the dedicated server.

    Now how can the AD server communicate with this server, which has the policy templates, to apply them on the target end user/computer?
    Monday, February 26, 2018 2:01 PM
  •
    I'm assuming you are asking how to set up the necessary GPO for MBAM. If you are able to manage the GPOs from this machine, you should be able to make use of the necessary ADMX files and start configuring the necessary definitions. This article should help you on the way.
    Tuesday, February 27, 2018 8:02 AM
  • Hi Sir

    In regards to deploying the MBAM client: is it possible to install it through MBAMClientSetup.exe directly on the client computer, not remotely?

    Sure. Perhaps the information in this article helps you configure a way to push and configure the installation (assuming you do not want to visit each and every machine that needs to be managed via MBAM).
    Tuesday, February 27, 2018 8:04 AM
  • I have already followed this article. But my question is: after doing everything on the management workstation/server and changing some policies, how can the Active Directory server get these policies from the management workstation/server to apply them afterwards on the target computer?
    Tuesday, February 27, 2018 8:24 AM
  •
    If you have updated the relevant GPO using GPMC.msc, you are directly altering the definitions and relevant policies on the DC you have connected to.

    When you've started GPMC.msc, go to your domain and check the status details (it should tell you that you are connected to a DC, which is used as the baseline domain controller for this domain).

    Tuesday, February 27, 2018 8:41 AM
  • 1- The policies will be applied only on the clients/computers that already have the MBAM client installed. The other clients/computers which have not installed it will not be affected, is that right?

    2- When I edit the group policy and edit/change any one of them, it is automatically created on the DC, is that right?

    Tuesday, February 27, 2018 2:19 PM
  • 1- The policies will be applied only on the clients/computers that already have the MBAM client installed. The other clients/computers which have not installed it will not be affected, is that right?

    MBAM-specific policies will only be active on machines that have the client installed. So, yes, you are correct.

    2- When I edit the group policy and edit/change any one of them, it is automatically created on the DC, is that right?

    If you follow the recommendations and suggestions previously posted and found in any of the available MBAM-specific articles (concerning MBAM GPOs), then yes, you are correct.


    Tuesday, February 27, 2018 2:42 PM
  • In this case, how will the policies be applied on the target client/computer if I cannot see anything on the AD DC server?
    Thursday, March 1, 2018 9:04 AM
  •

    Do you have / does your company have more policies? Are these working as expected? Is the ADDS environment in a consistent state? Are you experiencing replication / synchronization issues? Do you know how to check if policies are being effectuated? Have you checked the results on the affected machines and the GPOs pushed and enforced (gpresult), and so on and so on?

    Based on your last two posts, it seems that your questions, and issues, are outside of the scope of this thread and I would suggest that you open a new thread in the relevant community forum (ADDS related?).

    It seems that you will have to troubleshoot your symptoms, checking the AD infrastructure, its policies, the replication thereof and so on.

    Thursday, March 1, 2018 9:19 AM
  • Note: after installing the MBAM client on the client computer, I could not find the BitLocker Management Client Service on the client computer.
    Friday, March 2, 2018 12:03 PM
  • What (version of the) OS are you using?
    Are you able to start and use BitLocker?
    Monday, March 5, 2018 8:00 AM
  • Hi,

    I would say that if the service is not installed, the MBAM client installation failed. Or if it is installed, try to reinstall and check the log.
    Take a look at your services and search for mbamagent, or type "get-service mbamagent" in PowerShell.

    To answer your questions...

    1) Your computer where the MBAM client is installed will be affected when the policies are successfully applied and the mbamagent service is running. Set the following reg key to let the computer directly connect to the MBAM endpoint after startup.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] "NoStartupDelay"=dword:00000001

    2) Where?? Control Panel or GPMC? If missing in GPMC, copy the ADMX/ADML templates into the central store. If missing in Control Panel, your MBAM client is not installed, but I would be wondering why you want to install it on a DC.


    Monday, March 5, 2018 11:06 AM
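The checks in the reply above (is the agent service there, have the policies arrived, what does BitLocker itself report, and the lab-only NoStartupDelay value) collected into one script. This is an added example, not code from the thread or from Microsoft. It assumes the agent service is registered as "MBAMAgent", that the MBAM client key is HKLM\SOFTWARE\Microsoft\MBAM as quoted above, and that the MBAM GPO settings land under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement (that last path is an assumption; check it against your own ADMX import). Run it elevated on the client, in a console session.

```powershell
# Added example (not from the thread): MBAM 2.5 client health check.
# Assumed names: service "MBAMAgent", client key HKLM:\SOFTWARE\Microsoft\MBAM,
# policy key HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement.

function Test-MbamClientHealth {
    [CmdletBinding()]
    param(
        [string]$OsDrive = $env:SystemDrive,
        [switch]$SetNoStartupDelay   # lab only: report to the MBAM endpoint right after boot
    )

    $result = [ordered]@{}

    # 1. Is the MBAM agent installed and running? If Get-Service finds nothing,
    #    the client setup did not complete; reinstall and read the installer log.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    $result.AgentInstalled = [bool]$svc
    $result.AgentStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Have the MBAM policies reached this machine? (assumed policy key path)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $result.PolicyKeyPresent = Test-Path $policyKey
    if ($result.PolicyKeyPresent) {
        $result.PolicyValues = (Get-ItemProperty $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    }

    # 3. What does BitLocker itself say about the OS drive? (same data as manage-bde -status)
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if ($vol) {
        $result.ProtectionStatus = $vol.ProtectionStatus.ToString()
        $result.VolumeStatus     = $vol.VolumeStatus.ToString()
        $result.Protectors       = ($vol.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() }) -join ','
    }

    # 4. Optional lab setting from the reply above: skip the startup delay so the
    #    agent contacts the endpoint immediately. Do not roll this out to a fleet;
    #    every morning logon then becomes a burst of requests against the server.
    if ($SetNoStartupDelay) {
        $mbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
        if (-not (Test-Path $mbamKey)) { New-Item -Path $mbamKey -Force | Out-Null }
        New-ItemProperty -Path $mbamKey -Name 'NoStartupDelay' -PropertyType DWord `
            -Value 1 -Force | Out-Null
        if ($svc) { Restart-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue }
        $result.NoStartupDelay = 1
    }

    [pscustomobject]$result
}

# Usage: plain check first; add -SetNoStartupDelay only on a lab client.
Test-MbamClientHealth | Format-List
```

If AgentInstalled comes back false, nothing else in the output matters: the agent is what reads the policy values and drives the encryption prompt, so fix the client install before chasing GPO replication. If the agent is running but PolicyKeyPresent is false, the problem is on the GPO side (scope, link, or a missing ADMX in the central store), which is what the gpresult advice earlier in the thread is for.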
  • Very nice. Many thanks for the support. I followed your instructions and I can now see the client on the website (BitLocker Administration and Monitoring) with all details.

    And I applied all the recommended policies on the client.

    1- I have applied this Fixed Data Drive policy on the client, and through the BitLocker Administration and Monitoring website I see (Policy: Fixed Data Drive: Encryption Required: Password).

    How can I encrypt it by password? Should it not automatically ask me for that?

    2- I have also applied Policy: Operating System Drive > Encryption Required: TPM.

    How can I configure it? Should it not automatically ask me for that?

    Wednesday, March 7, 2018 9:26 AM
  • When I click on the "Volume Report" of the website and write the name of the client computer, I receive the below error:

    • The value provided for the report parameter 'MachineId' is not valid for its type. (rsReportParameterTypeMismatch)

    What can be the reason?

    Wednesday, March 7, 2018 11:39 AM
  • Hi,

    Did you connect to that client with the console session? The MBAM client won't pop up when connected through Remote Desktop.

    But yes, you're right, it should pop up automatically when encryption is required. But I am sorry, I don't know MBAM's behavior for TPM-only deployments. When configuring TPM+PIN, MBAM pops up and asks for a PIN. Maybe the encryption is already working? Start "fvenotify.exe" or "manage-bde -status C:" in cmd.exe to verify.

    You could set these registry items in your GPO as well, next to the main MBAM policies. But be careful with the frequency settings. If you plan to deploy MBAM to several clients, that will definitely slow down your server.
    Letting all clients directly connect to the server when the computer starts up is also a bit risky when too many users start to work at, for example, 8 am. I would only apply these settings for testing.

    Where exactly did you click on "Volume Report"?

    Wednesday, March 7, 2018 2:57 PM
  • Where exactly did you click on "Volume Report"?

    In the main MBAM website there are:

    1. Computer Compliance Report

    2. Enterprise Compliance Report

    3. Recovery Audit Report

    4. Volume Report

    When I click on the "Volume Report" of the website and write the name of the client computer, I receive the below error:

    • The value provided for the report parameter 'MachineId' is not valid for its type. (rsReportParameterTypeMismatch)

    What can be the reason?


    Monday, March 12, 2018 10:25 AM
  • When configuring TPM+PIN, MBAM popped up on the client and asked me for a PIN.

    Now, how can I get the PIN code if the end user/client forgot it?

    Monday, March 12, 2018 10:28 AM
  • You cannot; you will have to enter the recovery ID and set a new PIN.
    Monday, March 12, 2018 10:30 AM
  • I removed the policy related to operating system encryption through the TPM and PIN code and applied it on the client, but the machine is still asking for the PIN code. Why?
    Monday, March 12, 2018 12:06 PM
  • Because the policy was applied previously and the PIN was set accordingly. If you want to address this, there is no other option than to decrypt the volumes, turn off BitLocker and wait for the GPO / policies to kick in.
    Monday, March 12, 2018 12:23 PM
  • How can I view the recovery ID?
    By checking the MBAM (self-service or helpdesk) portal.
    Monday, March 12, 2018 12:23 PM
  • Is it possible to reset the PIN code through the MBAM (self-service or helpdesk) portal?

    If yes, do I have to reset the PIN code from the client manually after finishing the reset from the portal?

    Monday, March 12, 2018 12:58 PM
  •
    No, that is not possible. You can only recover a volume using MBAM, after which you can use BitLocker (the GUI) on the machine in question to change the PIN.

    Monday, March 12, 2018 1:02 PM
  • Suppose that the client forgot the PIN code (operating system encryption). So how can we resolve this kind of problem?
    Monday, March 12, 2018 1:48 PM
  • Then she or he will have to use the MBAM self-service portal, or call the service desk and ask them to assist in getting the recovery key. Truth be told, I am surprised that you are still asking these types of questions. Perhaps reading some of the relevant articles written by Microsoft about MBAM should help you in further understanding what MBAM is (and what it isn't)…
    Monday, March 12, 2018 7:08 PM
  • Calm down please. I am asking what happens if the client forgets the PIN code, because I had a strange behavior. I got the recovery key and entered it on the client machine, but after the mandatory restart of the machine, it asked me again for the PIN code, and this way I could not access the machine.

    Thanks


    Tuesday, March 13, 2018 11:43 AM
  • Perfect calmness on this side, thank you for asking! Any question you still have that I may distill from what you wrote?
    Tuesday, March 13, 2018 11:53 AM
  •
    You have to change the PIN code before the next reboot, otherwise it will just ask you for the same PIN code at reboot and you will be in an endless loop. So use the recovery key to unlock the machine, then change the PIN code, then reboot.

    Can I ask if you solved the problem with the MBAM Volume Report? Because I am now getting the same issue:
    "The value provided for the report parameter 'MachineId' is not valid for its type"

    Wednesday, July 25, 2018 11:21 AM
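The recover-then-change-PIN sequence from the reply above, as an added example that is not part of the thread and not Microsoft's code. It covers the loop the earlier poster hit: the recovery password only unlocks the current boot, and the forgotten TpmPin protector stays on the drive until it is replaced. The script assumes the OS drive carries a TpmPin protector and that the built-in BitLocker PowerShell module is available; run it elevated, from a console session, after the user has booted with the recovery password and before the next reboot.

```powershell
# Added example (not from the thread): replace a forgotten TPM+PIN protector
# on the OS drive after a recovery-password boot, so the next restart prompts
# for the new PIN instead of dropping back to the recovery screen.

function Reset-BitLockerPin {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$NewPin
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; nothing to reset."
    }

    # Make sure a recovery password stays on the volume before touching the boot
    # protector, so a failure between the remove and the add never locks us out.
    # (MBAM escrows a new one through the agent; this is belt and braces.)
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # A volume holds only one TPM-based protector, so the old TpmPin protector
    # has to go before a new one with the new PIN can be added.
    $old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
    if (-not $old) { throw "No TpmPin protector found on $MountPoint." }
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $NewPin | Out-Null

    # Return the protector list so the caller can confirm TpmPin is back before rebooting.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage: prompt for the new PIN as a SecureString and verify TpmPin is listed.
$pin = Read-Host -AsSecureString -Prompt 'New BitLocker PIN'
Reset-BitLockerPin -NewPin $pin
```

For a one-off on a single machine, the interactive equivalent is simply "manage-bde -changepin C:" in an elevated prompt, which asks for the new PIN twice; the script is for a helpdesk that wants the state checked and the protector list returned rather than trusting that someone typed the command before rebooting. Either way, the PIN must satisfy whatever length and complexity the MBAM GPO enforces, or the add step will be rejected.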
  •
    There seems to be something very strange with that "Volume Report". I don't know if it was working for me before, with version 2.5 (no SP1), but I recently updated to 2.5 SP1 with the July 2018 servicing (2.5.1143), and when I run that report, I get that error when I put in a machine name. I mean, it does say "Device or Machine Name" in the prompt for that box.

    However, when I download the report definition and look at it, it's expecting an *INTEGER* for that value... the MachineId. I don't know if that's working right either. I looked in the table "RecoveryAndHardwareCore.Machines" for the ID of the machine I was interested in, put that ID value in and submitted. At least it didn't give me an error, but it also didn't show any type of volume report: empty.

    The report calls a sproc "ComplianceRead.GetVolumeInfoByMachineId" and passes @MachineId, and what that led me to realize is that our compliance data isn't populating. Oh well. We use SCCM, so something must not be tied in correctly.

    Anyway, now you know: it's expecting an integer, not a machine name. So... yeah.

    Thursday, January 24, 2019 6:45 PM