How to manage BitLocker through MBAM on an already encrypted machine

  • Question

  • Hi All,

    I have a scenario where the machines are already encrypted, with the recovery key stored in AD and the protector type set to TPM. Now the company is moving to MBAM for managing BitLocker.

    I installed the MBAM client on one of the machines and followed the reports reflected on the MBAM server. The reports show the encryption state as encrypted and are correct. That's OK, but how can I get the information regarding the recovery keys? How will the MBAM server be able to contact Active Directory to get the recovery keys?

    Do I have to disable BitLocker and encrypt the machine again through MBAM so that the MBAM server can store the recovery information? I have also tried suspending BitLocker, but that has not had any success either.

    Or is there some other alternative for that?

    I know decrypting and encrypting again can solve the problem, but it will take a lot of time. So I am looking for a shorter and better solution.

    Thanks.


    Gaurav Ranjan

    Monday, August 20, 2012 10:38 AM

Answers

  • If you use the Allow Hardware Compatibility Checking policy, then:

    There is a 24 hr check delay when you mark a machine as compatible from the MBAM console.

    To remove the timer, delete the two values below and restart the agent.

    1. HKLM\software\microsoft\MBAM\HWExemptionTimer
    2. HKLM\software\microsoft\MBAM\HWExemptionType
    3. Restart the MBAM agent: (BitLocker management client service)

    Or

    Change the value of HKLM\software\microsoft\MBAM\HWExemptionType from 0 to 2.

    0 = unknown

    2 = compatible

    Restart the MBAM client agent service, and we will then prompt the user to start the encryption process when we hit the next client frequency, which is 90 minutes by default.

    We will also send the recovery key to the SQL DB.

    If you are not using the above GPO, then check the MBAM Admin logs for errors.


    Manoj Sehgal

    • Marked as answer by Gaurav_Ranjan Monday, August 20, 2012 2:13 PM
    Monday, August 20, 2012 1:48 PM
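The registry change and service restart described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes (the thread does not say) that the two values are REG_DWORD, that the agent's service name is `MBAMAgent` (display name "BitLocker Management Client Service"), and that the operating system volume is C:.

```powershell
# Added example, not from the original thread: apply the HWExemption change
# from the answer above, then restart the MBAM agent so the client
# re-evaluates hardware compatibility and escrows the recovery password.
# Assumptions: values are REG_DWORD; the agent's service name is 'MBAMAgent';
# the OS volume is C:. Run from an elevated PowerShell prompt on the client.

$mbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'

# Show the current exemption state before changing anything.
Get-ItemProperty -Path $mbamKey -ErrorAction SilentlyContinue |
    Select-Object HWExemptionType, HWExemptionTimer | Format-List

# Option A (from the answer): mark the hardware as compatible.
# 0 = unknown, 2 = compatible.
Set-ItemProperty -Path $mbamKey -Name HWExemptionType -Value 2 -Type DWord

# Option B (the answer's alternative): delete both values so the 24 h check
# delay is dropped and the agent re-evaluates from scratch. Uncomment to use
# instead of Option A.
# Remove-ItemProperty -Path $mbamKey -Name HWExemptionTimer, HWExemptionType `
#     -ErrorAction SilentlyContinue

# Restart the agent so it picks up the new state.
Restart-Service -Name MBAMAgent -Force
Get-Service -Name MBAMAgent | Select-Object Status, DisplayName

# The volume is already TPM-protected; what MBAM escrows is the numerical
# recovery password protector, so confirm one exists on the volume.
manage-bde -protectors -get C:
```

After the restart, the agent reports on its next check-in (90 minutes by default, or whatever the client frequency GPO sets), so wait for that interval before looking in the MBAM Admin log and the recovery database. Setting HWExemptionType to 2 by hand bypasses the hardware compatibility check, so only do it on hardware you have already validated with MBAM.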

All replies

  • In one of the posts by Manoj Sehgal, I noticed that once we install the MBAM agent on an already encrypted Windows 7 machine, the MBAM agent will automatically send the recovery keys to the SQL DB once we hit the next client wake-up frequency.

    http://www.networksteve.com/windows/topic.php/Importing_BitLocker_recovery_key_information_from_Active_Directo/?TopicId=49370&Posts=5 

    But in my case, the MBAM agent is not sending the recovery keys to the MBAM SQL DB. What can the possible causes be?

    I am using a single-server infrastructure for MBAM: the MBAM DBs and the MBAM server are on a single server. The policy templates are installed in AD, and the MBAM BitLocker policies have been applied through GPO. The client wake-up frequency has been set to 1 minute.

    Can somebody help?


    Gaurav Ranjan

    Monday, August 20, 2012 11:15 AM
  • Thanks to your post, Manoj, I was able to accomplish the scenario.

    Now MBAM has taken over from the other Microsoft BitLocker technology, and the recovery keys have been exported to the MBAM DB.

    Your posts are really like a source of water in a desert for the BitLocker guys.

    I need one more help from you regarding BitLocker once again, but not with MBAM. I am using the default BitLocker option in the TS. I have posted it on TechNet: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/58024d00-c691-428a-90cf-7419c007d6b1/#f3488617-63e3-4f04-87df-846a09cc7332


    Thanks.


    Gaurav Ranjan

    Monday, August 20, 2012 2:18 PM
  • Hi Manoj,

    All the information regarding BitLocker has been reported to the MBAM server except the TPM owner password.

    I have a couple of questions regarding BitLocker with MBAM:

      -- How will the TPM ownership information be reported to the MBAM DB by the MBAM agent? Presently it shows a value of NULL.

      -- If somehow the TPM gets reset, the machine will prompt for the recovery password at every boot, and the MBAM admin has to provide the key at every boot. How can that be stopped? If the TPM has been reset, what should we do so that it prompts for a single entry of the recovery password and then boots on its own as in the usual boot process (without the recovery password)?

      -- In that case, how will MBAM initialize the TPM again?


    Gaurav Ranjan

    Tuesday, August 21, 2012 6:43 AM
  • From a trusted source at Microsoft:

    Q1:
    If I re-deploy with a NEW recovery database, is there any way to force the clients to re-report their keys?
    A1:
    By design, when MBAM clients talk to MBAM server, they will escrow the 48 digit recovery keys to SQL DB.

    Q2:
    Even if they have already reported it? (They report it every 48 hours, regardless?)
    A2:
    Yes, regardless of whether they have reported to the SQL DB. We keep only the latest key in the SQL DB for every volume that is encrypted.



    Mike Crowley | MVP
    My Blog -- Planet Technologies


    • Edited by Mike Crowley Wednesday, November 27, 2013 1:06 AM
    Wednesday, November 27, 2013 1:06 AM
  • Hi Gaurav,

    Did you manage to find the solution for your query?

    If yes, please let me know the solution as well.

    Regards,

    David


    David J.

    Tuesday, July 16, 2019 8:49 AM