MBAM - End of Support July 2019. No Successor for a Bitlocker Management Solution?

  • General discussion

  • --> Update. Now supported with SCCM 1911. (I do not know how to close this thread.)

    Hello fellow MBAM Users/Admins/Consultants,

    I was just wondering if anyone got a glimpse from Ignite of what is happening for MBAM users when support ends next year?

    Yeah I know, the extended support goes until 2024, but I would expect to get a successor BEFORE mainstream support ends. Has anyone heard anything? I certainly hope it is not a cloud-only solution; this would give me and my customers a big headache. Most foreign countries are not excited about security-relevant information moving to Azure. And well, decryption keys are this kind of data; many CIOs would not be comfortable entrusting such information to a US company... in some countries this is even forbidden by law...

    But I don't want to start a political discussion here... just what your experiences are with MBAM being disbanded and what you are doing about it?

    As things are now, I will be forced to use a non-Microsoft product like Sophos SafeGuard... which does the same thing as MBAM, but I would prefer using an MDOP product, which is included in the Windows Enterprise license costs.


    www.netlogix.de


    • Edited by Reittier Tuesday, December 10, 2019 10:18 AM
    Friday, October 5, 2018 9:47 AM

All replies

  • Hi,

    you can use PowerShell :-)

    /Oliver

    Monday, October 15, 2018 10:05 AM
  • Hi,

    and what am I supposed to do with PowerShell? Code my own MBAM server and agent? ;)

    I know that I can encrypt volumes with PowerShell, but I think the point of MBAM is the recovery key management and the reporting functionality... PowerShell cannot do that for me :)


    www.netlogix.de


    • Edited by Reittier Monday, October 15, 2018 10:17 AM
    Monday, October 15, 2018 10:16 AM
  • Hi,

    sure it can, but it takes some effort to implement. If I'm not wrong, Ronald Schilf (also active here) is doing it this way.

    You can store the key in AD.

    A commercial tool called Bittruster does it completely remotely without an agent.

    So it can be done .... ;-)

    /Oliver 

    Monday, October 15, 2018 12:24 PM
  • About recovery key management - the key needs to be recorded in AD and that's it for me. Self-service recovery (users may retrieve the key by themselves) is not advisable in secure environments.

    As for reporting: it depends on what you expect reporting to do for you.

    We can deploy simple scripts that will list the encryption status and dump it to files so that you can see "of my 100 machines, 99 are fully encrypted, while 1 is not". You can as well dump details like the encryption algorithm and such. What do you need?

    Monday, October 15, 2018 1:33 PM
  • Hi and thanks for your will to contribute.

    Well, MBAM brought this nice portal for the helpdesk staff that could access recovery keys without the need for access to an ADUC MMC console. Moreover, the MBAM agent changed the recovery key automatically if a user entered it to regain access to the computer. The key change is inevitable from a security perspective, because the user would be able to write their key down and store it along with the encrypted device. So storing in AD is great for small environments, but bad for bigger ones. Moreover, the reporting and auditing features of MBAM are great because you can provide "evidence" or proof that a specific device was encrypted shortly before it was lost or stolen. Without MBAM you would just know that you encrypted it once... maybe 2 years ago... not good if you need to justify yourself in a security-related problem. And you can even show a report of the device and when a recovery key was requested, and even by whom.

    So yes, 3rd-party software (I don't know BitTruster, but I know Sophos SafeGuard) is available to do that job, but it costs additional licenses and that's a downside. MBAM is included for Enterprise Agreement users.

    And yeah, I'm sure I can write a ton of scripts and use them, but I certainly do not want to use them at my customers and moreover I don't want to support them. I loved telling my customers that they most likely already pay for a management solution with all those features via their Enterprise Agreement, which works perfectly well; they just need to install and configure it.

    Thanks for your comments!


    www.netlogix.de


    • Edited by Reittier Monday, October 15, 2018 3:09 PM
    Monday, October 15, 2018 3:07 PM
  • Heard from MS that they withdrew the end of life of MBAM. Though, the solution will not last forever.

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Monday, October 15, 2018 5:28 PM
  • "nice Portal for the Helpdesk-Staff that could access RecoveryKeys without the need for access to an ADUC mmc console" - you can script that as well, no ADUC needed:

    # Requires the RSAT ActiveDirectory module and read access to msFVE-RecoveryInformation objects.
    Import-Module ActiveDirectory

    # Load every BitLocker recovery object once; the objectClass filter is evaluated on the DC.
    $recoveryObjects = Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' }

    do {
        $key = (Read-Host -Prompt "Enter starting portion of recovery key ID").ToUpper()
        # The object's CN is "<date>{<recovery key ID>}", so the ID prefix can be matched on the DN.
        $records = $recoveryObjects | Where-Object { $_.DistinguishedName -like "*{$key*" }

        foreach ($rec in $records) {
            # The parent of the recovery object is the computer object: CN=<name>,OU=...
            $computerName = ($rec.DistinguishedName.Split(",")[1]).Split("=")[1]
            $computer = Get-ADComputer -Identity $computerName
            # Read the password attribute only for this one matching object.
            $recoveryPass = Get-ADObject -Identity $rec.DistinguishedName -Properties 'msFVE-RecoveryPassword'
            [pscustomobject][ordered]@{
                Computer            = $computer.Name
                'Recovery Key ID'   = $rec.Name.Split("{")[1].Split("}")[0]
                'Recovery Password' = $recoveryPass.'msFVE-RecoveryPassword'
            } | Format-List
        }
        $response = Read-Host "Repeat (y)?"
    }
    while ($response -eq "y")

    (you will only need to know the first 4 characters of the recovery key ID).

    About self-recovery: after you hand the key to users, the device becomes untrusted and will need to be reinstalled. There is no reason to believe that the user has only good intentions. The key change is no means to mitigate that.

    --

    "Without MBAM you just would know that you encrypted it once... maybe 2 years ago... not good if you need to justify in a security related problem." - you misunderstand what you see in front of you. MBAM uses an agent and guess what that agent does: it uses PowerShell, regularly, to retrieve the status and write it to the MBAM server. What we do, without MBAM, is the same, we only write it to text files, regularly. Same "evidence". Since the script is as easy as one line:

    manage-bde -status>\\server\share\%computername%.txt

    it's really not "a ton". To give you an idea about how to use these files: parse them like this:

    for /f %a in ('dir /b \\server\share\') do findstr Percentage d:\share\%a | findstr /v 100 &&echo notFullyEncrypted>\\server\share\noncompliant\%a

    Try it out, see how easy it is.



    Tuesday, October 16, 2018 8:14 AM
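    The reporting approach sketched above (dump `manage-bde -status` per machine to a share, then scan the files for the encryption percentage) can be turned into a dated compliance report. The following PowerShell is an added example, not code from the thread's author: it writes two constructed sample status files to a temp folder standing in for `\\server\share`, parses the per-volume fields, and flags any volume that is not fully encrypted with protection on, or whose status file is older than a chosen number of days (a stale report is no evidence that a device was encrypted at the time it went missing). The folder path, the age threshold and the sample contents are assumptions.

```powershell
# Added example (not from the thread): build a BitLocker compliance report from
# per-machine 'manage-bde -status' dumps, as produced on each client by
#   manage-bde -status > \\server\share\%computername%.txt
# All paths and sample data below are constructed so the script runs stand-alone.

$StatusShare  = Join-Path $env:TEMP 'bde-status-demo'   # stands in for \\server\share
$MaxReportAge = 7                                       # days; older files count as stale

# --- constructed sample dumps (shape of what manage-bde -status prints) ---
New-Item -ItemType Directory -Path $StatusShare -Force | Out-Null
@"
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"@ | Set-Content -Path (Join-Path $StatusShare 'PC-GOOD.txt')

@"
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 42.7%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        TPM
"@ | Set-Content -Path (Join-Path $StatusShare 'PC-BAD.txt')
# Make the second file look like a report that stopped arriving a month ago.
(Get-Item (Join-Path $StatusShare 'PC-BAD.txt')).LastWriteTime = (Get-Date).AddDays(-30)

function Get-BdeStatusReport {
    param([string]$Path, [int]$MaxAgeDays)

    foreach ($file in Get-ChildItem -Path $Path -Filter '*.txt' -File) {
        $text = Get-Content -Path $file.FullName -Raw
        # Each volume block starts with "Volume X:"; split there and drop the tool header.
        $volumes = ($text -split '(?m)^Volume ') | Select-Object -Skip 1 | Where-Object { $_.Trim() }

        foreach ($v in $volumes) {
            $letter  = ($v -split '\s')[0]                                   # e.g. "C:"
            $pct     = if ($v -match 'Percentage Encrypted:\s*([\d.]+)%') { [double]$Matches[1] } else { 0 }
            $prot    = if ($v -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
            $method  = if ($v -match 'Encryption Method:\s*(.+)')  { $Matches[1].Trim() } else { 'Unknown' }
            $ageDays = ((Get-Date) - $file.LastWriteTime).Days

            [pscustomobject]@{
                Computer     = $file.BaseName          # file name is %computername%
                Volume       = $letter
                Percent      = $pct
                Protection   = $prot
                Method       = $method
                LastReported = $file.LastWriteTime     # when the client last checked in
                Stale        = $ageDays -gt $MaxAgeDays
                Compliant    = ($pct -eq 100 -and $prot -eq 'Protection On' -and $ageDays -le $MaxAgeDays)
            }
        }
    }
}

$report = Get-BdeStatusReport -Path $StatusShare -MaxAgeDays $MaxReportAge
$report | Format-Table Computer, Volume, Percent, Protection, Method, LastReported, Stale, Compliant -AutoSize

# Keep a dated CSV: this is the record you show when a device is reported lost.
$report | Export-Csv -Path (Join-Path $StatusShare "compliance-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Computer) $($_.Volume): $($_.Percent)% / $($_.Protection) / stale=$($_.Stale)"
}
```

    Run it in any PowerShell session; PC-GOOD comes out compliant and PC-BAD is flagged both for the partial encryption and for the stale report. Pointing `$StatusShare` at the real share and scheduling the script is all that changes for production use.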
  • Hey, yeah I'm sure that it is a lot of fun and I love to write scripts and so on.... but I don't want to and cannot support my own "script-based" BitLocker management application for all my customers.

    Imagine that one of those scripts doesn't work after a Windows 10 update is released. Nobody would notice for some time until you need the key... and then see that it might not be there, or it might be the wrong key or something. I do not want to take responsibility for lost data because my scripts didn't work and they cannot find their keys. That's why you buy software which has support and you can rely on somebody whose job it is to react to bugs and problems.

    • About self-recovery: after you hand the key to users, the device becomes untrusted and will need to be reinstalled. There is no reason to believe that the user has only good intentions. The key change is no means to mitigate that.

    I don't agree here. We can agree about the Self-Service Portal. Okay.
    But if a user calls the helpdesk to regain access to their PC and they give him or her the recovery key, the device does not become untrusted, because the MBAM agent changes the recovery key and escrows it to the database. So he cannot use the old key. Which is much better than having to change it manually (manage-bde etc.) or leaving the old key valid. Moreover, you won't always have the option to reinstall a notebook if the user is currently on another continent doing important stuff with his notebook and will not return in the next few weeks. So changing the recovery key may not be sufficient... but still much better than doing nothing and hoping everything will go well.

    So I'm no admin, I work for customers and I provide consulting... And I'm no software developer ;) But thanks for sharing anyway, I think we just have different conditions for BitLocker management.

    @yannara: That's very interesting!



    www.netlogix.de

    Tuesday, October 16, 2018 10:10 AM
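    The helpdesk flow discussed in this post (read the recovery password out to the user, then retire it so the copy they wrote down is worthless) is what the MBAM agent automates; Oliver's earlier reply covers the other half, storing the key in AD. As an added example that is not code from the thread, the following PowerShell does both manually on a client with Windows' built-in BitLocker module: it adds a fresh numerical-password protector, escrows it to AD DS, and only then removes the disclosed protector, so the volume never lacks an escrowed recovery key. The mount point, the disclosed key protector ID and the function name are assumptions; it needs an elevated session and a GPO that permits backing up recovery information to AD DS.

```powershell
# Added example (not from the thread): rotate a BitLocker recovery password after it
# has been disclosed to a user, escrowing the replacement in AD DS first.
# Requires the BitLocker module (Windows 8 / Server 2012 and later), an elevated
# session, and policy allowing AD DS backup of recovery information.
# The mount point, key protector ID and function name are assumptions for the example.

function Update-DisclosedRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        # ID of the protector that was read out to the user, e.g. '{2C4E5E1B-....}'.
        # If omitted, every existing numerical-password protector is rotated.
        [string]$DisclosedKeyProtectorId
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection is not on for $MountPoint; fix that before rotating protectors."
    }

    # The protector(s) to retire.
    $old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($DisclosedKeyProtectorId) {
        $old = @($old | Where-Object { $_.KeyProtectorId -eq $DisclosedKeyProtectorId })
        if (-not $old) { throw "No recovery password protector with ID $DisclosedKeyProtectorId on $MountPoint." }
    }
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Rotate recovery password protector')) {
        # 1. Add the replacement first, so the volume never lacks a recovery protector.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $new = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds } |
            Select-Object -First 1

        # 2. Escrow the new protector in AD DS (an msFVE-RecoveryInformation object under the
        #    computer account). -ErrorAction Stop: if escrow fails, keep the old protector.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop

        # 3. Retire the disclosed protector(s); the password the user wrote down no longer unlocks anything.
        foreach ($id in $oldIds) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
        }

        # Record only the protector ID for the audit trail, never the password itself.
        Write-Verbose "Rotated recovery password on ${MountPoint}: retired $($oldIds -join ', '), new ID $($new.KeyProtectorId)"
        return $new.KeyProtectorId
    }
}

# Dry run first (nothing is changed), then the real rotation, both from an elevated prompt:
Update-DisclosedRecoveryPassword -MountPoint 'C:' -WhatIf
# Update-DisclosedRecoveryPassword -MountPoint 'C:' -DisclosedKeyProtectorId '{00000000-0000-0000-0000-000000000000}' -Verbose
```

    The order (add, escrow, then remove) is the point of the example: if the AD DS backup fails, the function stops with the old protector still in place rather than leaving a volume whose only recovery password exists nowhere but on the client. Whether a device that had its key disclosed should additionally be reinstalled, as the security admin in this thread argues, is a policy decision the script does not make for you.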
  • That's interesting! Thank you for sharing. I hope the rumors are true. I would be happy with a newer MBAM version, or else it has to be 3rd-party software... like Sophos. Good for them I guess. :)

    www.netlogix.de

    Tuesday, October 16, 2018 10:14 AM
  • If a user is abroad and asks for the key, he can use it to immediately harvest any password hashes of admin accounts on that machine, read data, turn his account into an admin account, implant keyloggers and so forth. That does not need much know-how. Believing that changing the key immediately afterwards will keep him from doing that is wishful thinking.

    Yes, I would give him the key as well if he called me, but after his return the device would be reinstalled (never had to do that, as the recovery mode does not get triggered for nothing).

    I am telling you this as a security admin. You don't have to take that advice.

    Tuesday, October 16, 2018 10:58 AM
  • Ah, that's what you were thinking of! Okay, I can understand that. That's a lot of mistrust towards your users, but now I get it. :)

    I see BitLocker as mitigation of an attack by a 3rd party, not as a method to ensure users are unable to hack their own notebook.

    If a company cannot even trust their employees, why should they even trust their security admin ;) No offense. I don't want this to get political.
    So yeah, from a very strict security perspective this is a risk, I can agree with that.

    But I cannot imagine that this is the reason for Microsoft to abandon MBAM.
    That's like "Oh hey, it is not secure to give out recovery keys to end users, and with MBAM this was possible... so we shut it down completely and bury it forever." :D


    www.netlogix.de


    • Edited by Reittier Thursday, October 18, 2018 11:59 AM
    Thursday, October 18, 2018 11:59 AM
  • Good luck to having those Bitlocker recovery keys going to Azure AD tenant :D

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Wednesday, November 14, 2018 10:23 AM
  • I know McAfee has a tool called Management of Native Encryption that manages BitLocker and FileVault. It can be done on-prem or in the cloud.

    https://www.mcafee.com/enterprise/en-us/products/technologies/filevault-bitlocker-management.html

    Wednesday, November 14, 2018 11:10 AM
  • Sophos has "SafeGuard". Same thing, different Manufacturer.

    https://www.sophos.com/en-us/products/safeguard-encryption.asp


    www.netlogix.de

    Wednesday, November 14, 2018 12:25 PM
  • Hi,
    Sophos is also dropping their encryption product some time in 2019.

    https://lancrypt.conpal.de/EN/

    Check WinMagic; they provide BitLocker, Mac FileVault as well as SED management.

    https://www.winmagic.com/encryption-solutions/bitlocker-management

    Tuesday, December 4, 2018 3:59 PM
  • Trend Micro Endpoint Encryption does BL management and key recovery: http://apac.trendmicro.com/apac/enterprise/product-security/endpoint-encryption/index.html
    Tuesday, December 4, 2018 6:05 PM
  • Hi, trying to find solutions; I posted this question in a few posts already but no answer yet. Trying to add a feature to MBAM 2.5 for the first time, already installed the July 2018 SP for MDOP. Using SQL Server 2014 SP2 on Windows Server 2016 SP2.

    Any suggestions please ?

    Unexpected configurator error.

    Description:
    Exception thrown from feature provider.

    Exception:
    Microsoft.Mbam.Setup.Common.SetupException: An error occurred deploying the Data Tier Application ---> System.Data.SqlClient.SqlException: DacInstance with the specified instance_id does not exist.
       at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
       at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted)
       at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
       at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
       at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
       at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
       at Microsoft.Data.Tools.Schema.Common.SqlClient.RetryPolicy.ExecuteAction[R](Func`2 func, Nullable`1 token)
       at Microsoft.Data.Tools.Schema.Common.SqlClient.RetryPolicy.ExecuteAction[T](Func`1 func, Nullable`1 token)
       at Microsoft.Data.Tools.Schema.Sql.Dac.ConnectionManager.SingleDatabaseModeConnectionManager.ExecutionContext.ExecuteNonQueryWithRetry(SqlCommand sqlCommand, RetryPolicy commandRetryPolicy, RetryPolicy connectionRetryPolicy)
       at Microsoft.Data.Tools.Schema.Sql.Dac.ProcedureCommand.ExecuteInSystemDatabase(ConnectionManager connectionManager)
       at Microsoft.Data.Tools.Schema.Sql.Dac.InsertHistoryEntryCommand.Execute()
       at Microsoft.Data.Tools.Schema.Sql.Dac.DacRegistrationManager.DacHistoryManager.HistoryEntry.InsertEntry()
       at Microsoft.Data.Tools.Schema.Sql.Dac.DacRegistrationManager.DacHistoryManager.StartDeploy(Guid instanceId)
       at Microsoft.Data.Tools.Schema.Sql.Dac.DacRegistrationManager.StartDeploy()
       at Microsoft.SqlServer.Dac.DacServices.InternalDeploy(IPackageSource packageSource, Boolean isDacpac, String targetDatabaseName, DacDeployOptions options, CancellationToken cancellationToken, DacLoggingContext loggingContext, Action`3 reportPlanOperation, Boolean executePlan)
       at Microsoft.SqlServer.Dac.DacServices.Deploy(DacPackage package, String targetDatabaseName, Boolean upgradeExisting, DacDeployOptions options, Nullable`1 cancellationToken)
       at Microsoft.Mbam.Setup.Common.Database.DatabaseProvider`1.DeployDac(DacServices services, String databaseName, CancellationToken cancellationToken)
       at Microsoft.Mbam.Setup.Common.ActionItem.Run()
       at Microsoft.Mbam.Setup.Common.ActionItemQueue.Run()
       at Microsoft.Mbam.Setup.Common.Database.DatabaseProvider`1.Enable(IProgress`1 progress, CancellationToken cancellationToken, T configuration)
       --- End of inner exception stack trace ---
       at Microsoft.Mbam.Setup.Common.Database.DatabaseProvider`1.Enable(IProgress`1 progress, CancellationToken cancellationToken, T configuration)
       at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<>c__DisplayClass34`1.<InvokeAsync>b__33()
       at System.Threading.Tasks.Task`1.InnerInvoke()
       at System.Threading.Tasks.Task.Execute()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<InvokeAsync>d__36`1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<>c__DisplayClass2.<<EnableAsync>b__0>d__4.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<EnableAsync>d__8.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Mbam.Setup.Configurator.RecoveryDBUIFeatureModel.<EnableTransacted>d__4.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Mbam.Setup.Configurator.BatchTaskModel.<>c__DisplayClass5.<<Commit>b__1>d__7.MoveNext()

    Tuesday, December 4, 2018 9:40 PM
  • I don't know, maybe MBAM will be replaced by SCCM in the on-prem scenario.. why not :)

    MCSE Mobility 2018. Expert on SCCM, Windows 10 and MBAM.

    Tuesday, December 11, 2018 12:41 PM
  • They (Sophos) drop their own encryption solution, yeah. But not their BitLocker management solution, as far as I know. :)

    www.netlogix.de

    Tuesday, January 22, 2019 10:27 AM
  • Yeah I do hope so.
    But wouldn't it be time to announce it? Maybes don't help with either planning or consulting customers. :(

    But thanks for sharing and discussing :)

    I think it will be some Azure-based solution. And that would suck for me ;)


    www.netlogix.de

    Tuesday, January 22, 2019 10:32 AM
  • Would you mind linking the existing thread? I don't want to answer you in this discussion.

    www.netlogix.de

    Tuesday, January 22, 2019 10:33 AM
  • Now supported with SCCM 1910. Not tested yet.

    www.netlogix.de


    • Edited by Reittier Thursday, April 2, 2020 7:18 AM typo
    Tuesday, December 10, 2019 10:08 AM
  • It is SCCM 1910, not 1911. Yeah, but here is the problem - MBAM requires HTTPS. It means you need to transfer your entire SCCM infrastructure to HTTPS and use PKI. Not simply done in the real world.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Tuesday, December 10, 2019 10:37 AM