Microsoft BitLocker Administration and Monitoring (MBAM) and Workgroup Laptops

  • Question

  • Is it possible for a non domain laptop to work with MBAM? I have added the MBAM policies to the local group policy of the machine and have defined the details for the MBAM server in the local policy i.e. the MBAM Recovery and Hardware service endpoint and MBAM compliance service endpoint etc.

    However I keep getting the following error:

    An error occured while applying MBAM policies.
    Volume ID:\\?\Volume{fb6a6cb9-e044-19e2-964a-806e6f6e6963}\ 

    Error code:
    0x803d0005 

    Details:
    Access was denied by the remote endpoint.

    I assume this is due to some sort of domain authentication trying to happen. Is there any way to make this work?

    • Edited by PaDocIT Monday, July 1, 2013 12:22 PM
    Monday, July 1, 2013 12:19 PM

Answers

  • I don't believe that will work with WORKGROUP laptops. You would likely need to use Bitlocker itself for encrypting the machines and then store the keys centrally somewhere.

    MBAM is used to administer the encryption and monitor it. It relies heavily on being on a domain. It reports the last logged-on users and a few other things. It sounds like overkill for WORKGROUP laptops, as I imagine you will not have these machines continuously report back to the DB since they won't be on the domain.

    You could use Bitlocker and just store the keys for all WORKGROUP machines into a central location.


    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    • Marked as answer by PaDocIT Tuesday, July 2, 2013 12:43 PM
    Monday, July 1, 2013 11:57 PM
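One way to implement the "use BitLocker and store the keys centrally" approach the answer suggests, as an added example that is not part of this thread and not Microsoft's MBAM tooling: a script that runs on each workgroup laptop (e.g. as the last step of imaging, or whenever protectors change), reads the numerical recovery passwords from the BitLocker PowerShell module, appends them to a central CSV on a share, and reads the record back to confirm it was stored. It assumes Windows 8 / Server 2012 or later (for `Get-BitLockerVolume`), administrator rights, and a hypothetical share `\\fileserver\BitLockerKeys` whose NTFS and share ACLs allow laptops to append and only helpdesk staff to read.

```powershell
# Added example (not from the thread): collect BitLocker recovery passwords from a
# workgroup laptop and append them to a central CSV on a restricted share.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later).
# The share path below is hypothetical; the file must be readable only by helpdesk.
# Run elevated: Get-BitLockerVolume requires administrator rights.

param(
    [string]$CentralStore = '\\fileserver\BitLockerKeys\recovery-keys.csv'  # hypothetical path
)

Import-Module BitLocker

$now = Get-Date -Format 'o'
$records = foreach ($vol in Get-BitLockerVolume) {
    # Only key protectors of type RecoveryPassword carry the 48-digit password
    # that helpdesk types at the recovery screen.
    foreach ($kp in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
        [pscustomobject]@{
            Collected        = $now
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted / EncryptionInProgress
            ProtectionStatus = $vol.ProtectionStatus   # On / Off
            KeyProtectorId   = $kp.KeyProtectorId      # the {GUID} shown on the recovery screen
            RecoveryPassword = $kp.RecoveryPassword    # 48-digit numerical password
        }
    }
}

if (-not $records) {
    Write-Warning "No RecoveryPassword protector found on $env:COMPUTERNAME; nothing to store."
    return
}

# Append rather than overwrite: a re-imaged laptop gets a new KeyProtectorId, so the
# central file keeps both the old and the new key, and helpdesk matches on the ID
# displayed at the recovery prompt rather than on the computer name alone.
$records | Export-Csv -Path $CentralStore -Append -NoTypeInformation

# Read the record back so a field technician sees a failure immediately instead of
# discovering at recovery time that the key never reached the central store.
$stored = @(Import-Csv -Path $CentralStore |
    Where-Object { $_.ComputerName -eq $env:COMPUTERNAME -and $_.Collected -eq $now })
if ($stored.Count -ne @($records).Count) {
    throw "Expected $(@($records).Count) record(s) in the central store, found $($stored.Count)."
}
$stored | Select-Object ComputerName, MountPoint, KeyProtectorId | Format-Table -AutoSize
```

The read-back check is what addresses the "field IT re-images a laptop and forgets to update the key" failure mode: if the append fails (share offline, wrong credentials), the script throws and the imaging step is visibly broken. The plaintext CSV is only as safe as the share's ACLs, so restrict read access to the helpdesk group and audit access to the file. On Windows 7, where the module does not exist, the same protector IDs and passwords are printed by `manage-bde -protectors -get C:`.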

All replies

  • I was afraid of that. Unfortunately manually storing keys centrally will be a logistics nightmare. We have central and field IT staff and it would be hard to ensure that keys are being managed properly. For example, a field IT guy re-images a laptop and forgets to ensure the key has been updated in the central location, etc. I could see that happening a lot.

    We're not so much concerned with monitoring as we are with the administering. We have a basic need. Laptop gets encrypted, helpdesk has an easy way to recover the machine if needed.

    Looks like we may just have to join the domain to get the key in MBAM and then disjoin.

    Thanks for the reply.

    Tuesday, July 2, 2013 12:43 PM