MBAM 2.5 - no TPM - options?

Hello.  So we have MBAM 2.5 (upgraded from 2.0 over the past week), and now we also have our first UEFI computers without TPMs.  We would like to enable USB keys as a protector for these devices, but unless I'm missing something it does not seem to be an option.
I was also considering the password method, but even though the release notes indicate that the password method is now FIPS compliant, the GPO (updated with 2.5 ADMX) indicates that it is *not* FIPS compliant. 
Under "Configure use of password for operating system drives" it states:
Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security
Options specifies whether FIPS-compliance is enabled.
It is enabled in our environment, so does that mean we cannot use the password protection, or was the description just not updated?
Our ideal method right now would be to encrypt the OS drive and store the key on a USB drive, in addition to MBAM storing a recovery key.  A second best solution would be FIPS compliant password protection.  Are either/both of these possible? 
Thanks,
-Nick 

Thanks for the reply! 
I still have a question regarding USB protectors though.  When I check the supported protector methods for OS volumes I see:
Trusted Platform Module (TPM)
TPM + PIN
TPM + USB key – supported only when the operating system volume is encrypted before MBAM is installed
TPM + PIN + USB key - supported only when the operating system volume is encrypted before MBAM is installed
Password - supported only for Windows To Go devices, fixed data drives, and Windows 8 devices that do not have a TPM
Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7
Data recovery agent (DRA)
So out of those, all seem to be out except for Numerical password and DRA.  None of these options state just USB or USB + password.  How would I enable encryption of the OS drive with just a USB key?  I've found only a little bit of information on DRA, and it mentions certificates.  Is that required to configure the USB protector?  Which certificate do I need to use?  How would I recover a volume protected with USB if the user loses their USB key?
I've read this article on configuring DRAs but it is pretty confusing and seems to be written for Windows 7/2008r2:
http://technet.microsoft.com/library/dd875560(v=WS.10).aspx 
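A preflight check for the two questions raised in this thread (is there a TPM, is FIPS mode on, and which protectors are already on the OS volume), as an added PowerShell example that is not part of the original posts. It assumes Windows 8 or later (for the BitLocker PowerShell module), an elevated session, and that the OS volume is C:. The FIPS registry value it reads is the one the "System cryptography: Use FIPS-compliant algorithms" policy writes; the manage-bde lines at the end are shown only so the USB startup-key commands are visible, they are not executed.

```powershell
# Added example, not from the original thread: preflight for an MBAM 2.5 rollout on a
# device that may have no TPM. Assumes Windows 8 or later (BitLocker PowerShell module),
# an elevated prompt, and that the OS volume is C:.

# 1. Is a TPM exposed to Windows at all? Win32_Tpm has no instances when there is none.
$tpm = Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    'TPM present: enabled={0} activated={1} owned={2}' -f `
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned
} else {
    'No TPM: the TPM, TPM+PIN, TPM+USB and TPM+PIN+USB protectors are not available here.'
}

# 2. FIPS mode. The "System cryptography: Use FIPS-compliant algorithms..." policy writes
#    this value; the ADMX note quoted in the question says the password protector is
#    refused while it is 1.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsOn  = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
"FIPS policy enabled: $fipsOn"

# 3. Protectors already on the OS volume (same data as manage-bde -protectors -get C:).
$vol = Get-BitLockerVolume -MountPoint 'C:'
'C: protection={0} status={1} method={2}' -f $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionMethod
foreach ($kp in $vol.KeyProtector) {
    '  {0,-20} {1}' -f $kp.KeyProtectorType, $kp.KeyProtectorId
}
$hasRecoveryPw = $vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'
"Numerical (recovery) password protector present: $hasRecoveryPw"

# 4. Summarise what the MBAM protector list quoted in the thread leaves for this device.
if (-not $tpm -and $fipsOn) {
    'No TPM + FIPS on: password protector blocked by policy; numerical password and DRA remain.'
} elseif (-not $tpm) {
    'No TPM + FIPS off: password protector is allowed on Windows 8 devices without a TPM.'
}

# BitLocker itself can add a USB startup key without a TPM, but MBAM does not list
# USB-only as a managed protector, so the commands are shown here, not run:
#   manage-bde -protectors -add C: -StartupKey E:\
#   manage-bde -protectors -add C: -RecoveryPassword
```

Run it after a gpupdate so the FIPS value reflects the policy that actually applies; on a domain machine the local value is whatever the last policy refresh wrote.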

Similar Messages

  • MBAM Options for Non TPM Machines

    Hi there,
    We have just installed MBAM 2.5. We also have SCCM 2012 R2 in our environment. We are looking to use BitLocker on around 500 laptops which are currently a mixture of Windows 7 and Windows 8.1 but with no TPM (we should begin receiving TPM laptops from next year).
    Could someone please point me in the direction of what our options are both for Windows 7 and Windows 8.1 with no TPM as I am not clear on this.
    Many thanks,
    Jay

    Hi,
    For Windows 7 computers, MBAM requires a TPM to manage them; for Windows 8 / 8.1 you can use MBAM on computers without a TPM.
    http://technet.microsoft.com/en-us/library/dn645378.aspx
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • TPM password not found in MBAM database

    There are other threads I have read through and did some troubleshooting, but still I'm stuck with this: how to get the TPM password into the MBAM database. Another question is, do I really need it? Isn't the recovery key enough?
    My situation is this:
    1. Computers are encrypted during Task Sequence and MBAM client is installed.
    2. During first logon the MBAM client prompts for a PIN and encryption is complete.
    3. Bitlocker recovery key is found in MBAM Admin Web page, but not TPM password.
    What I tried to do:
    - There is no Group Policy for controlling the TPM password.
    - I'm a member of the MBAM Admin and Helpdesk groups.
    - If I clear and initialize the TPM from its mgmt console, there is no activity from the MBAM client, and the TPM password still does not go to the DB.
    - I have checked from SQL mgmt studio that the TPM hash is NULL.
    - I tried to use the TPM-EK vbs script before and after encryption; there is no effect.
    So how do I get the TPM password into the DB? Especially, I'm interested in the scenario where the computer is already encrypted.

    MBAM has to own the TPM to store the password. During a task sequence, follow the steps below. The steps assume pre-provisioning, but the concept is the same even if you don't use it.  If the machine is already encrypted and you want MBAM to store the
    password, you will have to clear the TPM and reboot. Note that this requires physical presence - someone will have to hit F1 in the preboot screen. See below for info on how to clear it via PowerShell.  The reason you want the TPM OwnerAuth password is
    that if a user types their PIN too many times in preboot, the TPM may put the machine into BitLocker Recovery and lock itself for some period of time (depends on manufacturer).  To unlock it faster after you have supplied the BitLocker Recovery Password
    and are in the OS, you have to go to tpm.msc and choose Reset TPM Lockout, supplying the TPM Owner Auth password.  If MBAM stores it, you can get this info from the Helpdesk portal.
    To configure MBAM to own the TPM and store OwnerAuth passwords:
    On the client computer, open an elevated Windows PowerShell command prompt and type the following commands:
        # Gets an instance of the TPM WMI class.
        $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
        # Disables TPM auto-provisioning.
        $tpm.DisableAutoProvisioning()
        # Clears the TPM (physical presence request 22).
        $tpm.SetPhysicalPresenceRequest(22)
    Restart the computer, and then confirm that you want to clear the TPM.
    For the task sequence to get MBAM to own it out of the box, do the following:
    1. Capture and sysprep a WIM as you normally would.
    2. Mount the captured WIM using
       dism /mount-wim /wimfile:C:\WimImages\Win7.wim /index:1 /mountdir:C:\AIKMount
    3. Load the WIM registry:
       reg load HKLM\WimRegistry c:\AIKMount\windows\system32\config\system
    4. Open regedit and browse to hklm\WimRegistry\system\controlset001\services\TPM\WMI and add the two reg keys that Jim mentioned:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoAutoProvision [REG_DWORD]
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoDisableOwnerClear [REG_DWORD]
    5. Close regedit.
    6. Unload the WIM registry:
       reg unload HKLM\WimRegistry
    7. Commit changes to the WIM and unmount:
       dism /unmount-wim /mountdir:C:\AIKMount /commit
    8. Went to MDT 2012 Update 1 and my deployment share.
    9. Edited the ZTIBDE.wsf script in MDT to tell it not to take ownership of the TPM.
       In that script, replace the TpmValidate function with what I have below (I just commented out the SetTpmOwner lines):
    Function TpmValidate ()
        Dim iRetVal, sCmd, sTpmOwnerPassword
        iRetVal = Success

        '// Set oTpm to valid instance
        iRetVal = GetTpmInstance()
        TestAndFail iRetVal, 6734, "Get TPM Instance"

        '// Set global booleans for TPM state. Error bubble handled by subs
        iRetVal = GetTpmEnabled()
        TestAndFail iRetVal, 6735, "Check to see if TPM is enabled"
        iRetVal = GetTpmActivated()
        TestAndFail iRetVal, 6736, "Check to see if TPM is activated"
        iRetVal = GetTpmOwner()
        TestAndFail iRetVal, 6737, "Check to see if TPM is owned"
        iRetVal = GetTpmOwnershipAllowed()
        TestAndFail iRetVal, 6738, "Check to see if TPM Ownership is allowed"
        iRetVal = GetEndorsementKeyPairPresent()

        oLogging.CreateEntry "TpmEnabled: " & bTpmEnabled, LogTypeInfo
        oLogging.CreateEntry "TpmActivated: " & bTpmActivated, LogTypeInfo
        oLogging.CreateEntry "TpmOwned: " & bTpmOwned, LogTypeInfo
        oLogging.CreateEntry "TpmOwnershipAllowed: " & bTpmOwnershipAllowed, LogTypeInfo
        oLogging.CreateEntry "EndorsementKeyPairPresent: " & bEndorsementKeyPairPresent, LogTypeInfo

        '// Single instance check to allow future corrective action branching.
        TestAndFail bTpmEnabled, 6739, "Check to see if TPM is enabled"
        TestAndFail bTpmActivated, 6740, "Check to see if TPM is activated"
        TestAndFail bTpmOwned Or bTpmOwnershipAllowed, 6741, "Check to see if TPM is owned and ownership is allowed"

        '// The SetTpmOwner calls below are deliberately commented out so that MDT leaves the
        '// TPM unowned and the MBAM agent can take ownership later and escrow the OwnerAuth.
        If bTpmOwned <> True And bTpmOwnershipAllowed = True Then
            If oEnvironment.Item("TpmOwnerPassword") <> "" Then
                oLogging.CreateEntry "TPM Ownership being initiated.", LogTypeInfo
                'iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
                TestAndFail iRetVal, 6741, "TPM Owner Password set"
            ElseIf oEnvironment.Item("AdminPassword") <> "" Then
                oLogging.CreateEntry "TPM Ownership being initiated with AdminP@ssword (not TPMOwnerP@ssword).", LogTypeInfo
                'iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
                TestAndFail iRetVal, 6742, "TPM Owner P@ssword set to AdminP@ssword"
            Else
                oLogging.CreateEntry "TPM Ownership being initiated with Default p@ssword (not TPMOwnerP@ssword).", LogTypeInfo
                'iRetVal = SetTpmOwner("M0nksH00d!4T3al")
                TestAndFail iRetVal, 6743, "Set TPM Owner P@ssword to value"
            End If
        End If

        TpmValidate = Success
    End Function
    10. Grab the StartMBAMEncryption.wsf script from here and edit out those same lines as above.
    11. Added the following files to an MDT application.
    12. Set the app to run cscript.exe startmbamencryption.wsf /MBAMServiceEndPoint:http://<yourmbamserver>/MBAMRecoveryAndHardwareService/CoreService.svc
    13. Added the MBAM agent installer as an application.
    14. Added the MBAM agent to the task sequence.
    15. Added the Start MBAM Encryption app to the task sequence.
    16. Set OSDBitLockerMode=TPM and IsBDE=True in customsettings.ini.
    17. Made sure this was a bare metal machine where the TPM was clear (for testing, you can clear it from the BIOS, just make sure it is activated).
    18. Ran the TS on the box.
    Result:
    BitLocker was pre-provisioned and activated, and MBAM took ownership of the TPM which escrowed the OwnerAuth info to MBAM.
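The offline-image part of the procedure above (mount the WIM, set NoAutoProvision and NoDisableOwnerClear in the image's SYSTEM hive, unload, commit) as a single PowerShell script. This is an added example, not code from the post; it assumes the DISM PowerShell module (Windows 8 or later, or the ADK), an elevated prompt, and the same paths the post uses (C:\WimImages\Win7.wim index 1, mount directory C:\AIKMount). One detail worth knowing: when reg load puts the SYSTEM hive under HKLM\WimRegistry, the control sets sit directly beneath that name (HKLM\WimRegistry\ControlSet001\...), and CurrentControlSet does not exist in an offline hive, so the script reads Select\Current to pick the right ControlSetNNN instead of assuming 001.

```powershell
# Added example, not from the original post: the "mount the WIM, set NoAutoProvision and
# NoDisableOwnerClear in the offline SYSTEM hive, unmount with /commit" steps, as a script.
# Assumes the DISM PowerShell module (Windows 8+ or the ADK), an elevated prompt, and the
# same paths the post uses: C:\WimImages\Win7.wim index 1, mount dir C:\AIKMount.
$wim      = 'C:\WimImages\Win7.wim'
$index    = 1
$mountDir = 'C:\AIKMount'
$hiveName = 'WimRegistry'      # temporary name the offline SYSTEM hive is loaded under HKLM

New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index $index -Path $mountDir | Out-Null

$ok = $false
try {
    # There is no cmdlet for hive loading; reg.exe does it.
    & reg.exe load "HKLM\$hiveName" (Join-Path $mountDir 'Windows\System32\Config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    # The loaded hive's root is the SYSTEM hive itself, so the control sets sit directly
    # under HKLM\WimRegistry. CurrentControlSet exists only on a running system; the
    # Select\Current value says which ControlSetNNN the image will boot with.
    $current = (Get-ItemProperty -Path "HKLM:\$hiveName\Select" -Name Current).Current
    $key     = 'HKLM:\{0}\ControlSet{1:D3}\Services\TPM\WMI' -f $hiveName, $current
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # NoAutoProvision stops Windows 8+ from taking TPM ownership itself at first boot,
    # so the MBAM agent can own it and escrow the OwnerAuth. NoDisableOwnerClear is the
    # second REG_DWORD the post adds alongside it (it keeps Windows from disabling
    # owner-clear on the TPM during provisioning).
    New-ItemProperty -Path $key -Name NoAutoProvision     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name NoDisableOwnerClear -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back before the hive is unloaded.
    Get-ItemProperty -Path $key | Select-Object NoAutoProvision, NoDisableOwnerClear | Format-List
    $ok = $true
}
finally {
    # PowerShell holds registry handles open; without this 'reg unload' reports access denied.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$hiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { $ok = $false; Write-Warning 'reg unload failed; not committing the image' }

    # Commit only when every step succeeded, otherwise discard so a half-edited hive
    # never ends up in the deployment WIM.
    if ($ok) { Dismount-WindowsImage -Path $mountDir -Save    | Out-Null }
    else     { Dismount-WindowsImage -Path $mountDir -Discard | Out-Null }
}
```

The try/finally matters more than it looks: a WIM left mounted with a loaded hive cannot be re-mounted or cleaned up until the hive is unloaded, and an image committed after a failed edit would ship with whatever state the hive was in.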

  • MBAM - SCCM 2012 Reports - Error: the 'MBAM Policy' view does not exist

    Hi
    I have installed MBAM with SCCM 2012 integration. A single server install with SQL server 2012. Mostly it has gone smoothly and laptops are being encrypted and pins stored and recoverable. The problem I have is reports are not showing. I get the following
    error message.
    "Error: the 'MBAM Policy' view does not exist"
    Any ideas why this is? I get the same error message with all 4 reports.

    Hi Slycy,
    There is another thread that seems to be a similar issue
    here that may help you. The last post in particular has a number of steps that you can use to speed up creation of the views:
    Just for future reference, there are quite a few things that have to happen before the view is created. This is merely how CM works.
    Make MBAM MOF changes
    Select TPM spec version in hardware inventory
    Install MBAM CM Integration feature
    Perform a machine policy refresh cycle on a client to get the MOF changes that need to be inventoried
    Perform hardware inventory
    Update MBAM Supported Computers collection membership.  The machine should appear if it meets the criteria
    Run another machine policy refresh on the client so that the Configuration Baseline will come down
    Make sure that the MBAM agent has woken up once
    Evaluate the Configuration Baseline
    The MBAM views should be created now.
    You don't have to do this for every machine, but this is the process to speed it up.  If you let CM do it, it could take over a week before the view is created the first time, depending on when Hardware inventory runs, etc.
    Hope this helps,
    David

  • MBAM 2.0 SP1, SCCM 2012 SP1 - OSD

    Found a few threads on this but just looking for an answer before I spend to much time fiddling to get this to work.  What I am looking to do is encrypt laptops during OSD as follows:
    Enable TPM (working fine)
    Activate TPM (working fine)
    Pre-Provision Bitlocker (using Win 7 Ent SP1)
    Install OS
    Install MBAM
    Enable Bitlocker and escrow both TPM and Drive recovery keys to MBAM server
    The bit I am not too sure about is the Pre-Provision and also the TPM key backup.  Ideally I'd like both the TPM and Disk keys stored in MBAM but I am not sure if this will work if I have activated the TPM pre OS?
    Cheers

    Pre-provisioning only works on a bare metal machine and occurs in WinPE. It also uses the TPM, so you need to make sure that it is on and active in the BIOS.
    This blog post provides some detail on how to enable MBAM and pre-provisioning.  If you are using Windows 8+, and you want MBAM to back up TPM to its db instead of AD, you have to turn off auto-provisioning or Windows 8+ will take ownership automatically
    and escrow to AD.  To disable auto-provisioning you can set the following key when the OS has come up:
    Reg key to disable auto-provisioning:
    HKLM\System\CurrentControlSet\Services\TPM\WMI
    NoAutoProvision = 1
    (you will need to create a reg value called NoAutoProvision and set it to 1)
    Hope that helps!
    Lance

  • Is it possible to disable the Trusted Platform Module (TPM) ?

    I have a Thinkstation D20 and went into the BIOS and selected Inactive & Disabled for the TPM option. The strange thing is that it still shows up in the Device Manager as active and ready. No error messages that I can see.
    Any ideas?

    It says how to turn it off in here --> http://technet.microsoft.com/en-us/library/cc749022%28WS.10%29.aspx
    IT Specialist and Consultant
    Lenovo Tablet Evangelist
    Current Machines: IdeaCentre A300, ThinkPad Tablet, IdeaPad U410, and Yoga 3 Pro Touch
    Deutsche Community   Comunidad en Español
    Lenovo - the latest in DOtabs, DOpads, DOcentre's, DOstations and DOservers!

  • Drive Recovery Using DRA on another Computer Shows No Protectors

    We are rolling out a new series of laptop using MBAM 2.5 next week. We are encrypting the OS drive with 256bit encryption using MBAM GPOs and use TPM+PIN. We have also setup DRAs via GPO, which was done on our previous generation of laptops, but
    without MBAM. We are able to recover a drive using the recovery password. Manage-bde -protectors -get c: on the laptop shows all the correct protectors. When I remove the disk drive and put it in a USB carrier and plug it into a similarly configured laptop
    to decrypt the drive via DRA, the drive shows as unformatted and a showing of protectors for the drive lists no protectors. I don't understand. We have done this same process for several years with our previous generation of laptops. I am stumped.

    You may want to check the settings configured for the policy “Choose how BitLocker-protected operating system drives can be recovered”
    From Planning for MBAM 2.5 Group Policy Requirements
    Suggested configuration: Not Configured
    Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
    When this policy is not configured, the data recovery agent is allowed, and recovery information is not backed up to AD DS.
    MBAM operation does not require recovery information to be backed up to AD DS.
    Brandon
    MDOP on the Springboard Series on TechNet

  • Report error after upgrading to 2.1

    Hello,
    I upgraded my MBAM integrated with SCCM 2012 setup to 2.1 from 2.0 and now I get an error whenever I run the reports.  The error is the same whether I run the report from SSRS or from the SCCM console.  Any ideas?
    Error : the 'MBAM Policy' view does not exist

    Just for future reference, there are quite a few things that have to happen before the view is created. This is merely how CM works.
    Make MBAM MOF changes
    Select TPM spec version in hardware inventory
    Install MBAM CM Integration feature
    Perform a machine policy refresh cycle on a client to get the MOF changes that need to be inventoried
    Perform hardware inventory
    Update MBAM Supported Computers collection membership.  The machine should appear if it meets the criteria
    Run another machine policy refresh on the client so that the Configuration Baseline will come down
    Make sure that the MBAM agent has woken up once
    Evaluate the Configuration Baseline
    The MBAM views should be created now.
    You don't have to do this for every machine, but this is the process to speed it up.  If you let CM do it, it could take over a week before the view is created the first time, depending on when Hardware inventory runs, etc.

  • Thinkpad Tablet Music Sound Issue

    I have an X220 tablet, 4294CTO, and I think the sound card has taken a vacation. Was working, then not. I get the message "no audio output device detected" but I have not made any changes to my machine. I have two questions: 1) is the sound card integrated on the motherboard, and 2) how do I determine which motherboard I have? I know I have the i7-2640M, but not sure what the AMT and TPM options are. If you think it's not the board I wouldn't mind keeping the money in my pocket :-)
    Thanks for the help, Mike

    http://support.lenovo.com/en_US/product-and-parts/partsLookup.page
    from the above, you can find the exact planar that was installed in the machine.
    But for an i7 X220t motherboard it would be quite expensive, more than what your machine is worth (if you are getting a new one). While, the second hand one from ebay can sometimes have quality or hardware issues.
    For a more cost effective fix, you should just get an ExpressCard Sound Card, which cost under 100 dollars. You would also gain better sound quality, among other features.
    Regards,
    Jin Li
    May this year, be the year of 'DO'!
    I am a volunteer, and not a paid staff of Lenovo or Microsoft

  • X301 Client security problem

    Hi,
    My X301 came with XP installed instead of Vista, so I did a clean Vista install, and after I installed the latest Client Security I got the following message:
    http://www9.0zz0.com/2009/03/31/19/467406581.jpg
     http://www6.0zz0.com/2009/03/31/19/213918438.jpg
    Thanks
    Khalifa

    As it said, you have to get into the BIOS and clear the TPM chip first. It was likely user data from the previous Windows that is not the same as the new Windows (probably a new user and such).
    When rebooting, you can press the ThinkVantage button or F1 or F2 (I'm not sure) to get into the BIOS. Then look for the TPM option.

  • MBAM System Administrators - Missing Manage TPM and Drive Recovery option - MBAM 2.5

    I have installed MBAM 2.5 in a 3 server environment. Every thing is working fine and validated the installation.
    But what I have found is that the drive recovery tab and Manage TPM are missing for users who are members of MBAM System Administrators. There are many changes that come with MBAM 2.5, and one is the exclusion of the MBAM local groups.
    Everything is perfect for the Advanced Helpdesk and Helpdesk users.
    Gaurav Ranjan

    Hi Gaurav,
    As you mentioned, there are no local groups anymore.  During configuration of the Admin portal, you specify AD groups for administration.  We removed the System administrators group because it was kind of redundant.  You could get the same
    effect by adding the user to the Advanced Helpdesk and Reporting Users AD groups you specify.  So, if you add whatever user you wanted to be the "system administrator" for MBAM to both of those AD groups, that should solve your problem.  Note you
    may have to log out of your machine and back in after adding them to the group so that they get the token, as with any AD group addition.

  • Using MBAM with Non-TPM Enabled Systems

    We have locations within our organization where systems enabled with TPM chips are not allowed.  For these systems we are looking at using the USB flash drive option for booting the system and unlocking the encrypted drive.  We do
    have other locations within our organization where TPM enabled systems are allowed.  For these systems we are using the TPM chip and storing the recovery key information in MBAM.  My question is, can the recovery keys for those systems that are non-TPM
    enabled be stored in MBAM so the drives can be recovered if the USB flash drive is lost?

    USB Key only is not listed as a supported authentication method for MBAM. On devices without a TPM, the password protector is recommended. See
    Planning for MBAM 2.0 Group Policy Requirements.
    MBAM supports the following types of BitLocker protectors for operating system drives: Trusted Platform Module (TPM), TPM + PIN, TPM + USB key, and TPM + PIN + USB key, password, numerical password, and Data Recovery Agent. The password protector is supported
    only for Windows To Go devices and for Windows 8 devices that do not have a TPM. MBAM supports the TPM + USB key and the TPM + PIN + USB key protectors only when the operating system volume is encrypted before MBAM is installed.

  • Recovery key from MBAM for non TPM machines

    Hi,
    For a long time I have been trying to find an answer to the query below, without luck. Can someone guide me on whether this is feasible or not?
    1. I have non TPM Machines and want to use Bitlocker with MBAM.
    2. If I use a USB flash drive as a start-up key during machine start-up, can we get the recovery key from MBAM (self service or helpdesk portal) if I lose the USB flash drive?
    Shailendra Dev

    Hi,
    For Windows 7 computers a TPM is a requirement; for Windows 8 / 8.1 it is not, so it depends on which client OS you want to manage.
    See the documentation:
    http://technet.microsoft.com/en-us/library/dn145046.aspx
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • Surface Pro 3 - MBAM/BitLocker/TPM: "An Error Has Occurred" Issue

    We are trying to implement full disk encryption using MBAM Server/Client and BitLocker. We have been successful on standard Windows 7 Ent and Windows 8.1 Ent laptops and the MBAM Console reports encrypted/compliant.
    The Surface Pro 3 running Windows 8.1 Ent however has been a pain in the you-know-what! It just will not work like our laptops. The Event Viewer error we get is as follows:
    "An error occurred while applying MBAM policies.
    Volume ID:\\?\Volume{dfd94fd0-206c-45d1-a19a-6a39019ada1e}\
    Error code:
    0x80310018
    Details:
    You must initialize the Trusted Platform Module (TPM) before you can use BitLocker Drive Encryption."
    For reference, here is our workflow:
    1. Enable TPM in UEFI.
    2. Install .NET 3.5 since this is apparently a Windows 8.1 requirement for MBAM. Reboot. Install related updates from Microsoft Update. Reboot.
    3. Verify relevant MBAM & BitLocker GPOs are applied by running "gpupdate /force" in an elevated command prompt. Reboot.
    4. Run the following elevated PowerShell commands and then reboot:
    $tpm=get-wmiobject -class Win32_Tpm -namespace root\cimv2\security\microsofttpm
    $tpm.DisableAutoProvisioning()
    $tpm.SetPhysicalPresenceRequest(22)
    5. Install MBAM Client 2.5 and KB2975636 hotfix.
    6. Run MBAMClientUI.exe and set PIN. On our laptops, encryption begins, but on the Surface Pro 3 we get a generic "An error has occurred". Event Viewer shows the above error.
    Can anyone help?? There has got to be others that have used MBAM on the Surface Pro 3.

    More testing today and I *think* I may have found my issue.
    I failed to mention that on step 5 above, I have been rebooting after installing the MBAM Client and hotfix. It appears that this extra reboot breaks the process and does not allow the MBAM Client to initialize the TPM when running MBAMClientUI.exe. If I do
    not reboot, then everything seems to work great.

  • MBAM 2.5 Unable to find compatible TPM despite TPM available and device encrypted

    We have just installed and are piloting MBAM 2.5. Everything seems to have gone fine, machines are checking in getting policies, encrypting as they are supposed to and we can query MBAM for recovery keys and TPM passwords to do recoveries as needed.
    The only issue we have is when we come to look at the compliance reports we see the following
    Enterprise Compliance report - Machines show 'Unable to find compatible TPM'
    In Computer Compliance report for one of these machines , Protector type is TPM+PIN, Protector state is ON, Encryption State is Encrypted yet compliance status is Non-Compliant.
    TPM is ON, Initialised and is v1.2
    Any suggestions as to why my machines status is non-compliant?

    I was having the same problem with some of my Dell laptop clients and although the hotfix did solve the problem, I thought it was worth mentioning that the first time the client reported back to MBAM after installing the hotfix, only the Compliance Status changed from "Non-Compliant" to "Compliant" and the Compliance Status Details still showed "Unable to find compatible TPM". It took one more reporting cycle for the Compliance Status Details to show "No Error".  I would also like to mention there is no indication of anything wrong with these systems in terms of looking at them via TPM.msc, the MBAM event log or the WMI Win32_Tpm class/properties. The systems encrypt the drive via MBAM normally...they just don't report back to the MBAM database properly. The computers are running the latest BIOS and I have reset the TPM Security BIOS settings back to their defaults several times with the same results. Thanks for the hotfix!!!
