MBAM and Bitlocker to Go

Just need to clear up a couple of points re: MBAM and BTG
1. When I edit the GPO for removable drives using the MBAM node, I see that the BitLocker node is populated with these settings. I imagine this is 'by design'? I just have not seen it documented anywhere, and the TechNet guidance is pretty clear about not having the BitLocker nodes populated.
2. When encrypting a removable drive, I see the recovery key populated in AD, but not in the MBAM SQL database.
This may just be a misconception on my part.  Should the recovery key be available in the MBAM database?
And just how do you recover a USB drive using the recovery key (in either AD or MBAM)?
Thanks in Advance.

OK, I think I sussed it out. The fixed drive encryption is working fine, so the agents are talking back to the MBAM server with no problem.
My issue was that I was NOT seeing the keys via the portal. However, I took a USB drive encrypted on one machine, inserted it into another, and chose "Forgot Password". BitLocker then presented me with the 8-character recovery key ID.
I plugged that into the "Drive Recovery" page in the MBAM portal and got the recovery key.
So BTG IS working, and storing the keys in the database. As a note, to get removable drive encryption to work I had to:
1. Create a new GPO.  Verify NO settings populated on the Bitlocker node(s).
    As mentioned above, once the MBAM removable drive options are configured, they will also show under the BitLocker node.
2. Configure the MBAM removable drive recovery node:
    A: Enable DRA and Store in AD both enabled.
3. The machine is known good talking to the SQL server as the fixed drive encryption has been configured, agent installed, and machine encrypted.
Hope this helps.
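The recovery flow described above (read the 8-character key ID from the "Forgot password" screen, look it up in the MBAM portal, unlock with the 48-digit recovery password) can also be driven from the BitLocker PowerShell module. The following is an added example, not code from the original thread or from MBAM itself; it assumes Windows 8 / Server 2012 or later (where `Get-BitLockerVolume`, `Unlock-BitLocker` and `Backup-BitLockerKeyProtector` exist) and an elevated session. The function names are my own.

```powershell
# Added example (not from the thread): list BitLocker protectors on removable
# drives, show the 8-character Key ID that "Forgot password" displays, and
# unlock / escrow using the BitLocker PowerShell module (Windows 8 / 2012+).
# Run in an elevated PowerShell session.

function Get-RemovableBitLockerStatus {
    # Get-BitLockerVolume reports VolumeType only as OperatingSystem or Data,
    # so match the mount point against Get-Volume, which knows the drive type.
    foreach ($vol in Get-BitLockerVolume) {
        $letter = $vol.MountPoint.TrimEnd(':', '\')
        $drive  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if (-not $drive -or $drive.DriveType -ne 'Removable') { continue }

        foreach ($kp in $vol.KeyProtector) {
            # KeyProtectorId looks like {GUID}; the recovery screen and the MBAM
            # "Drive Recovery" page both key on its first 8 characters.
            $id = $kp.KeyProtectorId.Trim('{', '}')
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorType    = $kp.KeyProtectorType
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryKeyId    = $id.Substring(0, 8).ToUpper()
            }
        }
    }
}

function Unlock-RemovableWithRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,       # e.g. "E:"
        [Parameter(Mandatory)][string]$RecoveryPassword  # 48-digit key from the MBAM portal
    )
    # Sanity check before handing the key to BitLocker: 8 groups of 6 digits.
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'Recovery password must be 8 groups of 6 digits separated by hyphens.'
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}

function Backup-RemovableRecoveryPasswordToAD {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Escrow only the numerical-password protector(s) to AD DS, which is what the
    # "Store in AD" policy setting does automatically at encryption time.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# Usage (elevated):
# Get-RemovableBitLockerStatus | Format-Table -AutoSize
# Unlock-RemovableWithRecoveryPassword -MountPoint 'E:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
# Backup-RemovableRecoveryPasswordToAD -MountPoint 'E:'
```

The `RecoveryKeyId` column is the value to type into the MBAM portal; the portal then returns the 48-digit password that `Unlock-RemovableWithRecoveryPassword` consumes. The AD backup function is only needed for drives encrypted before the "Store in AD" setting was applied.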

Similar Messages

  • MBAM and BitLocker - How to do it in Best Practice

    Hi!
    I have a situation where I want to implement MBAM in our environment. What I have at the moment:
    1x all-in-one MBAM server (SQL 2012R2 Standard at the same server).
    SCCM 2012R2 CU3 Integration
    GPO´s are ready and published to the correct OU (Laptops)
    MBAM Client is in SCCM and tested - Working great. Not published yet cause we are in pilot at the moment
    MBAM is working fine and all recovery keys are stored in DB.
    My question is - How to deploy MBAM to old computers that are already in use - The correct way to do it so that recovery keys and TPM recovery password are all stored in MBAM DB? I mean I know how to set MBAM up correctly while using SCCM and TS but I can't get it to work on old computers - TPM passwords are not presented. MBAM Client can't take ownership of TPM because Windows has already done that.
    I was able to get TPM password to MBAM DB if I disable Auto-provisioning and Clearing the TPM
    # Get the TPM WMI object, turn off Windows TPM auto-provisioning, then queue a
    # physical-presence request to clear the TPM (confirmed at the firmware prompt on reboot)
    $tpm = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    $tpm.DisableAutoProvisioning()
    $tpm.SetPhysicalPresenceRequest(22)
    then running the MBAM wizard (for the first time!). But how to make it fully automatic so that all computers that are in use will be like that? Do I have to make a script to disable auto-provisioning and then restart and start MBAM, or is there any other solution for that?
    Best Regards,
    Taavi

    Are you using MDT/SCCM for deployment?
    Can you take a procmon while running the command and then see which registry keys it is touching? You can then modify the install.wim of your MDT/SCCM deployment share and add those registry keys there. It varies from hardware to hardware; the following registry keys worked for me once, done the same way:
    [HKEY_LOCAL_MACHINE\WimRegistry\ControlSet001\Services\TPM\WMI]
    "NoAutoProvision"=dword:00000001
    "NoDisableOwnerClear"=dword:00000001
    Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.
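A quick way to see which situation a machine is in before rolling MBAM out to it is to read the TPM state the thread discusses. The following is an added example, not code from either poster or from MBAM; it is read-only (it does not disable auto-provisioning or clear the TPM), assumes Windows 8 / Server 2012 or later for `Get-Tpm` and the `IsAutoProvisioningEnabled` method, and checks the live `HKLM:\SYSTEM` hive rather than the offline `WimRegistry` path from the reply. The function name and the `MbamCanTakeOwnership` heuristic (unowned TPM with auto-provisioning off, which is the state the original poster found working) are my own.

```powershell
# Added example (not from the thread): read-only audit of the TPM state that
# decides whether the MBAM client can take ownership and record the owner
# password, plus the registry values suggested in the reply. Changes nothing.
# Windows 8 / Server 2012+; run elevated.

function Get-TpmOwnershipReadiness {
    $tpmWmi = Get-WmiObject -Class Win32_Tpm -Namespace root\cimv2\security\microsofttpm
    if (-not $tpmWmi) {
        return [pscustomobject]@{ TpmPresent = $false; MbamCanTakeOwnership = $false }
    }

    # Win32_Tpm query methods return an object whose ReturnValue is 0 on
    # success and whose boolean answer is in a property named after the method.
    $owned    = ($tpmWmi.IsOwned()).IsOwned
    $autoProv = ($tpmWmi.IsAutoProvisioningEnabled()).IsAutoProvisioningEnabled
    $tpmInfo  = Get-Tpm   # TpmPresent, TpmReady, OwnerClearDisabled, AutoProvisioning, ...

    # Live-hive location of the values the reply bakes into the image
    # (HKLM\WimRegistry\ControlSet001\... is the same key seen through a mounted WIM).
    $wmiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI'
    $reg    = Get-ItemProperty -Path $wmiKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent           = $tpmInfo.TpmPresent
        TpmReady             = $tpmInfo.TpmReady
        OwnerClearDisabled   = $tpmInfo.OwnerClearDisabled
        OwnedByWindows       = $owned
        AutoProvisioning     = $autoProv
        NoAutoProvision      = $reg.NoAutoProvision        # expected 1 per the reply
        NoDisableOwnerClear  = $reg.NoDisableOwnerClear    # expected 1 per the reply
        # Heuristic (assumption, from the poster's finding): MBAM only learns the
        # owner password if it performs the take-ownership itself, so a TPM that is
        # already owned or still auto-provisioned is the case the thread hits.
        MbamCanTakeOwnership = (-not $owned) -and (-not $autoProv)
    }
}

# Usage (elevated): Get-TpmOwnershipReadiness | Format-List
```

Running this across the pilot OU shows which machines will need the disable-auto-provisioning-and-clear step before the MBAM wizard runs, without touching the TPM on machines that are already in the right state.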

  • Some basic questions about MBAM and BitLocker

    Sorry for the questions. What do the Auto-unlock options do?
    Allow auto-unlock and require auto-unlock.
    And is there some relationship between the fixed drive setting and the OS drive setting? If I disable encrypting fixed drives, or set fixed drives to read-only, what does that mean the OS drive is set to?
    And about BitLocker:
    Is there a way to enforce encryption?
    thank you
    Falcon

    Recovery key and the PIN are two different protectors. PIN is something you set to unlock your machine at boot. It provides an additional protection. You can always change the PIN choosing option, bitlocker drive encryption option from control panel.
    The recovery key is to log in to the machine if your machine goes into recovery mode. If you are not able to access your OS drive, how will you be able to boot? The TPM string is called the Ownership Hash password, which is different from the recovery string of the OS drive, which is a 48-digit numerical password.
    Gaurav Ranjan

  • Certificates of App-V, MBAM and other Desktop solutions

    I'm stuck at certification career, because my specialty covers desktop deployment solutions, like Configuration Manager, App-V, Images and all technologies around them. Sure I have some skills in Windows 2012, W8, W7, and AD, but these are not the main thing I do every day. It seems that MBAM and App-V were covered on Deployment and Optimization Pack a few years back, but what about now? Also, is there a single cert about Hyper-V and MS virtualization?
    I already have ConfMgr and Image/MDT certs. 

    Hi,
    The certifications that cover SCCM, MDT, App-V and MS virtualization are part of MCSE tracks, MCSE: Server Infrastructure, MCSE: Desktop Infrastructure and MCSE: Private Cloud.
    http://www.microsoft.com/learning/en-us/mcse-certification.aspx
    In order to achieve MCSE certification you will first need to pass the three MCSA: Server 2012 exams:
    http://www.microsoft.com/learning/en-us/mcsa-windows-server-certification.aspx
    MCSE:Server Infrastructure, MCSE:Desktop Infrastructure, MCSA Server 2012, Citrix CCIA & CCEE, Cisco CCNA, VMware VCP 3/4/5 Twitter: @dnyvandam http://www.dannyvandam.net

  • T440s with Windows 8.1 (and BitLocker) - 1 out of 3 times gets black screen when booting

    We have a case on a machine with original "Lenovo Windows 8" installed. Windows updated to 8.1 and the latest patches. System update is up to date.
    Approx. 1 out of 3 times, when booting, after entering the BitLocker PIN, the Windows loading screen is shown for 1-2 seconds, and then the screen goes black. But the machine is moving forward, because the fingerprint reader lights up and the user is able to log in using that.
    (The machine was even able to print a document that was sent to the printer when the machine was offline.)
    Have tried to disable fingerprint without any success.

    I have the same problem.
    After trying and failing many times, I worked out that disabling my nvidia card was the only successful solution.
    This will then allow the intel graphics chip to work on its own.
    Something is wrong with the communication with the USB Dock and the nvidia card! I am hoping a workaround that allows me to keep the nvidia card switched on will be found by someone...

  • Pavilion 500-214 and bitlocker

    Where can I get BitLocker or another encryption software and how do I encrypt the whole C: drive on the Pavilion 500-214? I prefer free if it is easy to install and work with. I tried dsikcrypt and it wiped my boot sector and I had to reinstall the OS.

    Hi,
    You need to be running Window 8.1 Pro or Enterprise to use bitlocker.
    Be sure to install the latest BIOS update for your PC as it improves security.  More information on BIOS updating can be found here.
    HP DV9700, t9300, Nvidia 8600, 4GB, Crucial C300 128GB SSD
    HP Photosmart Premium C309G, HP Photosmart 6520
    HP Touchpad, HP Chromebook 11
    Custom i7-4770k,Z-87, 8GB, Vertex 3 SSD, Samsung EVO SSD, Corsair HX650,GTX 760
    Custom i7-4790k,Z-97, 16GB, Vertex 3 SSD, Plextor M.2 SSD, Samsung EVO SSD, Corsair HX650, GTX 660TI
    Windows 7/8 UEFI/Legacy mode, MBR/GPT

  • Windows 8 and 8.1 and Bitlocker

    I'm having major issues using BitLocker on my Windows machine.
    My machine was working fine before I decided to use Bitlocker.  I ran the encryption, which took several hours and it said that it was fully encrypted and to restart the machine.
    On restarting the Bitlocker password prompt came up and I entered my password correctly but then the Windows system failed to boot correctly and sent my machine into a boot loop, finally saying that it could not fix the issue.
    I did a fresh install of Windows 8 Pro and before installing any programs (I thought there may possibly be a conflict somewhere) I used Bitlocker to encrypt the drive once more.
    I am still having the same issue now, even with a clean install.
    I have finally managed to get back into my system, due to luck more than anything else and I suspended Bitlocker and rebooted and it worked fine so the issue has to be with Bitlocker?
    I can't find anyone else that is having this problem so would appreciate any advice anyone can give.
    My machine doesn't have a TPM so I have changed the settings to require additional authentication at startup, but I really do not understand what the issue is or why there would be a conflict in the boot. I've checked the boot list to make sure things are in the correct order and they appear to be. Like I said I've tried most things I can think of but would appreciate any and all advice.

    Hi Sm-TH,
    “Bitlocker and Windows all work fine until I get a message from the 'Host Process for Windows Tasks' asking to restart the system.”
    Do you mean that the machine can be booted successfully with BitLocker turned on until you got the message? Have you checked the path of the "Taskhost" process? Normally its path is C:\Windows\System32\Taskhost.exe. When we shut down the machine, we usually get a message that this process is trying to finish the shutdown task.
    Please check the Event Viewer for any errors or warnings about this issue. The logs may give us some very important information for troubleshooting this issue.
    The following path may be helpful:
    Event Viewer\Windows logs\System or Application
    Event Viewer \Applications and Services logs\Microsoft\Windows\(Bitlocker related channels)
    Best regards

  • Windows 7 Pro + Enterprise dual boot and BitLocker

    Hi,
    For testing purposes, I'm working on a machine I prepared for dual booting two different "flavors" of Windows 7.
    On a single HD, I have 3 partitions:
    1- BDE
    2- Windows 7 Enterprise, connected in AD
    3- Windows 7 Pro, workgroup.
    Everything is working fine, until I try to encrypt my whole drive with BitLocker. Encryption goes fine for both Windows partitions and, on restart, selecting the first partition to boot into Windows 7 enterprise in AD will work fine too.
    The problem comes out when trying to boot the Windows 7 Pro partition: BitLocker will ask the recovery key on each boot. 
    Is there any solution to this? Thanks a lot.

    Hi,
    The Bitlocker Drive Encryption is only supported in Windows 7 Enterprise and Windows 7 Ultimate.
    Karen Hu
    TechNet Community Support

  • TPM Module / X61 Tablet / Window 7 and Bitlocker

    I am sure my laptop has a TPM - at least the device manager shows it and says it is working - I try to turn on BitLocker by right-clicking on the drive and it tells me I don't have a suitable TPM module installed...
    Has anyone come across this, or do I not have a module installed?
    Sorry but I am confused... also note this drive has only a single partition, none of this service partition stuff.
    Lenovo X200 Tablet / 350Gb HDD / 4GB RAM / Windows 7

    Make sure you get the right cable. There are 4 choices. They come with or without support for fingerprint reader and with connections for 2 different digitizers. Most, but not all, X61 tablets have G5 digitizers, but some have G4. Try seeing if the leg to the digitizer has just come unplugged. I have seen it happen when the cable is stressed from a bad hinge.

  • MDT and Bitlocker encryption

    I'm just wondering... I don't interact with BitLocker in my MDT TS (we encrypt our drives after the customization has been done by hand after deploy). However, when we re-clone over a machine that has been encrypted, we have been manually kill-disking the HDD first.
    Does MDT "completely" wipe the drive if it's been encrypted with BitLocker, or do I actually have to decrypt the drive as we've been doing? How deep does MDT wipe the drive (with the built-in default format step)? THANKS

    [Settings]
    Priority=Default
    [Win7E 64]
    DriverGroup001=Windows 7\x64\%Model%
    DriverSelectionProfile=Nothing
    [Default]
    _SMSTSORGNAME=XXXX
    OSInstall=Y
    SkipAppsOnUpgrade=NO
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipComputerName=NO
    SkipComputerBackup=YES
    SkipDomainMembership=NO
    SkipUserData=YES
    SkipLocaleSelection=YES
    SkipTaskSequence=NO
    SkipTimeZone=YES
    SkipApplications=NO
    SkipBitLocker=YES
    SkipSummary=YES
    SkipBDDWelcome=YES
    SkipCapture=YES
    SkipFinalSummary=NO
    TimeZone=020
    TimeZoneName=Central Standard Time
    JoinDomain=XXXX
    DomainAdmin=XXXX
    DomainAdminDomain=XXXX
    MachineObjectOU=OU=XXXX Computers
    FinishAction=Reboot
    That's it. Nothing references NewComputer or Refresh. All I do is drop a custom image on our machines. It gets drivers based on WMIC. Additional apps are exe's from the desktop as silent installs. However, the destination machines have had BitLocker activated on them, which is my question about the Disk Format.
    I see under Preinstall>New Computer Only>Format and Partition is where the format is done. "100% of remaining space on disk. NTFS file system" is there by default. I've never modified any of this info.

  • OneDrive and Bitlocker

    I have a desktop computer with Windows 8.1 that does not have a TPM chip. This PC has a second fixed hard drive with 1 TB of space and I use this hard drive primarily to store all my OneDrive files/folders. I use BitLocker to encrypt my fixed hard drive for protection, and I use a Microsoft Account to log into the computer.
    The issue is that when I restart my computer, I have to manually unlock my BitLockered drive (as my OS drive is not encrypted), but there is no way I have been able to find to stop OneDrive starting automatically. This causes OneDrive to freak out at every start and then the app takes hours of "Setting up" and "Checking for changes" to go through my 150K+ files that I store on OneDrive.
    I have tried switching to a Local Account but OneDrive goes completely missing.
    Has anyone else had this issue and have they managed to resolve this? I think it is a very obvious use case. All I want to do is protect my important files on the local PC and sync them with OneDrive.
    Any suggestions to fix this issue?

    This TechNet article says that if you want to unlock your fixed drive automatically, the operating system drive also has to be protected by BitLocker.
    Then your fixed drive will also be automatically unlocked and the OneDrive application will start normally.
    http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_noautounlock
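The prerequisite in that answer can be checked and the auto-unlock enabled in one step with the BitLocker PowerShell module. This is an added example, not code from the thread or the linked article; it assumes Windows 8 / Server 2012 or later (`Get-BitLockerVolume`, `Enable-BitLockerAutoUnlock`) and an elevated session, and the function name is my own.

```powershell
# Added example (not from the thread): enable auto-unlock for a fixed data
# drive, first checking the prerequisite the answer describes: the OS drive
# must itself be BitLocker-protected, because the auto-unlock key is stored
# on it. BitLocker module, Windows 8 / Server 2012+, elevated session.

function Enable-DataDriveAutoUnlock {
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. "D:"

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        throw "OS drive $($os.MountPoint) is not BitLocker-protected (ProtectionStatus=$($os.ProtectionStatus)); auto-unlock is unavailable until it is."
    }

    $data = Get-BitLockerVolume -MountPoint $MountPoint
    if ($data.VolumeType -ne 'Data') {
        throw "$MountPoint is not a data volume."
    }
    if ($data.LockStatus -eq 'Locked') {
        throw "$MountPoint must be unlocked once (password or recovery key) before auto-unlock can be enabled."
    }
    if ($data.AutoUnlockEnabled) {
        return $data   # nothing to do
    }
    # Stores an external key for the data drive on the protected OS drive.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# Usage (elevated): Enable-DataDriveAutoUnlock -MountPoint 'D:'
```

Once the OS drive is encrypted (on a machine without a TPM that means the startup-key or password policy the earlier threads mention), the data drive is unlocked before the user's logon, so OneDrive sees its folder at start.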

  • SBS-2011 and BitLocker

    Looking for any feedback / gotchas when setting up BitLocker on an existing Small Business Server 2011 Standard
    This topic first appeared in the Spiceworks Community

    Hi,
    Please refer :
    http://blogs.technet.com/b/sbs/archive/2010/06/10/help-protect-your-data-by-using-bitlocker-in-windows-small-business-server-2008-and-in-windows-7-ultimate.aspx
    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_28184209.html
    Binu Kumar - MCP, MCITP, MCTS, MBA - IT, Director Aarbin Technology Pvt Ltd

  • Boot Camp, Win7 x64 and Bitlocker

    Has anyone successfully installed Win7 x64 via Boot Camp and enabled BitLocker? If you have how did you do it?
    Thanks,
    SMF

    repoman_1966,
    That answers one question ... no TPM ... but according to the bitlocker docs you can, through policy settings, allow bitlocker to use an external USB key instead if a TPM module is not present. This allows bitlocker to work on computers without a TPM. The catch is that the USB port & device must be accessible during the boot process prior to the OS being loaded - something that not all computers are capable of. According to Apple support on Macbooks the USB is available during the boot process but of course they can not confirm that it will work ... they don't support Microsoft products ...;)
    I'm looking to see if anyone has actually done it to confirm what the support folks believe will work.
    Thanks.

  • Prestaged Media and Bitlocker Pre-Provisioning

    Hi all
    I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
    I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
    I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
    What I can't get to work is both together.
    In an ideal world, I would pre-provision BitLocker in the pre-staging task sequence before deploying the data image, but I can't get it to work.
    If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
    If I make the larger partition the boot partition, the BitLocker pre-provisioning task tells me that the disk is the OS image and fails to work.
    has anyone done this or have any ideas?
    thanks
    Stephen

    I guess pre-provisioned BitLocker cannot work for booting Windows PE. This is why the system cannot boot.
    The screenshot is a capture of the prestage disk's BCD store. We can see the system boots from a ramdisk mounted from boot.wim. The process is different from a traditional system boot; the WIM cannot be booted from an encrypted disk.
    Juke Chou
    TechNet Community Support

  • MBAM - Encryption does not start. Error code 0x80041016

    Hi,
    I'm having trouble getting MBAM and bitlocker working.
    I followed the guidelines from MS, and setup my MBAM server and Bitlocker GPO. My test client is hit by the GPO - i can see the registry
    settings pointing to the MBAM server, and the URL's are accessible by the client.
    I get this error message in my client MBAM event log:
    "An error occurred while sending encryption status data"
    "Error code: 0x80041016"
    "Details: NULL"
    I can't seem to find this error code referenced anywhere. Does anyone know what this means?

    Hi,
    I would like to share the following articles:
    MBAM TechNet Guides:
    Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
    Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
    Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
    Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
    Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page
    Hope this helps.
    Vincent Wang
    TechNet Community Support
