Recovery key from MBAM for non TPM machines

Hi,
I have been trying for a long time to find an answer to the query below, without luck. Can someone guide me on whether this is feasible or not?
1. I have non-TPM machines and want to use BitLocker with MBAM.
2. If I use a USB flash drive as the start-up key during machine start-up, then can we get the recovery key from MBAM (self-service or helpdesk portal) if I lose the USB flash drive?
Shailendra Dev

Hi,
For Windows 7 computers TPM is a requirement; for Windows 8 / 8.1 it is not, so it depends on what client OS you want to manage.
See the documentation:
http://technet.microsoft.com/en-us/library/dn145046.aspx
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec

Similar Messages

  • MBAM Options for Non TPM Machines

    Hi there,
    We have just installed MBAM 2.5. We also have SCCM 2012 R2 in our environment. We are looking to use BitLocker on around 500 laptops which are currently a mixture of Windows 7 and Windows 8.1 but with no TPM (we should begin receiving TPM laptops from next year).
    Could someone please point me in the direction of what our options are both for Windows 7 and Windows 8.1 with no TPM as I am not clear on this.
    Many thanks,
    Jay

    Hi,
    For Windows 7 computers and MBAM, they must have a TPM to be managed; for Windows 8 / 8.1 you can use MBAM on computers without a TPM.
    http://technet.microsoft.com/en-us/library/dn645378.aspx
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • MBAM 2.0 SP1 Deployment for Windows 8.1 Non TPM machine

    Hi ,
    How can I use MBAM (all features of MBAM 2.0 SP1) for Windows 8.1 non-TPM machines?
    Can anyone share the step-by-step deployment guide, as I am new to MDOP and I have to use MBAM for Windows 8.1 non-TPM machines...
    Shailendra Dev

    Are you using the Password protector then or are you putting the keys on a USB stick? None of these scenarios are supported by MBAM but you can use at least BitLocker with the password protector to enable BitLocker and get the BitLocker status reported back to MBAM. However, the other benefits of using MBAM will not be available, such as recovering the keys from the central location using the help desk or self service portal, if needed.
    Is there a reason why you do not use BitLocker with TPM enabled machines? All corporate range of Machines have had TPM chips for many many years.
    Blogging about Windows for IT pros at
    www.theexperienceblog.com

  • My laptop has FileVault turned on. How would I obtain the Recovery Key from Apple should I need it?

    My laptop has FileVault turned on. I remember a Recovery Key was created for me but I can't find it. I do know the log in password for my computer so I am not locked out. How would I obtain the Recovery Key should I need it?

    http://support.apple.com/kb/PH11381 

  • How to obtain Sync Recovery Key from Android Firefox?

    Desktop sync is broken and instructs to obtain "Your Recovery Key" from a working device. Only working device is Android Firefox. What is the magic incantation to get Firefox (v21 beta) on Android to reveal the needed sync Recovery Key?

    You can use:
    *Android OS > Settings > Accounts > Firefox Sync > Pair a new Device
    This will give you a 12-character pairing key that you can enter in the desktop computer.
    You can look at this version of the about:synckey extension that I have modified to show the sync key in current Firefox versions (desktop and mobile).
    * http://www.freefilehosting.net/aboutsynckey-11-fnfx
    * [[/questions/942893]]

  • MBAM Clients not able to recover key from MBAM Console

    For the first time I am installing MBAM with SCCM integration. Everything has successfully installed, but I am having a problem getting clients to respond to the MBAM administration console. I keep getting "Please enter correct Machine Information" (for Manage TPM) or "Recovery keys not found" (Drive Recovery).
    When I checked SCCM reports, it shows the one computer I'm working on at 100% compliant. Also the recovery key is showing in AD.
    Somewhere I think I'm not connected to the database. Please help?

    It sounds like you might not have configured the 'Configure MBAM Services' policy, or you have conflicting policies between the default BitLocker policies and the MBAM policies. Please see the article 'Planning for MBAM 2.0 Group Policy Requirements', where it states:
    If you do not configure or if you disable this policy setting, the Key recovery information will not be saved, and status report and key recovery activity will not be reported to server. When this setting is set to Recovery Password and key package, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.
    Hope this helps,
    David
    MDOP on the Springboard Series on TechNet

  • Using MBAM with Non-TPM Enabled Systems

    We have locations within our organization where systems enabled with TPM chips are not allowed. For these systems we are looking at using the USB flash drive option for booting the system and unlocking the encrypted drive. We do have other locations within our organization where TPM enabled systems are allowed. For these systems we are using the TPM chip and storing the recovery key information in MBAM. My question is, can the recovery keys for those systems that are non-TPM enabled be stored in MBAM so the drives can be recovered if the USB flash drive is lost?

    USB Key only is not listed as a supported authentication method for MBAM. On devices without a TPM, the password protector is recommended. See Planning for MBAM 2.0 Group Policy Requirements.
    MBAM supports the following types of BitLocker protectors for operating system drives: Trusted Platform Module (TPM), TPM + PIN, TPM + USB key, and TPM + PIN + USB key, password, numerical password, and Data Recovery Agent. The password protector is supported only for Windows To Go devices and for Windows 8 devices that do not have a TPM. MBAM supports the TPM + USB key and the TPM + PIN + USB key protectors only when the operating system volume is encrypted before MBAM is installed.

  • Possible to obtain Windows 7 product key from Lenovo for downgrade from Windows 8.1?

    Hi all. I have searched all over these forums and haven't found the answer to my question, so I figured I'd just ask it.  
    I purchased an Ideapad Y580 with Windows 8 pre-installed.  Hated it from the get go. Upgraded to Windows 8.1, and still don't like.  But, now, I am having a ton of bug-y issues. Although I've managed to fix most, they have become increasingly annoying. The latest is that upon upgrading to Windows 8.1, my USB ports stopped working...except they sometimes work, some of the time, but never all of the time. Drivers are up to date, and every diagnostic test I have run passes. Surfing the net, it sounds like this is a common issue with windows 8.1.
    I was speaking with my firm's IT company and was told that they have had the exact same issues with numerous clients. (As an aside, they universally place lenovo products in their client's hands). It has gotten so bad that they do not provide windows 8/8.1 on any of the machines they prepare for their clients. 
    Last week, I was speaking to the IT company's local rep who was performing some server maintenance for us, and he indicated that if you purchased a laptop pre-installed with windows 8 and didn't like it, you could obtain a windows 7 product key from the manufacturer and downgrade to windows 7. Is that accurate? if so, how do I make that happen? 

    To be honest I suggest you do not downgrade unless you have to use software in your company that does not work on Windows 7.
    Get started reading Windows 8 guides, and you will notice Windows 8 is a lot better after you have read all the guides:
    http://lmgtfy.com/?q=windows+8+get+started+guide
    Jonas
    Microsoft MVP: Windows Consumer Expert
    Yoga Tablet 2 10 || ThinkPad X1 Carbon (20A7007MPH) || ThinkPad Helix (3698-6EU) || IdeaCentre B540
    Twitter: @jonashendrickx

  • Ordering Recovery media from Europe, for US model.

    I brought a second-hand Satellite from US while on a business trip but I live in Europe. HDD crashed now I need to order recovery media because it has none. The problem is that the US site only accepts an American address (shipping and billing both) and the European Toshiba Recovery media ordering site doesn't accept my Satellite because it's foreign. What would you do?
    Sven

    What would you do?
    I would have an acquaintance in the US purchase and reship it.
    -Jerry

  • USB recovery media from Toshiba for Windows 7 doesn't work

    Hi, 
    Recently, as my laptop Portégé was slow, I reinstalled Windows without using Toshiba recovery disks. Now I can't activate Windows 7 (64 bits), so I ordered a USB recovery media from Toshiba. I tried to use it but it doesn't work. I turn off the laptop, turn it on again pressing F12, with the USB plugged into the laptop, and when I press HDD recovery, the system just takes me to Windows as usual, without reinstalling. Any thoughts on how to reinstall?

    Hi,
    Are you getting a boot option menu when you press f12?  Have you tried going into BIOS to check your boot order?  Usually f2 or DEL will get you to BIOS, or at the bottom of the boot option menu (which I assume is f12).  Once you are in BIOS, check that your USB drive is above the others in the boot order and save your configuration and reboot.  If you are still having a problem, you might check to see how many USB devices you have plugged in, or chained, and remove the ones that are not necessary because they could interfere with booting to your USB drive.  If you are using a USB hub, you might try putting the usb key into a different slot to give it priority over the other USB devices on boot up.  The highest priority slot on a USB hub might be the one closest to the USB cable that plugs in to your laptop's USB port.

  • Direct Access for Non Domain Machines

    Hi,
    In my IT infrastructure, there are multiple machines that are outside my office network and domain.
    Can we join these machines to the domain via a DirectAccess implementation? Or, for implementing DirectAccess, are we required to join those non-domain, out-of-office-network machines to the domain first?
    Secondly, can we implement DirectAccess without purchasing any public certificate, and without configuring any IPv6 in the internal network, machines and servers? Currently I am using IPv4 addresses on all machines and servers.
    I have gone through the DirectAccess TechNet guide, but I find it a very complex document. Can you please brief me on DirectAccess implementation in a simple way? I want to implement DirectAccess to join the internet-based client machines to the domain and manage them via SCCM.
    Shailendra Dev

    Correct, DirectAccess clients must be domain joined. Also, only Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise clients are able to be DirectAccess connected, so that may also make a difference to your situation. I see many customers deploy DirectAccess for those Win7/Win8 domain-joined systems, and then make use of the traditional (RRAS) VPN on the same DirectAccess server for connecting any other operating systems or non-domain-joined machines. Those would just have to launch a manual VPN connection, where the DirectAccess connections are of course automatically connected.
    You don't "have" to use an SSL certificate that you purchased from a public CA, but you really should. It is definitely a best practice to use a trusted public certificate on your DirectAccess server. Further, if you have Windows 8 client computers, you don't even need to distribute the machine certificates inside your network, but it is also a best practice that you do this anyway, to strengthen the authentication process.
    No, you do not need IPv6 inside your network at all for DirectAccess to work.
    Sounds like you might be interested in some additional reading on DA, here are the two books available on the subject:
    https://www.packtpub.com/virtualization-and-cloud/microsoft-directaccess-best-practices-and-troubleshooting
    https://www.packtpub.com/networking-and-servers/windows-server-2012-unified-remote-access-planning-and-deployment

  • How do I use my backup drive for non-Time Machine stuff?

    I haven't set up Time Machine yet because it wants me to completely format my external hard drive, and it seems to want to use it for TM backups exclusively?
    However, I would also like to use it to store stuff that I don't want to keep on my computer, eg tons of photos, videos, stuff from my sister's computer, etc.
    Is there a way to do Time Machine but also use the external hard drive for storage? I don't mind temporarily copying the photos etc that are on there to my computer while I format, so that's not the issue. I just don't want my EHD rendered completely useless to everything else.
    Thanks

    DevonC wrote:
    I haven't set up Time Machine yet because it wants me to completely format my external hard drive, and it seems to want to use it for TM backups exclusively?
    However, I would also like to use it to store stuff that I don't want to keep on my computer, eg tons of photos, videos, stuff from my sister's computer, etc.
    Is there a way to do Time Machine but also use the external hard drive for storage? I don't mind temporarily copying the photos etc that are on there to my computer while I format, so that's not the issue. I just don't want my EHD rendered completely useless to everything else.
    Thanks!!!
    There are several ways to do exactly this.
    If you partition the external drive, you can use one partition for TM and the other for anything else.
    Even if you do not partition the drive, you can safely store other data in folders on the drive. Just do not use the folder that TM creates for anything. And it's best not to put files directly on the drive, in my opinion, but use folders for storage.
    Just remember that whatever you put on the drive takes up room from TM and when the drive gets nearly full, TM will start automatically deleting older files from its own folder.
    I have my Tiger clone on my external TM drive in a separate partition and everything works fine.

  • Automatic PO creation from PR for non materials

    A requirement has recently been raised where the business wants to introduce the use of purchase requisitions and, once the purchase requisition has been released (approved), a purchase order be automatically created from the purchase requisition. However the business do not use or maintain material records, purchasing info records or source lists. If the standard automatic purchase order from purchase requisition is used (ME59N) these items are required. In entering the purchase requisition it is expected that the 'Desired Vendor' will be entered. Has anyone had a similar scenario where the automation of purchase order creation is required? Any assistance is appreciated.
    Thanks

    Hi,
    For no material, only for SERVICE procurement , the Service auto- PO created by activating Automatic Purchase order creation for Service requisitions in t.code: ML91. Create info record based on Material Group. For Automatic PO , info record is mandatory. For more please read note 635511
    Regards,
    Biju K

  • How do I apply an upgrade key from Wyse for PocketCloud?

    I have been gifted with an upgrade key for WYSE PocketCloud.  How do I apply the key?  Thanks

    Hi kevinc26850405,
    I can understand your concern & will guide you in the right direction.
    As you have a registered copy of Acrobat 9 for windows so even if you have the setup file for Mac the serial key won't work as it is platform (operation system) specific.
    I would suggest you to get the latest Acrobat version i.e Acrobat DC and you will be able to use it on any of your computer as it requires a subscription to serialize it not a serial key.
    Download link for 30 days trial version of Acrobat DC: Download Adobe Acrobat free trial | Acrobat Pro DC, and you can serialize it using your Adobe ID.
    In case if you experience any issue or have any query please let us know. We will be happy to help you.
    Regards,
    Aadesh

  • Bitlocker fails to store recovery key in AD

    I am deploying Windows 8.1 with BitLocker with TPM and PIN and recovery keys stored in AD.
    This works fine for most deployments but rarely Manage-bde fails to store the Recovery key into AD. This only happened three times over about 200 deployments.
    I have checked the ZTIBDE.WSF script and I have noticed that the command is launched but there is no check on its return code. I am not even sure if Manage-bde actually returns any. Therefore for the failed deployments I don't know why the recovery key wasn't stored and also I didn't get any report that it actually failed. The only reason we realised that is because one user had problems in getting the PIN to work and required the Recovery Key. To our surprise this was not in AD! This is then when we checked all AD objects and found only three didn't have it. Looking at the deployment logs there are no errors for these.
    Luckily the user then successfully managed to enter the PIN and could boot up his laptop (and, by the way, we could get his recovery key from C:\).
    Questions:
    1) Has anybody else experienced this?
    2) Does Manage-BDE return anything at all? It seems strange to me that ZTIBDE.WSF doesn't check for its return code as the script checks for errors in a million places.
    3) Is there any easy way I can check whether the AD info is actually stored? I was thinking to write some code to query AD for that computer and see if the BL info is actually there. Maybe Manage-BDE can provide that?
    Many thanks.

    Hi,
    This link has all the information you need. And more importantly which policies to create.
    I have managed to do this implementation myself, and can only state that it works like a charm.
    See a copy/paste of the bit-locker section I have configured in the customsettings.ini when doing deployments with MDT:
    [HP Elitepad 900]
    SkipTaskSequence=YES
    TaskSequenceID=OSD001
    ; Bitlocker Configuration
    BDEInstallSuppress=NO
    BDeWaitForEncryption=False
    BDEDriveLetter=S:
    BDEDriveSize=2000
    BDEInstall=TPM
    ; OSDBitLockerCreateRecoveryPassword=AD
    BDERecoveryKey=AD
    BDEKeyLocation=C:\Windows\BDEKey
    Hope this helps!
    If this post is helpful please click "Mark for answer", thanks! Kind regards
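
The check asked about in question 3 of the thread above, as an added example that is not part of the original posts: it compares the recovery-password protector IDs on a client with the msFVE-RecoveryInformation objects stored under its computer account in AD, and retries the backup with an explicit failure instead of a silent one. The function names and the sample computer name are hypothetical; it assumes the BitLocker module on the client, and the ActiveDirectory (RSAT) module plus read rights on those objects where the AD query runs.

```powershell
# Added example (not from the thread). Function names and the sample
# computer name are hypothetical.

# Run on the client: list the IDs of its recovery-password protectors.
function Get-LocalRecoveryProtectorId {
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId }   # GUID in braces
}

# Run where the ActiveDirectory module is available: report, per protector
# ID, whether a matching recovery object exists under the computer account.
function Test-RecoveryKeyInAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$KeyProtectorId
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    $query = @{
        SearchBase  = $computer.DistinguishedName
        SearchScope = 'OneLevel'
        Filter      = 'objectClass -eq "msFVE-RecoveryInformation"'
    }
    # The recovery password attribute is deliberately not requested;
    # the object's existence is all this check needs.
    $escrowed = @(Get-ADObject @query)
    foreach ($id in $KeyProtectorId) {
        # The object name is a timestamp followed by the protector GUID.
        $found = @($escrowed | Where-Object { $_.Name -like "*$id*" })
        [pscustomobject]@{
            ComputerName   = $ComputerName
            KeyProtectorId = $id
            InAD           = ($found.Count -gt 0)
        }
    }
}

# Run on the client: retry the AD backup and fail loudly instead of silently.
function Backup-RecoveryProtectorToAD {
    param([string]$MountPoint = $env:SystemDrive)
    foreach ($id in Get-LocalRecoveryProtectorId -MountPoint $MountPoint) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $id -ErrorAction Stop | Out-Null
        } catch {
            throw "AD backup failed for protector ${id}: $($_.Exception.Message)"
        }
    }
}

# Usage (constructed values):
#   $ids = Get-LocalRecoveryProtectorId                # on LAPTOP-EXAMPLE
#   Test-RecoveryKeyInAD -ComputerName 'LAPTOP-EXAMPLE' -KeyProtectorId $ids |
#       Where-Object { -not $_.InAD }                  # protectors missing in AD
```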
