Jump to content


Recommended Posts

Hello,

 

I was curious if anyone is using MBAM and also storing the Bit Locker recovery keys in active directory?

 

We are starting to Bit Locker all of our workstations, and we are currently storing the recovery keys in active directory. I was thinking about implementing MBAM also, but management wants the keys to be in active directory.

 

Can you store the keys in a MBAM database as well as in active directory? My searches have given me conflicting information.

 

Any help is much appreciated

 

Ron

Share this post


Link to post
Share on other sites

yes you can store the keys in mbam (an SQL database) and AD at the same time, when enabling bitlocker in the task sequence using the built in step you can choose to store the key in AD, then later in the task sequence you install the mbam client and it stores the key in it's database, as it can take up to 90 minutes (unless you add the nostartupdelay reg key) for MBAM to store its key in the db, having a backup copy in AD is a good idea.

Share this post


Link to post
Share on other sites

correct, also to note the mbam client can store the key in AD also

 

Maybe I'm missing something here, but I don't see this option.

 

In fact, I'm a little confused all together on this. I have installed MBAM and have integrated it into SCCM 2012. 90% or so of machines get bit lockered during an OSD task sequence. Only a few get bit lockered manually by our help desk.

 

I'm getting confused looking at the group policy templates. I have to make sure that the key is always in AD, but I also need to utilize the MBAM/SCCM reporting to make sure machines are bit lockered. The group policy object seems to be more geared to encrypting machines.

 

Maybe I'm over thinking this....

Share this post


Link to post
Share on other sites

There is 2 areas of focus that I know of, MDOP MBAM Policy and Bitlocker Policy under Computer Configuration. You need to configure Bitlocker Policy for AD DS password/package store. If you want MBAM, you configure the MBAM services pointing to your SCCM/MBAM server, etc, as you already did.

 

Only thing to consider, if you need to enable AD DS backup, if you don't use Enhanced PIN / additional authentication, set the radio buttons to disable. At least I had to in order to make it work cause leaving it at Not Configured wouldn't allow me to encrypt. I got the pop-up UI to Postpone/Start but it would fail and that was because I didn't make clear choices on those PINs/additional auth. settings.

 

Once AD is ready, install RSAT if you don't have it already, then add the Bitlocker Password Recovery Viewer in Windows Features under Feature Administration Tools. That will allow you to view the Recovery tab under the Computer Objects in AD. If it doesn't appear, start checking permissions.

 

http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

 

Hope that helps some.

 

Eric

post-17123-0-91770500-1393936952_thumb.png

Share this post


Link to post
Share on other sites

Thanks for the reply. I'll check this out. I'm actually stuck at the moment, it would appear I'm having some issue with the App monitoring server. I haven't had time to look into it as MBAM is not really needed in our environment and doesn't take priority. As soon as I can get back to it, I'll try out what you have listed above

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.