MBAM and AD

[captonron]

Hello,

 

I was curious if anyone is using MBAM and also storing the Bit Locker recovery keys in active directory?

 

We are starting to Bit Locker all of our workstations, and we are currently storing the recovery keys in active directory. I was thinking about implementing MBAM also, but management wants the keys to be in active directory.

 

Can you store the keys in a MBAM database as well as in active directory? My searches have given me conflicting information.

 

Any help is much appreciated

 

Ron

[anyweb]

yes you can store the keys in mbam (an SQL database) and AD at the same time, when enabling bitlocker in the task sequence using the built in step you can choose to store the key in AD, then later in the task sequence you install the mbam client and it stores the key in it's database, as it can take up to 90 minutes (unless you add the nostartupdelay reg key) for MBAM to store its key in the db, having a backup copy in AD is a good idea.

[captonron]

Awesome, thank you!

 

And for the client that are all ready deployed and their recovery key is in AD, just push out the MBAM client and let it do it's thing?

[anyweb]

correct, also to note the mbam client can store the key in AD also

[captonron]

correct, also to note the mbam client can store the key in AD also

 

Maybe I'm missing something here, but I don't see this option.

 

In fact, I'm a little confused all together on this. I have installed MBAM and have integrated it into SCCM 2012. 90% or so of machines get bit lockered during an OSD task sequence. Only a few get bit lockered manually by our help desk.

 

I'm getting confused looking at the group policy templates. I have to make sure that the key is always in AD, but I also need to utilize the MBAM/SCCM reporting to make sure machines are bit lockered. The group policy object seems to be more geared to encrypting machines.

 

Maybe I'm over thinking this....

[67_dbc]

There is 2 areas of focus that I know of, MDOP MBAM Policy and Bitlocker Policy under Computer Configuration. You need to configure Bitlocker Policy for AD DS password/package store. If you want MBAM, you configure the MBAM services pointing to your SCCM/MBAM server, etc, as you already did.

 

Only thing to consider, if you need to enable AD DS backup, if you don't use Enhanced PIN / additional authentication, set the radio buttons to disable. At least I had to in order to make it work cause leaving it at Not Configured wouldn't allow me to encrypt. I got the pop-up UI to Postpone/Start but it would fail and that was because I didn't make clear choices on those PINs/additional auth. settings.

 

Once AD is ready, install RSAT if you don't have it already, then add the Bitlocker Password Recovery Viewer in Windows Features under Feature Administration Tools. That will allow you to view the Recovery tab under the Computer Objects in AD. If it doesn't appear, start checking permissions.

 

http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

 

Hope that helps some.

 

Eric

[captonron]

Thanks for the reply. I'll check this out. I'm actually stuck at the moment, it would appear I'm having some issue with the App monitoring server. I haven't had time to look into it as MBAM is not really needed in our environment and doesn't take priority. As soon as I can get back to it, I'll try out what you have listed above