MBAM is an administrator interface used to manage BitLocker Drive Encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies. Kindly refer to the following similar guides on BitLocker: how to fix a missing BitLocker Recovery tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and virtual machines. Microsoft BitLocker Administration and Monitoring (MBAM) is a component of the Microsoft Desktop Optimization Pack (MDOP), a suite available to Software Assurance customers through an additional subscription. Here is a guide on how to deploy the Microsoft BitLocker Administration and Monitoring tool.
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost or stolen devices. It is an encryption feature built into computers running Windows 10 Pro. If you are running Windows 10 Home, you will not be able to use BitLocker. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. See these guides for information on full disk encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, file and directory encryption, and container encryption; how to enable FileVault disk encryption on a Mac device; BitLocker Drive Encryption architecture and implementation scenarios; and the concept of DriveLock with a focus on encryption.
Before discussing the impact on, and solutions for, devices protected by MBAM or BitLocker, it is worth noting that MBAM initially pulls device records from AD, but later changes to those records in AD, such as a deletion or a name change, are not automatically synchronized by MBAM. You may also want to see this guide on how to enable or disable BitLocker Drive Encryption on Windows 10 and virtual machines.
In all you do, I strongly recommend avoiding a single point of failure. For redundancy's sake, kindly maintain two databases for BitLocker keys: the MBAM SQL database and Active Directory. While configuring the GPO, you can configure it to save the BitLocker recovery keys to AD as well. Here is an interesting guide if you wish to do this on a single device: How to backup existing and new BitLocker recovery keys to Active Directory using a simple script. In order to view these keys in AD, either in the Properties tab or via the Search function in Active Directory Users and Computers, you must have the BitLocker RSAT feature enabled under Server Features and Roles.
MBAM Protected Device Scenario
A device has been renamed from TechDA001 to TechDA002. Here are some possible questions you may be faced with:
- Would the MBAM client still be able to communicate with the MBAM database and have the recovery key escrowed to the MBAM database again after a rename is performed?
- Will MBAM automatically update the new AD record?
If you have the keys saved to a secondary location such as AD, the BitLocker recovery keys will still be able to recover the drive when the BitLocker Recovery screen is invoked.
What is MBAM not capable of doing?
Before we proceed with the resolution (recommendation), the following are the things MBAM cannot do:
- Decrypt systems and re-encrypt with the right algorithms. We have already seen this multiple times.
- Automatically update a device that is renamed to a new name.
- Force users to change the PIN after a set number (XX) of days.
- Force a change of the recovery key after a set number (XX) of days, etc.
If you rename the machine, the OwnerAuth password (TPM owner password) for the changed hostname will not be escrowed to the MBAM database under the new name. Only the recovery password and its information will be sent by the MBAM agent. Because the machine has been renamed, the MBAM agent considers it an already encrypted machine and will therefore only send the recovery details, not the TPM password. This scenario is the same as MBAM taking over an already encrypted machine (you have to decrypt and re-encrypt).
For your information only: in Windows 8 and higher (Windows 10 and 11), MBAM 2.5 SP1 can escrow the OwnerAuth password without owning the TPM. During service startup, MBAM queries whether the TPM is already owned and, if so, requests the password from the operating system. The password is then escrowed to the MBAM database. In addition, Group Policy must be set to prevent the OwnerAuth from being deleted locally.
Now that we are aware of what MBAM cannot do, and since the goal of MBAM is to have devices report to the MBAM database and not just to AD, you must re-initialize the TPM and re-image the device in order for it to be protected by MBAM. In other words, after renaming a device you will want to re-initialize the TPM by re-imaging the device. MBAM stores the TPM hash information only once, when MBAM initializes the TPM chip on a machine. Since TPM initialization is a one-time requirement for BitLocker/MBAM, this information is saved as a single SQL entry for the client that actually initialized the TPM.
If you want the TPM hash information to be stored in SQL again, you will have to follow the steps below.
- Clear the TPM from the BIOS. Please see this guide, "how to clear, enable or disable TPM in Windows via the BIOS or UEFI", for more information.
- Re-image the machine with the new computer name.
- Install the MBAM agent on the client and let MBAM re-initialize the TPM and store the information in the MBAM SQL database. Below is an image showing how to clear the TPM from the BIOS.
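Once the device has been re-imaged under its new name, you will want to confirm that the TPM is in a state MBAM can take ownership of, that the OS volume is not already encrypted under the old identity, and that the MBAM agent is installed and running. The script below is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on the client, that the MBAM client service is named `MBAMAgent` (an assumption), and uses the constructed hostname `TechDA002` from the scenario above.

```powershell
# Added example (not from the original post): post-re-image readiness check before
# letting MBAM take ownership of the TPM and escrow keys for the renamed device.
# Assumptions: run elevated on the client; MBAM client service name "MBAMAgent"
# is assumed; $ExpectedName is a constructed value for the scenario above.
param([string]$ExpectedName = 'TechDA002')

function Test-MbamReadiness {
    param([string]$ExpectedName)
    $result = [ordered]@{}

    # 1. The hostname must already be the new name. Renaming after MBAM has
    #    escrowed the TPM OwnerAuth is what causes the mismatch described above.
    $result.HostnameMatches = ($env:COMPUTERNAME -ieq $ExpectedName)

    # 2. TPM state. After clearing in the BIOS, TpmOwned is $false until the OS
    #    or MBAM provisions it; TpmReady only becomes $true once that has happened.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
    $result.TpmOwned   = $tpm.TpmOwned

    # 3. The OS volume should not still be encrypted under the old identity,
    #    otherwise MBAM treats it as "already encrypted" and escrows only the
    #    recovery password, not the TPM owner password.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.OsVolumeStatus = $os.VolumeStatus.ToString()
    $result.OsProtection   = $os.ProtectionStatus.ToString()

    # 4. MBAM agent installed and running (service name assumed as MBAMAgent).
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    $result.MbamAgentStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]$result
}

$r = Test-MbamReadiness -ExpectedName $ExpectedName
$r | Format-List

if (-not $r.HostnameMatches) {
    Write-Warning "Hostname is $env:COMPUTERNAME, expected $ExpectedName. Rename before MBAM escrows anything."
}
if ($r.OsVolumeStatus -ne 'FullyDecrypted') {
    Write-Warning "OS volume is $($r.OsVolumeStatus); MBAM will treat this as an already encrypted machine."
}
if ($r.MbamAgentStatus -ne 'Running') {
    Write-Warning "MBAM agent is $($r.MbamAgentStatus)."
}
```

Run it right after the MBAM agent is installed; every warning it prints corresponds to one of the conditions in this section that would leave the TPM owner password out of the MBAM database.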
Note: If you clear the TPM from the management console (tpm.msc), the owner password will be discarded by Windows (starting with Windows 10, version 1607, Windows does not retain the TPM owner password when provisioning the TPM; the password is set to a random high-entropy value and then discarded). This is because clearing or resetting the TPM returns it to an unowned state. After the TPM is cleared, the Windows 10 OS will automatically re-initialize it and take ownership again. In this way, BitLocker encryption continues to work without any issues. You may want to read this guide: How to clear the TPM via the management console or Windows Defender Security Center app.
You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
If you clear the TPM using the tpm.msc console or the Windows Defender Security Center app, Windows may succeed in taking ownership as usual, but:
- You will also need to use a script to populate the new hostname with the TPM password from the old one. Isn't this cumbersome!
BitLocker Protected Computer
If you need to rename a computer that is being protected by BitLocker Drive Encryption, be careful how you do it. If you remove the computer from the domain, rename the computer, and then rejoin it to the domain, the recovery key will be invalidated and will not work anymore.
You can use the manage-bde -protectors -adbackup command, or the methods described in "How to backup existing and new BitLocker recovery keys to Active Directory using a simple script", to store the recovery key in Active Directory. Rename the computer while it is still joined to the domain for the recovery key to remain valid.
If this is the only situation you face, without the added complexity of MBAM, I would say you are fine :-)
How to rename a computer correctly
Ensure you change the device name correctly. Note: Do not move the device to a workgroup and then re-add it to the domain; instead, change the hostname directly. All you have to do is change the hostname and reboot. The hostname will change successfully and you retain the recovery key in AD as well.
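The two points above, escrowing the recovery password to AD first (the manage-bde -protectors -adbackup step in the BitLocker Protected Computer section) and then renaming the device without ever leaving the domain, can be combined into one pre-rename script. The following is an added example, not code from the original post or from Microsoft; it assumes an elevated session on a domain-joined client, that the GPO storing BitLocker recovery information in AD DS is applied so the backup succeeds, and uses the constructed new name `TechDA002`. It also generalizes the manual command slightly by backing up every RecoveryPassword protector on every volume, not just the OS drive.

```powershell
# Added example (not from the original post): escrow all BitLocker recovery
# passwords to AD DS, verify, then rename the computer in place and reboot.
# Assumptions: elevated session on a domain-joined client; AD DS backup GPO in
# effect; $NewName is a constructed value for the scenario in this post.
param(
    [string]$NewName = 'TechDA002',
    [switch]$Rename
)

function Backup-RecoveryPasswordsToAd {
    # Returns one record per volume/protector with the outcome of the AD backup.
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; BackedUp = $false; Note = 'No RecoveryPassword protector' }
            continue
        }
        foreach ($p in $rp) {
            try {
                # PowerShell equivalent of: manage-bde -protectors -adbackup <drive> -id <protector-id>
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
                [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; BackedUp = $true; Note = '' }
            } catch {
                [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; BackedUp = $false; Note = $_.Exception.Message }
            }
        }
    }
}

$backup = Backup-RecoveryPasswordsToAd
$backup | Format-Table -AutoSize

# Stop if any protector failed to escrow; a rename with no AD copy is the
# single point of failure this post warns about.
if ($backup | Where-Object { -not $_.BackedUp }) {
    Write-Warning 'At least one recovery password was not escrowed to AD. Fix this before renaming.'
    return
}

# Refuse to continue if the machine is not domain joined: the recovery
# information in AD hangs off the computer account, which a workgroup detour
# would invalidate.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'Computer is not domain joined; do not rename via a workgroup.'
    return
}

if ($Rename) {
    # Rename while still joined to the domain, then reboot. The computer
    # account (and the recovery objects under it) is kept.
    $cred = Get-Credential -Message 'Domain account permitted to rename this computer'
    Rename-Computer -NewName $NewName -DomainCredential $cred -Force -Restart
} else {
    Write-Host "Dry run: would rename $env:COMPUTERNAME to $NewName. Re-run with -Rename to apply."
}
```

Without the -Rename switch the script only performs and reports the AD backup, which makes it safe to run as a check first; add -Rename once every row shows BackedUp = True.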
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.