Windows Windows Server

Microsoft Bitlocker Administration: Impact of Protected Computers

Bitlocker management

Microsoft Bitlocker Administration streamlines the management of BitLocker drive encryption. This administrator interface empowers you to effectively configure optimal BitLocker encryption policies for your enterprise and ensures seamless monitoring of policy compliance. Kindly refer to the following similar guides on BitLocker. how to fix the missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

Microsoft BitLocker Administration and Monitoring (MBAM) is a component of the Microsoft Desktop Optimization Pack (MDOP) is a suite available to Software Assurance customers through an additional subscription. Here is a guide on how to deploy Microsoft BitLocker Administration and Monitoring Tool.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost or stolen devices. It is an encryption feature built into computers running Windows 10 Pro. If you’re running Windows 10 Home you will not be able to use BitLocker.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption, how to enable FileVault disk encryption on a Mac device, BitLocker Drive Encryption architecture, and implementation scenarios, and the concept of DriveLock with a focus on encryption.

Managing Device Effects and Synchronization in Microsoft Bitlocker Administration

When delving into the realm of Microsoft Bitlocker Administration, it’s crucial to consider the effects on devices safeguarded by MBAM or BitLocker. An important aspect to bear in mind is that devices extracted from AD may not undergo automatic synchronization with MBAM. such as deletion and name change. You may also want to see this guide on how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.

When dealing with Microsoft Bitlocker Administration, a crucial strategy is to prevent any single point of failure. Enhance redundancy by maintaining two separate databases: the MBAM SQL Database and the Active Directory. While configuring, opt to store BitLocker recovery keys in both databases, reinforcing data protection.

Here is an interesting guide if you wish to do this on a single device: How to backup existing and new BitLocker recovery keys to Active Directory using a simple script. In order to be able to view these keys in AD in the Properties tab or via the Search function in Active Directory Users and Computers. You must have the BitLocker RSAT enabled in Server Features and Roles.

MBAM Protected Device Scenario

A device has been renamed from TechDA001 to TechDA002. Here are some possible questions you may be faced with.

  • Would the MBAM client still be able to communicate with the MBAM Db and have the recovery key escrowed to the MBAM database again after a rename is performed?
  • Will MBAM automatically update the new AD record?

Suppose you have the keys saved to a secondary location like the AD. In that case, the Bitlocker Recovery keys can recover the drive when the BitLocker Recovery window is invoked.

What MBAM is not capable of doing?

Before we proceed with the resolution (recommendation), the following are the things MBAM cannot do.

  • Decrypt systems and re-encrypt with the right algorithms. We have already seen this multiple times.
  • Automatically update a device that is renamed to a new name.
  • Force users to change the PIN in XX number of days.
  • Force a change to the recovery key in an xx number of days etc.
  • The computer account is deleted and recreated. When this happens, you cannot use the selfservice or helpdesk to recovery the BitLocker Recovery keys. Also, the AD BitLocker recovery Tab will be empty if you have polices configured to back up keys to AD.

My recommendation

Renaming the machine prevents escrowing OwnerAuth passwords (TPM) to MBAM Db with a new name. MBAM Agent sends Recovery password after renaming. After renaming, MBAM Agent treats the machine as encrypted, sending only recovery info, not TPM password. This situation parallels MBAM taking over an already encrypted machine (requires decryption and re-encryption).

For your Information Only:

In Windows 8 and higher (Windows 1 and 11). MBAM 2.5 SP1 can now escrow the OwnerAuth passwords without owning the TPM. During service startup, MBAM queries to see if the TPM is already owned. And if so, it requests the passwords from the operating system. The passwords are then escrowed to the MBAM database. In addition, Group Policy must be set to prevent the OwnerAuth from being deleted locally

Since we are now aware of What MBAM cannot do. The goal of MBAM is to have devices report to the MBAM Db and not just to AD only. Hence, re-initialize the TPM and re-image the device to secure it under MBAM’s protection. After renaming a device, you may want to re-initialize the TPM by re-imagining the device.

MBAM stores TPM hash information only once when MBAM initialize the TPM chip on a machine. Since TPM initialization is a one-time requirement for BitLocker/MBAM, we also have to save this information as an entry in SQL for the client which actually initialised the TPM.

If you want TPM hash information to be in SQL again, you will have to follow the steps below.

  • Clear TPM from BIOS. Th Please see this guide “how to clear, enable or disable TPM in Windows via the BIOS or UEFI” for more information.
  • re-image the machine with the new computer name.
  • Install the MBAM agent on client and let MBAM reinitialize TPM and store the information in MBAM SQL DB. Below is an image of how to clear off TPM from the BIOS.
encryption administration
Note: This will result in data loss if you do not have the BitLocker recovery key.

Clearing TPM Ownership: Windows 10 Version 1607 and BitLocker Encryption Integration

Note: If you clear the TPM from the Management Console (tpm.msc), this will be discarded by Windows (starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded). This is because, clearing or resetting the TPM resets it to an unowned state. Once the TPM clears, the Windows 10 OS will automatically re-initialize and regain ownership. In this way, the BitLocker encryptions work without any issues. You may want to read this guide: How to clear the TPM via the management console or Windows Defender Center App.

You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, not clearing the TPM before installing a new operating system could still result in most TPM functionality working correctly.

If you clear the TPM using the tpm.msc console or Windows Defender Security Center app in any case, Windows may succeed in taking ownership as usual, but you will also need to use a script to populate the new hostname with the TPM password from the older one. Isn’t this cumbersome?!

BitLocker Protected Computer

If you need to rename a computer that is being protected by BitLocker Drive Encryption, be careful how you do it. If you remove the computer from the domain, rename the computer, and then rejoin it to the domain, the recovery key will be invalidated and will not work anymore.

You can use the manage-bde –protectors –adbackup command or the methods described here “How to backup existing and new BitLocker recovery keys to Active Directory using a simple script” to store the recovery key in Active Directory. Rename the computer while it is still joined to the domain for the recovery key to remain valid.

If this is just the situation without adding the complexity of MBAM to it. I would say you are fine :-)

How to rename a Computer correctly

Ensure you change the device name correctly. Note: Do not put in workgroup and then add in a domain instead directly change the hostname. All you have to do is change the hostname and reboot. It will change the hostname successfully and u retain the recovery key as well in AD.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x