BitLocker is an encryption solution which is part of Windows 7 and Windows 8 and can be easily enabled. Which would be all good and fine for a home user, however in an enterprise it doesn’t really cut the mustard. Sure you could go and enable BitLocker on your users machines but after that how do you easily ensure all your users machines are in compliance and have bitlocker encryption on their hard drives? What about when the user forgets their password or possibly tries to move their hard drive into a different machine and doesn’t have a recovery code for this?
That’s where Microsoft Bitlocker Administration and Monitoring can help. It gives you a centralized method for monitoring and provisioning BitLocker in your environment. The setup for MBAM is pretty straight forward. The first time I set this up it worked without issue, more recently I ran into some issues so I figured I’d blog about the setup and mention the issues I had and how I got past them, hopefully some others will find this helpful.
So the very first problem I ran into was a strange one!! I needed to get the BitLocker Client installed on my users machines and like some other companies mine was using Windows 7 Enterprise N. Which is a version of Enterprise with the media software stripped off it. The Client refused to install, it was not supported on the system. To get around this I actually had to modify the MSI, there’s a launch condition ensuring it’s only allowed to run on valid Windows 7 machines and it appears Microsoft made an oversight and didn’t include N in the list!!!
Next up, You should set the following Identifier in the group policy for MBAM.
I hit a problem after finding out some users machines already had BitLocker on them and had their drives encrypted. So now all of a sudden their machine would show up in the BitLocker console but would show as Non-Compliant to fix this, I set the following registry on their machines:
[HKEY_LOCAL_MACHINE\SOFTWARE\
“HWExemptionTimer”=hex(b):b1,
“HWExemptionType”=dword:
“DisableMachineVerification”=
This ensured the machine was now flagged as valid and allowed it to be processed. You need to ensure the users machine recovery key is stored in AD. If it is not you should run the following Powershell command on the users machine: manage-bde -protectors -adbackup C: -id {recoveryGUID}
How your setup should go:
Setup the server side software
Configure the MBAM GPO the way you want it.
Deploy the MBAM Client to the users machines which must have TPM enabled (TPM can be found in the BIOS of the computer).
The user will get a prompt within 90 minutes of the GPO being applied. This is a setting which can be changed in the GPO. You should have an option to change the intervals so the prompt to encrypt the drive is seen quicker.
The client will communicate back to the server at every interval set to confirm it’s compliance. You should see the status of the machine as compliant, the drive set to encrypted and also the machine BitLocker Recovery info should be stored in Active Directory for that computer.
The really great thing about BitLocker using the TPM is that the TPM is a chip in your computer, BitLocker writes to that chip and basically ties your Hard drive to that chip. So somebody steals your laptop and can’t get passed login but then tries to remove the drive and access info that way, it won’t work. Bitlocker has ensured the drive won’t work if the Bitlocker key doesn’t match what is set in the machines TPM. Also BitLocker gives the option to encrypt but not require a pre-boot password to be entered so it cuts down on that extra authentication layer but still provides a robust encryption method.
