How do I remove user exemption from Microsoft BitLocker Administration and Monitoring (MBAM)?
In testing MBAM, I selected the option to allow my user account for exemption to encryption. Now none of the machines I log in to will encrypt. I'd like to take myself off of the user exemption list. What's the best way to do this? I don't see the option to remove a user from an exemption list in the web management interface.
Thanks!
MCITP Windows 7 MCTS Windows Server 2008
November 3rd, 2011 10:41pm
On the Win7 client machine, if you have clicked user postpone, then
Delete: HKCU\Software\Microsoft\MBAM
Restart the MBAM agent service and when you hit the next client wake up frequency, we prompt you to start the encryption.
Manoj Sehgal
November 4th, 2011 9:29am
Thanks for your reply, Manoj!
I removed the key and restarted the MBAM agent service and restarted my machine. But event viewer still shows that the user is exempt from encryption.
I've also tried introducing HKCU\Software\MBAM and setting the NoStartupDelay option to 1. And after a reboot, the user still shows exempted.
Now I'm hacking SQL tables to see if I can fix. Please offer some more advice before I break this system :-)
MCITP Windows 7 MCTS Windows Server 2008
November 4th, 2011 11:10am
This step that you did is incorrect:
"I've also tried introducing HKCU\Software\MBAM and setting the NoStartupDelay option to 1. And after a reboot, the user still shows exempted."
Follow these steps:
1. On the Win7 client machine, if you have clicked user postpone, then
Delete: HKCU\Software\Microsoft\MBAM
2. HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1
3. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client.
If you don't want the random delay, then create a dword value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1.
Restart the MBAM Client Service and then the client will talk to the server in 1 minute.
Monitor the MBAM logs on the client.
Manoj Sehgal
November 4th, 2011 4:06pm
Hi,
Was your issue solved by the suggestion of Manoj Sehgal? Please feel free to give me any update.
Thanks.
Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
November 6th, 2011 8:36pm
Hey Leo,
Manoj's suggestions were very helpful in terms of coming to troubleshoot the system quickly. However, after carefully following the advice laid out, my user account still shows up as exempt in the MBAM web console. Now, I can enforce the user side of group policy such that I'm not exempt. But there's still no change in the MBAM console when running the Enterprise Compliance Report. In other words, the console shows one user exempt (me) even though group policy dictates that I'm not exempt.
Not a big deal at the moment. Just would hate to have a group of users who applied for exemption to still show up in the exemption list after we've removed the user exemption policy when auditing BitLocker.
Thanks!
MCITP Windows 7 MCTS Windows Server 2008
November 8th, 2011 4:54pm
Greg,
Enterprise compliance report updates once in 6 hrs.
Check this to update manually:
2620269 MBAM Enterprise Reporting Not Getting Updated
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269
If you had configured User Exemption for MBAM - make sure the user account is removed from that GPO.
Do gpupdate /force on the client.
Verify using rsop.msc or gpresult that user exemption is not applied.
Do the same steps again:
HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1
There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client.
If you don't want the random delay, then create a dword value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1.
Restart the MBAM Client Service and then the client will talk to the server in 1 minute.
Monitor the MBAM logs on the client.
When you see an entry in the operational logs for MBAM - The encryption data was successfully sent, then check the enterprise compliance report and update it manually using
2620269 MBAM Enterprise Reporting Not Getting Updated
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269
I hope this helps.
Manoj Sehgal
November 9th, 2011 10:34am
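The client-side steps from the reply above, collected into one PowerShell script. This is an added example, not part of the original thread or of Microsoft's tooling; the service name `MBAMAgent` and the log name `Microsoft-Windows-MBAM/Operational` are assumptions to confirm on your client.

```powershell
# Added example. Run in an elevated session started AS THE AFFECTED USER:
# elevating with a different admin account makes HKCU point at that admin's hive.
$ServiceName = 'MBAMAgent'                           # assumed MBAM client service name
$LogName     = 'Microsoft-Windows-MBAM/Operational'  # assumed MBAM operational log
$UserKey     = 'HKCU:\Software\Microsoft\MBAM'
$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$AgentKey    = 'HKLM:\Software\Microsoft\MBAM'

# Refresh policy first, then confirm the exemption GPO is no longer applied.
gpupdate /force | Out-Null
gpresult /r /scope user

# Step 1: clear the per-user postpone state.
if (Test-Path $UserKey) { Remove-Item $UserKey -Recurse -Force }

# Step 2: set both frequencies to 1. These live under a Policies key, so the
# next Group Policy refresh restores whatever the GPO defines.
if (-not (Test-Path $PolicyKey)) { throw "MBAM policy key missing: $PolicyKey" }
foreach ($name in 'ClientWakeUpFrequency', 'StatusReportingFrequency') {
    New-ItemProperty -Path $PolicyKey -Name $name -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Step 3: remove the random startup delay, then restart the agent.
# (New-Item only when absent: -Force on an existing key would wipe its values.)
if (-not (Test-Path $AgentKey)) { New-Item -Path $AgentKey | Out-Null }
New-ItemProperty -Path $AgentKey -Name NoStartupDelay -Value 1 `
    -PropertyType DWord -Force | Out-Null
Restart-Service -Name $ServiceName

# Give the client time to check in, then list recent operational events.
# The thread says to look for "The encryption data was successfully sent".
Start-Sleep -Seconds 120
Get-WinEvent -LogName $LogName -MaxEvents 25 |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The Enterprise Compliance Report is refreshed on the server side, so it still has to be updated as described in KB 2620269 before the console reflects the change.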
Manoj,
Thanks again for the continued support. Love the information on using SQL Server Management Studio to start the create cache routine to update the MBAM compliance report.
After following the steps you mentioned above, I was able to fix the issue by disabling the group policy setting "Configure user exemption policy". After running a gpupdate and starting the Create Cache job in SQL Server Management Studio per KB2620269, the user exemption status showed up as Not Exempt.
This tool is going to be a very effective way for us to audit our BitLocker systems, and I especially look forward to implementing this product in our organization and can't wait to see it mature over time.
Great job! :-)
MCITP Windows 7 MCTS Windows Server 2008
November 10th, 2011 8:02am