MBAM and Clearing TPM Password
We are in the process of testing MBAM in our organization. Some of our test users manually enabled the TPM chip in their laptops and set a password before installing the MBAM client and encrypting with BitLocker. The TPM password/hash for these machines isn't in the MBAM database. I've read that to get the password/hash into the database you need to clear the TPM and allow MBAM to initialize the TPM and take ownership, but this isn't working for me. I've tried:
1. Clearing the TPM, rebooting, and waiting for a day for a prompt from MBAM.
2. Suspending BitLocker, clearing the TPM, rebooting, and waiting for a day for a prompt from MBAM.
Neither of the above worked. Can someone give me the exact steps and how long it should take for MBAM to initialize the TPM? Thanks,
November 18th, 2011 1:39pm

I have not used MBAM yet, but to do it using data from AD, check this link: http://blogs.technet.com/b/bitlocker/archive/2010/09/14/how-to-use-hash-of-tpm-from-ad-to-reset-your-tpm-password.aspx
November 20th, 2011 6:43am

Exact steps: Make sure the TPM is ON in the BIOS. The TPM state will be "TPM is on and ownership is not taken." Now when MBAM prompts to start encryption, it will see that the TPM is not initialized, will first initialize the TPM, and will ask for a reboot. After the reboot we will start the encryption.
2640178 MBAM fails to take ownership of TPM: http://support.microsoft.com/kb/2640178
Also, you do not have to wait for 1 day for MBAM to prompt to start the encryption process.
1. On the Windows 7 client, open the registry key HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement and change ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1.
2. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client. If you don't want the random delay, create a DWORD value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1. Restart the MBAM Client Service and the client will talk to the server in 1 minute.
If you hit this error on the client, then follow the workaround in this KB: 2612822 Computer Record is Rejected in MBAM: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822
Manoj Sehgal
November 21st, 2011 4:53pm

The TPM is on in the BIOS, and the TPM state shows "TPM is on and ownership is not taken." The laptop was left on for several days, but MBAM never prompts to start encryption, nor do we get any error messages. Should I still execute the script in the support article 2640178?
November 22nd, 2011 2:30pm

Out of curiosity I ran the script and got a script error.
November 22nd, 2011 2:47pm

You do not execute the script from the KB unless you hit the error message. MBAM prompts to start encryption on a Win7 client machine only if:
1. GPOs are set correctly.
2. You are on the console and not in an RDP session to the Win7 client machine.
3. You do not have errors for MBAM in the MBAM admin logs on the Win7 client.
Verify these things first. Also, you do not have to wait for 1 day for MBAM to prompt to start the encryption process.
1. On the Windows 7 client, open the registry key HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement and change ClientWakeUpFrequency = 1 and StatusReportingFrequency = 1.
2. There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client. If you don't want the random delay, create a DWORD value "NoStartupDelay" under HKLM\Software\Microsoft\MBAM and set its value to 1. Restart the MBAM Client Service and the client will talk to the server in 1 minute.
Manoj Sehgal
November 23rd, 2011 10:11am
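The registry tweaks and the three pre-checks Manoj lists in the two replies above, collected into one script as an added example (this is not code from the thread, from the KB articles, or from MBAM itself). It assumes a Windows 7 MBAM 1.0 client run from an elevated console session, that the client service is named MBAMAgent, and that the client writes to the Microsoft-Windows-MBAM/Admin event channel; those names are my assumptions, not stated in the thread.

```powershell
# Added example: speed up the MBAM client check-in and run the pre-checks from the thread.
# Assumptions (not from the thread): service name 'MBAMAgent', admin event channel
# 'Microsoft-Windows-MBAM/Admin'. Run elevated on the Windows 7 client.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$agentKey  = 'HKLM:\SOFTWARE\Microsoft\MBAM'

# Check 1: the policy key is written by Group Policy; if it is absent the GPO is not applied
if (-not (Test-Path $policyKey)) {
    throw "No MBAM policy at $policyKey - fix the GPO link/scope before tuning timers"
}

# Check 2: the Start Encryption prompt only appears on the console session, never over RDP
if ($env:SESSIONNAME -notlike 'Console*') {
    Write-Warning "Session is '$env:SESSIONNAME' (not the console); MBAM will not prompt here"
}

# Timers are in minutes; 1 = poll every minute. Lab value only: the next Group Policy
# refresh rewrites this key with the GPO's values, so it is not a silent backdoor setting.
Set-ItemProperty -Path $policyKey -Name ClientWakeUpFrequency    -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name StatusReportingFrequency -Value 1 -Type DWord

# Skip the random start-up delay of up to 90 minutes
if (-not (Test-Path $agentKey)) { New-Item -Path $agentKey -Force | Out-Null }
Set-ItemProperty -Path $agentKey -Name NoStartupDelay -Value 1 -Type DWord

Restart-Service -Name MBAMAgent -Force
Get-Service -Name MBAMAgent | Format-Table Name, Status -AutoSize

# Check 3: errors/warnings in the MBAM admin log after the restart (Level 1-3 = critical/error/warning)
Start-Sleep -Seconds 90
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Admin'; Level = 1, 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

If check 3 prints nothing and the client still never prompts, the remaining variable from Manoj's list is the TPM state itself, which the registry timers do not touch; the MBAM UI only drives TPM initialization as part of the Start Encryption flow.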

1. GPOs are set correctly. We have no other issues with the client or getting machines encrypted. 2. I have the machine next to me and am logged in with administrator rights. 3. I checked the logs for errors over several days and didn't see any errors. Changing the registry keys and restarting the client doesn't make MBAM take ownership of the TPM.
November 23rd, 2011 2:28pm

The registry key changes help prompt the client to show the MBAM Client UI so that you can click Start Encryption. If the TPM is not initialized, then before we start encryption MBAM will do that. 2640178 MBAM fails to take ownership of TPM: http://support.microsoft.com/kb/2640178 If the TPM is already initialized, then MBAM will start the encryption process. Also check the status of the TPM from the TPM Management Console.
Manoj Sehgal
November 28th, 2011 10:10am

The status from the TPM Management Console says "The TPM is on and ownership has not been taken." There are no errors in the MBAM logs on the machine, and policies are being applied successfully, as well as encryption data is being sent successfully.
December 7th, 2011 11:16am

Hi Manoj, "Now when MBAM prompts to start encryption, it will see that the TPM is not initialized and will first initialize the TPM and ask for a reboot. After the reboot we will start the encryption." Now one question to ask: I am trying to encrypt the OS drive through MBAM with SCCM 2007 (without any user interaction). If the machine reboots, the logon screen will come up and the user at that time will not be logged in (which requires a manual process). Will MBAM start the encryption without anyone being logged in, or do we need to be logged in to the machine to start the encryption? If we have to, then it will not be fully automated, right? Do we have any methods to make it fully automated? Also, when the registry entries are made through the reg file templates, when do we have to delete them? They should be deleted before the completion of the encryption process, as far as I know from reading materials on MBAM. So how can that be done with SCCM? Do we have to make a separate TS for deleting those entries? If included within a single TS, the entries get deleted within a second after being added to the proper location, and encryption fails to start. Can you please guide me to the proper steps for encryption? I have also replied to another post of yours but unfortunately I did not get a reply back. Please help if you can. Your posts helped me a lot in getting familiar with MBAM, but still lots of doubts are left.
Gaurav Ranjan
January 5th, 2012 7:30am

Hi Manoj, What if the machine has already been encrypted by MBAM? For some reason we need to clear the TPM from the MBAM console. It will erase the records of the TPM ownership information for the TPM chip, and the machine will go into recovery mode. Once the TPM is cleared, how will MBAM reinitialize it and take back the ownership? Once a clear TPM takes place, how much time does it take for the computer to go into recovery mode? Any help will be appreciated.
Gaurav Ranjan
February 8th, 2012 1:27am

Are there any additional steps to take if the script does not resolve the "MBAM fails to take ownership of TPM" error? The script has worked successfully on 300 systems, but we have found that in a few cases it will not resolve it. "TPM is on and ownership has not been taken" and policies are applied on the laptops where TPM ownership is failing. Along with running the script I've updated the BIOS and cleared the TPM, to no avail. In these rare cases we've had to swap the drive into a like system to bypass the error and kick off encryption, but would like to find another solution. Any thoughts???
February 9th, 2012 11:32am

1. Once the TPM is cleared, how will MBAM reinitialize it and take back the ownership?
If you clear the TPM, BitLocker will go into recovery mode. To prevent this, suspend BitLocker protection first, then clear the TPM. If the TPM is cleared and your drive is already encrypted, then MBAM will not prompt the user to initialize the TPM. In this scenario, if you want MBAM to initialize it, the only way you can do so is by decrypting the drive and then letting MBAM prompt to start encryption. In this case MBAM will check for the TPM, then initialize it and start the encryption.
2. Once a clear TPM takes place, how much time does it take for the computer to go into recovery mode?
Answer: Next reboot. If you suspend BitLocker, then we don't go into recovery mode.
Manoj Sehgal
February 9th, 2012 10:45pm

If the script from the KB does not work, then we are not able to take ownership of the TPM due to some other reason. http://support.microsoft.com/kb/2640178 One reason is that SELF does not have rights on the OU where your machines are located in AD DS. You might have turned on Group Policies to back up TPM information in AD, which can cause TPM initialization to fail. Check the blog below: http://blogs.technet.com/b/askcore/archive/2010/03/30/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx Let me know if this helps or not.
Manoj Sehgal
February 9th, 2012 10:50pm
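A diagnostic script covering Manoj's two replies above, added here as an example (not code from the thread, the KB, the askcore blog, or MBAM): it reports the TPM ownership state, the BitLocker state of the OS drive, and whether SELF holds a write ACE on the computer object (the permission the 0x80070005 blog post is about), and only when explicitly asked suspends BitLocker before queuing a TPM clear, in the order Manoj gives so the next boot does not land in recovery. Assumptions of mine, not from the thread: Windows 7, OS volume C:, elevated console session on a domain-joined machine, dsacls.exe available (RSAT), and physical-presence request code 5 meaning "Clear" in the Win32_Tpm SetPhysicalPresenceRequest table.

```powershell
# Added example: state behind a "fails to take ownership of TPM" case, plus a guarded
# suspend-then-clear. Assumptions (not from the thread): Windows 7, OS volume C:,
# elevated console session, domain-joined, dsacls.exe present, PPI request 5 = Clear.
param([switch]$SuspendAndClear)   # nothing is changed unless this switch is given

# 1. TPM state as MBAM and tpm.msc see it
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'Windows exposes no TPM device; check the BIOS TPM setting' }
$tpmState = New-Object PSObject -Property @{
    Enabled   = $tpm.IsEnabled().IsEnabled
    Activated = $tpm.IsActivated().IsActivated
    Owned     = $tpm.IsOwned().IsOwned      # $false = "ownership has not been taken"
}
$tpmState | Format-List

# 2. BitLocker state of the OS drive (Windows 7 has no BitLocker cmdlets; manage-bde is the tool)
manage-bde -status C:

# 3. AD: does SELF hold a write ACE covering ms-TPM-OwnerInformation on this computer object?
#    Without it, TPM initialization fails with 0x80070005 when the back-up-to-AD policy is on.
$filter   = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
$found    = $searcher.FindOne()
if ($found) {
    $dn = $found.Properties['distinguishedname'][0]
    "ACEs granted to SELF on ${dn}:"
    dsacls $dn | Select-String -Pattern 'SELF'
    # Look for a line pairing NT AUTHORITY\SELF with WRITE PROPERTY on ms-TPM-OwnerInformation.
} else {
    Write-Warning 'Computer object not found in AD; SELF permission check skipped'
}

if ($SuspendAndClear) {
    # Suspend first: clearing the TPM under active protection forces recovery at the next boot
    manage-bde -protectors -disable C:
    # Queue the clear via the physical-presence interface; the user confirms it at the firmware prompt
    $r = $tpm.SetPhysicalPresenceRequest(5)
    "SetPhysicalPresenceRequest(5) returned $($r.ReturnValue) (0 = request queued). Reboot now."
    'After the clear, resume protection with: manage-bde -protectors -enable C:'
}
```

Keep Manoj's caveat in mind when using the switch: on a drive that is already encrypted, a cleared TPM is not something MBAM will re-initialize on its own, so the owner password hash will not reach the MBAM database by this route. The only path he gives for getting it escrowed is to decrypt and let MBAM drive the TPM initialization as part of a fresh Start Encryption.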

Thanks Manoj for your reply and your help. So, if the TPM is cleared, we need to re-encrypt the drive in order for MBAM to take the ownership information. It will not populate the info with any other process. I am not getting the option to mark it as an answer, but I think it is the answer for the question I asked. I voted it as helpful. Digging deeper and deeper into MBAM, I am getting a lot more queries in my mind. I hope you will help me with them. There is a way through which we can add hardware details of the machine into the MBAM console under the hardware section. I want to know what the need for that is. Why do we need to manually add the hardware details of a machine although the MBAM agent sends all the information to the database?
--> Is BitLocking with MBAM dependent only on the make and model of the machine? (Till now I only know that the encryption is dependent upon the make and model of the machine and not on the TPM info.)
--> Does MBAM prompt for the encryption if there is only the info for the make and model of the machine and the compliant status of the machine has been set manually? There is a scenario for us where we have to manually add a machine make and model under the hardware section and force the encryption process to start. Is it possible to do so?
--> Also, how long does it take for MBAM to send the compliant status of the hardware to the hardware? As far as I am concerned it takes 24 hours to generate the compliance report.
--> What is the validation step to check the reachability of the URL for the Compliance and Audit report? Is it http://<NameofComplianceandAuditReportsServer>:<Port#>/Reports/Pages/Report.aspx?ItemPath=%2fMalta+Compliance+Reports%2fEnterprise+Compliance+Report
Note: If you installed SRS on a named instance the URL will follow the following format: http://<NameofComplianceandAuditReportsServer>:<port#>/Reports_<NAMEDINSTANCE>/Pages/Folder.aspx?ItemPath=%2fMalta+Compliance+Reports%2fEnterprise+Compliance+Report
Gaurav Ranjan
February 10th, 2012 12:55am

Also, how can I turn off the automatic discovery for the hardware, so that the MBAM agent will only pick up the machine details added manually to the MBAM console? What policies are going on in the background through which the MBAM agent sends the compliance report to the MBAM database? Do we have any debugging tools for that, so as to monitor the background processes, like monitoring the HTTP communication or the behaviour of the SQL server on changes? How can the time it takes for MBAM to prompt to start the encryption be reduced? Usually it takes 90 minutes. I succeeded in automating the encryption by reading your blogs and changing the registry settings. But now what I would like to do is know the background processes running. Any help would be greatly appreciated. For marking your replies as an answer I have started a new forum thread: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/86a6612a-0b8a-44c2-abd9-de6de79c1a01
Gaurav Ranjan
February 10th, 2012 1:06am
