Update MBAM on Win10 1607 change around TPM and OwnerAuth

This commit is contained in:
jamiejdt
2017-04-23 23:04:52 -07:00
parent 977427f2ef
commit 9058959ce7
3 changed files with 22 additions and 6 deletions

View File

@ -43,7 +43,10 @@ This topic explains how to enable BitLocker on an end user's computer by using M
- Optionally encrypt FDDs
- Escrow TPM OwnerAuth, even on Windows 8 or higher (MBAM still must own the TPM on Windows 7 for escrow to occur)
- Escrow TPM OwnerAuth
For Windows 7, MBAM must own the TPM for escrow to occur.
For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported.
For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
- Escrow recovery keys and recovery key packages
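Review bot: the three lines added after `- Escrow TPM OwnerAuth` ("For Windows 7, MBAM must own the TPM…", "For Windows 8.1, Windows 10 RTM and Windows 10 version 1511…", "For Windows 10, version 1607 or later…") are not indented under that bullet, so in Markdown they render as separate paragraphs and split the feature list between `- Escrow TPM OwnerAuth` and `- Escrow recovery keys and recovery key packages`; indent them under the bullet (or make them a nested list). "In addiiton" should read "In addition". Also, the removed line covered "Windows 8 or higher" while the new text lists only Windows 8.1, Windows 10 RTM and Windows 10 version 1511, so confirm whether dropping Windows 8 from the versions on which OwnerAuth escrow is supported is intended.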
@ -55,13 +58,15 @@ This topic explains how to enable BitLocker on an end user's computer by using M
- Robust error handling
You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server.
**WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script.
<a href="" id="mbam-machine-wmi-class"></a>**MBAM\_Machine WMI Class**
**PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting.
**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
| Parameter | Description |
| -------- | ----------- |
| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. |
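Review bot: the new **Note** under **PrepareTpmAndEscrowOwnerAuth** says that on Windows 10, version 1607 or later only Windows can take ownership of the TPM, but the method description directly above it still states unconditionally that the method "generates a TPM OwnerAuth and takes ownership" when the TPM is not owned; add a sentence saying what the method does on 1607 or later (for example, that it does not attempt to take ownership and what the caller should expect back) so the two paragraphs do not contradict each other. "In addiiton" should read "In addition". This hunk also changes the Download Center link from `details.aspx?id=54439` to `details.aspx?id=48698`, which the commit message does not mention; confirm that change is deliberate and that the new id points at the current script package.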
@ -172,7 +177,8 @@ Here are a list of common error messages:
3. Name the step **Persist TPM OwnerAuth**
4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"`
4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"`
**Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
3. In the **State Restore** folder, delete the **Enable BitLocker** task.
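Review bot: the `**Note:**` paragraph is inserted between the numbered steps (`4. Set the command line…` and `3. In the **State Restore** folder…`) without indentation, so the numbered list breaks there and the following step starts a new list; indent the note under step 4. "In addiiton" should read "In addition". The note also tells the reader that Windows will not retain the TPM owner password on 1607 or later, but not whether the **Persist TPM OwnerAuth** step that runs `SaveWinPETpmOwnerAuth.wsf` still applies on those builds; a sentence stating whether to keep or skip that step for Windows 10, version 1607 or later would make the procedure actionable.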

View File

@ -31,6 +31,7 @@ This topic contains the following information about how to secure Microsoft BitL
## <a href="" id="bkmk-tpm"></a>Configure MBAM to escrow the TPM and store OwnerAuth passwords
**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password.
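Review bot: the added **Note** sits directly under the **Configure MBAM to escrow the TPM and store OwnerAuth passwords** heading, but the paragraph that follows still tells the reader that resetting TPM lockout requires the TPM OwnerAuth password; since the note says Windows does not retain that password on Windows 10, version 1607 or later, add a sentence on what that means for lockout recovery on those builds (or point to where it is covered). "In addiiton" should read "In addition".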
@ -38,6 +39,8 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP
### Escrowing TPM OwnerAuth in Windows 8 and higher
**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine.
To enable MBAM to escrow and then store TPM OwnerAuth passwords, you must configure these Group Policy settings.
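Review bot: this is the same **Note** text already added a few lines earlier in this file under the section heading; two identical notes eight lines apart is redundant, so keep one (the one under the main heading is enough, or move it here if the point is specific to the "Windows 8 and higher" subsection). The subsection heading **Escrowing TPM OwnerAuth in Windows 8 and higher** and the line "In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password" now also cover Windows 10, version 1607 or later, where the note says there is no owner password to store; consider qualifying the heading or the sentence. "In addiiton" should read "In addition".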

View File

@ -40,19 +40,26 @@ Before you install the MBAM Client software on end users' computers, ensure that
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>For Windows 8 and Windows 8.1 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.</p>
<td align="left"><p>For Windows 8.1, Windows 10 RTM or Windows 10 version 1511 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.</p>
<p>In MBAM 2.5 SP1 only, you no longer need to turn off TPM auto-provisioning, but you must make sure that the TPM Group Policy Objects are set to not escrow TPM OwnerAuth to Active Directory.</p></td>
<td align="left"><p>[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md#bkmk-tpm)</p></td>
</tr>
<tr class="odd">
<td align="left"><p>For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM.</p>
<p>In MBAM 2.5 SP1, you must turn on auto-provisioning.</p>
</p></td>
<td align="left"><p>See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
</p></td>
</tr>
<tr class="even">
<td align="left"><p>The TPM chip must be turned on in the BIOS and be resettable from the operating system.</p></td>
<td align="left"><p>See the BIOS documentation for more information.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>The computers hard disk must have at least two partitions and must be formatted with the NTFS file system.</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>The computers hard disk must have a BIOS that is compatible with TPM and that supports USB devices during computer startup.</p></td>
<td align="left"><div class="alert">
<strong>Note</strong>
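Review bot: the new `<tr class="odd">` row for Windows 10, version 1607 or later has unbalanced markup: `<p>In MBAM 2.5 SP1, you must turn on auto-provisioning.</p>` is already closed, and the stray `</p></td>` on the next line adds a second `</p>` with no matching `<p>`; drop that extra `</p>`. In the second cell, `<p>See [TPM owner password](…) for further details.` is closed on the following line, which renders but does not match the one-line `<p>…</p></td>` style of the other cells. "In addiiton" should read "In addition". The edited first row also changes "Windows 8 and Windows 8.1" to "Windows 8.1, Windows 10 RTM or Windows 10 version 1511", so confirm that Windows 8 is intentionally no longer listed. The `odd`/`even` class re-sequencing on the rows that follow looks correct for the inserted row.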