We have bitlocker ...so we need MBAM, too?

McKnife
Edited by: Andrew Leniart
In this article, I will take a look at Microsoft Bitlocker Administration and Monitoring (“MBAM”) and explain why I prefer my own scripts for deployment and management.

I will assume that the reader is familiar with Bitlocker and even MBAM. This article is for admins who already deploy and manage Bitlocker, or who are about to do so in the near future.


Let me ask you this: have you noticed that there are dozens of standard, built-in GPO settings for configuring Bitlocker, while there is not a single one that actually enables Bitlocker, as in “start encrypting”?

Now, why would that be?


I see two possible reasons:


1st reason (likely): Microsoft wants to prevent the unintentional and uncontrolled mass encryption of company data as the result of a few mouse clicks gone wrong.

2nd reason (possibly): Microsoft uses this for customer retention. They have MBAM, but they don’t give it away for free to anyone; it is only available as added value for volume licensing customers.


Now let’s see what MBAM can do for you:


  • MBAM delivers the “missing piece” to finally enable encryption on client computers
  • It allows admins to reset locked-out TPM modules
  • It lets users who forgot their PIN use a self-help website to get going again
  • It saves the recovery keys to a database separate from Active Directory
  • It offers ways to see whether all devices are compliant with the rules that you hope to enforce


To me, that’s basically it. Sounds good, as long as you don’t count the hours you will spend setting it up and maintaining it, because it is rather complex:


You will need to


  • install a SQL Server and license it
  • install a web server and configure SSL
  • create several users, user groups and service accounts
  • deploy an agent to the clients
  • set up MBAM-specific GPOs


In case this sounds like fun, please refer to this description:

https://www.scconfigmgr.com/2019/01/12/step-by-step-microsoft-mbam/ (4 parts!)

A good article without a doubt. But please scroll through all of its parts and consider how much effort that is, and which of these goodies you will really need.


OK, if you wanted to do without MBAM, how would you go about it? For each MBAM goody, let me show you an easy-to-achieve alternative.


Starting the encryption

Surely the most important aspect. I recommend deploying a scheduled task of the Group Policy Preferences type “Scheduled Task (At least Windows 7)” via GPO.


It would look like this:

Task name: BL (name it as you want, but please don’t forget to change the name in the last script line)

Triggers: at logon of any user

Executing account: system

Action: powershell.exe with the argument \\server\share\BL.ps1


The task would be set up to “apply once and do not reapply”.

That share would need to be read-only for computer accounts, writable only for admins.


The script would create a random PIN for pre-boot authentication and save it to a text file on another share, “pins”, which is writable for domain computers but not readable by them: people (local admins) able to impersonate the system account must not be able to discover other computers’ PINs.


The script \\server\share\BL.ps1 goes like this:


# Generate a random 6-digit PIN (leading zeros kept)
$pin=(Get-Random -Minimum 0 -Maximum 999999).ToString('000000')
# Record the PIN on the write-only "pins" share, one file per computer
echo "$pin" | out-file \\server\pins\$env:computername.txt -Append
$SecureString = ConvertTo-SecureString "$pin" -AsPlainText -Force
# Add a TPM+PIN protector to the OS volume
Add-BitlockerKeyProtector -MountPoint "C:" -Pin $SecureString -TPMandPinProtector
# Tell every logged-on user the PIN (quoted, so the comma in the text reaches msg.exe intact)
msg * /time:0 "Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin"
# Start encrypting: skip hardware test (-s), used space only (-used), add a recovery password protector (-rp)
manage-bde -on c: -s -used -rp
# Remove the scheduled task so this runs only once
schtasks /delete /tn BL /f

So what happens at script execution is that a popup appears and names the PIN.



The user would need to be informed that he has to memorize it. Of course, some people will write it down; we can’t stop them from doing so. But still, tell them not to do that. 6 digits can be memorized, and if they forget, you have the PIN inside that text file, named after the computer in question, accessible only to you on the share \\server\pins. Whether you would like to add a warning to the popup message going “Please don’t turn your PC off without shutting it down during encryption, else you might lose access to it” is optional and out of scope – it’s the same for MBAM.


Some of you might have noticed that I was using the good old msg.exe instead of a native PowerShell command... that's because with msg.exe, it is very simple to send a message to all users that are logged on! But there's a downside: msg.exe writes the message (the secret PIN) into the system event log!
If you fear that someone could discover the PIN in the log, you should add another line of code at the end of the script that simply clears the system event log:

Clear-EventLog System   # clears the whole System log; this also discards every other event in it and is itself recorded afterwards as event ID 104 ("The System log file was cleared")

By the way, what happens if the user shuts down the machine while it is encrypting? Well, encryption is paused and resumes the next time he starts the machine – no problem. By then, the PIN will already be asked for to start the machine.


Another thing: please use a GPO to prevent users from changing their PINs. Not only because that would mean you would need to find a way to keep track of them, no, but rather because people tend to use their date of birth as PIN. 6 digits... does that ring a bell? That would be far too easy for an attacker to find out.
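A variant of the BL.ps1 workflow above with the checks a production rollout needs (already-protected volume, TPM readiness, PIN recorded before the protector exists, exit code of manage-bde checked); this is an added example, not the article's script, and assumes the write-only share \\server\pins and the task name BL from above.

```powershell
# Added example (not the article's BL.ps1): same steps, with preflight checks and fail-safe ordering.
# Assumptions: \\server\pins is the write-only drop share; the GPP scheduled task is named BL.
$ErrorActionPreference = 'Stop'
$mount   = 'C:'
$pinFile = "\\server\pins\$env:COMPUTERNAME.txt"

$vol = Get-BitLockerVolume -MountPoint $mount
# Idempotence: the task may run again (re-imaged PC, task re-created). Do not touch a volume
# that already carries a TPM+PIN protector; just remove the task.
if ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin') {
    schtasks /delete /tn BL /f
    exit 0
}
# Preflight: without a present and ready TPM the protector cannot be created. Leave the task in
# place so the next logon retries once the TPM has been provisioned.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not ready on $env:COMPUTERNAME; Bitlocker not enabled"
    exit 1
}
# 6-digit PIN from the OS CSPRNG, leading zeros kept. 2^32 mod 10^6 leaves a bias of roughly
# 0.02 % between PIN values, irrelevant for a 6-digit PIN.
$bytes = New-Object byte[] 4
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pin = ([BitConverter]::ToUInt32($bytes, 0) % 1000000).ToString('000000')
# Record the PIN before anything depends on it. Under 'Stop' a failed write throws and the script
# ends before the protector exists; otherwise the only copy of the PIN would be the popup, and a
# forgotten PIN would cost the recovery password.
Set-Content -Path $pinFile -Value $pin -Encoding ASCII
$secure = ConvertTo-SecureString $pin -AsPlainText -Force
Add-BitLockerKeyProtector -MountPoint $mount -Pin $secure -TpmAndPinProtector | Out-Null
# Same notification as the article (msg.exe reaches every interactive session from SYSTEM).
msg * /time:0 "Your hard drive is being encrypted. To start your PC, you need your Bitlocker-PIN, which is $pin"
# Enable as in the article: skip hardware test, used space only, add a recovery password protector.
manage-bde -on $mount -s -used -rp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }
# Only now is the one-shot task removed; any earlier failure leaves it for a retry at next logon.
schtasks /delete /tn BL /f
```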


Resetting locked out TPM modules

…why would that even be needed? Let’s take a look at what it takes to lock out a TPM and what to do if it really happens and you cannot unlock it.


So, how do you lock a TPM module? The TPM lockout count differs from manufacturer to manufacturer. I have dealt with Infineon and Intel modules so far, and their lockout count is 32. So only after someone has entered their PIN incorrectly 32 times will it lock out. Sorry, no one does that unless he is an attacker. If someone does it, he should be told: “Congrats, now you have to get your device here so I can unlock it using the recovery key – I will not hand it to you”. Administrators may use the recovery key to start the device, and they can reset the TPM at any time (without MBAM).


Self-service in case people forget their PIN

There surely must be a better way than handing the recovery key over to the users. Since the recovery password enables users to do anything they like with the device (decrypt, manipulate), it is not an option for those of you who take security seriously to ever give it to users. Even if we could make the MBAM agent change it right afterwards, you never know what the user might have done in between, before he booted Windows.


Instead, if you feel you need to set up self-service that works even for users who are out of the office, use the PINs for it. The recovery password will not be needed unless the user


  • tampers with boot settings
  • updates the firmware (without admin permissions or bios password?)
  • enters the wrong PIN 32 times (we had that)


Seriously, the idea that the recovery key is needed regularly is nonsense, but newbie Bitlocker admins still fall for it. Tell me, why in all these years, on our 100 devices, have I never had to give a recovery password to a user because his machine, out of the blue, demanded it?


So let’s see: how can we allow self-service for PIN retrieval? Shall we set up some web server that mimics what MBAM does, accessible over the internet, just with the PINs instead of the recovery passwords? We could do that, we have the technology... no, this is complicated, it will require authentication of some kind, and most probably users will not even memorize the steps. Remember what scenario we could be talking about: some user is abroad, jet-lagged, has forgotten his PIN, cannot start his laptop, and you, the support, are not available, as he's in another time zone and you are asleep. Will the user walk into an internet café and somehow make it to the company MBAM website? Or what about his phone: he could have that self-service portal saved as a favorite on his smartphone – that will work. However, he would need to enter sensitive credentials on the phone and have a recovery key displayed on the phone, an unmanaged device – sorry, no, not for me.


So why not simply write the PIN down, obfuscated in a smart way? Tell the users: if they feel their brain is about to collapse and they can’t memorize a 6-digit PIN, they should use a smart method to hide it: a keyword-number. Look at this ruler; I display it to show how this is supposed to work.



Still no idea what I am talking about, right? OK, my keyword is, for example, something silly, let it be “tombraider”. Now take the first 6 letters and, for each letter, write down the last digit of its position number in the alphabet [a=1, b=2, …, y=(2)5, z=(2)6] – my keyword (t/o/m/b/r/a) becomes (2)0/(1)5/(1)3/2/(1)8/1 = 053281. So if my PIN has been set to 673231, I now add 053281, and what do I get? 726512, and that can be written down without having to fear that someone cracks it, even when he reads it – even someone “in the know” would have just 32 guesses at what word this might have been obfuscated with – have fun! If you forget your PIN, look at your note and subtract the keyword’s number equivalent from it and you have it (don't worry, this even works when the sum has 7 digits).
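The keyword-number arithmetic from the paragraph above, written out in PowerShell as an added example (not part of the article); it assumes a keyword of at least six letters a-z and a 6-digit PIN, and checks itself against the article's values and the 7-digit-sum case.

```powershell
# Added example: the article's keyword-number obfuscation, both directions.
function Get-KeywordNumber {
    param([string]$Keyword)
    # Last digit of each letter's alphabet position (a=1 ... z=26) for the first six letters
    $digits = $Keyword.ToLowerInvariant().Substring(0, 6).ToCharArray() | ForEach-Object {
        ([int]$_ - [int][char]'a' + 1) % 10
    }
    return -join $digits
}
function Protect-Pin {
    param([string]$Pin, [string]$Keyword)
    # Plain addition; the note keeps at least six digits and may grow to seven
    return ([int]$Pin + [int](Get-KeywordNumber $Keyword)).ToString('000000')
}
function Unprotect-Pin {
    param([string]$Note, [string]$Keyword)
    # Subtract the keyword number again; padding restores a leading zero in the PIN
    return ([int]$Note - [int](Get-KeywordNumber $Keyword)).ToString('000000')
}

# Self-checks against the article's walkthrough ('tombraider', PIN 673231)
if ((Get-KeywordNumber 'tombraider') -ne '053281') { throw 'keyword number mismatch' }
if ((Protect-Pin -Pin '673231' -Keyword 'tombraider') -ne '726512') { throw 'protect mismatch' }
if ((Unprotect-Pin -Note '726512' -Keyword 'tombraider') -ne '673231') { throw 'unprotect mismatch' }
# The sum overflows to seven digits here; the subtraction still recovers the PIN
$note = Protect-Pin -Pin '999999' -Keyword 'tombraider'
if ((Unprotect-Pin -Note $note -Keyword 'tombraider') -ne '999999') { throw '7-digit case failed' }
# A PIN with a leading zero survives the round trip as well
if ((Unprotect-Pin -Note (Protect-Pin '012345' 'tombraider') 'tombraider') -ne '012345') { throw 'leading zero lost' }
'all keyword-number checks passed'
```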


Is that too complicated? Let me remind you of the alternatives:

  • set up a web server, accessible from the internet, that requires a password which will possibly have to be entered on an untrusted device
  • simply remember that 6 digits! Not so hard...


On to the next:

MBAM saves the recovery keys to a database separate from Active Directory


Now what good comes from that? If I look at the AD database, which is so well guarded, why would I even want a second database in the first place? What’s the big idea?


Probably Microsoft thinks this way: with a second DB, which can be administered by a different set of people (not domain admins, but Bitlocker admins), we don’t need them to be domain admins; thus we limit the number of domain admins to a minimum, which is surely desirable! For example, the author over at scconfigmgr.com writes: “For many companies simply storing the key in a repository that requires their IT help desk staff to have elevated Active Directory or Azure Active Directory rights is not something they want to do”.


That thought is tempting, but it is not correct. Viewing the recovery passwords in AD does not require “elevated rights” (whatever that means); it can be delegated, too. Although by default the keys are only viewable by domain admins, it takes me only a minute to change that and give any standard user the right to view them! See my other article on that topic: https://www.experts-exchange.com/articles/33769/Delegation-of-access-to-Bitlocker-Recovery-Passwords-this-way-please.html


So in my mind, this possible advantage of having a dedicated DB is rather a disadvantage, since it adds to the overall complexity, big time.


Last one:

MBAM offers ways to see whether all devices are compliant


OK, now that is something important for sure. So we will have some monitor showing nice diagrams, all green, as all PCs are 100% compliant. I mean, what else but 100%? If you encrypt the devices, could they become decrypted? Would someone change the encryption method that your GPO enforces? Who would be able to do that? Only local admins. Why would they do that? Wouldn’t that suggest these people could be up to things even worse, like disrupting the MBAM agent or faking its output for some reason?


What I would do instead of falling in love with diagrams is, again, to deploy a scheduled task that runs once a day, calls a batch one-liner and alarms me if, for example, the C: drive is not 100% encrypted. It’s as easy as this:


REM Inside a .cmd file a literal percent sign must be doubled (use a single % if this is typed directly as the task action).
REM "100,0" matches the decimal separator of this system's locale; English systems print 100.0%% instead.
manage-bde -status c: | findstr 100,0%% || md \\server\share\%computername%_c

This creates a folder named after the non-compliant computer. Check that parent folder once a day and you are good to go.


What else would you like to be compliant with? Let’s say you define “compliant” as

-all drives are 100% encrypted

-all drives are using the encryption method XTS-AES 256

-the protection is enabled on every drive


So make that check a three-liner:


REM Each rule drops a marker folder named after the computer when it fails (md creates a folder, even with a .txt suffix in the name)
REM Rule 1: the "Percentage Encrypted" lines are the only ones containing a percent sign; their third token must read 100
for /f "tokens=3" %%a in ('manage-bde -status ^| findstr %%') do echo %%a | findstr 100 || md \\server\share\%computername%_not_100percent.txt
REM Rule 2: the encryption method of every volume must be XTS-AES 256
for /f "tokens=3,4" %%a in ('manage-bde -status ^| findstr /C:"Encryption Method"') do echo %%a %%b | findstr /C:"XTS-AES 256" || md \\server\share\%computername%_notXTSAES256.txt
REM Rule 3: protection must be on for every volume (a suspended volume reports "Protection Off")
for /f "tokens=3,4" %%a in ('manage-bde -status ^| findstr /C:"Protection Status"') do echo %%a %%b | findstr /C:"Protection On" || md \\server\share\%computername%_Protection_off.txt
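The same three rules evaluated from the BitLocker module's objects instead of parsed manage-bde text, so the result does not depend on the display locale or on the wording of the status lines; this is an added example, not the article's batch file, and assumes the \\server\share drop folder and a daily task running as SYSTEM, as above.

```powershell
# Added example (not the article's batch file): compliance check via Get-BitLockerVolume.
# Assumption: \\server\share is the drop folder the admin inspects once a day.
function Test-BitLockerCompliance {
    param([string]$DropFolder = '\\server\share')
    $findings = @()
    # Every volume known to BitLocker, including data volumes that were never encrypted
    foreach ($vol in Get-BitLockerVolume) {
        $d = $vol.MountPoint.TrimEnd(':')     # 'C:' -> 'C'
        # Rule 1: fully encrypted (100 also for used-space-only volumes once they are done)
        if ($vol.EncryptionPercentage -ne 100) { $findings += "${d}_not_100percent" }
        # Rule 2: XTS-AES 256 only; an unencrypted volume reports None and fails here too
        if ($vol.EncryptionMethod -ne 'XtsAes256') { $findings += "${d}_notXTSAES256" }
        # Rule 3: protectors active; Off also covers a suspended (Suspend-BitLocker) volume
        if ($vol.ProtectionStatus -ne 'On') { $findings += "${d}_Protection_off" }
    }
    foreach ($f in $findings) {
        # Same signal as the batch version: one folder per finding, named after the computer
        $marker = Join-Path $DropFolder "${env:COMPUTERNAME}_$f"
        New-Item -ItemType Directory -Path $marker -Force | Out-Null
    }
    # Return a result object as well, useful when the task output is collected centrally
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-BitLockerCompliance
```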


And that’s all! I am open to critique as always and I ask you for opinions and as well encourage you to ask a related question.

