Windows 10: MBAM delays in escrow of recovery key and event logging

Discussion in 'Windows 10 Software and Apps' started by I Patel, Feb 18, 2025.

  1. I Patel Win User

    MBAM delays in escrow of recovery key and event logging


    We have MBAM solution 2.5.1143.00, running on W10 and W11 systems. Solution seems to be working. We can get to the Selfservice and Helpdesk portals, recover keys, etc., and checking the SQL database, in \MBAM Recovery and Hardware\recoverandhardwarecore.keys, we can see in 'LastUpdateTime' recovery keys being updated recently.

    One issue we are seeing is that it takes several days, after changing the PIN, for the recovery key to upload to the MBAM database. In one case it took 7 days.

    - What could be the reasons for this delay?
    - Any place we can check to see why there is a delay?
    - On new builds key doesn'

    :)
     
    I Patel, Feb 18, 2025
    #1

  2. Escrowing Keys between MBAM and AD

    Good day,

    I am currently working on encrypting all the machines at my organization using MBAM (which was actually introduced before I started at the company). The issue I am running into is that some of the machines are escrowing the keys into MBAM while others are just being stored in AD. This wouldn't be such an issue, but the Help Desk team needs the ability to get the recovery key quickly if a PC were to prompt for the key. Not to mention, we want to ensure that all the keys are centralized and that there is a redundant way of getting the key if MBAM or AD were to fail. Is there a way to escrow the keys from MBAM to AD and vice versa? This way the help desk team can just use the portal to search for any recovery key without having to go between AD to look and then MBAM?

    Any help of this would be greatly appreciated.
     
    manofskill123, Feb 18, 2025
    #2
  3. MDOP MBAM agents not using SSL to post recovery keys

    I have been troubleshooting an issue with a group of Windows 10 endpoints that will only post their recovery keys to the MBAM recovery service website over http/80. When the appropriate GPO is changed to use https/443 the endpoints act like they just don't
    want to report in. No errors. Switch back to http/80 and the key escrow success events show up.

    MBAM server is running 2012 R2 with MBAM 2.5.11 installed. The same agent version is on the Windows 10 endpoints. Some of the endpoints are running build 1511 (CBB), some are on 1607 (CB).

    We can browse to the self-help and helpdesk portals over https/443 with no cert errors. So SSL is working.

    Any thoughts on why SSL service communications is failing?
     
    SloanOzanne, Feb 18, 2025
    #3
  4. Thagstrom Win User

    MBAM delays in escrow of recovery key and event logging

    Escrowing Keys between MBAM and AD

    Hello! I am an Independent Advisor, I would love to help you out!

    I would recommend viewing the following "Configuring AD DS" section of this article; if you scroll down some you will see "Configure Group Policy to enable backup of BitLocker and TPM recovery information in AD DS". Make sure that you have a GPO in place for any OU a computer is in, that is not being overwritten by anything else. I would suggest enforcing the GPO for testing at least.

    In that article near the top is also this entry referring to moving recovery information to AD:

    If necessary, recovery information can be backed up to AD DS after BitLocker has been enabled by using either the Manage-bde command-line tool or the BitLocker Windows Management Instrumentation (WMI) provider. For more information about the WMI provider, see the MSDN topic BackupRecoveryInformationToActiveDirectory Method of the Win32_EncryptableVolume Class.

    Hope this helps!
     
    Thagstrom, Feb 18, 2025
    #4
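
The WMI route mentioned in the reply above, as an added example that is not part of the original posts or of the Microsoft article: it calls the documented `GetKeyProtectors` and `BackupRecoveryInformationToActiveDirectory` methods of `Win32_EncryptableVolume` for every recovery-password protector on every volume, and reports the return code per protector. It assumes an elevated session on a domain-joined machine where the AD DS backup GPO already applies.

```powershell
#Requires -RunAsAdministrator
# Added example: back up BitLocker recovery passwords to AD DS via the WMI provider.
# Per-protector manage-bde equivalent:
#   manage-bde -protectors -adbackup C: -id '{PROTECTOR-GUID}'

$namespace        = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$recoveryPassword = [uint32]3   # KeyProtectorType 3 = numerical (recovery) password

$volumes = Get-CimInstance -Namespace $namespace -ClassName Win32_EncryptableVolume

$report = foreach ($vol in $volumes) {
    # List only the recovery-password protectors; TPM/PIN protectors are not escrowed this way.
    $kp = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
            -Arguments @{ KeyProtectorType = $recoveryPassword }

    if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
        # Volume not encrypted, or it has no recovery password to back up.
        [pscustomobject]@{
            Drive       = $vol.DriveLetter
            ProtectorId = $null
            ReturnCode  = '0x{0:X8}' -f $kp.ReturnValue
            BackedUp    = $false
        }
        continue
    }

    foreach ($id in $kp.VolumeKeyProtectorID) {
        $r = Invoke-CimMethod -InputObject $vol `
                -MethodName BackupRecoveryInformationToActiveDirectory `
                -Arguments @{ VolumeKeyProtectorID = $id }

        # ReturnValue 0 means the directory accepted the recovery information;
        # any other value is an FVE/HRESULT code worth recording for the help desk.
        [pscustomobject]@{
            Drive       = $vol.DriveLetter
            ProtectorId = $id
            ReturnCode  = '0x{0:X8}' -f $r.ReturnValue
            BackedUp    = ($r.ReturnValue -eq 0)
        }
    }
}

$report | Format-Table -AutoSize
```

The output contains protector IDs only, never the recovery password itself, so it can be collected centrally to find machines whose keys are in MBAM but missing from AD.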