question

0 Votes
lalajee asked · saldana-msft edited

Migrate bitlocker from Mbam to sccm with TPM key

Hi, we need to migrate BitLocker from MBAM to SCCM (MBAM integrated), but I can't seem to find information on whether it will move the TPM key to SCCM or not.

We are running SCCM 2002 (soon to be upgraded to 2009)
MBAM server is 2.3 (We are in process of upgrading this to 2.5)

We would like to integrate MBAM with SCCM but also migrate the recovery key + TPM key.
I know the recovery key will be moved, but will the TPM key be moved too? If not, how do I move the TPM key without re-encrypting the drive?

Tags: mem-cm-general, windows-10-security, mem-cm-osd

Hi,

Just checking in to see if the information provided was helpful.

If the reply helped you, please remember to accept as answer.
If no, please reply and tell us the current situation in order to provide further help.

0 Votes
AravinthMathan-3183 answered

Hi @lalajee

Are you referring to the TPM startup PIN on the device?
If yes, that is specific to the device and it is stored in the TPM chip present locally on the device. So during migration you don't have to worry about the TPM PIN. Just make sure the policies are replicated and there will not be any need for re-encryption unless there is a BitLocker policy change.

Regards
Aravinth

If this is helpful, kindly accept as answer.

0 Votes
Jason-MSFT answered

We are running SCCM 2002 (soon to be upgraded to 2009)

There's no such thing as 2009 and never will be (at least not prod versions).

Are you referring to the TPM Owner password? If so, why are you escrowing this at all? By default, Windows doesn't even store this -- it sets it and then throws it away.

0 Votes
lalajee answered · AravinthMathan-3183 commented

That's it, the TPM Owner password. But does it not store a key in the MBAM server which can be used for something?

Sorry, not sure what this comment means. Why do you want the owner password stored? As noted, Windows itself no longer does this so it's not even available to be stored anywhere.


@lalajee, the TPM owner password is not stored remotely. As @Jason-MSFT mentioned, it sets and discards. Please refer to the Microsoft document below for your reference.

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/change-the-tpm-owner-password#about-the-tpm-owner-password

Password sets and discards - "Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded."

Password can only be stored as a file - "Then you can create a new password, either automatically or manually, and save the password in a file or as a printout."

Regards
Aravinth

If this is helpful, kindly accept as answer.
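As an added example (not code from any poster on this thread or from Microsoft): a PowerShell check, assuming the BitLocker and TrustedPlatformModule modules that ship with Windows 10 and an elevated session, that lists each volume's device-local protectors versus its escrowable recovery-password protectors and reports whether the machine is retaining a TPM owner password at all.

```powershell
# Added example, not from the thread. Inventories BitLocker protectors so an
# admin can see which ones stay on the device (TPM-bound) and which ones MBAM
# escrows today and the ConfigMgr BitLocker client will re-escrow later, and
# confirms the TPM owner authorization is not being retained locally.
# Assumes the built-in BitLocker and TrustedPlatformModule modules; run elevated.

function Get-BitLockerMigrationReport {
    [CmdletBinding()]
    param()

    # Protector types that are sealed in this device's TPM and never escrowed
    # to MBAM or ConfigMgr, so a server-side migration does not touch them.
    $localOnly = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    $volumes = foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus
            LocalOnlyProtectors = @($protectors |
                Where-Object { "$($_.KeyProtectorType)" -in $localOnly }).Count
            # RecoveryPassword protectors are the escrowed ones; their IDs are
            # what you compare before and after migration.
            RecoveryPasswordIds = @($protectors |
                Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
                ForEach-Object { $_.KeyProtectorId })
        }
    }

    $tpm = Get-Tpm
    [pscustomobject]@{
        Volumes              = $volumes
        TpmReady             = $tpm.TpmReady
        # 'Full' means Windows keeps the owner authorization on the box;
        # any other level matches the set-and-discard behaviour quoted above.
        TpmManagedAuthLevel  = $tpm.ManagedAuthLevel
        TpmOwnerAuthRetained = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
    }
}

$report = Get-BitLockerMigrationReport
$report.Volumes | Format-Table -AutoSize
$report | Select-Object TpmReady, TpmManagedAuthLevel, TpmOwnerAuthRetained | Format-List
```

If TpmOwnerAuthRetained is false there is no owner password on the client to migrate, and only the RecoveryPasswordIds need to show up in the new escrow location.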

@lalajee, kindly let me know if the details were helpful.

Regards
Aravinth
