Microsoft BitLocker Administration and Monitoring

Welcome to the Microsoft BitLocker Administration and Monitoring customer feedback site! Please submit your ideas or vote for one of the current features suggested below. The engineering team is actively monitoring the site and we want to hear from you!


  • Save recovery keys even when policy does not mandate encryption

    According to the MBAM 2.0 GPO documentation (by the way it has disappeared in the MBAM 2.5 SP1 documentation whereas the behavior is the same), enforcing an encryption policy is required for the MBAM agent to save recovery keys in the recovery database.

    In our environment, we have deployed 2 GPOs: one with the MBAM URLs and common settings applied on all computers and one with the encryption policy filtered on some criteria.
    We expected computers that are encrypted without receiving the second GPO to have their recovery key saved in MBAM but found out it is not the case.…

    5 votes
  • MBAM as a Service / selectable option in Azure

    Hello

    I think MBAM should be offered “as a Service” / selectable option in Azure.

    This would save people the unnecessary “hassle” of having to duplicate work / figure it all out themselves - or paying someone else to do it (I know several solution providers are doing this stuff when it should just be a really simple thing for people to set up themselves).

    Doing this would speed up adoption / deployments of BitLocker.

    It should come in a standardised form with a simple wizard to guide people through the key configuration options.
    It should “take care” of fault tolerance…

    38 votes
  • TPM ownership password is not saved in MBAM 2.5 SP1

    Using the Invoke PS script in MBAM 2.5 SP1 does not escrow the TPM password to the database (event id 28 does not happen). Only in 1/10 cases did we see the TPM password in the database. We use Windows 10, and also did testing with Windows 7. TPM is 1.2.
    - At the start, TPM is cleaned and ON.
    - Task Sequence Pre-provisioning step goes through.
    - The .wsf script right after Image apply goes through.
    - MBAM client 2.5 SP1 is installed.
    - Using the PS script encrypts the drive; the recovery key is escrowed, but not the TPM.

    11 votes
  • Role-based access controls

    Allow for specifying or restricting what users/computers certain groups can access to retrieve keys, etc.

    23 votes
  • Bypass MBAM policy check when running Invoke-MbamClientDeployment.ps1

    When running the invoke-mbamclientdeployment.ps1 script on a device that has the MBAM group policies targeted, the script will fail during the pre-reqs check phase.

    During a new build or refresh this wouldn't be an issue, but during a new implementation of MBAM I use a task sequence to check for some pre-reqs, enable TPM and reboot, install the MBAM agent, then start encryption right away. In the past I was using the StartMBAMEncryption script from the DeploymentGuys blog which still works, but would rather leverage the supported PowerShell script.

    Please add a parameter to the cmdlet to bypass checking pre-reqs…

    14 votes
  • Load Balancer and Machine Keys - Better Configuration Help needed

    More help is needed on configuring the machine keys in a load balancer scenario. E.g. at which level do I need to specify this key?

    9 votes
  • Improved documentation - Server, client and GPO are done. What now?

    After completing all tasks documented in https://technet.microsoft.com/en-us/library/dn645316.aspx, there is no other information what to do next. I am currently at that step and I was assuming from what I read that the encryption should start automatically on the client. I rebooted a couple of times to make sure it would start; it does not. No idea if I am on the right path or not as there is no documentation on what I am supposed to do now.

    5 votes
  • Invoke-MbamClientDeployment.ps1 returns error exit code 1

    Invoke-MbamClientDeployment.ps1 returns error exit code 1 in the Task Sequence, but everything is okay.

    Device \\?\Volume{b6df14ea-0000-0000-0000-401f00000000}\ is already encrypted but not protected. The key protectors will be enabled.

    Process completed with exit code 1

    Also the problem remains that the TPM password is not saved in the database.

    8 votes
  • Support for Hardware encrypted USB flash drives and 3rd party encryption tools, so BitLocker can recognize the drives as compliant.

    13 votes
  • MBAM is not easy to configure, it is easy to install but it is a headache to add features... so many prerequisites...

    19 votes
  • Single Sign On with AD. Instead of unlocking with password, unlock with username and password that match AD

    48 votes
  • Documentation needs to answer some questions

    TPM Owner and BitLocker-to-MBAM hand off; these 2 topics require more explanation in the documentation:

    1. What is the TPM Owner? Where does it fit into this whole BitLocker/MBAM picture? What happens if you don't know the owner and don't have the password for it but still have the recovery keys?

    2. The documentation has a link on how to reset the TPM Owner. The question is what will happen to the drives already encrypted if we clear the TPM? Will it go into recovery mode the next time the machine reboots? Will the PIN/password still work? If it indeed wipes…

    5 votes
  • Please upload the Invoke-MbamClientDeployment.ps1 to the MS Download Center, it's not available for download

    Dear MBAM Team,
    in this whitepaper -> https://technet.microsoft.com/en-us/library/dn645336.aspx
    you're talking about the "Invoke-MbamClientDeployment.ps1" script and the possibility to download it from the Microsoft.com Download Center. However that file cannot be found in the Download Center. Please provide a working link to the script or at least really upload it to the Download Center.
    Kind Regards
    Alexander

    2 votes
  • Better handling of Computer Renames

    When a computer is renamed, MBAM never picks up the new name. Instead a new entry is added in MBAM with the new name. There should be a way for the new name to be picked up, and possibly show what the previous name was.

    53 votes
  • Multifactor Authentication in MBAM SelfService Portal

    We would like to implement Azure Multifactor Authentication for the MBAM SelfService Portal. Is it possible with the current MBAM 2.5 setup?

    Currently the MBAM SelfService portal is corporate AD authenticated. To secure it more we have an Azure Multifactor subscription that we would like to implement for dual authentication of the MBAM SelfService portal.

    15 votes
  • Ability to create departments folders

    We need to be able to create folders or OUs for better management.

    9 votes
  • Push Pull option for Client server communication

    Push Pull option for Client server communication to update the encryption keys.

    8 votes
  • User exception

    Would like to see improvements in the user exception to allow us to provide a group of users the option to encrypt / not encrypt removable media on a case by case basis, regardless of which machine they log in to. I believe as of now, exemptions are handled by computer policy rather than user policy.

    5 votes
  • Add the option to filter reports by domain

    In our environment we manage multiple Domains, each with their own IT department.
    In order to be able to provide our users with 24h Support around the globe we are using a central server setup in our Headquarters to which all IT departments have access.
    So right now, if I open up the Enterprise Report, all devices from all Domains are included in the Report. Here I would like to be able to filter the Report by Domain so I know the compliance of the devices in our specific Domain without having to first export it to Excel and use filters…

    2 votes