MBAM - Frequently Asked Questions

Within 24 hours after the system has completed encryption of the hard drives. The system must first report in as compliant to the MBAM Server and then run the SCCM Client Hardware Inventory Cycle before it shows up as compliant. Note that Hardware Inventory runs once a day unless it is manually started through the Configuration Manager Control Panel app.

You will need to decrypt the system and then install the MBAM client using either the Manual or the SCCM method of installation.

No. The MBAM Group Policy settings do not exist in the Local Group Policy settings on client systems.

No. The MBAM Group Policy is the MBAM compliance definition for the Windows workstations it is applied to. Applying the incorrect GPO will result in a non-compliant status in MBAM Reports, because the system will be missing the TPM protector.
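As an added example that is not part of this FAQ, the following PowerShell function audits an OS volume for the conditions the compliance definition above depends on: fully encrypted, protection on, a recovery password available to escrow, and the TPM protector the GPO expects (or a password protector when the Non-TPM policy is applied). It uses the Windows BitLocker module's Get-BitLockerVolume cmdlet; the mapping of these checks onto MBAM's own compliance rules is an assumption drawn from the answers on this page.

```powershell
# Added example (not from the FAQ or the MBAM product): report a workstation's
# BitLocker state the way the MBAM compliance definition described above would
# see it. Requires the BitLocker module (Windows 8.1+) and an elevated session.
function Test-MbamStyleCompliance {
    [CmdletBinding()]
    param(
        # Mount point of the OS drive; assumption: the system drive is the OS volume
        [string]$MountPoint = $env:SystemDrive,
        # Set this when the Non-TPM MBAM policy is applied (password instead of TPM)
        [switch]$NonTpmPolicy
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasRecovery = $types -contains 'RecoveryPassword'
    $hasTpm      = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    $hasPassword = $types -contains 'Password'

    # Each failed check is one reason the volume would show as non-compliant
    $problems = @()
    if ($vol.VolumeStatus.ToString() -ne 'FullyEncrypted') {
        $problems += 'Volume is not fully encrypted'
    }
    if ($vol.ProtectionStatus.ToString() -ne 'On') {
        $problems += 'Protection is off (protectors suspended?)'
    }
    if (-not $hasRecovery) {
        $problems += 'No RecoveryPassword protector available to escrow to MBAM'
    }
    if ($NonTpmPolicy) {
        if (-not $hasPassword) { $problems += 'Non-TPM policy applied but no Password protector' }
    } elseif (-not $hasTpm) {
        $problems += 'TPM protector missing: wrong GPO applied or TPM not ready'
    }

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus.ToString()
        ProtectionStatus  = $vol.ProtectionStatus.ToString()
        EncryptionPercent = $vol.EncryptionPercentage
        Protectors        = ($types -join ', ')
        Compliant         = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

Test-MbamStyleCompliance | Format-List
```

Run it on a workstation that reports as non-compliant to see which of the conditions above is failing before checking the SCCM hardware inventory timing.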

Not without manually editing local Group Policy settings on the Windows workstation, which is not recommended or supported.

No. The MBAM Client requires Domain Group Policies to run.

Yes. To run without a TPM chip (version 1.2 or greater) you will need to be running Windows 8.1 as the operating system and apply the Non-TPM MBAM Domain Group Policy. This will require you to type in a BitLocker password to boot your computer.

No. Due to hardware limitations of hard drive partitioning, you cannot run both OSes natively on the same Apple hardware with a single hard drive.

Yes. As long as the virtualized Windows is running on a virtual hard disk (.VHD file) and not on an Apple Boot Camp partition.

No. MBAM only protects the Windows partitions on Apple hardware.

No. FileVault2 only protects the OS X partitions on Apple hardware.

No. BitLocker to Go is designed to only work on Windows OSes.

No. The MBAM Client does not support encryption with a USB Key.

There are several things that can cause a computer to boot into BitLocker recovery mode. Most often it is caused by a change in the system's BIOS, a BIOS upgrade, a hardware change, or a change to the partition table on the hard drive. For a more extensive list of causes, refer to "What causes BitLocker recovery?" at the following link: https://technet.microsoft.com/en-us/library/dn383583.aspx

The BitLocker recovery key is sent to the MBAM server infrastructure by the MBAM Client before the initial encryption of the computer. The MBAM Client will not initiate encryption until it receives a successful escrow message from the MBAM server confirming that the key has been received and stored correctly. This is a fail-safe designed by Microsoft to ensure that the BitLocker recovery key is recoverable before the computer is encrypted, so that no data is lost.

The MBAM Server records that the key was requested and by whom. The MBAM Client checks in with the MBAM Server the next time it is connected to the internet and receives a request to issue a new BitLocker recovery key. The MBAM Client issues a new key and escrows it to the MBAM Server. Once the MBAM Server acknowledges receipt and successful storage of the new key, the MBAM Client finalizes the recovery key change on the local computer; the old recovery key becomes obsolete and can no longer be used to unlock the computer.

Article number: 103623
Last updated: August 29, 2016