Category: BitLocker

MBAM 2.5: The SQL Reporting Services URL that point to the MBAM reports is not valid

When adding the Monitoring and Administration feature of MBAM 2.5 and checking the System Center Configuration Manager Integration features in the setup wizard, you typically enter the URL to the Reporting Server, for instance http://configmgrsrv/ReportServer. If you get the error:

The SQL Reporting Services URL that point to the MBAM reports is not valid

it actually means that you must install the MBAM Reports feature before installing the Monitoring and Administration features. That applies even though you are integrating MBAM into System Center Configuration Manager. Why is that? Because when integrating MBAM with ConfigMgr, the only reports that are managed in ConfigMgr are the compliance reports.

How to resolve common problems when BitLocker enters recovery mode

From time to time BitLocker-enabled machines enter recovery mode, requiring an unlock to proceed. Sometimes this comes as a surprise to you as an administrator. One example of BitLocker unexpectedly entering recovery mode is installing a language pack: this modifies the boot configuration data (BCD, the store edited with BCDEDIT), and BitLocker automatically goes into recovery mode because it treats the change as an attack on the machine. Ask the Core Team has created a list of the most common problems with BitLocker entering recovery mode.

Backing up BitLocker recovery keys to Active Directory

Using BitLocker to encrypt your system partition is a very good option to keep the computer and the data on it secure. Starting with Vista SP1 you will be able to encrypt not only the system partition but all the other partitions as well, offering even better security. When you encrypt a partition with BitLocker a recovery key is automatically generated so that you can recover the data on the computer when necessary. By default you have the choice of printing the recovery key or saving it to a USB stick or a network share.

However, using a group policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Turn on BitLocker backup to Active Directory) you can also back up the recovery key to Active Directory, which is a very good suggestion I must say. If you are running Windows Server 2008 you do not have to do anything to get this working, but if you would like to use Windows Server 2003 with SP1 or later to back up the BitLocker recovery key you must use scripts provided by Microsoft to extend the schema.

Microsoft also offers a tool called BitLocker Recovery Password Viewer, which can be downloaded directly from Microsoft Premier Services. When this tool is installed it introduces another tab in a computer object's Properties called “BitLocker Recovery”, where the BitLocker recovery keys are listed for your viewing pleasure in the case of necessary restoration. The only negative part about the tool is that it can only be installed on a Windows XP or Windows Server 2003 computer, as it requires that you have installed the “Windows Server 2003 Administration tools for SP1” on Windows XP to get the control panel for Active Directory Users and Computers.

UPDATE: I forgot to add the link to the page where you can find all the necessary information as well as the “extend schema”-script. Here it is!
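
An added example, not from the original post or from Microsoft's tooling: a PowerShell audit that reports, for each computer under an OU, how many BitLocker recovery objects (msFVE-RecoveryInformation) have been backed up to Active Directory. It assumes the ActiveDirectory module is installed and that the account running it may read those objects; the OU path and the function name Get-BitLockerEscrowStatus are made up for illustration.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Constructed placeholder DN; replace with the OU that holds your computers.
    [string]$SearchBase = 'OU=Laptops,DC=example,DC=com'
)

Import-Module ActiveDirectory

# Hypothetical helper: one result row per computer object under $SearchBase.
function Get-BitLockerEscrowStatus {
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($computer in (Get-ADComputer -Filter * -SearchBase $SearchBase)) {
        # Recovery information is stored as child objects of the computer object.
        $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName `
                -SearchScope OneLevel `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -Properties whenCreated)

        # Report presence and age only; the recovery password attribute
        # (msFVE-RecoveryPassword) is deliberately never requested or printed.
        [pscustomobject]@{
            Computer     = $computer.Name
            EscrowedKeys = $recovery.Count
            NewestBackup = ($recovery |
                Sort-Object whenCreated -Descending |
                Select-Object -First 1).whenCreated
        }
    }
}

# Computers with EscrowedKeys = 0 sort first; those are the ones to follow up on.
Get-BitLockerEscrowStatus -SearchBase $SearchBase |
    Sort-Object EscrowedKeys, Computer |
    Format-Table -AutoSize
```

A computer that shows zero escrowed keys either is not encrypted or was encrypted before the backup policy applied to it, so its recovery key exists only where the user printed or saved it.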

The Vista DVD considered to be a security threat

The Windows Vista DVD is to be considered a security threat! By starting a computer from the Vista installation DVD and choosing to Repair the computer instead of installing Vista, the user gets a number of choices, among them a command line (cmd.exe). By starting the command line tool you will have full access to all files on the computer and might easily copy them to a removable device of your choice. This is a big difference from Windows XP, where you at least had to log in to the Recovery Console with an administrator account; in Vista you just get full access to all the user and system files on the computer, no questions asked.

I however live by the principle that if anyone has physical access to a computer it might be compromised anyway, but still it is good to know about this potential security hole. Laptop computers might contain sensitive data and can easily be accessed by anyone who gains access to them, if they should be stolen for example. The only way to my knowledge to protect from this “attack” is to use BitLocker (or possibly other encryption software). By using BitLocker the system partition is encrypted and you cannot access it using the method I describe above. If you install Service Pack 1 for Vista you will also be able to encrypt all partitions and disks on your computer, protecting your files and data further, not just the system partition. The BitLocker encryption function is only available with Windows Vista Enterprise and Ultimate Edition.