Windows Components/BitLocker Drive Encryption/Operating System Drives Currently I have the following group policy settings and corresponding registry entries:Ĭomputer Configuration > Policies > Administrative Templates > I am working with Windows 7 64-bit computers exclusively. PIN group and one for the non-PIN group? That adds a good deal of overhead that I'm hoping to avoid. Must I have two separate Group Policies with differing target groups of computers? one for the The PIN is no longer necessaryĪnd has been removed." How to I prevent the MBAM client from doing this? I don't want to disable the client as reporting and other management functions would be lost. I even get a GUI message from the MBAM client that says "the encryption policy of your computer has changed. Shortly after enabling the MBAM client service the TPM and PIN key is replaced. MBAM client preserves the TPM and PIN key. The problem is that when I get logged into Windows, the MBAM client removes the TPM and PIN key and replaces it with the TPM only one. When I reboot, the computer asks for the PIN at startup and it works.
I see the TPM and PIN key placed in the protectors list and I'veīeen able to successfully enable the "Allow startup PIN with TPM" which allows me to run the manage-bde –protectors –add %systemdrive% -tpmandpin command successfully. The standard/original Bitlocker policies allow you to set values of "Allow startup PIN with TPM" but this is not an option in the MDOP/MBAM policies - it is either "TPM Only" or "TPM+PIN." But I do not want to force PIN for all, just allow it for some. I am trying to use one policy to use TPM only by default, but allow the use of a PIN for a subset of computers.
0 kommentar(er)
