Can someone click the Postpone button in MBAM forever?
When a user clicks the Postpone button instead of the Encrypt button, can they just keep clicking that and they'll never have to Bitlock their drive? Or will it at some point encrypt the drive? And if there is a time limit, is it configurable?
thanks
October 31st, 2011 7:55pm
In MBAM when user clicks the Postpone button, we do not prompt for encryption again until we hit the next client wake up frequency which is 90 minutes by default.
Now if you do not wait for 90 minutes, then you will have to modify these keys in registry.
On Windows 7 client open registry
HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
2. There is a random delay of up to 90 minutes when MBAM service starts on windows 7 client.
If you don’t want random delay, then create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
Restart the MBAM Client Service and then client will talk to server in 1 minute.
Now since the user clicked Postpone encryption, you can remove one reg key
Delete: HKCU\Software\Microsoft\MBAM
Restart the MBAM client service.
I hope this helps.Manoj Sehgal
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2011 9:58am
Yes thanks I have been playing with those settings on one of my test clients.
But will MBAM allow someone to click the Postpone Encryption button forever, there by never forcing the encryption?
November 1st, 2011 11:42am
Yes, this is possible.
User can click postpone button N number of times and never start encryption on his machine.
For this Admins has to view the MBAM reports and you will see this machine as non-compliant and then tell the user to complete the encryption once.
Manoj Sehgal
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2011 2:25pm
thats what I figured :)
thanks!
November 1st, 2011 2:26pm
If this answer your question, then can you mark this thread as closed.
ThanksManoj Sehgal
Free Windows Admin Tool Kit Click here and download it now
November 1st, 2011 2:30pm
When will the hotfix for this bug be available?
January 13th, 2012 7:38am
Is there any way you can tell in the MBAM reports the reason the machine is not compliant _ for example, tpm disabled, postpone button , manual decryption? I don't see it anywhere, but that would be good information!Dee Ramon
Free Windows Admin Tool Kit Click here and download it now
May 3rd, 2012 7:13pm
Duh - i had to wait for the reporting to refresh, yes it does list the status as postponed in the console. Sorry for the dumb questionDee Ramon
May 4th, 2012 1:36pm