Hi, we are in the process of setting up BitLocker using Intune.
The keys are being saved to AAD and replicated to AD.
RCTs show the keys via “AD Bitlocker Recovery Keys”.
We haven’t set up MBAM, as it was end of life in 2019. As we don’t have MBAM, the “MBAM Bitlocker Recovery Keys” RCT option doesn’t work, as expected, but we thought the dashboard would; however, we aren’t getting any results for “Search by AD OU”. All computers are just listed as “computers without stored keys”.
We get errors about “Cannot open Database "MBAM Compliance Status" requested by the login. The login failed…”, which we attributed to the fact that we don’t have MBAM and so don’t have an MBAM database.
Is there any way to get the dashboard to work via AD rather than MBAM, or is MBAM a requirement for the dashboard? Also, as MBAM ended mainstream support in 2019, are there plans to update it to use AD instead?
Thank you for contacting the Recast Support Team. I would be happy to assist with this issue. This document should help to delegate access to BitLocker Recovery Keys in AD: Delegate Access to BitLocker Recovery Key | Recast Docs (recastsoftware.com)
Technical Support Engineer
Hi, thank you for the response. Can you clarify this, please? Users of the MECM console can already access the recovery keys in AD; it is the dashboard that has the issue. What are the dashboard requirements? Are you saying we need to grant access to a service account or something for the dashboard? That page doesn’t mention any service accounts or the dashboard.
Based on the errors I’m seeing, I don’t think this is going to work. As we don’t have MBAM, and so don’t have an MBAM database, I removed the name of our MECM server from the Recast (RMS) settings under MBAM SqlServer, and the dashboard now shows these messages:
- Sql Server and MBAM Compliance Status Database must be set to use this action.
- Sql Server and MBAM Recovery and Hardware Database must be set to use this action.
From this, it suggests this dashboard is actually the “MBAM Bitlocker Compliance Tool” and uses the MBAM Recast settings, so it isn’t going to work with AD without configuring MBAM.
As we don’t use MBAM, I would think our RMS settings for MBAM aren’t required; they are currently set to:
- MBAMAdministrationURL - blank
- MBAMComplianceStatusDatabase - “MBAM Compliance Status”
- MBAMRecoveryAndHardware Database - “MBAM Recovery and Hardware”
- MBAM - SqlServer - blank