Planning Hardware Management for MBAM

Applies To: Microsoft BitLocker Administration and Monitoring

The Microsoft BitLocker Administration and Monitoring (MBAM) Hardware Compatibility feature can be used to ensure that only the computer hardware that you specify as supporting BitLocker will be encrypted. When this feature is turned on, Microsoft BitLocker Administration and Monitoring will only encrypt computers that are marked as compatible.

Important

When this feature is turned off, all computers where the MBAM policy is deployed will be encrypted.

The Hardware Compatibility feature is best used when your organization has older computer hardware or computers that do not support Trusted Platform Module (TPM) chips. If this is the case, you can use the Hardware Compatibility feature to ensure that BitLocker encryption is only applied to computer models that support it. If all computers in your organization will support BitLocker, you do not have to use the Hardware Compatibility feature.

The Hardware Compatibility feature works in the following way.

  1. The MBAM client agent discovers basic computer information such as manufacturer, model, BIOS maker, BIOS version, Trusted Platform Module (TPM) maker, and TPM version, and then passes this to the MBAM server.

  2. The MBAM server generates a list of client computer makes and models to enable you to differentiate between those that can and cannot support BitLocker.

  3. This list is automatically updated by the MBAM client agents deployed in the enterprise: every new computer make and model is added with a state of Unknown. An administrator can then use the MBAM Administration console website to change list entries to specify a particular computer make and model as Compatible or Incompatible.

  4. Before the MBAM client agent begins encrypting, the agent first verifies the BitLocker encryption compatibility of the hardware it is running on:

    • If the hardware is marked as compatible, the BitLocker encryption process starts. MBAM will also re-check the hardware compatibility status of the computer one time per day.

    • If the hardware is marked as incompatible, the agent will log an event and pass a ‘hardware exempted’ state as part of compliance reporting. The agent will check every 7 days to see whether the state has changed to compatible.

    • If the hardware is marked as unknown, the BitLocker encryption process will not begin. The MBAM client agent will re-check the hardware compatibility status of the computer one time per day.
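The decision flow in steps 1 to 4 above, modelled as an added example in Python. This is not MBAM code: the class and function names, the "Pending" label used for unknown hardware and the sample hardware profile are all constructed for illustration; only the three states, the 'hardware exempted' compliance state and the 1-day / 7-day re-check intervals come from the description above.

```python
"""Model of the MBAM Hardware Compatibility decision flow (constructed illustration)."""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional

COMPATIBLE, INCOMPATIBLE, UNKNOWN = "Compatible", "Incompatible", "Unknown"


@dataclass(frozen=True)
class HardwareProfile:
    """Step 1: the basic computer information the client agent discovers."""
    manufacturer: str
    model: str
    bios_maker: str
    bios_version: str
    tpm_maker: str
    tpm_version: str


@dataclass
class CompatibilityList:
    """Steps 2 and 3: server-side list keyed by make and model (name is an assumption)."""
    entries: dict = field(default_factory=dict)

    def register(self, hw: HardwareProfile) -> str:
        # A make/model seen for the first time is added with the state Unknown.
        return self.entries.setdefault((hw.manufacturer, hw.model), UNKNOWN)

    def set_state(self, manufacturer: str, model: str, state: str) -> None:
        # The administrator marks an entry Compatible or Incompatible in the console.
        if state not in (COMPATIBLE, INCOMPATIBLE, UNKNOWN):
            raise ValueError(f"unknown compatibility state: {state}")
        self.entries[(manufacturer, model)] = state


@dataclass
class Decision:
    start_encryption: bool
    compliance_state: str
    recheck_after: Optional[timedelta]  # None when the feature is turned off


def agent_check(hw: HardwareProfile, server: CompatibilityList, feature_enabled: bool = True) -> Decision:
    """Step 4: the check the client agent performs before encrypting."""
    if not feature_enabled:
        return Decision(True, "Encrypting", None)  # feature off: every policed computer is encrypted
    state = server.register(hw)
    if state == COMPATIBLE:
        return Decision(True, "Encrypting", timedelta(days=1))  # re-check once per day
    if state == INCOMPATIBLE:
        return Decision(False, "Hardware exempted", timedelta(days=7))  # logged, re-check every 7 days
    return Decision(False, "Pending (hardware unknown)", timedelta(days=1))  # wait for an admin decision
```

Running the check once with an empty list shows the Unknown path (no encryption, entry auto-added), and flipping the entry to Incompatible shows the exempted path with its 7-day interval.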

Warning

If the MBAM client agent attempts to encrypt a computer that does not support BitLocker drive encryption, there is a possibility that the computer will be corrupted. Because of this, you should ensure that the Hardware Compatibility feature is correctly configured when your organization has older hardware that does not support BitLocker.

See Also

Other Resources

Planning for MBAM