Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Hotfix Package 2 for BitLocker Administration and Monitoring 2.5


View products that this article applies to.


This article describes a hotfix package for Microsoft BitLocker Administration and Monitoring (MBAM) 2.5. Check out the details of the issue and the prerequisites of this hotfix.

Note We recommend that you test hotfixes before you deploy them in a production environment.

↑ Back to the top


Symptoms

The BitLocker Administration and Monitoring (MBAM) client does not apply a numeric recovery password to any of the BitLocker encrypted volumes when it is running on Windows 7 Service Pack 1 (SP1) in a Federal Information Processing Standard (FIPS)-enabled environment.

Note This problem occurs even when update 2990184 is installed. Update 2990184 for Windows 7 SP1 fixes the BitLocker numeric recovery password so that it is FIPS compliant.

↑ Back to the top


Cause

Before update 2990184 , the numeric password protector in Windows 7 SP1 was not FIPS compliant. This problem occurs because the MBAM 2.5 client assumes that the numeric password protector in Windows 7 SP1 is not FIPS compliant.

↑ Back to the top


Resolution

To resolve this problem, apply the hotfix package that is mentioned in this article. The hotfix package is provided for both the x86 (32-bit) and x64 (64-bit) architectures. Use the architecture that matches that of the client operating system. You can apply the hotfix package through one of the following methods.

Method 1: Follow the installation wizard

Double-click the hotfix, and then complete the installation wizard.

Method 2: Silently install the hotfix

At a command prompt, type the following command, and then press Enter:

MBAM2.5-Client-KB3015477.exe /acceptEula=Yes /quiet

Method 3: Extract and install the MSP 

At a command prompt, extract the MSP file by running the following command:

MBAM2.5-Client-KB3015477.exe /acceptEula=Yes /extract path_to_extract_MSP_file

Then, install the MSP file by running the following command:

msiexec /update path_to_the_extracted_MSP_file /quiet

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix package, you must have the following installed on Windows 7 SP1:
  • Microsoft BitLocker Administration and Monitoring 2.5 client
  • Update 990184

Restart information

You do not have to restart the computer after you apply this hotfix.

Replacement information

This hotfix package replaces update 2975636 .

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File nameFile versionFile sizeDateTimePlatform
MBAM2.5-Client-KB3015477.exe2.5.380.02,513,1202-Apr-201517:36:50x64
MBAM2.5-Client-KB3015477.exe2.5.380.02,450,6562-Apr-201517:14:09x86

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More Information

For more information about FIPS, see the following article in the Microsoft Knowledge Base:

811833  "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

For more information about support in Windows 7 SP1 for a FIPS-compliant numeric password protector, see the following article in the Microsoft Knowledge Base:

2990184 A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2

If the FIPS policy in Windows 7 SP1 is enabled after you apply this hotfix, the numeric recovery password protector that was applied to the volumes before this hotfix will not be FIPS compliant. After you enable FIPS, the non-FIPS-compliant recovery password protector will stay in effect. Disclosure of the single-use recovery password will cause the non-FIPS-compliant recovery password to be replaced by a FIPS-compliant recovery password.

To mark all keys as disclosed and cause clients to reset their recovery passwords to a FIPS compliant recovery password, you must update the MBAM Recovery and Hardware database.  We recommend that you back up your MBAM Recovery and Hardware database before you run any direct SQL statements. After you back up the database, you should run the following SQL UPDATE statement to mark all volume keys as disclosed:

/** Where ‘MBAM Recovery and Hardware’ is the name of the installed MBAM Recovery and Hardware database **/
UPDATE [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Keys]
SET Keys.Disclosed = 1

If the FIPS policy was already enabled, and if volumes in Windows 7 SP1 applied a DRA protector for recovery instead of the numeric password, a FIPS-compliant numeric recovery password will be added to the volumes and escrowed to the recovery database automatically you apply after this hotfix package.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: kbbug, kbsurveynew, kbexpertiseinter, kbautohotfix, kbhotfixserver, kbqfe, kb, kbfix

↑ Back to the top

Article Info
Article ID : 3015477
Revision : 1
Created on : 1/7/2017
Published on : 4/29/2015
Exists online : False
Views : 218