This article describes a hotfix package for Microsoft BitLocker Administration and Monitoring (MBAM) 2.5. Check out the details of the issue and the prerequisites of this hotfix.

Note We recommend that you test hotfixes before you deploy them in a production environment.

Symptoms

The BitLocker Administration and Monitoring (MBAM) client does not apply a numeric recovery password to any of the BitLocker encrypted volumes when it is running on Windows 7 Service Pack 1 (SP1) in a Federal Information Processing Standard (FIPS)-enabled environment.

Note This problem occurs even when update 2990184 is installed. Update 2990184 for Windows 7 SP1 fixes the BitLocker numeric recovery password so that it is FIPS compliant.

Cause

Before update 2990184, the numeric password protector in Windows 7 SP1 was not FIPS compliant. This problem occurs because the MBAM 2.5 client assumes that the numeric password protector in Windows 7 SP1 is not FIPS compliant.

Resolution

To resolve this problem, apply the hotfix package that is mentioned in this article. The hotfix package is provided for both the x86 (32-bit) and x64 (64-bit) architectures. Use the architecture that matches that of the client operating system. You can apply the hotfix package through one of the following methods.

Method 1: Follow the installation wizard

Double-click the hotfix, and then complete the installation wizard.

Method 2: Silently install the hotfix

At a command prompt, type the following command, and then press Enter:

MBAM2.5-Client-KB3015477.exe /acceptEula=Yes /quiet

Method 3: Extract and install the MSP

At a command prompt, extract the MSP file by running the following command:

MBAM2.5-Client-KB3015477.exe /acceptEula=Yes /extract path_to_extract_MSP_file

Then, install the MSP file by running the following command:

msiexec /update path_to_the_extracted_MSP_file /quiet

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix package, you must have the following installed on Windows 7 SP1:

  • Microsoft BitLocker Administration and Monitoring 2.5 client

  • Update 2990184
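
The following read-only PowerShell check is an added example, not part of the original Microsoft article. It reports whether the FIPS policy is enabled, whether update 2990184 is present, and which BitLocker-protected volumes have no numeric recovery password protector (the symptom described above). The function names are illustrative, and it assumes an elevated PowerShell 2.0 or later session on the client.

```powershell
# Added example: read-only check; function names are illustrative assumptions.
# Run from an elevated PowerShell prompt on the Windows 7 SP1 client.

function Test-FipsPolicyEnabled {
    # Registry value behind the "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" security setting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $p = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.Enabled -eq 1)
}

function Test-UpdateInstalled([string]$KbId) {
    # Filter instead of -Id so a missing update returns $false, not an error.
    $hits = @(Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.HotFixID -eq $KbId })
    return ($hits.Count -gt 0)
}

function Get-NumericPasswordReport {
    # Win32_EncryptableVolume is language independent, unlike manage-bde output.
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        # KeyProtectorType 3 = numerical password
        $r   = $_.GetKeyProtectors(3)
        $ids = @($r.VolumeKeyProtectorID | Where-Object { $_ })
        New-Object PSObject -Property @{
            Drive                = $_.DriveLetter
            ProtectionOn         = ($_.ProtectionStatus -eq 1)
            NumericPasswordCount = $ids.Count
        }
    }
}

$fips   = Test-FipsPolicyEnabled
$kb     = Test-UpdateInstalled 'KB2990184'
$report = @(Get-NumericPasswordReport)

"FIPS policy enabled : $fips"
"KB2990184 installed : $kb"
$report | Format-Table Drive, ProtectionOn, NumericPasswordCount -AutoSize

# Volumes matching the symptom: protected, FIPS on, no numeric recovery password.
$affected = @($report | Where-Object { $_.ProtectionOn -and $_.NumericPasswordCount -eq 0 })
if ($fips -and $affected.Count -gt 0) {
    "Volumes without a numeric recovery password: " +
        (($affected | ForEach-Object { $_.Drive }) -join ', ')
}
```

Running the same check after the hotfix is applied and the MBAM client has next enforced its policy shows whether a numeric recovery password was added to each volume.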


Restart information

You do not have to restart the computer after you apply this hotfix.

Replacement information

This hotfix package replaces update 2975636.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| MBAM2.5-Client-KB3015477.exe | 2.5.380.0 | 2,513,120 | 2-Apr-2015 | 17:36:50 | x64 |
| MBAM2.5-Client-KB3015477.exe | 2.5.380.0 | 2,450,656 | 2-Apr-2015 | 17:14:09 | x86 |


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about FIPS, see the following article in the Microsoft Knowledge Base:

811833 "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows

For more information about support in Windows 7 SP1 for a FIPS-compliant numeric password protector, see the following article in the Microsoft Knowledge Base:

2990184 A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2

If the FIPS policy in Windows 7 SP1 is enabled after you apply this hotfix, the numeric recovery password protector that was applied to the volumes before this hotfix will not be FIPS compliant. After you enable FIPS, the non-FIPS-compliant recovery password protector will stay in effect. Disclosure of the single-use recovery password will cause the non-FIPS-compliant recovery password to be replaced by a FIPS-compliant recovery password.

To mark all keys as disclosed and cause clients to reset their recovery passwords to a FIPS compliant recovery password, you must update the MBAM Recovery and Hardware database.  We recommend that you back up your MBAM Recovery and Hardware database before you run any direct SQL statements. After you back up the database, you should run the following SQL UPDATE statement to mark all volume keys as disclosed:

/** Where ‘MBAM Recovery and Hardware’ is the name of the installed MBAM Recovery and Hardware database **/
UPDATE [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Keys]
SET Keys.Disclosed = 1


If the FIPS policy was already enabled, and if volumes in Windows 7 SP1 applied a DRA protector for recovery instead of the numeric password, a FIPS-compliant numeric recovery password will be added to the volumes and escrowed to the recovery database automatically after you apply this hotfix package.

References

Learn about the terminology that Microsoft uses to describe software updates.
