The Helpdesk portal is used by admins to assist users to unlock their drives when they have been locked due to changes to the BIOS or TPM.
The Helpdesk portal is https://mbam.oit.ncsu.edu/helpdesk
Users will log in with their .admin accounts. The Helpdesk portal will allow admins to view reports, recover drives, and manage TPM’s.
When viewing reports admins will have to login a second time because the reports are hosted on another server that they will need to be authenticated to.
The three reports admins will have access to are Enterprise Compliance Report, Computer Compliance Report, and Audit and Recovery.
Enterprise Compliance gives an overview of all machines that have ever talked to the MBAM servers.
The pie graph gives you a quick view of overall compliance. All machines are listed below and more detailed information can be viewed by clicking on a computer name.
If you want detailed information about a specific computer use the Computer Compliance report. Enter the name of the computer you want more information on.
In this example you can see the drives that are encrypted and how they are encryption.
Most users needing help, will need the Recovery Password because of changes to the BIOS. Recovery Passwords can be obtained from the Drive Recovery page.
There are four pieces of required information that will needed to be entered to retrieve the Recovery Password.
User Domain – This will always be wolftech.ad.ncsu.edu
User ID – the end users UnityID, a user can only recover a drive through the Self Service portal or have a admin retrieve a Recovery Password for them if the end user has previously logged into the computer having issues. This prevents users from gaining access to data they are not authorized to have.
Key ID – when there is a BitLocker event the end user is present with a BitLocker recovery screen.
The Key ID is the Password ID on the recovery screen. The helpdesk portal only needs the first 8 characters to recovery the drive
Reason for Drive Unlock – This is a drop down list. This information is what is put into the Recovery Audit Report. While the reason selected should be as accurate as possible, the listed reason will not change the recovery process.
If all of the information is input correctly the Drive Recovery Key will be displayed.
The 48 digit Key will need to be typed in by the end user. If the key is correct Windows will boot normally.
If the user or admin is able to verify that there were changes made to the BIOS and those changes are correct, the changes will need to be “committed” to BitLocker so the end user will not be present with the BitLocker recovery screen on next reboot.
This is done by going to the Control Panel -> System and Security -> BitLocker Drive Encryption
Under Operation system drive “Suspend protection”
Administrator credentials will be needed. Then “Resume protection”
A reboot is not necessary, but a reboot will confirm the changes were applied and the end user will not continue to have problems.
The last table Manage TPM is used when the TPM is locked out. A TPM Lockout can occur if an end user enters the incorrect PIN too many times. The number of times an incorrect Pin can be entered varies by TPM manufacturer.
Computer Domain – will always be wolftech.ad.ncsu.edu
Computer Name – the NETBIOS name of the computer
User Domain – will always be wolftech.ad.ncsu.edu
User ID – user unityID
Reason for request TPM Owner Password File – this is a drop down list, and while the selection should be as accurate as possible this information will be record in the Recovery Audit Report. The selection will not change the recovery process.
Save the TPM password file. If the end user is an administrator on their machine they can use the password reset password to reset the TPM. If they are not someone with administrative access to the machine will need to help.
To use the TPM reset password file go to the Control Panel -> System and Security -> BitLocker Drive Encryption. In the lower left hand corner look for TPM Administration.
In the right hand panel select Reset TPM Lockout
Select “I have the owner password file”
Browse to the location of the password reset file and click Reset TPM Lockout
Do not leave the password reset file on the end users computer and do not give the end user the reset password as this poses a security risk.