How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7

In part 6 here,we have created MBAM collection ,application for MBAM 2.5 SP1 agent and deployed to our Clients and did the bitlocker drive encryption for windows 8.1 Client.We have also retrieved the bitlocker recovery key using self service portal and reviewed the bitlocker compliance reports.

In this part 7 of MBAM 2.5 SP1 multi series guide,we will do the bitlocker drive encryption for windows 10 ,also see the new features(Configure pre-boot recovery message and URL) included for windows 10. To know more whats new in MBAM 2.5 SP1 ,refer TechNet document here

I have created a windows 10 RTM 10240 virtual machine ,installed SCCM 2012 R2 SP1 client ,waited for few min to let MBAM 2.5 SP1 agent deploy automatically .( The MBAM collection was created to get all workstations ,deployed MBAM agent to this collection,more info ,refer part 6 ).

Login to windows 10 client,verify MBAM agent installed or not either from C:\program files\Microsoft\MDOP MBAM or from software center or from SCCM 2012 monitoring console/Reports.



lets check the GPO if the policies applied or not. For this,Open registry key , HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

From below snippet,you can see that ,Configure pre-boot recovery message and URL’s configured via GPO are applied which is new in MBAM 2.5 SP1.




You can either wait for the GPO to start the MBAM agent or manually trigger MBAMclientUI.exe from C:\program files\Microsoft\MDOP MBAM


As I Discussed in my previous post here ,cannot bitlocker the drive using MBAM agent on virtual machines .To check,go to event viewer,Microsoft-Windows-MBAM/Admin ,check the error code.

An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\

Error code:

BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.


But in physical machines,it should work (atleast you will not see this error).So I go and do bitlocker manually .Go to control panel ,open Bitlocker drive encryption ,Turn on bitlocker

PowerShell commands to enable bitlocker

image    image       image      image

Restart the Computer


Enter the bitlocker password that you have set earlier ,login to the client using your domain password.


After you login,wait for while until the drive encryption is done.


After the completion of encryption , reboot the client .This time ,we don’t enter the password to login instead ,we use recovery key and see the


As you can see from below snippet,pre-boot recovery message and URL which are customized in our group policy ,can help to recover the bitlocker key from another client by entering the first 8-digit number into selfservice portal.


With this,we have completed the bitlocker drive encryption for windows 10 using MBAM 2.5 SP1.

In the next post part 8,we will see the troubleshooting steps ,how and where to start for any bitlocker encryption issues related to MBAM.

20 Responses to "How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7"

  1. Hello Eswar,

    Is windows 10 compatible with MBAM 2.0? We tried encrypting a windows 10 machine using MBAM 2.0 but it looks like the encryption happens but the recovery keys are not sent to the MBAM database. Any help would be appreciated. Thanks!

  2. Protect My Identity · Edit


    I have to say that you post really helped me wrap my head around MBAM 2.5 SP1.
    I have successfully deployed the product flawlessly into a test environment and production environment.
    Thanks for your efforts and time put into this post.

  3. Great outline of the steps Eswar,
    An important part for me was the fact that SCCM integration means no compliance web service created on the web server; therefore setting the group policy to disabled for the compliance URL. that helped.

    Does the client see any prompts if TPM is disabled in BIOS? I am rolling out to desktops that were not enabled before today.

    Best regards,

    1. welcome Jhon. Nope, client wont see any prompt if the tpm is disabled is bios and i believe you can suppress the prompts if at all any using gpo.

  4. Hello!

    Will there be a part 8? We upgraded our environment to MBAM 2.5 SP1. Trying to get Windows 10 clients to report back (so far, two Surface tablets) and having some issues.

    In computer compliance report, Computer details is blank, yet the computer volume is reporting the information. Local event log for MBAM operational log does show policies applied and key being escrowed.

    I know the drive in encrypted but we need the report to say that (compliance / compliant) to avoid any "legal" issues.

      1. Hello, I have followed your instruction over and over again and checked every detail but I still can't get pass "configure web applications". under web service application pool domain account: got error" The web service application pool account is not valid" and under "SQL Server reporting services URL" The SQL Server Reporting Services URL that points to the MBAM reports is not vaild.

        I don't know what to do for search online and add mbam_hd_apppool to "log in a batch account" still is not working.

        Hope to hear back from you.

  5. Hi sir,
    Will there be part 8 ? I'm having a problem with Windows 8.1 Pro Client with this error: A message containing a fault was received from the remote endpoint.
    By the way, great guide from you.
    Thanks !

      1. Hi Sir,
        I managed to solve the issue with some SQL Server error, but i having another problem with this error: "Failure to connect to the MBAM Compliance and Status service prevented the transfer of encryption status data (Warning - ID 43)".
        Also the Enterprise Compliance not show the Managed Computer (i'm not using SCCM) just AD and MBAM.
        Thanks in advance.


Leave a Reply