How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7

In part 6 here,we have created MBAM collection ,application for MBAM 2.5 SP1 agent and deployed to our Clients and did the bitlocker drive encryption for windows 8.1 Client.We have also retrieved the bitlocker recovery key using self service portal and reviewed the bitlocker compliance reports.

In this part 7 of MBAM 2.5 SP1 multi series guide,we will do the bitlocker drive encryption for windows 10 ,also see the new features(Configure pre-boot recovery message and URL) included for windows 10. To know more whats new in MBAM 2.5 SP1 ,refer TechNet document here

I have created a windows 10 RTM 10240 virtual machine ,installed SCCM 2012 R2 SP1 client ,waited for few min to let MBAM 2.5 SP1 agent deploy automatically .( The MBAM collection was created to get all workstations ,deployed MBAM agent to this collection,more info ,refer part 6 ).

Login to windows 10 client,verify MBAM agent installed or not either from C:\program files\Microsoft\MDOP MBAM or from software center or from SCCM 2012 monitoring console/Reports.

image

image

lets check the GPO if the policies applied or not. For this,Open registry key , HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

From below snippet,you can see that ,Configure pre-boot recovery message and URL’s configured via GPO are applied which is new in MBAM 2.5 SP1.

image

 

image

You can either wait for the GPO to start the MBAM agent or manually trigger MBAMclientUI.exe from C:\program files\Microsoft\MDOP MBAM

image

As I Discussed in my previous post here ,cannot bitlocker the drive using MBAM agent on virtual machines .To check,go to event viewer,Microsoft-Windows-MBAM/Admin ,check the error code.

An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\

Error code:
-2144272219

Details:
BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.

image

But in physical machines,it should work (atleast you will not see this error).So I go and do bitlocker manually .Go to control panel ,open Bitlocker drive encryption ,Turn on bitlocker

PowerShell commands to enable bitlocker https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx

image    image       image      image

Restart the Computer

image

Enter the bitlocker password that you have set earlier ,login to the client using your domain password.

image

After you login,wait for while until the drive encryption is done.

image

After the completion of encryption , reboot the client .This time ,we don’t enter the password to login instead ,we use recovery key and see the

image

As you can see from below snippet,pre-boot recovery message and URL which are customized in our group policy ,can help to recover the bitlocker key from another client by entering the first 8-digit number into selfservice portal.

image

With this,we have completed the bitlocker drive encryption for windows 10 using MBAM 2.5 SP1.

In the next post part 8,we will see the troubleshooting steps ,how and where to start for any bitlocker encryption issues related to MBAM.

35 Responses to "How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7"

  1. Hi Eswar,

    I have another question. When going from bitlocker to mbam is there a recommended process? I read decrypt then encrypt which will take took long. I also saw deploy the MBAM gpo to the already encrypted clients but the MBAMUI doesn't launch. Do you have a write up on this process?

    Reply
  2. Hi Eshwar . Thanks. I followed up the same steps. But I get Used Space only encryption. We are seeing that the Invoke MBAM Powershell script fails during the task sequence. So we have the following in TS:
    1. Convert BIOS to UEFI
    2. Set Registry value for XTS_AES256
    3. Pre-provision Bitlocker
    4. Apply OS
    5. Persist TPM Owner with the script SaveWinPETpmOwnerAuth.wsf
    6. Apply Drivers/Apps
    7. Install MBAM with Dec 2016 Patches
    8. Invoke MBAM Script - Invoke-MbamClientDeployment.ps1

    When i run the manage-bde -Status C: - I get the following
    BitLocker Version : 2.0
    Conversion Status: Used Space only Encrypted
    Encryption Method: XTS-AES 256
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: Unknown

    Reply
  3. Great walk through overall! I am just refining the solution a little and it occurred to me that MBAM reports are available in 2 places in my installation

    1 - MBAM DB server using its locally installed SSRS instance with MBAM 'Reports' installed

    and

    2 - SCCM Primary Site server that has SSRS installed and has MBAM 'SCCM Integration' installed

    Can i remove the Reports from the MBAM DB server and drop the "Audit and Compliance" Database? Isn't SCCM agent handling all of the compliance data anyways? Leaving MBAD DB essentially just for Key recovery?

    Thanks again!

    Reply
    1. No,you cannot ,as they are for 2 different purpose. When you integrate MBAM with SCCM ,it create few collections,Configuration Items and reports. These reports are basic and just give you if clients are bitlockered or not but if you look at the reports that are created in MBAM are completely different . SCCM reports are generated against SCCM database but MBAM reports are completely from MBAM audit and compliance with bitlocker retrieval keys etc.

      Regards,
      Eswar

      Reply
  4. Great series!! One question, I'll be deploying BitLocker to approx 1800 devices and approx 300 or so had BitLocker turned on when imaged, manually. I'll be setting up MBAM as it is not in our environment yet. In the past at other companies I've done this and these type devices with BitLocker manually turned on we had to decrypt then encrypt using MBAM policies. Is that not the case now with 2.5 SP1? for recovery purposes and management, etc? I am hoping we will not have to do this. all devices are Win7

    Reply
    1. with my experience, when you install MBAM client on already bitlockered devices ,it wont try to de crypt for MBAM to encrypt again for sending the bitlocker keys to MBAM database . without doing de -crypt,MBAM will simply collect the bitlocker recovery key and other information ,forwarded it to MBAM server. http://windowsitpro.com/security/q-if-i-deploy-microsoft-bitlocker-administration-and-monitoring-client-machine-already-encr

      Regards,
      Eswar

      Reply
  5. Hi - Followed all the parts (1-7) and successfully deployed MBAM 2.5 SP1. Thanks for sharing such a detailed instruction. Look forward to more documents on other subjects in the future.

    Reply
  6. Eswar
    On a semi related note, I have been trying to find a solution to decrypt Bitlocker enabled drives. I have been researching and trying "manage-bde -off c:" within a SCCM Package and program but it keeps failing. I have also tried "C:\Windows\System32\wbem\win32_encryptablevolume.mof" but am having no luck. First I did get the error in this link https://support.microsoft.com/en-us/kb/2756402
    so I added the mofcomp.exe. I think the SCCM package is also failing to compile the mof. The only error in the execmgr.log is mofcomp.exe win32_encryptablevolume.mof failed with exit code 1 and Program: Decrypt Drive failed with exit code 1. Any Ideas?

    Reply
  7. Hello Eswar,

    Is windows 10 compatible with MBAM 2.0? We tried encrypting a windows 10 machine using MBAM 2.0 but it looks like the encryption happens but the recovery keys are not sent to the MBAM database. Any help would be appreciated. Thanks!

    Reply
  8. Protect My Identity · Edit

    Eswar,

    I have to say that you post really helped me wrap my head around MBAM 2.5 SP1.
    I have successfully deployed the product flawlessly into a test environment and production environment.
    Thanks for your efforts and time put into this post.

    Reply
  9. Great outline of the steps Eswar,
    An important part for me was the fact that SCCM integration means no compliance web service created on the web server; therefore setting the group policy to disabled for the compliance URL. that helped.

    Does the client see any prompts if TPM is disabled in BIOS? I am rolling out to desktops that were not enabled before today.

    Best regards,
    John

    Reply
    1. welcome Jhon. Nope, client wont see any prompt if the tpm is disabled is bios and i believe you can suppress the prompts if at all any using gpo.

      Reply
  10. Hello!

    Will there be a part 8? We upgraded our environment to MBAM 2.5 SP1. Trying to get Windows 10 clients to report back (so far, two Surface tablets) and having some issues.

    In computer compliance report, Computer details is blank, yet the computer volume is reporting the information. Local event log for MBAM operational log does show policies applied and key being escrowed.

    I know the drive in encrypted but we need the report to say that (compliance / compliant) to avoid any "legal" issues.

    Reply
      1. Hello, I have followed your instruction over and over again and checked every detail but I still can't get pass "configure web applications". under web service application pool domain account: got error" The web service application pool account is not valid" and under "SQL Server reporting services URL" The SQL Server Reporting Services URL that points to the MBAM reports is not vaild.

        I don't know what to do for search online and add mbam_hd_apppool to "log in a batch account" still is not working.

        Hope to hear back from you.

        Reply
          1. Hello, I have the exact same error and have been SCOURING the internet for a while now and nothing works.

            The web service application pool account is not valid" and under "SQL Server reporting services URL" The SQL Server Reporting Services URL that points to the MBAM reports is not vaild.

            I can browse to the URL fine, I just can't install the web applications part, it's literally the LAST PART of the installation I can't figure out.

            If anyone has any ideas I'd be happy to hear it, I may have to contact MS about it.

            Reply
            1. Hello,
              I've the same error of "The web service application pool account is not valid" I've done all but got stuck at Configure Web Applications.

          2. Hello,
            I've the same error of "The web service application pool account is not valid" I've done all but got stuck at Configure Web Applications.

            Reply
  11. Hi sir,
    Will there be part 8 ? I'm having a problem with Windows 8.1 Pro Client with this error: A message containing a fault was received from the remote endpoint.
    By the way, great guide from you.
    Thanks !

    Reply
      1. Hi Sir,
        I managed to solve the issue with some SQL Server error, but i having another problem with this error: "Failure to connect to the MBAM Compliance and Status service prevented the transfer of encryption status data (Warning - ID 43)".
        Also the Enterprise Compliance not show the Managed Computer (i'm not using SCCM) just AD and MBAM.
        Thanks in advance.

        Reply
          1. Hi,

            All last messages concern user right of MBAM_HD_AppPool in SQL on the 2 Database for Compliance and Hardware. I had the same problem like Jimmy and Phat. I added Sysadmin Role on MBAM_HD_AppPool and all is working. I will try to find restrictive rights for MBAM_HD_AppPool in SQL because Sysadmin Role is too much!!

            Hope this help!

            Reply

Post Comment