    How to Install MBAM 2.5 SP1 and integrate with SCCM Configmgr 2012 R2 SP1 – Part 7

    By Eswar Koneti, September 21, 6:11 pm. 3 min read. Category: Active Directory. 10,487 views

    In part 6 here, we created the MBAM collection and the application for the MBAM 2.5 SP1 agent, deployed it to our clients, and did BitLocker drive encryption on a Windows 8.1 client. We also retrieved the BitLocker recovery key using the self-service portal and reviewed the BitLocker compliance reports.

    In this part 7 of the MBAM 2.5 SP1 multi-part guide, we will do BitLocker drive encryption for Windows 10 and also look at the new feature included for Windows 10 (Configure pre-boot recovery message and URL). To know more about what is new in MBAM 2.5 SP1, refer to the TechNet document here.

    I have created a Windows 10 RTM (build 10240) virtual machine, installed the SCCM 2012 R2 SP1 client, and waited a few minutes for the MBAM 2.5 SP1 agent to deploy automatically. (The MBAM collection was created to get all workstations and the MBAM agent was deployed to this collection; for more info, refer to part 6.)

    Log in to the Windows 10 client and verify whether the MBAM agent is installed, either from C:\program files\Microsoft\MDOP MBAM, from Software Center, or from the SCCM 2012 monitoring console/reports.


    Let's check whether the GPO policies are applied. For this, open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.

    From the snippet below, you can see that the Configure pre-boot recovery message and URL settings configured via GPO are applied; this setting is new in MBAM 2.5 SP1.


    You can either wait for the GPO to start the MBAM agent or manually trigger MBAMclientUI.exe from C:\program files\Microsoft\MDOP MBAM.


    As I discussed in my previous post here, you cannot BitLocker the drive using the MBAM agent on virtual machines. To check, go to Event Viewer, Microsoft-Windows-MBAM/Admin, and check the error code:

    An error occurred while applying MBAM policies.
    Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\

    Error code:
    -2144272219

    Details:
    BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.
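    The three checks above (agent present, FVE policy applied, errors in the MBAM/Admin log) as one script, an added example that is not from the original post; the service name MBAMAgent and the hex mapping of the event's error code are my assumptions, and the script expects an elevated PowerShell session.

```powershell
# Added example (not from the original post): verify the MBAM 2.5 SP1 client state on a
# Windows 10 machine the way the post does by hand.
# Assumptions: the 'MBAMAgent' service name and the decimal-to-HRESULT mapping are mine.

$agentDir = 'C:\Program Files\Microsoft\MDOP MBAM'
$fveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbamLog  = 'Microsoft-Windows-MBAM/Admin'

# 1. Is the MBAM agent installed and its service running?
$exe = Join-Path $agentDir 'MBAMclientUI.exe'
if (Test-Path $exe) { Write-Host "MBAM agent present: $exe" }
else { Write-Warning "MBAM agent not found under $agentDir (check Software Center / ConfigMgr deployment status)" }
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue   # service name assumed
if ($svc) { Write-Host "MBAMAgent service status: $($svc.Status)" }
else { Write-Warning 'MBAMAgent service not registered' }

# 2. Did the BitLocker/MBAM group policy apply? Dump the FVE policy values and flag the
#    pre-boot recovery entries that are new in MBAM 2.5 SP1 (value names are matched on
#    'Recovery' rather than hard-coded, since the post only shows them in a screenshot).
if (Test-Path $fveKey) {
    (Get-ItemProperty -Path $fveKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $flag = if ($_.Name -match 'Recovery') { '  <-- pre-boot recovery message/URL policy' } else { '' }
            '{0,-32} {1}{2}' -f $_.Name, $_.Value, $flag
        }
} else {
    Write-Warning "$fveKey missing: GPO not applied yet (try gpupdate /force and wait for the agent cycle)"
}

# 3. Any MBAM policy errors? Level 2 = Error. The event carries the HRESULT as a signed
#    decimal; converting it to hex makes it searchable (-2144272219 -> 0x803100A5, the
#    "Used Space Only encryption on thin provisioned storage" case from the post).
$events = Get-WinEvent -FilterHashtable @{ LogName = $mbamLog; Level = 2 } -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $hex = if ($e.Message -match 'Error code:\s*(-?\d+)') { '0x{0:X8}' -f [int]$Matches[1] } else { 'n/a' }
    '{0:u}  EventId={1}  HRESULT={2}' -f $e.TimeCreated, $e.Id, $hex
    if ($hex -eq '0x803100A5') {
        Write-Host '  -> thin-provisioned (virtual) disk: the agent cannot apply Full encryption here; use Used Space Only or test on physical hardware'
    }
}
```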


    But on physical machines it should work (at least you will not see this error). So I went and enabled BitLocker manually: go to Control Panel, open BitLocker Drive Encryption, and click Turn on BitLocker.

    PowerShell commands to enable BitLocker: https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx


    Restart the computer.


    Enter the BitLocker password that you set earlier, then log in to the client using your domain password.


    After you log in, wait a while until the drive encryption is done.


    After the completion of encryption, reboot the client. This time, we don't enter the password to log in; instead, we use the recovery key and see the


    As you can see from the snippet below, the pre-boot recovery message and URL that we customized in our group policy help the user recover the BitLocker key from another client by entering the first 8-digit number into the self-service portal.
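    An added PowerShell equivalent of the manual steps above (not the author's own commands; it uses the Enable-BitLocker cmdlets the TechNet link documents): it picks Used Space Only on a virtual disk so the thin-provisioned error from the event log does not apply, adds a recovery password (the protector MBAM escrows), and prints the 8-character key ID prefix that the self-service portal asks for. It assumes a TPM is present and owned, and the virtual-machine check via the Win32_ComputerSystem model name is a heuristic of mine.

```powershell
# Added example (not from the original post): enable BitLocker on the Windows 10 OS drive
# from PowerShell instead of Control Panel. Run elevated.
# Assumptions: TPM present and owned; VM detection by model name is a heuristic.

$drive = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $drive
$isVm  = (Get-CimInstance Win32_ComputerSystem).Model -match 'Virtual'

if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$drive already protected (status: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
} else {
    # MBAM policy enforces Full encryption; thin-provisioned (virtual) storage only allows
    # Used Space Only, which is the -2144272219 error the post shows. Choose it on VMs.
    $params = @{ MountPoint = $drive; TpmProtector = $true; SkipHardwareTest = $true }
    if ($isVm) { $params.UsedSpaceOnly = $true }
    Enable-BitLocker @params
    # Numerical recovery password: this is what MBAM escrows and the self-service
    # portal hands back to the user.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $drive
}

# The pre-boot recovery screen shows the key ID; the user types its first 8 characters
# into the self-service portal. List them so a helpdesk can cross-check the request.
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        $id = $_.KeyProtectorId.Trim('{}')
        '{0,-40} portal lookup ID: {1}' -f $_.KeyProtectorId, $id.Substring(0, 8).ToUpper()
    }

# Encryption runs in the background; poll until it finishes before rebooting.
while ((Get-BitLockerVolume -MountPoint $drive).VolumeStatus -eq 'EncryptionInProgress') {
    Start-Sleep -Seconds 30
    Write-Host ('{0}% encrypted' -f (Get-BitLockerVolume -MountPoint $drive).EncryptionPercentage)
}
```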


    With this, we have completed BitLocker drive encryption for Windows 10 using MBAM 2.5 SP1.

    In the next post, part 8, we will see the troubleshooting steps: how and where to start for any BitLocker encryption issues related to MBAM.


    35 Comments

    1. rah muhammad on February 28, 2018 10:17 PM

      Hi Eswar,

      I have another question. When going from BitLocker to MBAM, is there a recommended process? I read decrypt then encrypt, which will take too long. I also saw deploy the MBAM GPO to the already encrypted clients, but the MBAMUI doesn't launch. Do you have a write-up on this process?

      • rah muhammad on February 28, 2018 10:19 PM

        I meant to say decrypt, then deploy MBAM for encryption.

    2. ramg1967 on January 14, 2018 8:24 PM

      Hi Pierrick - I too had the same issue with those 2 DBs. I did the same (gave sysadmin permission) and everything went well with the Web application feature install.

      Ram

    3. Vinod Kumar on September 16, 2017 12:36 AM

      Hi Eshwar. Thanks. I followed the same steps, but I get Used Space Only encryption. We are seeing that the Invoke MBAM PowerShell script fails during the task sequence. So we have the following in the TS:
      1. Convert BIOS to UEFI
      2. Set Registry value for XTS_AES256
      3. Pre-provision Bitlocker
      4. Apply OS
      5. Persist TPM Owner with the script SaveWinPETpmOwnerAuth.wsf
      6. Apply Drivers/Apps
      7. Install MBAM with Dec 2016 Patches
      8. Invoke MBAM Script - Invoke-MbamClientDeployment.ps1

      When I run manage-bde -status C:, I get the following:
      BitLocker Version : 2.0
      Conversion Status: Used Space only Encrypted
      Encryption Method: XTS-AES 256
      Protection Status: Protection Off
      Lock Status: Unlocked
      Identification Field: Unknown

    4. Jabez Wray on April 25, 2017 2:19 AM

      Great walkthrough overall! I am just refining the solution a little, and it occurred to me that MBAM reports are available in 2 places in my installation:

      1 - MBAM DB server using its locally installed SSRS instance with MBAM 'Reports' installed

      and

      2 - SCCM Primary Site server that has SSRS installed and has MBAM 'SCCM Integration' installed

      Can I remove the Reports from the MBAM DB server and drop the "Audit and Compliance" database? Isn't the SCCM agent handling all of the compliance data anyway? Leaving the MBAM DB essentially just for key recovery?

      Thanks again!

      • Eswar Koneti on May 9, 2017 10:04 PM

        No, you cannot, as they are for 2 different purposes. When you integrate MBAM with SCCM, it creates a few collections, Configuration Items and reports. These reports are basic and just tell you whether clients are BitLockered or not, but if you look at the reports that are created in MBAM, they are completely different. SCCM reports are generated against the SCCM database, but MBAM reports come completely from MBAM audit and compliance, with BitLocker retrieval keys etc.

        Regards,
        Eswar

    5. ITguy88 on March 11, 2017 3:14 AM

      Great series!! One question: I'll be deploying BitLocker to approx. 1800 devices, and approx. 300 or so had BitLocker turned on manually when imaged. I'll be setting up MBAM as it is not in our environment yet. In the past at other companies I've done this, and for these types of devices with BitLocker manually turned on we had to decrypt and then encrypt using MBAM policies. Is that not the case now with 2.5 SP1, for recovery purposes and management, etc.? I am hoping we will not have to do this. All devices are Win7.

      • Eswar Koneti on March 11, 2017 3:18 PM

        In my experience, when you install the MBAM client on already BitLockered devices, it won't try to decrypt so that MBAM can encrypt again in order to send the BitLocker keys to the MBAM database. Without decrypting, MBAM will simply collect the BitLocker recovery key and other information and forward it to the MBAM server. http://windowsitpro.com/security/q-if-i-deploy-microsoft-bitlocker-administration-and-monitoring-client-machine-already-encr

        Regards,
        Eswar

    6. Ram on February 28, 2017 2:32 AM

      Hi - Followed all the parts (1-7) and successfully deployed MBAM 2.5 SP1. Thanks for sharing such detailed instructions. Looking forward to more documents on other subjects in the future.

      • Eswar Koneti on February 28, 2017 10:52 AM

        Thanks, and sure, more posts will be added in the near future on MBAM.

        Regards,
        Eswar

    7. Joseph Hoang on September 19, 2016 9:29 PM

      Hello Eswar,

      Do you know if MBAM 2.5 SP1 is compatible with Windows 10 Professional clients?

      Thanks,
      Joseph

      • admin on September 20, 2016 8:57 AM

        As per the TechNet article https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/mbam-25-supported-configurations
        they did not specifically mention Windows 10 Professional, but you can give it a try and see how it works.

    8. Peter on August 9, 2016 3:34 PM

      Thanks! Used your guide to deploy a stand-alone MBAM setup in production!
      Had some trouble with the reporting services but figured it out!

      Great job!

      • Eswar Koneti on August 9, 2016 3:53 PM

        Hi Peter,
        Glad it helped you.

        Thanks,
        Eswar

    9. Calvin on May 17, 2016 3:30 AM

      This is a really useful post. Can this client be deployed during an OSD task sequence?

      • Eswar Koneti on May 17, 2016 8:02 AM

        Hi Calvin, yes, you can deploy the client during OSD.

    10. David D. on February 18, 2016 6:11 AM

      Eswar
      On a semi-related note, I have been trying to find a solution to decrypt BitLocker-enabled drives. I have been researching and trying "manage-bde -off c:" within an SCCM package and program, but it keeps failing. I have also tried "C:\Windows\System32\wbem\win32_encryptablevolume.mof" but am having no luck. First I got the error in this link https://support.microsoft.com/en-us/kb/2756402
      so I added mofcomp.exe. I think the SCCM package is also failing to compile the MOF. The only error in execmgr.log is "mofcomp.exe win32_encryptablevolume.mof failed with exit code 1" and "Program: Decrypt Drive failed with exit code 1". Any ideas?

    11. KM on January 30, 2016 12:07 AM

      Hello Eswar,

      Is Windows 10 compatible with MBAM 2.0? We tried encrypting a Windows 10 machine using MBAM 2.0, but it looks like the encryption happens and the recovery keys are not sent to the MBAM database. Any help would be appreciated. Thanks!

      • Eswar Koneti on January 30, 2016 4:11 PM

        Not really; you must upgrade to MBAM 2.5 SP1. For more info, please refer to https://technet.microsoft.com/en-us/library/mt427465(v=vs.85).aspx

    12. Protect My Identity on January 21, 2016 1:44 PM

      Eswar,

      I have to say that your post really helped me wrap my head around MBAM 2.5 SP1.
      I have successfully deployed the product flawlessly into a test environment and a production environment.
      Thanks for your efforts and the time put into this post.

      • Eswar Koneti on January 25, 2016 8:36 AM

        Glad it helped, thanks.

    13. John Rolstead on January 20, 2016 5:26 AM

      Great outline of the steps Eswar,
      An important part for me was the fact that SCCM integration means no compliance web service is created on the web server; therefore I set the group policy to disabled for the compliance URL. That helped.

      Does the client see any prompts if the TPM is disabled in BIOS? I am rolling out to desktops that were not enabled before today.

      Best regards,
      John

      • Eswar Koneti on January 25, 2016 8:34 AM

        Welcome John. Nope, the client won't see any prompt if the TPM is disabled in BIOS, and I believe you can suppress the prompts, if there are any, using GPO.

    14. Yuriy on January 10, 2016 11:33 PM

      Hello!

      Will there be a part 8? We upgraded our environment to MBAM 2.5 SP1. We are trying to get Windows 10 clients to report back (so far, two Surface tablets) and are having some issues.

      In the computer compliance report, Computer details is blank, yet the computer volume is reporting the information. The local event log for MBAM (operational log) does show policies applied and the key being escrowed.

      I know the drive is encrypted, but we need the report to say that (compliance / compliant) to avoid any "legal" issues.

      • Eswar Koneti on January 27, 2016 12:32 AM

        What does the Event Viewer say? Are you using SCCM along with MBAM? Check the ConfigMgr reports.

        • jimmy on October 18, 2016 4:55 AM

          Hello, I have followed your instructions over and over again and checked every detail, but I still can't get past "Configure web applications". Under "Web service application pool domain account" I get the error "The web service application pool account is not valid", and under "SQL Server Reporting Services URL": "The SQL Server Reporting Services URL that points to the MBAM reports is not valid".

          I don't know what to do. I searched online and added mbam_hd_apppool to "Log on as a batch job", but it is still not working.

          Hope to hear back from you.

          • Eswar Koneti on October 20, 2016 10:59 PM

            Did you check the Event Viewer logs? Please refer to this post on how to check for errors during installation of any MBAM components: http://eskonr.com/2016/10/install-mbam-2-5-sp1-on-remote-sql-and-integrate-with-sccm-configmgr-1606-notes-and-scripts/

            Thanks,
            Eswar

            • Mike Virata on October 10, 2017 3:55 AM

              Hello, I have the exact same error and have been SCOURING the internet for a while now and nothing works.

              "The web service application pool account is not valid", and under "SQL Server Reporting Services URL": "The SQL Server Reporting Services URL that points to the MBAM reports is not valid".

              I can browse to the URL fine; I just can't install the web applications part. It's literally the LAST PART of the installation I can't figure out.

              If anyone has any ideas I'd be happy to hear them; I may have to contact MS about it.

              • Faisal on January 23, 2020 3:10 PM

                Hello,
                I have the same error, "The web service application pool account is not valid". I've done everything but got stuck at Configure Web Applications.

    15. Phat on December 12, 2015 9:39 PM

      Hi sir,
      Will there be a part 8? I'm having a problem with a Windows 8.1 Pro client with this error: A message containing a fault was received from the remote endpoint.
      By the way, great guide from you.
      Thanks!

      • Eswar Koneti on December 13, 2015 11:32 PM

        Can you check the Event Viewer for the errors, and also check the communication from the endpoint to the MBAM server.

        • Phat on December 14, 2015 9:27 AM

          Hi Sir,
          I managed to solve the issue with some SQL Server error, but I'm having another problem with this error: "Failure to connect to the MBAM Compliance and Status service prevented the transfer of encryption status data (Warning - ID 43)".
          Also, Enterprise Compliance does not show the Managed Computer (I'm not using SCCM, just AD and MBAM).
          Thanks in advance.

          • Eswar Koneti on December 21, 2015 4:52 PM

            Did you check the services? Did you run the reports with enough permission rights?

            • Pierrick on February 22, 2017 6:02 PM

              Hi,

              All the last messages concern the user rights of MBAM_HD_AppPool in SQL on the 2 databases for Compliance and Hardware. I had the same problem as Jimmy and Phat. I added the Sysadmin role to MBAM_HD_AppPool and all is working. I will try to find more restrictive rights for MBAM_HD_AppPool in SQL because the Sysadmin role is too much!!

              Hope this helps!


    © Copyright 2009-2024 Eswar Koneti, All rights reserved.