In part 6 here,we have created MBAM collection ,application for MBAM 2.5 SP1 agent and deployed to our Clients and did the bitlocker drive encryption for windows 8.1 Client.We have also retrieved the bitlocker recovery key using self service portal and reviewed the bitlocker compliance reports.
In this part 7 of MBAM 2.5 SP1 multi series guide,we will do the bitlocker drive encryption for windows 10 ,also see the new features(Configure pre-boot recovery message and URL) included for windows 10. To know more whats new in MBAM 2.5 SP1 ,refer TechNet document here
I have created a windows 10 RTM 10240 virtual machine ,installed SCCM 2012 R2 SP1 client ,waited for few min to let MBAM 2.5 SP1 agent deploy automatically .( The MBAM collection was created to get all workstations ,deployed MBAM agent to this collection,more info ,refer part 6 ).
Login to windows 10 client,verify MBAM agent installed or not either from C:\program files\Microsoft\MDOP MBAM or from software center or from SCCM 2012 monitoring console/Reports.
lets check the GPO if the policies applied or not. For this,Open registry key , HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.
From below snippet,you can see that ,Configure pre-boot recovery message and URL’s configured via GPO are applied which is new in MBAM 2.5 SP1.
You can either wait for the GPO to start the MBAM agent or manually trigger MBAMclientUI.exe from C:\program files\Microsoft\MDOP MBAM
As I Discussed in my previous post here ,cannot bitlocker the drive using MBAM agent on virtual machines .To check,go to event viewer,Microsoft-Windows-MBAM/Admin ,check the error code.
An error occurred while applying MBAM policies.
Volume ID:\\?\Volume{3968637d-842e-45c4-abb5-5f3a6421ec72}\Error code:
-2144272219Details:
BitLocker Drive Encryption only supports Used Space Only encryption on thin provisioned storage.
But in physical machines,it should work (atleast you will not see this error).So I go and do bitlocker manually .Go to control panel ,open Bitlocker drive encryption ,Turn on bitlocker
PowerShell commands to enable bitlocker https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx
Restart the Computer
Enter the bitlocker password that you have set earlier ,login to the client using your domain password.
After you login,wait for while until the drive encryption is done.
After the completion of encryption , reboot the client .This time ,we don’t enter the password to login instead ,we use recovery key and see the
As you can see from below snippet,pre-boot recovery message and URL which are customized in our group policy ,can help to recover the bitlocker key from another client by entering the first 8-digit number into selfservice portal.
With this,we have completed the bitlocker drive encryption for windows 10 using MBAM 2.5 SP1.
In the next post part 8,we will see the troubleshooting steps ,how and where to start for any bitlocker encryption issues related to MBAM.
35 Comments
Hi Eswar,
I have another question. When going from bitlocker to mbam is there a recommended process? I read decrypt then encrypt which will take took long. I also saw deploy the MBAM gpo to the already encrypted clients but the MBAMUI doesn't launch. Do you have a write up on this process?
I meant to say decrypt then deploy mbam for encryption.
Hi Pierrick - I too had same issue with those 2 DB. I did the same (gave sysadmin permission) and everything went well with Web application feature install.
Ram
Hi Eshwar . Thanks. I followed up the same steps. But I get Used Space only encryption. We are seeing that the Invoke MBAM Powershell script fails during the task sequence. So we have the following in TS:
1. Convert BIOS to UEFI
2. Set Registry value for XTS_AES256
3. Pre-provision Bitlocker
4. Apply OS
5. Persist TPM Owner with the script SaveWinPETpmOwnerAuth.wsf
6. Apply Drivers/Apps
7. Install MBAM with Dec 2016 Patches
8. Invoke MBAM Script - Invoke-MbamClientDeployment.ps1
When i run the manage-bde -Status C: - I get the following
BitLocker Version : 2.0
Conversion Status: Used Space only Encrypted
Encryption Method: XTS-AES 256
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Great walk through overall! I am just refining the solution a little and it occurred to me that MBAM reports are available in 2 places in my installation
1 - MBAM DB server using its locally installed SSRS instance with MBAM 'Reports' installed
and
2 - SCCM Primary Site server that has SSRS installed and has MBAM 'SCCM Integration' installed
Can i remove the Reports from the MBAM DB server and drop the "Audit and Compliance" Database? Isn't SCCM agent handling all of the compliance data anyways? Leaving MBAD DB essentially just for Key recovery?
Thanks again!
No,you cannot ,as they are for 2 different purpose. When you integrate MBAM with SCCM ,it create few collections,Configuration Items and reports. These reports are basic and just give you if clients are bitlockered or not but if you look at the reports that are created in MBAM are completely different . SCCM reports are generated against SCCM database but MBAM reports are completely from MBAM audit and compliance with bitlocker retrieval keys etc.
Regards,
Eswar
Great series!! One question, I'll be deploying BitLocker to approx 1800 devices and approx 300 or so had BitLocker turned on when imaged, manually. I'll be setting up MBAM as it is not in our environment yet. In the past at other companies I've done this and these type devices with BitLocker manually turned on we had to decrypt then encrypt using MBAM policies. Is that not the case now with 2.5 SP1? for recovery purposes and management, etc? I am hoping we will not have to do this. all devices are Win7
with my experience, when you install MBAM client on already bitlockered devices ,it wont try to de crypt for MBAM to encrypt again for sending the bitlocker keys to MBAM database . without doing de -crypt,MBAM will simply collect the bitlocker recovery key and other information ,forwarded it to MBAM server. http://windowsitpro.com/security/q-if-i-deploy-microsoft-bitlocker-administration-and-monitoring-client-machine-already-encr
Regards,
Eswar
Hi - Followed all the parts (1-7) and successfully deployed MBAM 2.5 SP1. Thanks for sharing such a detailed instruction. Look forward to more documents on other subjects in the future.
thanks & Sure ,more post will be added in the near future on MBAM.
Regards,
Eswar
Hello Eswar,
Do you know if MBAM 2.5 sp1 is compatible with windows 10 professional clients?
Thanks,
Joseph
As per the technet article https://technet.microsoft.com/en-us/itpro/mdop/mbam-v25/mbam-25-supported-configurations
they did not specifically mentioned about windows 10 professional but you can give a try how it works.
Thanks! Used your guide to deploy a stand-alone MBAM setup in production!
Had some trouble with the reporting services but figured it out!
Great job!
Hi Peter,
Glad it helped you.
Thanks,
Eswar
This is a really useful post Can this client be deployed during an OSD task sequence?
Hi Calvin, yes you can deploy the client during Osd.
Eswar
On a semi related note, I have been trying to find a solution to decrypt Bitlocker enabled drives. I have been researching and trying "manage-bde -off c:" within a SCCM Package and program but it keeps failing. I have also tried "C:\Windows\System32\wbem\win32_encryptablevolume.mof" but am having no luck. First I did get the error in this link https://support.microsoft.com/en-us/kb/2756402
so I added the mofcomp.exe. I think the SCCM package is also failing to compile the mof. The only error in the execmgr.log is mofcomp.exe win32_encryptablevolume.mof failed with exit code 1 and Program: Decrypt Drive failed with exit code 1. Any Ideas?
Hello Eswar,
Is windows 10 compatible with MBAM 2.0? We tried encrypting a windows 10 machine using MBAM 2.0 but it looks like the encryption happens but the recovery keys are not sent to the MBAM database. Any help would be appreciated. Thanks!
Not really,you must upgrade to MBAM 2.5 SP1. more info,please refer https://technet.microsoft.com/en-us/library/mt427465(v=vs.85).aspx
Eswar,
I have to say that you post really helped me wrap my head around MBAM 2.5 SP1.
I have successfully deployed the product flawlessly into a test environment and production environment.
Thanks for your efforts and time put into this post.
glad it helped, thanks.
Great outline of the steps Eswar,
An important part for me was the fact that SCCM integration means no compliance web service created on the web server; therefore setting the group policy to disabled for the compliance URL. that helped.
Does the client see any prompts if TPM is disabled in BIOS? I am rolling out to desktops that were not enabled before today.
Best regards,
John
welcome Jhon. Nope, client wont see any prompt if the tpm is disabled is bios and i believe you can suppress the prompts if at all any using gpo.
Hello!
Will there be a part 8? We upgraded our environment to MBAM 2.5 SP1. Trying to get Windows 10 clients to report back (so far, two Surface tablets) and having some issues.
In computer compliance report, Computer details is blank, yet the computer volume is reporting the information. Local event log for MBAM operational log does show policies applied and key being escrowed.
I know the drive in encrypted but we need the report to say that (compliance / compliant) to avoid any "legal" issues.
what does the eventviewer says ? are you using sccm along with MBAM ? check the configmgr reports
Hello, I have followed your instruction over and over again and checked every detail but I still can't get pass "configure web applications". under web service application pool domain account: got error" The web service application pool account is not valid" and under "SQL Server reporting services URL" The SQL Server Reporting Services URL that points to the MBAM reports is not vaild.
I don't know what to do for search online and add mbam_hd_apppool to "log in a batch account" still is not working.
Hope to hear back from you.
did you check the event viewer logs ? please refer this post ,how to check for errors during installation of any MBAM components .http://eskonr.com/2016/10/install-mbam-2-5-sp1-on-remote-sql-and-integrate-with-sccm-configmgr-1606-notes-and-scripts/
Thanks,
Eswar
Hello, I have the exact same error and have been SCOURING the internet for a while now and nothing works.
The web service application pool account is not valid" and under "SQL Server reporting services URL" The SQL Server Reporting Services URL that points to the MBAM reports is not vaild.
I can browse to the URL fine, I just can't install the web applications part, it's literally the LAST PART of the installation I can't figure out.
If anyone has any ideas I'd be happy to hear it, I may have to contact MS about it.
Hello,
I've the same error of "The web service application pool account is not valid" I've done all but got stuck at Configure Web Applications.
Hello,
I've the same error of "The web service application pool account is not valid" I've done all but got stuck at Configure Web Applications.
Hi sir,
Will there be part 8 ? I'm having a problem with Windows 8.1 Pro Client with this error: A message containing a fault was received from the remote endpoint.
By the way, great guide from you.
Thanks !
can you check the eventviewr for the errors also check the communication from the endpoint to MBAM server.
Hi Sir,
I managed to solve the issue with some SQL Server error, but i having another problem with this error: "Failure to connect to the MBAM Compliance and Status service prevented the transfer of encryption status data (Warning - ID 43)".
Also the Enterprise Compliance not show the Managed Computer (i'm not using SCCM) just AD and MBAM.
Thanks in advance.
Did you check the services ? Did you run the reports with enough permissions rights ?
Hi,
All last messages concern user right of MBAM_HD_AppPool in SQL on the 2 Database for Compliance and Hardware. I had the same problem like Jimmy and Phat. I added Sysadmin Role on MBAM_HD_AppPool and all is working. I will try to find restrictive rights for MBAM_HD_AppPool in SQL because Sysadmin Role is too much!!
Hope this help!