2.0 integration in ConfMgr - client not working, recovery key not stored

    Question

  • I had to open my own thread, because the other one did not proceed. So I've integrated 2.0 into ConfMgr 2012 SP1, which is running on Server 2012 and SQL 2012 on the same box. The service web sites are also installed on the same IIS, on port 8080. Traffic is not encrypted.

    I have 3 scenarios, none of them works:

    1. Already-encrypted client with the MBAM x64 client installed. The recovery key is not saved to the database, even after a couple of days of waiting.

    2. New installation with traditional BitLocker steps in the task sequence, encryption with a PIN code and a fresh MBAM client installation. Same story: no sign of the recovery key in the database.

    3. Fresh installation with MBAM, without any encryption in the task sequence. Starting the MBAM client GUI and entering the PIN code, the encryption attempt fails right away.

    Error 1: An error occurred while sending encryption status data. Error code: 0x803d0013 Details: A message containing a fault was received from the remote endpoint.

    Error 2: An error occurred while applying MBAM policies. Volume ID:\\?\Volume{5a8628bf-1f0f-11e3-bf47-0017422e3925}\ Error code: 0x803d0013

    - Group policy is set to the correct endpoint with the FQDN and port 8080. The client can access the file coreservice.svc published in IIS.
    - Group policy sets the reporting point to disabled; only the management endpoint is enabled (as it should be).
    - SQL's text search feature was installed afterwards, after the MBAM integration.
    - Group policies are enabled only through the MBAM policy node.

    A side question: is it possible to install the web service on the default IIS site, so that both ConfMgr's MP and MBAM's site would work on port 80?


    • Edited by yannara Monday, September 23, 2013 7:25 PM
    Monday, September 23, 2013 7:21 PM

Answers

  • OK, I got it to work for me. Reading this post:


    http://technet.microsoft.com/en-us/library/dn186167.aspx


    I realized I had not set the option:

    Enabled. Set "Select protector for operating system drive". Required to save operating system drive data to the MBAM Key Recovery server.

    It all started working. Funny that this was never mentioned in any of the posts I googled, but after searching and searching through the MBAM GPO settings I finally found it.

    Hope this makes it work for you.


    Tod Elliott

    • Marked as answer by yannara Wednesday, October 02, 2013 1:44 PM
    Tuesday, October 01, 2013 5:11 PM

All replies

  • I also have this same issue. I did enable the status reporting and did find data in the database; after that I went back to the GPO and removed the status reporting URL.

    Tod Elliott

    Thursday, September 26, 2013 5:07 PM
  • I also have this same issue. I did enable the status reporting and did find data in the database; after that I went back to the GPO and removed the status reporting URL.

    Tod Elliott


    I don't quite catch you, so is your problem solved or not? Are you able to see the recovery keys in the web service? The reporting URL must be removed in the GPO, because ConfMgr is taking care of reports.
    • Edited by yannara Thursday, September 26, 2013 8:10 PM
    Thursday, September 26, 2013 8:10 PM
  • No, my problem is not solved. The recovery keys are not in the DB.

    Tod Elliott

    Thursday, September 26, 2013 8:12 PM
  • Have you created the DisableMachineVerification registry key on the MBAM server? In fact, you have installed all the components on an SCCM server. Make sure to restart the MBAM server after creating the registry key.

    Gaurav Ranjan


    Saturday, September 28, 2013 8:33 AM
  • Have you created the DisableMachineVerification registry key on the MBAM server? In fact, you have installed all the components on an SCCM server. Make sure to restart the MBAM server after creating the registry key.

    Gaurav Ranjan


    Yes I have, and the server has been restarted after that.

    I'm thinking that the only mess I could have caused here myself is configuring the BitLocker group policies in the wrong way. What are the minimum settings I need in the GPO to make the client send the recovery key to the database? Only the client management? I could strip down everything else and see if that works. Configuring policies with MBAM requires that no traditional BitLocker policies be configured. But I recall that TPM should be configured, though. Could Tod paste his GPOs here (maybe a screenshot)? I could do that too, later when I'm next to my lab.

    Saturday, September 28, 2013 9:41 AM
  • I have only configured the GPO to have the URL to the recovery and hardware DB. Nothing else.

    Tod Elliott

    Monday, September 30, 2013 7:41 PM
  • Nice going Tod. After your input here, I made an entirely new GPO and made sure that one policy setting was enabled, and now things started rolling! I'm not sure what was wrong in my case, but somehow I had a mix-up with policies, because now the MBAM client does not log any errors in Event Viewer after the newest policy was applied and the previous GPO was removed.
    Wednesday, October 02, 2013 1:44 PM
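The thread boils down to three checks: the MBAM client policy on the endpoint (the "Select protector for operating system drive" setting from the accepted answer and the recovery-service endpoint), whether the CoreService.svc endpoint actually answers, and the DisableMachineVerification value on a single-box MBAM/ConfigMgr server from Gaurav's reply. The read-only script below is an added example written for this page, not code from the thread or from Microsoft. It assumes PowerShell 3.0 or later run from an elevated prompt; the registry paths (HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement for the client policy, HKLM\SOFTWARE\Microsoft\MBAM for the server key) and the value names KeyRecoveryServiceEndPoint, StatusReportingServiceEndPoint and OSDriveProtector are taken from the MBAM 2.0 ADMX and single-server documentation as I recall them and should be treated as assumptions to verify against your own ADMX; the server name is a constructed placeholder.

```powershell
# Added example (not from the thread): read-only checks for the MBAM 2.0 configuration
# points discussed above. Assumes PowerShell 3.0+, elevated. Registry paths and value
# names are assumptions taken from the MBAM 2.0 ADMX / single-server docs; verify them.
param(
    # Host:port of the MBAM Administration and Monitoring site (constructed placeholder).
    [string]$MbamServer = "mbam.example.local:8080"
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'   # assumed
$serverKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'                                    # assumed

function Get-MbamClientPolicy {
    # Values written by the MBAM GPO; $null when no MBAM policy has been applied.
    if (-not (Test-Path $policyKey)) { return $null }
    Get-ItemProperty -Path $policyKey
}

function Test-MbamClientPolicy {
    $p = Get-MbamClientPolicy
    if ($null -eq $p) { return @("No MBAM policy key at $policyKey - the MBAM GPO is not applied.") }
    $findings = @()
    # 'Configure MBAM Services': the recovery endpoint must point at CoreService.svc.
    if (-not $p.KeyRecoveryServiceEndPoint) {
        $findings += "KeyRecoveryServiceEndPoint not set: the client cannot escrow recovery keys."
    } elseif ($p.KeyRecoveryServiceEndPoint -notmatch '^https://') {
        $findings += "Recovery endpoint is plain HTTP ($($p.KeyRecoveryServiceEndPoint)): recovery keys cross the network unencrypted."
    }
    # With ConfigMgr integration, status reporting goes to ConfigMgr, not to an MBAM URL.
    if ($p.StatusReportingServiceEndPoint) {
        $findings += "StatusReportingServiceEndPoint is set; with ConfigMgr integration it should be disabled."
    }
    # 'Operating system drive encryption settings': the protector selection the accepted
    # answer found missing. Value name OSDriveProtector is assumed from the ADMX.
    if ($null -eq $p.OSDriveProtector) {
        $findings += "OSDriveProtector not set: enable 'Select protector for operating system drive'."
    }
    if ($findings.Count -eq 0) { $findings += "Client policy looks complete." }
    return $findings
}

function Test-MbamEndpoint {
    param([string]$Server)
    # Prefer the endpoint the policy actually hands the client; fall back to the default path.
    $p = Get-MbamClientPolicy
    $url = if ($p -and $p.KeyRecoveryServiceEndPoint) { $p.KeyRecoveryServiceEndPoint }
           else { "http://$Server/MBAMRecoveryAndHardwareService/CoreService.svc" }
    # A healthy WCF service answers a GET on the .svc with its help page (HTTP 200).
    # A connection failure or 5xx means the request never reached a working CoreService,
    # which is one way to get 0x803d0013 on the client side.
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $url; Status = [int]$r.StatusCode; Ok = ($r.StatusCode -eq 200) }
    } catch {
        [pscustomobject]@{ Url = $url; Status = $_.Exception.Message; Ok = $false }
    }
}

function Test-MbamServerRegistry {
    # Run on the MBAM server: a single box hosting MBAM and ConfigMgr needs
    # DisableMachineVerification = 1, followed by a restart (see the reply above).
    if (-not (Test-Path $serverKey)) { return "No $serverKey key: this is not the MBAM server, or MBAM is not installed." }
    $v = (Get-ItemProperty -Path $serverKey).DisableMachineVerification
    if ($v -eq 1) { "DisableMachineVerification = 1 (remember the server restart after setting it)." }
    else          { "DisableMachineVerification is missing or not 1." }
}

function Get-MbamClientErrors {
    # Most recent error-level events from the MBAM client log, e.g. 0x803d0013
    # 'A message containing a fault was received from the remote endpoint'.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Admin'; Level = 2 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"== Client policy findings =="; Test-MbamClientPolicy
"== Recovery endpoint =="    ; Test-MbamEndpoint -Server $MbamServer
"== Server registry =="      ; Test-MbamServerRegistry
"== Recent MBAM client errors =="; Get-MbamClientErrors
```

Run it first on a client that never escrows a key, then on the server; the policy findings show whether the GPO that reaches the machine contains the protector setting at all, which is the failure mode the thread ends on. The plain-HTTP finding is worth acting on separately from the original problem: the question states the 8080 site is unencrypted, so every recovery key the client escrows is readable on the wire until the site is bound to HTTPS and the policy endpoint is changed to match.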