Prompt user to encrypt with BitLocker (MBAM)

    Question

  • Hi,

    we deployed Microsoft BitLocker Administration and Monitoring for testing. MBAM client is installed on a test system and MBAM GPOs are applied to a test system.

    How can I prompt the user to encrypt the drives with BitLocker? Thanks!


    Windows Server 2008 R2

    Windows SQL Server 2008 R2

    Windows 7 Ultimate

    Thursday 27 October 2011 11:07

Answers

All replies

  • 1st option:


    1.  Policies for MBAM on client:
    On Windows 7 client open registry
     
    HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
    Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
     
    2.  There is a random delay of up to 90 minutes when MBAM service starts on Windows 7 client.
     
    If you don’t want random delay, then create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
     
    Restart the MBAM Client Service and then client will talk to server in 1 minute.

     
    If you hit this error on client, then follow the work around on this KB which I wrote
     
    2612822 Computer Record is Rejected in MBAM
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822

    MBAM Logs on client:

    Event Viewer -> Application and Services Logs -> Microsoft ->  Windows -> MBAM

     

    If you have enabled Allow Hardware Compatibility Check Policy then,

    To remove Hardware capability check delay do this:

    To remove the timer:
                1. HKLM\software\microsoft\MBAM\HWExemptionTimer
                2. HKLM\software\microsoft\MBAM\HWExemptionType
                3. Restart the MBAM agent: (BitLocker management client service)

    Or

    Change HKLM\software\microsoft\MBAM\HWExemptionType = 2

    2nd Option:

    To pop-up MBAM client manually do this:

    On Windows 7 client machine, browse to c:\programfiles\microsoft\mdopmbam\

    Double click on MBAMClientUI.exe and it will prompt a user to start the encryption.


    Manoj Sehgal
    Thursday 27 October 2011 13:27
  • Hi,

     

    Has your issue been solved? Please feel free to give me any update.

     

    Thanks.

     

    Regards, 

    Leo   Huang

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday 1 November 2011 09:41
  • To pop-up MBAM client manually works.

    But automatic pop-up doesn't work with any of the solution options after restarting the MBAM service.

    Wednesday 2 November 2011 15:26
  • Things to check:

    1. The MBAM prompt will not be seen if you have taken a RDP session to the Win7 client machine.

    You will have to be on the console of the machine to see the prompt automatically.

    2. Check MBAM logs on win7 client

    Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM --> Admin

    If you see some errors let me know.


    Manoj Sehgal
    Wednesday 2 November 2011 18:10
  • Hi Korbinian,

     

    How’s everything going? Was your problem solved by the suggestion of Manoj Sehgal? Please feel free to give any update here.

     

    Thank you for your understanding and cooperation.

     

    Regards,

    Leo   Huang

     

    Monday 7 November 2011 09:51
  • Hi,

     

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

     

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

     

    Regards,

    Leo   Huang

    Thursday 10 November 2011 07:14
  • Hi there,

     

    I have the same problem - all MBAM and GPO settings in place and all working correctly, but no auto start. Manual kick-off of encryption by running the suggested .exe works fine.

    I checked the logs like you say under: Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM --> Admin and I have the following errors:

    Event ID: 11 The computer is exempted from encryption.

    Machine's hardware status: Unknown

     

    Could this be the cause?

    Regards,

    Mark

    Wednesday 11 January 2012 14:44
  • Computer is exempted from encryption

    Check HKCU\Software\Microsoft\MBAM

    and delete MBAM and then try again.

     


    Manoj Sehgal
    Wednesday 11 January 2012 20:24
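
The checks suggested in the replies so far (registry values, console versus RDP session, service state, MBAM Admin log, per-user key) can be gathered in one read-only pass. The script below is an added example, not code from any poster or from Microsoft; the event channel name `Microsoft-Windows-MBAM/Admin` is assumed from the Event Viewer path quoted in the thread, and the `SESSIONNAME` test is a heuristic.

```powershell
# Added example: read-only collection of the MBAM client state discussed in this thread.
# Registry paths and value names are the ones quoted in the replies; nothing is modified.
$policy = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$client = 'HKLM:\Software\Microsoft\MBAM'
$values = @(
    @{ Path = $policy; Name = 'ClientWakeUpFrequency' },
    @{ Path = $policy; Name = 'StatusReportingFrequency' },
    @{ Path = $client; Name = 'NoStartupDelay' },
    @{ Path = $client; Name = 'HWExemptionTimer' },
    @{ Path = $client; Name = 'HWExemptionType' }
)

$registry = foreach ($v in $values) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Key  = $v.Path
        Name = $v.Name
        Data = $(if ($item) { $item.($v.Name) } else { '<not set>' })
    }
}
$registry | Format-Table Key, Name, Data -AutoSize

# Per-user key that one reply suggests deleting when the client reports an exemption.
"HKCU MBAM key present: {0}" -f (Test-Path 'HKCU:\Software\Microsoft\MBAM')

# The prompt is not shown over RDP. SESSIONNAME is normally 'Console' on the
# physical console and 'RDP-...' in a Remote Desktop session (heuristic).
"Session: {0}" -f $env:SESSIONNAME

# Service state, looked up by the display name used in the thread.
Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction SilentlyContinue |
    Format-Table Name, DisplayName, Status -AutoSize

# Recent MBAM Admin log entries: warnings/errors plus Event ID 11 (exemption).
# Channel name is assumed from the Event Viewer path given in the thread.
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { (1..3 -contains $_.Level) -or ($_.Id -eq 11) } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Run it from an elevated prompt in the affected user's session so that the HKCU check and the session name reflect that user.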
  • Manoj,

     

    We've implemented MBAM and everything is working correctly. The pop up to notify the user to bitlock is also working but I would like to make the pop up appear more often as some of the users just continue to click POSTPONE. Is there a way to increase the pop up?

     

    Thanks,

    Ray


    Ray
    Tuesday 17 January 2012 16:35
  • I'm also having trouble with the prompting.

     

    I install the wim image with WinPE.

    Then in runonce:

    I import registry settings (hklm/software/microsoft/mbam) and I overwrite the policies\microsoft\fde\ so I need TPMonly to start encryption.

    Then I install the client.msi and encryption starts.

    After reboot group policy sets TPMandPIN, but when I log on with a user I don't get prompted to set a PIN.

    If I start clientui.exe then I get the message "Your company have changed the bitlocker policy", then I can press next, type the PIN twice, and it successfully finishes. If I press postpone and restart I don't get the prompt again.

    I've set all client delays to 1 minute. I don't get any error in eventvwr.

    If a user presses postpone, what happens? Does it make a runonce key or what?

    Tuesday 31 January 2012 19:47
  • Hi, in the Event Viewer I can see the following:

    this computer is exempted from encryption

    computers won't start the encryption automatically :(

    please HELP!


    If my answer helped solve the question, please vote it as helpful, thank you. Best Regards, Ori Husyt - אורי הוסיט

    Saturday 18 February 2012 18:53
  • Hi Booray,

    Try with the changes to the registry entries as proposed by Manoj.

    HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
    Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1

    I think this will reduce the frequency for the pop-up to come up more often. Please do reply if it worked.


    Gaurav Ranjan

    Wednesday 22 February 2012 06:19
  • Hi Ori,

    If you have enabled Allow Hardware Compatibility Check Policy then
    Change HKLM\software\microsoft\MBAM\HWExemptionType = 2

    So that MBAM agent can know the machine is non-exempted and can start the encryption. This has worked for me. I hope it will work for you as well. If it does, then do reply so that it will be helpful to others with the same issue.


    Gaurav Ranjan

    • Proposed as answer by PARTH SARTHY Friday 23 March 2012 04:24
    Wednesday 22 February 2012 06:24
  • Gaurav,

    This did not resolve the problem. First problem is we use a GPO to set the settings so even though you change the registry it changes back, but I changed the GPO to 1 and 1 from 90 and 360 but it still did not resolve the issue. Any advice would be greatly appreciated, even though MBAM is working for us we still have about 17 to 18% of the PCs not bitlocked because the users just keep postponing.

    Ray


    Ray

    Tuesday 3 July 2012 20:19
  • Ray

    You can achieve this solution by following steps in the below blog

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

    In this case, you will change the reg keys for MBAM for machines as mentioned in blog and then when you start the BitLocker Management Client Service, we will start the encryption process.

    After encryption is finished, you can then apply regular MBAM GPOs to these machines, so that they will report as compliant.

    -Manoj


    Manoj Sehgal

    Wednesday 4 July 2012 03:30
  • If this is the case, you can have an automated encryption in which the user will not be prompted to start or postpone the encryption. What it will do: it will start the encryption without any prompt.

    Can you implement that?


    Gaurav Ranjan

    Saturday 10 November 2012 05:12
  • Think the last few posts may be related to a question we have...

    We do not want the encryption prompts to pop up and/or the end user to be able to postpone encryption. Is there a way to force the encryption in a silent manner without the end user getting prompted? Win7 workstations and MBAM installed on Server 2008 R2. We're using the MBAM GPO.

    Thanks in advance!

    Friday 30 November 2012 23:31
  • Yes, you can.

    You need to import the "MBAMRegEntries.reg" file to have an unattended encryption. This post will help you:-

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx


    Gaurav Ranjan

    Saturday 1 December 2012 05:06