I am trying to start the encryption with MDT, but it's not working properly. The encryption is not started. I can't get it started, not even by hand.
I am doing this on non-domain joined clients. I only want to start the TPM encryption.
What I've done:
- Made sure the TPM is enabled.
- Made sure the TPM is active.
- Made sure the TPM is not owned (it also doesn't work when it is owned).
- Added the MBAMDeploymentKeyTemplate.reg and adjusted the settings for non-domain joined clients.
- Restarted the MBAMAgent.
- Restarted the PC.
Regkeys in HKLM\Software\MBAM
DeploymentTime : REG_DWORD, value 1
UseKeyRecoveryService: REG_DWORD, value 0
What am I missing?
All Replies
Check the MBAM logs in the Event Viewer - under Applications Logs.
Also, try to launch the client manually to see if it gives you a specific error message - the client should be under Program Files\MBAM or MDOP folder\MBAMClientUI.exe
Regards, Vik Singh
Nothing is logged in the Eventvwr, not in Admin or Operational Log.
I've tried running the MBAMClientUI.exe, but as long as no policies are set in HKLM\Software\Policies\FVE\MDOP MBAM nothing is happening. These policies cannot be set, because the machine isn't yet joined to the domain.
Yes, I used this whitepaper as input. I haven't implemented the Task Sequence steps yet, as I wanted to test this manually first.
So I checked the status of the TPM Chip and then added the RegKeys and restarted the MBAMAgent service. Nothing is happening, even when I ran the MBAMClientUI.exe manually. I've imported the policies used in the domain for MBAM and then ran the MBAMClientUI.exe. Now the screen pops up.
I want the encryption process to be started (TPM only, no PIN) before joining the machine to the domain. When a user receives the laptop the encryption should already be done; only a PIN needs to be provided.
Hi, I have similar issues. Installed SQL with TDE and MBAM, created GPOs on the OU, joined the computer, added it to the OU and installed the MBAM client. But nothing happens: no alerts in the event log, but when I run Gpresult /R the MBAM policy is applied. The test notebook is a Dell Latitude D820, so the TPM is the correct version. I verified the URLs for the GPO:
https://mbam.morne.local//MBAMComplianceStatusService/StatusReportingService.svc
https://mbam.morne.local/MBAMRecoveryAndHardwareService/CoreService.svc
What am I missing? Is SP1 for Windows 7 a requirement?
It encrypts the drive when I launch it manually. When I go to "Computer Compliance Report" it shows up as non-compliant (I disabled compliance checking just to test). It does not show at all in "Enterprise Compliance Report". My major concern at the moment is that MBAM does not launch automatically after the GPO is applied. Must the BitLocker service be set to Manual?
Hi,
Replace the following text in the MBAMDeploymentKeyTemplate.reg and use it in your task-sequence.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"DeploymentTime"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,31,00,3a,00,38,00,31,00,2f,00,4d,00,42,00,41,00,4d,\
  00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,\
  61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,2e,00,73,00,76,00,63,00,00,00
"DisableMachineVerification"=dword:00000001

Best regards, Magnus Mourujärvi
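Added example, not part of the original post or of MBAM itself: the KeyRecoveryServiceEndPoint value in the template above is stored as hex(2) (a UTF-16LE expandable string), so the recovery-service URL cannot be reviewed by eye. This Python sketch decodes the value and flags an endpoint that is not HTTPS; the function names are hypothetical and the .reg text is copied from the post.

```python
import re
from urllib.parse import urlparse

# .reg content copied from the post above (unrelated dword values omitted).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,31,00,3a,00,38,00,31,00,2f,00,4d,00,42,00,41,00,4d,\
  00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,\
  61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,2e,00,73,00,76,00,63,00,00,00
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(dword|hex\(2\)):([0-9a-fA-F,]*)\s*$', re.M)

def parse_reg_values(text):
    """Return {name: value} for the dword and hex(2) entries in a .reg file."""
    # A trailing backslash continues a hex value on the next line; join first.
    joined = re.sub(r"\\\s*\n\s*", "", text)
    values = {}
    for name, kind, raw in VALUE_RE.findall(joined):
        if kind == "dword":
            values[name] = int(raw, 16)
        else:
            # hex(2) is REG_EXPAND_SZ: UTF-16LE bytes with a NUL terminator.
            data = bytes(int(b, 16) for b in raw.split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
    return values

def audit_mbam_reg(text):
    """Return a list of findings about the key recovery endpoint."""
    values = parse_reg_values(text)
    if values.get("UseKeyRecoveryService") != 1:
        return ["UseKeyRecoveryService is not 1; endpoint check skipped"]
    endpoint = values.get("KeyRecoveryServiceEndPoint")
    if not endpoint:
        return ["key recovery service enabled but no endpoint is set"]
    if urlparse(endpoint).scheme.lower() != "https":
        return ["recovery endpoint is not HTTPS: " + endpoint]
    return []

if __name__ == "__main__":
    for finding in audit_mbam_reg(REG_TEXT):
        print(finding)
```
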
This won't help, as I am not trying to use the ServiceEndpoint. I just want to start the TPM-only encryption.
I will try the "DisableMachineVerification"=dword:00000001 option to see if this might trigger the encryption to start.
If you read this white paper Using MBAM Data Encryption with MDT, it works as it is written.
The purpose of this document is to encrypt the volume with TPM before a user gets the machine.
The steps described work correctly.
Once the machine is put in the final OU, then the regular GPOs are applied for MBAM.
net start mbamagent
If you want to just start the encryption manually through MBAM, do the following steps. It worked for me:
--- First install the MBAM Policy template on the client machine.
--- Configure the MBAM policies locally on that machine.
--- Then install the MBAM client on the client machine.
--- Then go to the location "C:\Program Files\Microsoft\MDOP MBAM" and run the application MBAMClientUI (for 32-bit machines).
It will prompt you to start the encryption process. For starting the encryption process manually, you don't have to create the registry entry or import the reg template.
Make the confirmation so that it can help others too.
If a user wants to start the encryption, then the easiest method is to:
1. Just install MBAM client on Win7 machine.
2. Make sure MBAM GPOs are configured correctly and applied to Win7 machines.
After 90 mins, we will prompt user to start encryption.
No additional registry entries required.
No need to launch MBAMClientUI.exe manually. MBAMClientUI.exe is only used if you do not get the regular MBAM prompt to start encryption.
I have asked a few other questions in other posts, but you have not replied to them. I need some help with a BitLocker scenario with MBAM.
Please reply to those posts too.
I, too, am having problems with encryption starting. I am testing with Windows 7 64-bit. I have seen a number of posts saying that the MDT whitepaper steps work with 32-bit Windows 7, but encounter problems when running 64-bit. I am attempting to start the scripted solution described here from a command prompt to test:
I can connect to the MBAM service point from the test machine using IE with the URL that is specified in the MBAM registry entries. The script tells me the TPM is enabled, activated and Endorsement Key Pair is present. If I start the BitLocker applet in Control Panel, it says the drive is ready for encryption.
There are no errors in the application or system event logs.
Are the error codes generated by the StartMBAMEncryption.wsf script documented anywhere?
Can anyone provide troubleshooting guidance?
I will cross-post to SCCM\OSD forum
I finally got this to work by skipping my testing phase and just using the task sequence as described in the step-by-step located here:
It still fails if I attempt to run the StartMBAMEncryption script from a command prompt. So much for due diligence!
But at least it runs in the TS.