none
MBAM MDT Encryption not starting

    Pergunta

  • Hi,

     

    I am trying to start the encryption with MDT, but it's not working properly. The encryption is not started. I can't get it started, not even by hand.

    I am doing this on non-domain joined clients. I only want to start the TPM encryption.

    What i've done:

    - Made sure the TPM is enabled.

    - Made sure the TPM is active

    - Made sure the TPM is not owned (it also doesn't work , when it is owned)

    - Added the MBAMDeploymenKeyTemplate.reg and adjusted the settings for non-domain joined clients

    - Restarted the MBAMAgent

    - Restarted the pc

     

    Regkeys in HKLM\Software\MBAM

    DeploymentTime : REG_DWORD, value 1

    UseKeyRecoveryService: REG_DWORD, value 0

    What am I missing ?

     

    Regards,

    Patrick

     

    segunda-feira, 17 de outubro de 2011 14:02

Todas as Respostas

  • Check the MBAM logs in the Even Viewer - Under Applications Logs.

    Also, try to launch the client manually to see if it gives you a specific error message - Client should be under program files\MBAM or MDOP folder\ MBAMClientUI.exe

     


    Regards, Vik Singh
    segunda-feira, 17 de outubro de 2011 15:19
  • Nothing is logged in the Eventvwr, not in Admin or Operational Log.

    I've tried running the MBAMCLientUI.exe, but as long as no policies are set in HKLM\Software\Policies\FVE\MDOP MBAM nothing is happening. This policies can not be set, because the machine isn't yet joined to the domain.

    Regards,

    Patrick

    terça-feira, 18 de outubro de 2011 07:08
  • What is the error message you are seeing when you try to start it?

    Check for events in eventlog.

     


    Sumesh P - Microsoft Online Community Support
    terça-feira, 18 de outubro de 2011 07:25
    Moderador
  • Have you reviewed the whitepaper for MBAM and MDT.

    Using MBAM Data Encryption With MDT : http://go.microsoft.com/fwlink/?LinkId=229053


    Sumesh P - Microsoft Online Community Support
    terça-feira, 18 de outubro de 2011 07:35
    Moderador
  • Hi,

     

    Yes, I used this whitepaper as input. I haven't implemented the Task Sequence steps yet, as I wanted to test this manually first.

     

    So I checked the status of the TPM Chip and then added the RegKeys and restarted the MBAMAgent service. Nothing is happening, even when I ran the MBAMClientUI.exe manually. I've imported the policies used in the domain for MBAM and then ran the MBAMClientUI.exe. Now the screen pops up.

    I want the encryption proces to be started (TPM only, no PIN) before joining the machine to the domain. When a user receives the laptop the encryption should allready be done, only a PIN needs to be provides.

    Regards,

    Patrick

    terça-feira, 18 de outubro de 2011 07:51
  • Hi I Have similar Issues. Installed SQL with TDE, MBAM Created GPOs on OU, joined computer and added to OU and installed MBAM client. But nothing happens, no Alerts in eventlog but when I run Gpresult /R the MBAM Policy is applied. The test notebook is a Dell Latitude D820 so the TPM is the correct version. I verified the URLS For the GPO https://mbam.morne.local//MBAMComplianceStatusService/StatusReportingService.svc https://mbam.morne.local/MBAMRecoveryAndHardwareService/CoreService.svc What am I missing? Is SP1 for Windows 7 a requirement?
    segunda-feira, 24 de outubro de 2011 19:00
  • Similar Issues? The client not launching automatically? If yes, what happens if you launch it manually?

    Sp1 is not a requirement.


    regards, Vik Singh
    segunda-feira, 24 de outubro de 2011 19:10
  • It Encrypts the Drive when I lauch it Manually. When I go to "Computer Compliance Report" it shows up as non-Compliant (I Disabled Compliance checking just to test) It does not show at all in "Enterprise Compliance Report" My major concern at the moment is that MBAM does not launch Automatically after the GPO is applied? Must the Bitlocker Service be set to Manual?
    segunda-feira, 24 de outubro de 2011 21:08
  • Do you think it will help if I De-crypt and Reset the TPM maybe?
    segunda-feira, 24 de outubro de 2011 21:18
  • Hi, Replace the following text in the MBAMDeploymentKeyTemplate.reg and us it in your task-sequence. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] "NoStartupDelay"=dword:00000001 "Installed"=dword:00000001 "KeyRecoveryOptions"=dword:00000001 "UseKeyRecoveryService"=dword:00000001 "DeploymentTime"=dword:00000001 "KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\ 6d,00,62,00,61,00,6d,00,31,00,3a,00,38,00,31,00,2f,00,4d,00,42,00,41,00,4d,\ 00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,\ 61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,\ 00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,\ 65,00,2e,00,73,00,76,00,63,00,00,00 "DisableMachineVerification"=dword:00000001 Best regards, Magnus Mourujärvi
    terça-feira, 25 de outubro de 2011 11:58
  • Magnus,

     

    this won't help as I am not trying to use the ServiceEndpoint. I just want to start the TPM only encryption.

     

    I will try the "DisableMachineVerification"=dword:00000001 option to see if this might trigger the encryption to start.

     

    Regards,

    Patrick

    terça-feira, 25 de outubro de 2011 12:05
  • Is your issue resolved, or you still want more help?
    Manoj Sehgal
    segunda-feira, 31 de outubro de 2011 19:40
  • No, the problem still exists. We decided to use the normal encryption method for the time being.

     

    If you know the solution to this problem, please help.

     

    Regards,

    Patrick

    terça-feira, 1 de novembro de 2011 08:35
  • Patrick,

    http://www.microsoft.com/download/en/details.aspx?id=27555

    If you read this white paper Using MBAM Data Encryption with MDT, it works as it is written.

    The purpose of this document is to encrypt the volume with TPM before a user gets the machine.

    The steps describe works correctly.

    Once the machine is put in the final OU, then the regular GPOs are applied for MBAM.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]


    "NoStartupDelay"=dword:00000001

    "DeploymentTime"=dword:00000001

    "Installed"=dword:00000001

    "KeyRecoveryOptions"=dword:00000001

    "UseKeyRecoveryService"=dword:00000001

    "KeyRecoveryServiceEndPoint"=

    http://<yourserverhere>/MBAMRecoveryAndHardwareService/CoreService.svc


    net start mbamagent

     


    Manoj Sehgal
    terça-feira, 8 de novembro de 2011 15:54
  • If you want to just start the encryption manually through MBAM, Do the following steps. It worked for me:-

    --- first install the MBAM Policy template on the client machine.

    ---configure the MBAM policies locally on that machine.

    ---then install the MBAM client on the client machine.

    --- then visit to the location "C:\Program Files\Microsoft\MDOP MBAM and run the application MBAMClientUI.(for 32 bit machine)

    It will prompt for you to start the the encryption process. For starting the encryption process manually, you don't have to create the registry entry or to import the reg template.

    make the confirmation so that it can help others too......


    Gaurav Ranjan
    quinta-feira, 5 de janeiro de 2012 12:49
  • Gaurav,

    If a user wants to start the encryption, then easiest method is to:

    1. Just install MBAM client on Win7 machine.

    2. Make sure MBAM GPOs are configured correctly and applied to Win7 machines.

     

    After 90 mins, we will prompt user to start encryption.

    No additional registry entries required.

    No need to launch MBAMClientUI.exe manually. MBAMClientUI.exe is only used if you do not get the regular MBAM prompt to start encryption.

    -Manoj

     


    Manoj Sehgal
    sábado, 7 de janeiro de 2012 02:25
  • i have asked few other questions on another posts but you have not replied on that. I need some help on bit-locker scenario with MBAM

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/343bec4a-7b47-498b-a177-643002a59bea?prof=requiredo
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/9ca8b9e0-64fb-407d-8ee7-b46098dc4223/

    Please do a reply on that posts too............


    Gaurav Ranjan
    sábado, 7 de janeiro de 2012 06:17
  • I, too, am having problems with encyption starting.  I am testing with Windows 7 64-bit.  I have seen a number of posts saying that the MDT whitepaper steps work with 32-bit Windows 7, but encounters problems when running 64-bt.  I am attempting to start the scripted solution described here from a command prompt to test:

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx?PageIndex=2&wa=wsignin1.0&CommentPosted=true#comments

    I can connect to the MBAM service point from the test maching using IE with the URL that is specified in the MBAM registry entries.  The script tells me the TPM is enabled, activated and Endorsement Key Pair is present.  If I start the Bitlocker applet in control panel, it says the drive is ready for encryption. 

    There are no errors in the application or system event logs.
    Are the error codes generated by the StartMBAMEncryption.wsf script documented anywhere? 

    Can anyone provide troubleshooting guidance?

    I will cross-post to SCCM\OSD forum

    TIA,

    Tom

    quinta-feira, 14 de junho de 2012 23:11
  • I finally got this to work by skipping my testing phase and just using the task sequence as described in the step-by-step located here:

    http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx?PageIndex=2&wa=wsignin1.0&CommentPosted=true#comments

    It still fails if I attempt to run the StartMBAMEncryption script from a command prompt.  So much for due diligence!

    But at least it runs in the TS.

    HTH,

    Tom

    terça-feira, 19 de junho de 2012 11:59