MBAM Clients Not Reporting?

  • Question

  • Hi guys,

    I'm testing MBAM with a 2 server topology. Both of them Win 2008 R2 w/SP1 and SQL Server 2008 R2 with all necessary prerequisites.

    I deployed an MBAM policy to an OU that contains a Win7 machine and forced it to retrieve the policy, then I installed the MBAM agent on the Win7 w/SP1 laptop (which already has BitLocker enabled), but I see no data in MBAM reports.

    I know Enterprise Compliant Report can take up to 6 hours before showing any info, but I ran the Computer Client Report and the result is the same.

    I checked events on both servers (Application Log) and on the client machine (Microsoft-Windows-MBAM Admin and Operational), but they're all clean… the server logs show just Informational events, and the Win7 machine has no events at all.

    Is there any other place where I can take a look to find the cause of this “error”? Any help will be very much appreciated.

    Regards,

    -JP

    Wednesday, October 26, 2011 8:55 PM

Answers

  •  

    1. Make sure GPOs are set correctly and applied to the client.

    2. MBAM Logs on client:

    Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM

     

    3. To start encryption on client do this:

    1st option:


    1.  Policies for MBAM on client:
    On Windows 7 client open registry
     
    HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
    Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
     
    2.  There is a random delay of up to 90 minutes when the MBAM service starts on a Windows 7 client.
     
    If you don’t want random delay, then create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
     
    Restart the MBAM Client Service and then client will talk to server in 1 minute.

     
    If you hit this error on the client, then follow the workaround in this KB, which I wrote
     
    2612822 Computer Record is Rejected in MBAM
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822

     


    To remove the hardware capability check delay do this:

    To remove the timer:
    1. HKLM\software\microsoft\MBAM\HWExemptionTimer
    2. HKLM\software\microsoft\MBAM\HWExemptionType
    3. Restart the MBAM agent: (BitLocker management client service)

    Or

    Change HKLM\software\microsoft\MBAM\HWExemptionType = 2

    2nd Option:

    To pop-up MBAM client manually do this:

    On Windows 7 client machine, browse to c:\programfiles\microsoft\mdopmbam\

    Double click on MBAMClientUI.exe and it will prompt a user to start the encryption.

    I hope this helps.


    Manoj Sehgal
    • Marked as answer by JPMuniz Friday, October 28, 2011 1:17 PM
    Thursday, October 27, 2011 1:31 PM
  • Manoj,

    I rechecked the GPO and some settings weren't saved (“Configure MBAM services”, “Fixed data drive encryption settings”, among others), so machines have never been reported to the MBAM server…
    My fault then, and thank you very much for your help!

    Regards,
    -JP

    • Marked as answer by JPMuniz Friday, October 28, 2011 1:17 PM
    Friday, October 28, 2011 1:17 PM
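
A read-only check of the client-side conditions this thread ends up pointing at (policy key missing because the GPO settings were never saved, startup delay, empty MBAM logs), as an added example that is not part of any poster's reply. The registry paths and value names are the ones quoted in the answer; the service display name follows the answer's wording and the two event channel names are assumptions about this client.

```powershell
# Added example (not from the thread): read-only MBAM client reporting check.
$policyKey = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$clientKey = 'HKLM:\Software\Microsoft\MBAM'

function Get-RegValues([string]$Path) {
    # Hashtable of value name -> data, or $null when the key does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $key = Get-Item $Path
    $out = @{}
    foreach ($name in $key.GetValueNames()) { $out[$name] = $key.GetValue($name) }
    return $out
}

# 1. Policy key: written by Group Policy; absent means the GPO never delivered it.
$policy = Get-RegValues $policyKey
if ($null -eq $policy) {
    Write-Warning "$policyKey is missing: MBAM policy has not reached this client."
} else {
    "Policy values delivered by GPO:"
    $policy.GetEnumerator() | Sort-Object Name |
        Format-Table Name, Value -AutoSize | Out-String
    foreach ($v in 'ClientWakeUpFrequency', 'StatusReportingFrequency') {
        if (-not $policy.ContainsKey($v)) { Write-Warning "$v is not set." }
    }
}

# 2. Client key: NoStartupDelay=1 removes the random startup delay.
$client = Get-RegValues $clientKey
if ($null -eq $client) {
    Write-Warning "$clientKey is missing: is the MBAM agent installed?"
} else {
    "NoStartupDelay = '{0}' (empty means the random delay applies)" -f $client['NoStartupDelay']
}

# 3. Agent service state (display name assumed from the answer's wording).
Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize | Out-String

# 4. Latest MBAM events; an empty channel plus a missing policy key points at the GPO.
foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
    $events = @(Get-WinEvent -LogName $log -MaxEvents 5 -ErrorAction SilentlyContinue)
    "{0}: {1} recent event(s)" -f $log, $events.Count
    $events | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap | Out-String
}
```

Run it from an elevated prompt on the client after `gpupdate /force`; values placed by hand under the policy key are overwritten at the next policy refresh.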

All replies

  • Thanks Manoj!

    1. The GPOs were correctly applied, I checked yesterday (gpupdate /force and gpresult /R).

    2. The MBAM Log is empty (both Admin and Operational)

    3. This machine is already encrypted with BitLocker, and what I need is for this machine to report its status (TPM and BitLocker enabled) to the server so I can see this info in reports.

    Is there any way in which I can tell the MBAM agent to report to the server?

     

    Regards,

    -JP

    Thursday, October 27, 2011 6:46 PM
  • If the machine is already encrypted then the recovery key and compliance status will be shown by MBAM.

     

    To verify keys in SQL check this blog.

    http://blogs.technet.com/b/askcore/archive/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam.aspx

     

    Can you reinstall the MBAM client and see if there are any errors in MBAM

    MBAM Logs on client:

    Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM

     


    Manoj Sehgal
    Thursday, October 27, 2011 8:11 PM
  • Thanks Manoj,

    There's something wrong I think...
    I searched for the “HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement” registry key but it didn’t exist. Besides, in the “HKLM\Software\Microsoft\MBAM” key I just had the “Installed” REG_DWORD with value= 1.
    The MBAM logs are still empty (Admin and Operational in Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM)

    So, here is what I did next:

    1. I uninstalled the agent
    2. Decrypt the disc
    3. Reboot the machine
    4. Install the agent
    5. Reboot the machine again
    6. Run the UI (c:\program files\microsoft\mdop mbam\MBAMClientUI.exe)

    And… nothing happened :/

    This behavior is the same that I had when the disk was encrypted… the UI didn’t work either. (bug maybe?... I tried with 2 different bits)
    I also checked the DB for “Encryption Keys” but found nothing, and in the “MBAM Compliance Status” DB, I looked for data in the ComplianceCore.Machines table, and this table is empty too.

    How does the agent know which is the server that it has to report to?

    Regards,
    -JP

    PS: logs on the servers are clean... no warnings or errors.

    Thursday, October 27, 2011 8:42 PM
  •  
    HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
    Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
       
    If you don’t want random delay, then create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
     


    Are these values compatible also with MBAM 2.0 client?
    Friday, October 18, 2013 4:55 AM
  • Hi guys

    I have the same issue whereby I have configured an MBAM single server in the test environment and installed the MBAM client on a test encrypted laptop. I have followed the steps above and I still can't see my client on the MBAM server.

    When I check the logs on my test client laptop, I get the following: "The MBAM policies were applied successfully"

    I already have BitLocker AD managed setup and I am planning on migrating to MBAM. Please can anyone assist, not sure what else to do.

    thanks

    Thursday, March 13, 2014 11:46 AM
  • Thank you, this worked perfectly to speed up my process, but the policy was reset by AD when the system restarted. But if I just do gpupdate it works fine. Thank you again
    Saturday, August 16, 2014 4:43 AM