move client to new mbam server

  • Question

  • Greetings All!

    I have a problem I could use some help with.

    We've been using Windows 7 BitLocker and MBAM v1 in a mix of production and development devices to test encryption and policy.  Everything works fine in the development environment, and now that we have the production MBAM environment online I want to move devices over to it.  I've updated GPO with the production URLs but none of the devices are registering.  Is there any way to force the client to upload their recovery keys and compliance status to the new production environment?  I've read that the client should do this automatically once they reach the update frequency, however I've changed the time to 1 minute on my machine but still nothing.

    Getting these errors in Event logs:

    An error occurred while sending encryption status data.
    Error code: 0x803d0011
    Details: The operation was not supported by the remote endpoint.


    Tuesday, April 30, 2013 4:55 PM

Answers

  • Just to close this out, we worked together and found an issue with the URL in the GPO for the compliance service.  Once that was corrected, everything functioned as expected.
    Wednesday, May 1, 2013 2:58 PM
    Moderator

All replies

  • Have you looked into MBAM 2.0 that was released a few weeks ago?  What should happen is that the client will wake up and re-escrow the key as appropriate in your new environment.  However, the TPM hashes will not migrate over from one environment to another.  Have you tried restoring your dbs from dev into test and installing MBAM on top of it?
    Tuesday, April 30, 2013 5:52 PM
    Moderator
  • Hi Lance,

    I discovered that the recovery keys are actually being re-escrowed to the production servers but it isn't updating the compliance report page.  The "Enterprise Compliance Report" page shows zero devices but the Recovery and Hardware database has several entries of recovery keys, hostnames, etc.

    Tuesday, April 30, 2013 9:20 PM
  • I'm having the same issue. In my case I'm standing up a new MBAM server for a new company, and everything looks like it should be happy: recovery keys are showing up in AD, there is hardware data and keys in the MBAM Recovery and Hardware SQL database, but the MBAM Compliance Status DB is empty. So far I can't find any events on the server that would indicate what the problem is.
    Wednesday, May 1, 2013 2:59 PM
  • First, if you are using MBAM, I wouldn't store keys in AD as well.  The reason is that there is no auditing on who views the keys in AD, once someone writes down the key, it doesn't change, and if you use MBAM, we will change the key once it is recovered, so AD and MBAM will be out of sync, which can cause confusion.

    Check the MBAM event logs on the client and report back on any errors in the MBAM Admin event log.

    Wednesday, May 1, 2013 3:17 PM
    Moderator
  • I think I may have found the problem, just not sure how to fix it. I was able to compare a properly functioning MBAM Server to the one that's been giving me problems. When browsing to the Directory

    However, on the server that's not working, I get the following when browsing to the same directory:

    Wednesday, May 1, 2013 3:26 PM
  • Can you check the client logs though and report any errors?  Can you validate that the compliance web service address is accurate in your GPO?  I don't believe that message is an issue.
    Wednesday, May 1, 2013 3:34 PM
    Moderator
  • Except on an MBAM server that's working that I have access to, I get this when I navigate to the same directory:

    And the client logs show only one error:

    "An error occurred while sending encryption status data, the operation was not supported by the remote endpoint."

    It looks like the Status Reporting Service in IIS wasn't correctly or completely created by MBAM Setup, so while the IIS virtual directory exists, the service itself is missing, which is causing the client to throw the error.


    Wednesday, May 1, 2013 3:42 PM
  • So, as it turns out... I'm just a moron.

    In rushing to set up the new MBAM server I copied and pasted the Reporting Service URLs into the Group Policy template, and... had the same URL for both the Recovery Service endpoint and the MBAM Status endpoint.

    Amazing how things work properly when they are configured correctly.

    Microsoft should include in all setup instructions: Warning: Do not proceed without caffeine.

    Thanks for your help though

    Wednesday, May 1, 2013 4:19 PM
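Both threads above ended the same way: the client's two MBAM service URLs in the GPO were wrong or identical, so status reports went to the recovery service and failed with 0x803d0011. The following PowerShell check, added here as an example and not code from the thread or from MBAM, reads the policy values the GPO applies on a client and flags exactly that mistake; the registry path, value names, service path suffixes and client log name are assumptions to verify against your own MBAM policy template.

```powershell
# Added example: validate the MBAM client endpoint policy on a client after a GPO change.
# Registry path and value names are ASSUMED to match the MBAM client policy ADMX.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\FVE\MDOPBitLockerManagement'
# Expected tail of each service URL (assumed default MBAM virtual directory names).
$Expected = @{
    KeyRecoveryServiceEndPoint     = 'MBAMRecoveryAndHardwareService/CoreService.svc'
    StatusReportingServiceEndPoint = 'MBAMComplianceStatusService/StatusReportingService.svc'
}

function Test-MbamEndpointPolicy {
    if (-not (Test-Path $PolicyKey)) {
        Write-Warning "Policy key not present; run 'gpupdate /force' and check the GPO scope."
        return $false
    }
    $ok = $true
    $urls = @{}
    foreach ($name in $Expected.Keys) {
        $url = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $url) { Write-Warning "$name is not set"; $ok = $false; continue }
        $urls[$name] = $url
        # Each value must point at its own .svc; a pasted recovery URL in the status
        # value is what produced 0x803d0011 in this thread.
        if ($url -notlike "*$($Expected[$name])") {
            Write-Warning "$name = $url does not end with $($Expected[$name])"
            $ok = $false
        }
    }
    if ($urls.Count -eq 2 -and $urls.KeyRecoveryServiceEndPoint -eq $urls.StatusReportingServiceEndPoint) {
        Write-Warning 'Both endpoints share one URL; status reports sent to the recovery service are rejected as unsupported.'
        $ok = $false
    }
    # Reachability: a WCF .svc answers a GET with its service page; use the machine's credentials.
    foreach ($name in $urls.Keys) {
        try {
            $req = [System.Net.WebRequest]::Create($urls[$name])
            $req.UseDefaultCredentials = $true
            $resp = $req.GetResponse()
            Write-Host "$name reachable: HTTP $([int]$resp.StatusCode)"
            $resp.Close()
        } catch {
            Write-Warning "$name unreachable: $($_.Exception.Message)"; $ok = $false
        }
    }
    return $ok
}

# Recent MBAM client errors (the log the moderator asked for; log name assumed).
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 2 } | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

Test-MbamEndpointPolicy
```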
  • Glad you got it resolved!
    Wednesday, May 1, 2013 6:01 PM
    Moderator