Bypass MBAM policy check when running Invoke-MbamClientDeployment.ps1

  • Question

  • Posted this on MBAM user voice page, but figured I'd check here as well to see if any one else ran into this or has a workaround.

    https://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring/suggestions/10495350-bypass-mbam-policy-check-when-running-invoke-mbamc

    When running the Invoke-MbamClientDeployment.ps1 script on a device that has the MBAM group policies targeted, the script will fail during the pre-reqs check phase.

    During a new build or refresh this wouldn't be an issue, but it doesn't work on a new implementation of MBAM where existing machines are not encrypted. I use a task sequence to check for some pre-reqs, enable TPM and reboot, install the MBAM agent, then start encryption right away. When it gets to the step to run the PowerShell script, it fails with the following error.

    "MBAM policy was detected. Verify that the OU used for pre-deployment does not apply MBAM policy."

    In the past I was using the StartMBAMEncryption script from the DeploymentGuys blog which still works, but would rather use the supported PowerShell script.

    Please add a parameter to the cmdlet to bypass checking pre-reqs or at least allow encryption to start even if a MBAM group policy is already targeted to the device.

    Sunday, November 1, 2015 12:54 AM

All replies

  • You mention task sequences; you wouldn't happen to be having the issue reported here, would you?

    Brandon
    Windows Outreach Team- IT Pro
    MDOP for IT Pros at TechNet

    Thursday, December 10, 2015 6:35 PM
    Moderator
  • Mine is a bit different, but thanks for posting as it made me look at the original post I had on the MBAM user voice forum. Someone commented there to just open the PowerShell script and comment out the lines for that pre-req check.

    And now my hand hurts from smacking myself in the head for that duh moment...

    Friday, December 11, 2015 3:47 PM
  • This was the answer posted on the MBAM user voice forum in case anyone runs into this. Haven't tested yet, but don't see why it wouldn't work.

    Serveran commented · November 05, 2015 09:08

    comment out the

    Function IsMbamPolicyApplied()
    {
    <#
        .SYNOPSIS
            Determines if MBAM policy has been applied to the machine.

        .DESCRIPTION
           Determines if MBAM policy has been applied to the machine. This script
           may not succeed if MBAM policy is detected.

        .RETURNVALUE
            True if MBAM policy is detected, False otherwise.
    #>

        [psobject]$mbamVolume = Get-WmiObject -Query ("SELECT Compliant FROM Mbam_Volume WHERE BitLockerManagementVolumeType = '1'") -Namespace $MbamWmiNamespace

    and


        if (IsMbamPolicyApplied)
        {
            Throw "MBAM policy was detected. Verify that the OU used for pre-deployment does not apply MBAM policy."
        }

    Friday, December 11, 2015 3:49 PM
  • I feel very stupid here, but I cannot make it work. If I comment out or delete those lines, I get an error in the PS script. Is it possible for someone to copy and paste the working script without GPO checks?
    Thursday, January 28, 2016 4:51 PM
  • Hi all,

    I have the exact same issue here. I have commented out the mentioned lines, and the script starts with an error message that the variable $mbamVolume is missing. I guess the lines:

        if ($mbamVolume -eq $null)
        {
            Throw "Failed to execute WMI Mbam_Volume.EscrowRecoveryKey. Make sure MBAM client is 2.5 SP1 or greater."
        }

        return -not ($mbamVolume.Compliant -eq "2")

    also need to be commented out, because the line that is already commented out:

    [psobject]$mbamVolume = Get-WmiObject -Query ("SELECT Compliant FROM Mbam_Volume WHERE BitLockerManagementVolumeType = '1'") -Namespace $MbamWmiNamespace

    declares the variable $mbamVolume.

    However, is this a real supported answer from the MBAM Team?

    BR

    Ben

    Monday, November 28, 2016 3:28 PM
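    The reply above shows why simply deleting the first lines of IsMbamPolicyApplied breaks the script: the remaining null check and return statement still reference $mbamVolume. The following is an added example (not from this thread and not Microsoft's Invoke-MbamClientDeployment.ps1) of the same check rewritten as a stand-alone function whose policy test can be skipped with a switch while the variable and return statement stay intact, plus a helper that lists the OS volume's Mbam_Volume properties for later compliance troubleshooting. The namespace value root\Microsoft\MBAM, the function names Test-MbamPolicyApplied and Get-MbamOsVolumeStatus, and the -SkipPolicyCheck switch are assumptions; the WMI class, field names and error text are taken from the script fragments quoted in the thread.

```powershell
# Added example; not part of the thread or of Invoke-MbamClientDeployment.ps1.
# Assumption: the MBAM 2.5 SP1+ client is installed and exposes its classes
# under this namespace (the value the script keeps in $MbamWmiNamespace).
$MbamWmiNamespace = 'root\Microsoft\MBAM'

function Test-MbamPolicyApplied {
    <#
        .SYNOPSIS
            Same logic as the script's IsMbamPolicyApplied, but the skip is a
            switch instead of commented-out lines, so $mbamVolume and the
            return statement remain valid and the "missing variable" error
            described in the thread cannot occur.
    #>
    [CmdletBinding()]
    param(
        # Hypothetical switch: bypass the policy check when the pre-deployment
        # OU is known to already receive the MBAM GPO.
        [switch]$SkipPolicyCheck
    )

    if ($SkipPolicyCheck) {
        Write-Verbose 'MBAM policy check skipped by request.'
        return $false
    }

    $mbamVolume = Get-WmiObject -Namespace $MbamWmiNamespace `
        -Query "SELECT Compliant FROM Mbam_Volume WHERE BitLockerManagementVolumeType = '1'"

    if ($null -eq $mbamVolume) {
        Throw "Failed to execute WMI Mbam_Volume.EscrowRecoveryKey. Make sure MBAM client is 2.5 SP1 or greater."
    }

    # In the original function, Compliant -eq "2" is the "no policy applied"
    # state; any other value means MBAM policy already governs the OS volume.
    return -not ($mbamVolume.Compliant -eq '2')
}

function Get-MbamOsVolumeStatus {
    <#
        .SYNOPSIS
            Lists every non-system property of the OS volume's Mbam_Volume
            instance, useful when a machine reports as non-compliant after the
            policy check was removed and the cause needs to be inspected.
    #>
    Get-WmiObject -Namespace $MbamWmiNamespace `
        -Query "SELECT * FROM Mbam_Volume WHERE BitLockerManagementVolumeType = '1'" |
        Format-List -Property [a-zA-Z]*   # wildcard drops the __CLASS/__PATH noise
}

# Usage from a task sequence step: keep the original error message, but let
# the caller decide whether the pre-req check applies to this OU.
if (Test-MbamPolicyApplied -SkipPolicyCheck:$true -Verbose) {
    Throw "MBAM policy was detected. Verify that the OU used for pre-deployment does not apply MBAM policy."
}
Get-MbamOsVolumeStatus
```

    Switching the check off with a parameter rather than deleting lines keeps the rest of the function syntactically valid, which is the error Ben ran into; the status helper is what to run first when the compliance reports later in this thread disagree with what the drive shows.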
  • However, is this a real supported answer from the MBAM Team?

    BR

    Ben

    MBAM team will release an enhanced PS1 script in the next MBAM version, whenever it will be released.
    Tuesday, November 29, 2016 7:35 AM
  • Hello Yannara,

    Thanks for the update. However, I have so far mixed feelings with this modified version of the script. The two test clients which I had haven't escrowed the TPM info to MBAM, although the script hasn't reported any issue. I will continue tests...

    But I guess I will deploy with the official script without applied GPOs. I will set the regkeys for the used space option manually before I run the script and start it with the unspecified parameter. That was the original reason why I deployed with applied GPOs (we don't use the WinPE encryption).

    BR

    Ben

    Tuesday, November 29, 2016 12:48 PM
  • With the GPO check commented out, I'm able to encrypt and escrow the recovery key to DP during OSD, but never the TPM password. No errors occurring. I also tried these scripts with 1607 in OSD, runs fine, no errors, but no TPM hash either...

    http://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/

    Tuesday, November 29, 2016 1:11 PM
  • With the GPO check commented out, I'm able to encrypt and escrow the recovery key to DP during OSD, but never the TPM password. No errors occurring. I also tried these scripts with 1607 in OSD, runs fine, no errors, but no TPM hash either...

    http://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/

    I'm having the same issue. Is there a better workaround, because my machines are showing as non-compliant?
    Tuesday, January 17, 2017 8:04 PM
  • Better workaround for what? Are your machines encrypted and show up as non-compliant, or are they not encrypted?

    /Oliver

    Wednesday, January 18, 2017 7:13 AM
  • Better workaround for what? Are your machines encrypted and show up as non-compliant, or are they not encrypted?

    /Oliver

    Since I have commented out the policy check, my machines are showing as non-compliant in our reports.

    Policy: Operating System Drive = Encryption Required: TPM

    Policy: Fixed Data Drive = Encryption Required: Password

    I'm not really sure why it is showing this when the drive is actually encrypted.


    • Edited by JoseEspitia Wednesday, January 18, 2017 5:59 PM
    Wednesday, January 18, 2017 4:30 PM
  • Hi,

    The invoke script does not have anything to do with compliance. I suggest you make a new separate thread for your problem.

    /Oliver

    Wednesday, January 18, 2017 8:01 PM