ukg_matt

I have just resolved something like this in my environment. I looked in the BitlockerManagement_GroupPolicyHandler.log and I found errors ' Failed to open GPO (0x80004005)', I googled and found this, although it’s not an identical issue I thought it was worth a shot so I deleted C:\Windows\System32\GroupPolicy\Machine\Registry.pol after that I refreshed the policy on the machine a few time and the devices began to encrypt. I hope this helps!

What does the MBAM > Admin client log show? The server event logs are Application and Service Logs > Microsoft > Windows > MBAM-Web > Admin Application and Service Logs > Microsoft > Windows > MBAM-Web > Operational

What do the event logs say on both server and clients?

My problems was/is that the SCCM Bitlocker policy could not be enforced... What do the event logs say on both server and clients?

Edited

I’ve been following the Bitlocker management tutorial here. Apart from the previous MBAM Install error over here, everything has gone as expected, apart from actual device encryption….. I’ve configured everything as per the tutorial, I have a set of devices, I have the configuration base line to deploy the reg keys to force encryption to start, I’ve configured and deployed the policy to the machines. The clients have the MDOP client. If I run “(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance” on any of the clients, I get the 3 codes returned, 1, 16 and 3. From here the error codes are as follows : 1 MBAM Policy requires this volume to be encrypted but it is not. 3 MBAM Policy requires this volume use a TPM protector, but it does not. 6 Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that. The policy I configured in SCCM is XTS-AES-256, do I need to do something else? Configure a GPO maybe? I wasn’t sure exactly what other detail to include so feel free to ask me for some logs etc.

scrap that, i re-enabled [Convert]::ToBase64String($bytes) and [Convert]::FromBase64String($encodedCert) and the script is working. My issues were 2 fold, first was that I had to export the Bitlocker Managemanet cert from SQL and import it manually using certlm.msc, the second issue was that I didn't have an SQL Server Identification Cert that was named 'ConfigMgr SQL Server Identification Certificate' so I generated one... Re-ran the script again et voila Thanks again to anyweb and AS-NRY.

Hi Thanks for the tip, AS-NRY, it has moved my install script on somewhat but it still doesn't complete successfully. Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate from *******.***.local At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1171 char:16 + $success = Get-CertificateFromSqlServer $SqlServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer Install-MBAMWebSites : Failure acquring SQL identity certificate. At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1324 char:5 + Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

I have amended the mbaminstaller script with the correct report server URL. Thanks

replied via email!

Hi Nial I've been following your MBAM in SCCM guide from here and we're already converted from HTTP to HTTPS. I needed to encrypt the recovery data so i followed this Microsoft guide. Now I'm attempting to install the MBAM websites with the mbamwebsiteinstaller.ps1 script, and I'm given the following errors.... Unable to find ConfigMgr SQL Server Identification Certificate + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException + PSComputerName : azukssccm.ukg.local Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling "FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string." At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16 + $success = Get-CertificateFromSqlServer $SqlServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer Install-MBAMWebSites : Failure acquring SQL identity certificate. At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5 + Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites Any help would be much appreciated. Thanks