
Hi. Great article, and I watched your vid as well. Very helpful. I installed SCCM 1910 in my lab (which has only VMs), and configured a BitLocker Policy. MBAM client is installed on the VMs as expected. Event viewer indicates that MBAM policies were applied successfully.

The machines, however, are not popping up the MBAM interface telling me to encrypt. I saw in your video that the interface popped up on the VM, and then gave you an error when you tried to encrypt. Mine aren't even popping up. Any idea why?

 

Thanks in advance


thanks for the thanks. First thing though, is your 1910 lab in HTTPS mode? If not, you cannot use MBAM integration; it must be in HTTPS mode.

if you need help with HTTPS mode see the following links. I converted one of my labs from HTTP to HTTPS yesterday using these guides; it's not that hard if you pay attention to the guides:

*to learn how to setup PKI and convert MEM CM from HTTP to HTTPS see windows-noob.com/forums/topic/1 and then once complete, do this windows-noob.com/forums/topic/1


I just did a migration from MBAM to SCCM MBAM and wanted to share my findings, maybe it's useful to someone else.

Everything worked for me except I wouldn't see any recovery keys in the SCCM database.
There seems to be an issue where the MBAM recovery part in IIS is not working: SMS_MP_MBAM exists, but if you click it you will get a "file not found".
I realised this is a similar issue to the one Anyweb describes in the OP, but it's not exactly the same.

The solution is the same: open the .cab file, extract it to, for example, "D:\Program Files\SMS_CCM\Microsoft BitLocker Management Solution", and run the mbamrecoveryserviceinstaller.ps1 script to set the ACLs on the files.
The recovery url should also be viewable after that, in my case that was https://sccmserverfqdn/SMS_MP_MBAM/CoreService.svc

I also had to replace the old MBAM Recovery Service Endpoint with the new URL (https://sccmserverfqdn/SMS_MP_MBAM/CoreService.svc) to get clients to report the recovery keys to the SCCM database.
This also causes existing MBAM clients to report their recovery keys again.
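The post above boils down to three things an admin wants to confirm after the fix: the cab contents were extracted, the SMS_MP_MBAM recovery service no longer returns "file not found", and clients point at the new endpoint. The PowerShell below is an added verification script, not the poster's or Microsoft's code; it assumes SMS_MP_MBAM sits under "Default Web Site", uses the placeholder FQDN from the post, and assumes the client-side endpoint lives at the MBAM group policy registry path shown (adjust if your environment differs).

```powershell
# Added check script (not from the post): verifies the three fixes described above.
# Run steps 1-3 on the management point, step 4 on a client.
param(
    [string]$ServerFqdn = 'sccmserverfqdn',   # placeholder from the post, replace with your MP FQDN
    [string]$ExtractDir = 'D:\Program Files\SMS_CCM\Microsoft BitLocker Management Solution'
)

$recoveryUrl = "https://$ServerFqdn/SMS_MP_MBAM/CoreService.svc"
$results = [ordered]@{}

# 1. Were the cab contents extracted, and is the ACL script there to run?
$installer = Join-Path $ExtractDir 'mbamrecoveryserviceinstaller.ps1'
$results['ExtractedFolder']  = Test-Path $ExtractDir
$results['AclScriptPresent'] = Test-Path $installer

# 2. Does the IIS application exist? (assumption: under "Default Web Site")
Import-Module WebAdministration -ErrorAction SilentlyContinue
$app = Get-WebApplication -Site 'Default Web Site' -Name 'SMS_MP_MBAM' -ErrorAction SilentlyContinue
$results['IisAppExists'] = [bool]$app

# 3. Does the recovery service answer with anything other than the 404 the post describes?
try {
    $resp = Invoke-WebRequest -Uri $recoveryUrl -UseBasicParsing -ErrorAction Stop
    $results['ServiceHttpStatus'] = [int]$resp.StatusCode
} catch {
    # On a non-2xx reply PowerShell throws; pull the status code out of the response if present
    $code = $_.Exception.Response.StatusCode.value__
    $results['ServiceHttpStatus'] = if ($code) { [int]$code } else { 'unreachable' }
}
$results['ServiceNotFound'] = ($results['ServiceHttpStatus'] -eq 404)

# 4. On a client: has the recovery endpoint been switched to the new URL?
# Assumption: MBAM policy values are written here (the MBAM GPO location).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$configured = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).KeyRecoveryServiceEndPoint
$results['ClientEndpoint']        = $configured
$results['ClientEndpointMatches'] = [bool]($configured -and ($configured.TrimEnd('/') -ieq $recoveryUrl))

[pscustomobject]$results | Format-List
```

A ServiceNotFound of True means the ACL/extraction step still needs doing on the MP; a ClientEndpointMatches of False means the client still carries the old MBAM endpoint and will not report keys to the ConfigMgr database.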


Hi everyone,

We got the SCCM MBAM working as well.

Just like alparliament, we currently use Sophos Safeguard for BitLocker key management. If we deploy MBAM it works for AD clients, and after a while it gets the same Recovery Key ID as in Safeguard. Fine.

But what about workgroup clients? The logs show that there is a sync between client and server, but no keys or workgroup machines are in the database.

Thanks

Matthias

 


hi @CellFreak

so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMgr's database in the MBAM tables, but it's not working for workgroup joined computers?

please clarify this


Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused. Even in this document you mentioned:

"Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below.

Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)."

But in the video as well as the comments you said SCCM should be in HTTPS mode.

Could you please clarify? Thanks again for your detailed documentation.

Edited by Shaq

hi Shaq,

the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is, again, required.

but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS. That would make it much easier to use the MBAM capabilities, but remember HTTPS is more secure regardless.

 

cheers

niall


Quote

...so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMgr's database in the MBAM tables, but it's not working for workgroup joined computers?

Hi @anyweb

yes, exactly.

Keys of workgroup clients are not stored in the MBAM tables.

As far as I know, MBAM does not work with workgroup clients, but now that it is integrated in SCCM or MEM, I thought it might work.

Edited by CellFreak


Thanks for the video you posted on YouTube! I really like that you didn't edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value than simply showing a 100% working environment!
 

We have created our own version of Anders Rodland's "ConfigMgr Client Health" that also deals with BitLocker issues. This runs completely silently. Logs are gathered with Splunk.

1. MDOP seems like a "user-driven" experience? We want the entire process to run without any user interaction. If something fails, we analyse the logs with Splunk, update our "Client Health" and fix the problem without ever notifying the user.

2. Will MDOP automatically fix issues that prevent BitLocker from functioning?

- We already have a fully working AD environment and documented routines to recover keys etc.

- Preferably, we don't want yet another agent installed in our environment.

- Our BitLocker compliance is at 99.5% (with yearly audits).

- We BitLocker all new machines during setup.

What are we missing out on by not using MBAM?


Thanks for the video you posted on YouTube! I really like that you didn't edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value than simply showing a 100% working environment!

 

thank you!

1. it can be completely silent see >

 

2. MDOP is not a self-healing product, but you can use CI/CBs in ConfigMgr to achieve this (via compliance).

MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.
