Jump to content


Recommended Posts

can you explain further what you mean by this ? are you seeing it ignoring settings you've defined in your policy ?

Share this post


Link to post
Share on other sites

I see that if I enable this policy on workstation it will prompt by bitlocker management to encrypt C:\ and enter the PIN password, so the policy works but after encryption is finish I have noticed that it encrypted only C:\ system drive.

MicrosoftTeams-image (10).png

 

Should I wait some time for encrypt fixed drive or it should encrypt after mbam prompt both disks?

Edited by Thomas123

Share this post


Link to post
Share on other sites
On 4/24/2020 at 6:02 PM, anyweb said:

is Volume d a physical disk in the computer or what ? 

In this case is second physical drive but the same situation is on only one physical drive but 2 partition, i checked few workstation and that Policy never encrypt D partition 

Share this post


Link to post
Share on other sites

ok and you are using Configmgr 1910 ? I think it would be worth re-testing this with ConfigMgr 2020

Share this post


Link to post
Share on other sites

Right, ConfigMgr1910. I will install also hotfixes available on my site. There is something related to bitlocker.

 

https://support.microsoft.com/en-us/help/4537079/update-rollup-for-microsoft-endpoint-configuration-manager-current-bra

 

So in your opinion there is unknown bug and my configuration should work? What will be happend if I create another bitlocker policy and run on these computers? It will skip and nothing will be happend or there is a chance that MBAM encrypt D:\ drive?

Share this post


Link to post
Share on other sites

i haven't tested your scenario in 1910 or 2002 so it could be a bug, can you test in a lab ?

Share this post


Link to post
Share on other sites

Yes i will test but also I just read again MBAM documentation and I thing that i found my bad configuration. In 1910 you cannot specify auto-unlock for fixed drive or passwor policie (I see that feature is now available in 2002 version). The documentation clearly say that:

 

Fixed data drive encryption
Suggested configuration: Enabled

Manage your requirement for encryption of fixed data drives. If you enable this setting, BitLocker requires users to put all fixed data drives under protection. It then encrypts the data drives.

When you enable this policy, either enable auto-unlock or the settings for Fixed data drive password policy.

Configure auto-unlock for fixed data drive: Allow or require BitLocker to automatically unlock any encrypted data drive. To use auto-unlock, also require BitLocker to encrypt the OS drive.
If you don't configure this setting, BitLocker doesn't require users to put fixed data drives under protection. - I think this is it :)

If you disable this setting, users can't put their fixed data drives under BitLocker protection. If you disable this policy after BitLocker encrypts fixed data drives, BitLocker decrypts the fixed data drives.

Share this post


Link to post
Share on other sites
On 4/28/2020 at 9:44 AM, anyweb said:

great, looks like you've solved it !

Not really, I cannot set up auto-unlock for fixed drive. I  installed Hot Fix to 1910 and there is still same problem. Also update to 2002 is not visible in my tenant (is that normal?). There is no alert on MBAM log on client site, there is no alert on SCCM site, currently workstation is Compilant. Any ideas what should I do except update sccm to 2002 (does it stable version?)

Share this post


Link to post
Share on other sites

2002 won't show up unless you use the early update ring script, or wait for it to release to slow ring (soon)

 

https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/checklist-for-installing-update-2002#early-update-ring

Share this post


Link to post
Share on other sites

Anyweb, Thanks for making my life easy.

I do have one question.

Step 5. 

That MBAM popup ...we want to deploy it without that popup like no user interaction and it just run in the background without user to click in start. Is that possible? 

 

Share this post


Link to post
Share on other sites

yes its possible, if you are using SCCM 1910 follow my video

 

if you are using MEM 2002 then set the corresponding settings in the wizard to have no delay

Share this post


Link to post
Share on other sites

Share this post


Link to post
Share on other sites

FYI on 2002 version (official since 11.05.2020) everything looks good! I needed to configure Auto-Unlock option and disable password requirement (in 1908 version this tab wasn't available). Now, after encrypted C:\ I got prompt to encrypt also D:\ but without any PIN.

Share this post


Link to post
Share on other sites

Hi Niall

Thanks for the great video tutorials and past SCCM guides.

This is my first experience of MBAM and I've managed to follow your guides to deploy MBAM polices and portals in SCCM 1910 and MECM 2002. I now want to move on to including MBAM in the OSD task sequence. There are a few posts on various forums with conflicting information but no complete guide and mostly written for standalone MBAM or Windows 7.

If you have time please create a new step\video to show how it's done by the professionals :)

Share this post


Link to post
Share on other sites
On 5/6/2020 at 1:46 PM, anyweb said:

yes its possible, if you are using SCCM 1910 follow my video

if you are using MEM 2002 then set the corresponding settings in the wizard to have no delay

Hi Niall,

Thank you, I deployed it to 10 test units over the VPN.

Only 1 so far worked as intended.

Few Question.

- I can see in my BitlockerMangaement GroupPolicyHandler that its trying to enforce keys into registry. But I am not seeing them other then those 2 custom one enforce using baselines. Is there way for it get force more frequently?  

Screen Shot

I will be updating SCCM to 2002 soon too.

Share this post


Link to post
Share on other sites

is your mdop client agent installed ? what's present in the FVE reg key ?

Share this post


Link to post
Share on other sites

that's the MDOPBitLockerManagent key, what's the parent FVE key? also is your configmgr client agent the correct version ? is the computer in a collection targeted with the bitlocker management policy ?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...