FVE only has the MDOP folder. I have the latest ConfigMgr client. Also my laptop is in the correct collection.


OK, you don't understand what I'm saying. Do you have TeamViewer so I can take a look?

19 hours ago, anyweb said:

That's the MDOPBitLockerManagement key; what's the parent FVE key? Also, is your ConfigMgr client agent the correct version? Is the computer in a collection targeted with the BitLocker management policy?

Maybe this is what you mean? http://prntscr.com/sjx7f3

17 hours ago, anyweb said:

OK, you don't understand what I'm saying. Do you have TeamViewer so I can take a look?

Yes, I do.


5-20-20

So after looking at the log BitlockerManagement_GroupPolicyHandler I saw it try to inject registry keys. See the screenshot below.

http://prntscr.com/skckgu

But when I check the registry they are not there. Any idea? Hope I am making sense. :)


And once again it's complaining that what's in FVE is not compliant,

so what are the registry keys you have listed in FVE?

This path..

image.png

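The back-and-forth above boils down to three checks on the client: which values actually exist under the FVE policy key (and its MDOPBitLockerManagement subkey), whether the ConfigMgr client is the expected version, and what BitlockerManagement_GroupPolicyHandler.log says about compliance. The script below is an added example, not code from the thread or from Microsoft; it gathers those three facts in one run from an elevated PowerShell session. The log location under `$env:windir\CCM\Logs` is an assumption, as is the choice of 25 lines to tail; the registry paths and the `SMS_Client` CIM class are standard ConfigMgr/BitLocker locations.

```powershell
# Added diagnostic example (not from the thread). Checks the items being
# troubleshooted above on a ConfigMgr-managed BitLocker client.
# Run from an elevated PowerShell session on the affected machine.

$fvePath  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'            # BitLocker policy key
$mdopPath = Join-Path $fvePath 'MDOPBitLockerManagement'       # subkey seen in the thread
$logPath  = Join-Path $env:windir 'CCM\Logs\BitlockerManagement_GroupPolicyHandler.log'  # assumed location

function Get-FvePolicyState {
    # Returns the value names directly under FVE and under the MDOP subkey.
    $result = [ordered]@{
        FveKeyExists   = Test-Path $fvePath
        FveValues      = @()
        FveSubKeys     = @()
        MdopKeyExists  = Test-Path $mdopPath
        MdopValues     = @()
    }
    if ($result.FveKeyExists) {
        $key = Get-Item $fvePath
        $result.FveValues  = @($key.GetValueNames())   # empty here means no policy landed
        $result.FveSubKeys = @($key.GetSubKeyNames())
    }
    if ($result.MdopKeyExists) {
        $result.MdopValues = @((Get-Item $mdopPath).GetValueNames())
    }
    [pscustomobject]$result
}

function Get-CcmClientVersion {
    # SMS_Client in root\ccm exposes the installed client version.
    try {
        (Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop).ClientVersion
    } catch {
        'ConfigMgr client not found'
    }
}

function Get-BitLockerPolicyLogTail {
    param([int]$Lines = 25)   # assumed tail length
    if (-not (Test-Path $logPath)) { return "Log not found: $logPath" }
    # Surface lines that mention compliance or registry writes, which is what
    # the thread was reading in this log.
    Get-Content -Path $logPath -Tail $Lines |
        Where-Object { $_ -match 'compliant|registry|FVE' }
}

# Usage: print the three checks together.
Get-FvePolicyState | Format-List
"ConfigMgr client version: $(Get-CcmClientVersion)"
Get-BitLockerPolicyLogTail
```

If `FveValues` comes back empty and only `MDOPBitLockerManagement` is listed under `FveSubKeys`, the client is in the same state described in this thread: the policy handler has not written the BitLocker settings, so the compliance evaluation in the log will keep reporting FVE as non-compliant.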
6 minutes ago, anyweb said:

And once again it's complaining that what's in FVE is not compliant,

so what are the registry keys you have listed in FVE?

This path..

image.png

Sorry, I posted it in my edited reply, one above.

https://prnt.sc/sjx7f3


OK, well, there's nothing there at all, so this is not working. PM me your TeamViewer details if you want me to connect and take a look.


So after doing more testing I found out that it's a VPN issue. On my test machine, and even on the laptops, when they go to the office network the keys get populated and encryption starts silently.

Now the question is: why don't they get populated when it's connected to VPN, even after it tries to check in with the SCCM server once connected?


I've asked a PM at Microsoft for comment on this. It could be that your VPN solution is blocking some communication between the clients and the MP, but let's see what he says.


Hi Niall,

I'm currently running MECM 2002 and I have followed your guides, but I want to use the BitLocker encryption certificate, so I have followed the Microsoft documentation. I have created the cert but I get an error when trying to produce the policy in MECM. The error is "Plain text storage of recovery information required when the BitLocker Management encryption certificate has not been deployed." Where do I have to deploy it to? I have two management points, both on-prem; one is an IBCM, both using HTTPS. Thank you

EDIT: I had the policy open while I created the cert. Closing the policy window and relaunching fixed the issue. Thank you

Edited by Hectaaaa: Fixed it.


Thanks for posting the solution so others will find it!


Quick question,

Currently we are in the process of switching to co-management but are still pilot testing. I just found out that Intune has its own BitLocker management tools, so did I waste all my time setting up on-prem MBAM? Or can I still use it to access and manage key information? If I can still use it, is it possible to set up the self-service portal on an IBCM point? It is currently set up on the primary management point that is set up for intranet clients only.

Also, sorry if I am posting this in the wrong area; still learning how to navigate the site.

Thank you,


Having your BitLocker Management keys stored in your on-premises database (ConfigMgr) is an asset to many customers, and also gives you time to migrate to Intune and see the different ways it can manage your recovery keys.

You could create an Azure web app proxy to connect back to the on-premises server handling the requests.


Hello Windows-Noob ;)

I implemented IBCM with a PKI infrastructure 2 years ago already; however, when I try to execute BitLocker I'm still getting the following error:

Unable to find suitable Recovery Service MP. Forcing policy non-compliant.

I always thought everything was going well ;) - no issues with deploying software, no issues with policies/configuration baselines, no issues with Windows updates. BUT we have an SCCM HTTP (lab) and there I saw that the client indicates its 'Assigned Management Point', and that is not the case with our non-domain/workgroup machines. In the LocationServices log there is the following error: "1 internet MP errors in the last 10 minutes, threshold is 5."

So my guess is there is something wrong!! I saw blogs on the internet for IBCM PKI-enabled clients where the Assigned Management Point entry is filled in.

Anyone?

bitlocker_1.png

bitlocker_2.png

bitlocker_3.png

bitlocker_4.png


Hiya and welcome,

Can you look at the Network tab of your IBCM client? My (co-managed, forced internet client) looks like this:

image.png


Hey Niall,

Thanks for answering...

Can I have a screenshot of your 'General' tab?

Is the FQDN automatically filled in? Do you use a CMG? Ours is a DP/MP reachable from the 'internet'.

bitlocker_5.png


Yes, I'm using a CMG in this lab, but I haven't tested BitLocker Management in that regard and I believe the functionality is just not there yet without a workaround suggested by Marc in another thread. Here's the requested screenshot.

image.png


Marc in another thread?

Thanks for the screenshot. I see that here, too, the assigned management point is not filled in, or is that just when a client connects to 'Currently intranet'?

But that does not resolve my issue for BitLocker: Unable to find suitable Recovery Service MP. Forcing policy non-compliant.


Hello, I have the same problem.

Unable to find suitable Recovery Service MP. Forcing policy non-compliant.

All is in HTTPS.

And also in my SCCM SQL database there are no recovery keys, although I have a VM that is compliant and encrypted.

Anybody help?

Thank you

EDIT:

I was able to figure this out, but now I have a problem with a client that has the MBAM agent.
It couldn't send data to the SCCM SQL DB.

On the workstation, the Event Viewer ADMIN log is showing:
Event ID: 2 (VolumeEncactmentFailed)

Error code:
-2143485947

Details:
Access was denied by the remote endpoint

We have multiple domains.


Hi Niall,

Great, informative information as always. Just a question from me: does it support Windows 7 clients? I couldn't see this info in any of the official documentation, but I just wondered if in practice it does still work.

Thanks

Suki


Hi Suki, thank you. I presume it would, as it's the exact same one that's been in use by MBAM for the last number of years; however, Windows 7 itself is EOL.


Hi Niall,

I followed your guides/videos to migrate from using BitLocker in a task sequence with keys archived to AD to MEMCM 2002 BitLocker Management. I'm seeing an issue on machines previously managed where, even after decrypting the OS drive and allowing the new policy to dictate the encryption settings, those machines still stay at "used space only" encryption. Machines that had never had BitLocker before use "full volume encryption". I can see the cipher strength has changed to match the new policy and the machines report "compliant". Is there a setting somewhere that I may be missing that forces FVE instead of used space only?

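The question above is about telling "used space only" from full-volume encryption on machines that already report compliant. `Get-BitLockerVolume` exposes the volume status, cipher and percentage, but the conversion type is only printed by `manage-bde -status`. The script below is an added example, not from the thread or from Microsoft; it combines both sources into one per-volume report so an admin can see at a glance which machines a policy change did not reconvert. It assumes English `manage-bde` output, since it matches the literal "Conversion Status" line, and must run elevated.

```powershell
# Added example (not from the thread). Reports, per BitLocker volume, the
# encryption method, progress and whether the volume was encrypted as
# "Used Space Only" or as a full-volume conversion.
# Requires an elevated session and the built-in BitLocker PowerShell module.

function Get-ConversionStatus {
    param([string]$MountPoint)
    # manage-bde prints a line such as "Conversion Status:    Used Space Only Encrypted".
    # The English label is assumed; localized builds print a different label.
    $lines = & manage-bde -status $MountPoint 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Conversion Status:\s*(.+)$') {
            return $Matches[1].Trim()
        }
    }
    return 'Unknown'
}

function Get-VolumeEncryptionReport {
    $report = foreach ($vol in Get-BitLockerVolume) {
        $conversion = Get-ConversionStatus -MountPoint $vol.MountPoint
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeStatus         = $vol.VolumeStatus          # e.g. FullyEncrypted
            EncryptionMethod     = $vol.EncryptionMethod      # e.g. XtsAes256
            EncryptionPercentage = $vol.EncryptionPercentage
            ConversionStatus     = $conversion
            UsedSpaceOnly        = ($conversion -match 'Used Space Only')
        }
    }
    $report
}

# Usage: list every volume, flagging the ones still on used-space-only encryption.
Get-VolumeEncryptionReport | Format-Table -AutoSize
```

A volume that shows `FullyEncrypted` with `UsedSpaceOnly` set to `True` is exactly the case described in the post: compliant against the cipher-strength setting, but never reconverted to full-volume encryption. Running the report before and after a decrypt/re-encrypt cycle makes it easy to confirm whether the new policy actually changed the conversion type.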
