ukg_matt Posted January 23, 2020

I've been following the BitLocker management tutorial here. Apart from the previous MBAM install error over here, everything has gone as expected, apart from actual device encryption...

I've configured everything as per the tutorial: I have a set of devices, I have the configuration baseline to deploy the reg keys to force encryption to start, and I've configured and deployed the policy to the machines. The clients have the MDOP client.

If I run "(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance" on any of the clients, I get the 3 codes returned: 1, 16 and 3.

From here the error codes are as follows:

1 MBAM Policy requires this volume to be encrypted but it is not.
3 MBAM Policy requires this volume use a TPM protector, but it does not.
6 Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.

The policy I configured in SCCM is XTS-AES-256. Do I need to do something else? Configure a GPO maybe?

I wasn't sure exactly what other detail to include, so feel free to ask me for some logs etc.
anyweb Posted January 23, 2020

no GPO's needed, can you attach (or email me) the 2 bitlocker related logs in c:\windows\ccm\logs and can you do a teamviewer session so i can take a look ?
APd Posted February 6, 2020

Did you work this out? We've been encrypting with MBAM for a while now successfully, now we're having a rash of computers not encrypting because "actual cypher strength is weaker" and it's not clear what has changed.
Carl Davis Posted February 11, 2020

Hi Niall,

I have used your guides to implement SCCM MBAM 1910 and it went in successfully. I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happens until I manually run MBAMClientUI.exe. I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy. I've had one or two successful when the MDOP client pops up but the rest just sit there.

Any advice is greatly appreciated and I look forward to hearing from you.

Regards
Carl Davis

P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video
ukg_matt Posted February 11, 2020

On 2/6/2020 at 3:06 PM, APd said:
Did you work this out? We've been encrypting with MBAM for a while now successfully, now we're having a rash of computers not encrypting because "actual cypher strength is weaker" and it's not clear what has changed.

My problem was/is that the SCCM BitLocker policy could not be enforced... What do the event logs say on both server and clients?
ukg_matt Posted February 11, 2020

6 minutes ago, Carl Davis said:
Hi Niall, I have used your guides to implement SCCM MBAM 1910 and it went in successfully. I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happens until I manually run MBAMClientUI.exe. I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy. I've had one or two successful when the MDOP client pops up but the rest just sit there. Any advice is greatly appreciated and I look forward to hearing from you. Regards Carl Davis P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video

What do the event logs say on both server and clients?
Carl Davis Posted February 11, 2020

Hi Matt,

The MBAM logs on the event viewer keep repeating "Volume Enactment Successful and CoreService Up".

Please see the attached from the clients.... Which event logs from the server do you need? This is a site with multiple roles on multiple servers 🙂

Thank you

BitlockerManagement_GroupPolicyHandler.log
ukg_matt Posted February 11, 2020

19 minutes ago, Carl Davis said:
Hi Matt, The MBAM logs on the event viewer keep repeating "Volume Enactment Successful and CoreService Up". Please see the attached from the clients.... Which event logs from the server do you need? This is a site with multiple roles on multiple servers 🙂 Thank you BitlockerManagement_GroupPolicyHandler.log

What does the MBAM > Admin client log show?

The server event logs are:

Application and Service Logs > Microsoft > Windows > MBAM-Web > Admin
Application and Service Logs > Microsoft > Windows > MBAM-Web > Operational
Carl Davis Posted February 11, 2020

Hi Ya,

MBAM-WEB empty on site Servers and MBAM > Admin client - no events....

Thank you
Carl
anyweb Posted February 11, 2020

what policy settings have you configured and have you verified the client is indeed in the collection where you deployed it ?
Syntax Posted February 24, 2020

Good day Niall and everyone,

I just replied since it's the same topic as what I'm getting but a different error msg (not an error msg actually). I just got some machines that are not compliant, but these machines have the same specs as any compliant machines I have.
anyweb Posted February 24, 2020

are you saying they are reporting as non compliant but are in fact, compliant ? if so have you installed the hotfix available for 1910 in the console ?
Syntax Posted February 24, 2020

nope sorry to confuse you. It is reporting non-compliant and checked the machines and bitlocker is not implemented.
ukg_matt Posted February 26, 2020

I have just resolved something like this in my environment. I looked in the BitlockerManagement_GroupPolicyHandler.log and I found errors 'Failed to open GPO (0x80004005)'. I googled and found this; although it's not an identical issue I thought it was worth a shot, so I deleted C:\Windows\System32\GroupPolicy\Machine\Registry.pol. After that I refreshed the policy on the machine a few times and the devices began to encrypt.

I hope this helps!
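The checks described in the post above, collected into one client-side triage script; this is an added example, not part of the original post or of the tutorial it refers to. It uses only the WMI class, log file, error string and Registry.pol path named in this thread; the `-ResetLocalPolicy` switch name is hypothetical, and renaming Registry.pol to a backup rather than deleting it is a variation on what the post did.

```powershell
# Added example, not from the thread. Run elevated on the affected client.
param(
    [string]$LogPath = 'C:\Windows\CCM\Logs\BitlockerManagement_GroupPolicyHandler.log',
    [string]$PolPath = 'C:\Windows\System32\GroupPolicy\Machine\Registry.pol',
    [switch]$ResetLocalPolicy   # hypothetical switch name: apply the workaround
)

# Meanings as quoted in the first post; other codes are reported without a description.
$known = @{
    1 = 'MBAM policy requires this volume to be encrypted but it is not'
    3 = 'MBAM policy requires a TPM protector, but the volume does not use one'
    6 = 'Policy requires XTS-AES-256; actual cipher strength is weaker'
}

# 1. Ask the MBAM agent why each volume is non-compliant.
$volumes = Get-CimInstance -Namespace 'root\microsoft\mbam' -ClassName 'mbam_Volume' -ErrorAction SilentlyContinue
if (-not $volumes) { Write-Warning 'mbam_Volume not found: is the MDOP MBAM agent installed?' }
foreach ($v in $volumes) {
    foreach ($code in $v.ReasonsForNoncompliance) {
        $text = if ($known.ContainsKey([int]$code)) { $known[[int]$code] } else { '(not described in this thread)' }
        [pscustomobject]@{ Check = 'ReasonsForNoncompliance'; Value = $code; Detail = $text }
    }
}

# 2. Look for the policy-handler failure reported in the post above.
$gpoErrors = @()
if (Test-Path -LiteralPath $LogPath) {
    $gpoErrors = @(Select-String -LiteralPath $LogPath -Pattern 'Failed to open GPO (0x80004005)' -SimpleMatch)
}
[pscustomobject]@{ Check = 'Failed to open GPO (0x80004005)'; Value = $gpoErrors.Count; Detail = $LogPath }

# 3. Only when that error is present and the switch is given: move Registry.pol
#    aside (kept as a backup instead of deleted) and refresh computer policy.
if ($ResetLocalPolicy -and $gpoErrors.Count -gt 0 -and (Test-Path -LiteralPath $PolPath)) {
    $backup = 'Registry.pol.{0:yyyyMMddHHmmss}.bak' -f (Get-Date)
    Rename-Item -LiteralPath $PolPath -NewName $backup
    gpupdate.exe /target:computer /force | Out-Null
    [pscustomobject]@{ Check = 'Registry.pol moved aside'; Value = $backup; Detail = 'Re-run after the next policy evaluation' }
}
```

Without the switch the script only reports, so it can be run first to confirm that a client shows the same log error before anything is changed.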
Syntax Posted March 3, 2020

On 2/26/2020 at 4:30 AM, ukg_matt said:
I have just resolved something like this in my environment. I looked in the BitlockerManagement_GroupPolicyHandler.log and I found errors 'Failed to open GPO (0x80004005)'. I googled and found this; although it's not an identical issue I thought it was worth a shot, so I deleted C:\Windows\System32\GroupPolicy\Machine\Registry.pol. After that I refreshed the policy on the machine a few times and the devices began to encrypt. I hope this helps!

This works. Thanks.
Kirill_L Posted March 26, 2020

Hi Guys,

I have two problems with the new SCCM BitLocker solution. We have successfully deployed the new SCCM 1910 BitLocker policy. We've also deployed a Configuration Baseline to enforce BitLocker encryption. For some stations all looks good, for others unfortunately not.

We use XTS-AES-128 bit
All workstations have Windows 10
Some workstations have a problem with MBAMClientUI.exe. It does not pop up for the local user
The same stations have a problem with encryption enforcement. It does not start in the background...

I've tried to delete C:\Windows\System32\GroupPolicy\Machine\Registry.pol but nothing happens. It was just recreated after policies evaluation time. But still the same result. Encryption is not starting.

Do you have any ideas how we can resolve this issue? If we start MBAMClientUI.exe manually it works. We can click Postpone or Start.
Pierre-Paul Posted May 12, 2020

@Kirill_L I have the exact same issue, the only difference is the Windows 10 build. We are using 1809. But other than that, everything is the same.
Kingskawn Posted August 20, 2021

We are having this error too, Kirill_L, but we install BitLocker through Intune, not from SCCM; the machines are co-managed. But for some weird reason 2% of our machines don't receive the encryption policy, so 300 machines are still without encryption. The others went well.
AVP.Riga Posted August 5, 2022

Sorry, Guys. I have issues with MBAM too.

MBAM event admin log is:

Unable to connect to the MBAM Recovery and Hardware service.
Error code: -2147024809
Details: The parameter is incorrect.

And....

ReasonsForNoncompliance : {1, 15, 3}

Could you please give some advice? I tried to google it, without any success.

SCCM version is: 2103

I tried to delete C:\Windows\System32\GroupPolicy\Machine\Registry.pol and enforce MBAM by changing:

SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement OsEnforcePolicyPeriod compliance rule = 0
SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseOsEnforcePolicy compliance rule = 1

Thank you in advance and have a great weekend!