Jump to content


ukg_matt

Bitlocker - Drives not Encrypting

By ukg_matt, in System Center Configuration Manager (Current Branch)

Recommended Posts

ukg_matt    0

ukg_matt
Posted

I’ve been following the Bitlocker management tutorial here. Apart from the previous MBAM Install error over here, everything has gone as expected, apart from actual device encryption…..

I’ve configured everything as per the tutorial, I have a set of devices, I have the configuration base line to deploy the reg keys to force encryption to start, I’ve configured and deployed the policy to the machines. The clients have the MDOP client.

 

If I run “(Get-WmiObject -Class mbam_Volume -Namespace root\microsoft\mbam).ReasonsForNoncompliance” on any of the clients, I get the 3 codes returned, 1, 16 and 3. From here the error codes are as follows :

1              MBAM Policy requires this volume to be encrypted but it is not.

3              MBAM Policy requires this volume use a TPM protector, but it does not.

6              Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.

The policy I configured in SCCM is XTS-AES-256, do I need to do something else? Configure a GPO maybe?

 

I wasn’t sure exactly what other detail to include so feel free to ask me for some logs etc.

Share this post

Link to post
Share on other sites


anyweb    462

anyweb
Posted

no GPO's needed, can you attach (or email me) the 2 bitlocker related logs in c:\windows\ccm\logs and can you do a teamviewer session so i can take a look ?

Share this post

Link to post
Share on other sites

APd    0

APd
Posted

Did you work this out? We've been encrypting with MBAM for a while now successfully, now we're having a rash of computers not encrypting because "actual cypher strength is weaker" and it's not clear what has changed.

Share this post

Link to post
Share on other sites

Carl Davis    1

Carl Davis
Posted

Hi Niall,

I have used your guides to implement SCCM MBAM 1910 and it went in successfully.  I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happen until I manually run MBAMClientUI.exe.

I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy.  I've had one or two successful when the MDOP client pops up but the rest just sit there.

Any advice is greatly appreciated and I look forward to hearing from you

Regards

Carl Davis

P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video

,

 

  • Like 1

Share this post

Link to post
Share on other sites

ukg_matt    0

ukg_matt
Posted
On 2/6/2020 at 3:06 PM, APd said:

Did you work this out? We've been encrypting with MBAM for a while now successfully, now we're having a rash of computers not encrypting because "actual cypher strength is weaker" and it's not clear what has changed.

My problems was/is that the SCCM Bitlocker policy could not be enforced...

What do the event logs say on both server and clients?

Share this post

Link to post
Share on other sites

ukg_matt    0

ukg_matt
Posted
6 minutes ago, Carl Davis said:

Hi Niall,

I have used your guides to implement SCCM MBAM 1910 and it went in successfully.  I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happen until I manually run MBAMClientUI.exe.

I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy.  I've had one or two successful when the MDOP client pops up but the rest just sit there.

Any advice is greatly appreciated and I look forward to hearing from you

Regards

Carl Davis

P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video

,

 

What do the event logs say on both server and clients?

Share this post

Link to post
Share on other sites

Carl Davis    1

Carl Davis
Posted
45 minutes ago, ukg_matt said:

 

Hi Matt, 

The MBAM logs on the event viewer keep repeating "Volume Enactment Successful and CoreService Up

Please see the attached from the clients....

 

Which event logs from the server do you need?  This is a site with multiple roles on multiple servers 🙂

 

Thank you

Capture.PNG

BitlockerManagement_GroupPolicyHandler.log

Share this post

Link to post
Share on other sites

ukg_matt    0

ukg_matt
Posted
19 minutes ago, Carl Davis said:

Hi Matt, 

The MBAM logs on the event viewer keep repeating "Volume Enactment Successful and CoreService Up

Please see the attached from the clients....

 

Which event logs from the server do you need?  This is a site with multiple roles on multiple servers 🙂

 

Thank you

Capture.PNG

BitlockerManagement_GroupPolicyHandler.log 24.65 kB · 0 downloads

What does the MBAM > Admin client log show?

The server event logs are 

Application and Service Logs > Microsoft > Windows > MBAM-Web > Admin

Application and Service Logs > Microsoft > Windows > MBAM-Web > Operational 

Share this post

Link to post
Share on other sites

anyweb    462

anyweb
Posted

what policy settings have you configured and have you verified the client is indeed in the collection where you deployed it ?

Share this post

Link to post
Share on other sites

Syntax    0

Syntax
Posted

Good day Niall and everyone, I just replied since its the same topic as what I'm getting but different error msg (not error msg actually). I just got some machines that is not compliant but this machines has the same specs as any compliant machines I have. 

image.thumb.png.9d29b4782483409120d90fcc8e382c41.png

Share this post

Link to post
Share on other sites

anyweb    462

anyweb
Posted

are you saying they are reporting as non compliant but are in fact, compliant ? if so have you installed the hotfix available for 1910 in the console ?

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Go To Topic Listing
×
×
  • Create New...