Search the Community
Showing results for tags 'mbam'.
-
Hello, hoping for some help with a strange issue I have on a customer site. I am currently unable to build Dell Optiplex 5040 devices with Windows 10 1909 x64 Enterprise from an Endpoint Manager 1910 MDT-integrated task sequence. The task sequence fails when trying to execute the Invoke-MbamClientDeployment.ps1 script. I have detailed the high-level tasks below and attached the SMSTS.log.

- BIOS upgraded to latest version
- BIOS reset to factory settings
- BIOS password set
- BIOS standard config applied
- UEFI boot enabled
- TPM cleared & activated
- TPM converted from 1.2 to 2.0
- TPM cleared again and reactivated
- OS deployed
- Drivers deployed
- MBAM TPMPassTheHash step completed
- DOTNET enabled
- C++ Redists applied
- Security patches applied
- The MBAM group MBAM_XTS_AES256 applied to reg
- PreBoot Input Protectors for Tablets applied to reg
- MDOP MBAM 2.5 SP1 installed
- MBAM Client hotfix KB4505175 applied
- Sleep 2 mins
- DisableRootAutoUpdate (certificate applied)
- Restart
- Set PowerShell execution policy to bypass
- Set PowerShell execution policy
- powershell.exe -command Initialize-TPM is run

**THE STEP THAT FAILS**

Invoke-MbamClientDeployment.ps1 with the below parameters:

-RecoveryServiceEndpoint "https://MBAM:443/MBAMRecoveryAndHardwareService/CoreService.svc" -StatusReportingServiceEndpoint "https://MBAM:443/MBAMComplianceStatusService/StatusReportingService.svc" -IgnoreEscrowOwnerAuthFailure -EncryptionMethod "XTSAES256"

**The Post Steps**

- Reset TPM policy
- EnableRootAutoUpdate

The TPM status is Enabled, Activated & NOT owned. The above works on all other models tested but fails on the 5040. The actual error message received is contained in the smsts.log file attached and the extract is below. The device is also in a staging OU that receives no Group Policy. The device does register in MBAM if "continue on error" is checked on the offending task and the computer object is moved to the correct OU, but it will not encrypt.

The same task sequence works on the other Dell models tested, e.g. the 5050. I have logged in afterwards and BitLocker throws an internal error if you try to run it manually.

**THE ENVIRONMENT**

A single-site deployment of Endpoint Manager 1910 with two distribution points deploying Windows 10 1909 x64 Enterprise with an MDT-integrated task sequence. The Dell Command toolkit has been integrated into Endpoint Manager and drives the BIOS/TPM config steps in the task sequence. The Dell TPM conversion tool is used to convert the TPM to 2.0. The devices being built are production Windows 7 devices and are being repurposed as Windows 10 x64 Enterprise 1909.
-
Hi there, does anyone here have hands-on experience implementing BitLocker To Go? In my environment we use SCCM CB 1902 and the MBAM server & client. We have a single drive in all the clients and it has been protected using the MBAM agent. Now I am looking to encrypt removable discs/USB drives automatically when they are inserted. How can I achieve this? Please feel free to ask if more information is required. BR, Biju
-
- bitlocker
- bitlocker encryption
-
(and 4 more)
Tagged with:
-
InvokeMbamClientDeployment.ps1 return error 1
Takechico posted a topic in Configuration Manager 2012
Please guys, I need help, because I am going mad. I have spent a lot of time on this problem and can't solve it. I'm trying to deploy the MBAM client 2.5 SP1 (September update) on Windows 10 1803, storing recovery keys on the MBAM server, via an SCCM 2012 R2 task sequence. I have deployed the MBAM server on our SQL Server with SCCM integration (on another server with SCCM 2012 R2). Also I've configured the MBAM services with an SSL certificate created by our CA. The problem is error 0x00000001 in the "InvokeMbamClientDeployment.ps1" step during the task sequence. It's absolutely strange, but when I do this step manually after logon, it works perfectly. After googling this issue, I have found many solutions, but none of them helped me. Also, I can't understand how I can find the logs of this script: when the task sequence gets the error, the folder with the logs doesn't get created. This is my task sequence with the many fixes that I could find on the internet:

1) Install MBAM 2.5 SP1 with SP1 and restart
2) Disable certificate update; this step can avoid the problem with error 0x803d0006
3) Insert the MBAM cert: I copy the CA certificate to ROOT, because Windows 10 1803 has a problem with it. Also, I found another piece of advice, to remove auto provisioning with a command:

powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE -Force; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force; Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\Tpm\WMI -Name NoAutoProvision -Value 1 -Type DWord -Force"

4) For my script I have these parameters:

powershell.exe -ExecutionPolicy Bypass -File Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://servername.domain.com/MBAMRecoveryAndHardwareService/CoreService.svc -EncryptionMethod UNSPECIFIED -IgnoreEscrowOwnerAuthFailure -IgnoreReportStatusFailure

I don't have any ideas how to solve it. Please help me))
- sccm2012r2
- bitlocker
-
(and 1 more)
Tagged with:
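For the two Invoke-MbamClientDeployment.ps1 failures above (the Optiplex 5040 post and this one), here is an added example that is not from either poster and not one of Microsoft's MBAM scripts: a wrapper that writes a transcript to a fixed path, records TPM and BitLocker state, and checks each service endpoint over TLS before calling the deployment script, so that a failing task-sequence step leaves a log even when the script's own log folder is never created. The wrapper's name, the log directory under %windir%\Temp, and the assumption that Invoke-MbamClientDeployment.ps1 sits next to the wrapper in the same package are mine; the parameter names are the ones both posts already use, and the endpoint URLs are placeholders.

```powershell
# Added example wrapper (not from the original posts or from the MBAM product):
# run as  powershell.exe -ExecutionPolicy Bypass -File Invoke-MbamDeployWithLog.ps1 `
#           -RecoveryServiceEndpoint https://MBAM:443/MBAMRecoveryAndHardwareService/CoreService.svc
# Assumptions: Invoke-MbamClientDeployment.ps1 is in the same folder as this file,
# and $LogDir is writable while the task sequence runs.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$RecoveryServiceEndpoint,
    [string]$StatusReportingServiceEndpoint,
    [string]$EncryptionMethod = 'UNSPECIFIED',
    [string]$LogDir = (Join-Path $env:windir 'Temp')
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $LogDir "MbamDeploy-$stamp.log") -Force | Out-Null

function Write-TpmState {
    # Get-Tpm comes with the TrustedPlatformModule module (Windows 8 / Server 2012 and later).
    $tpm = Get-Tpm
    Write-Output ('TPM present={0} ready={1} enabled={2} activated={3} owned={4} restartPending={5}' -f
        $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled, $tpm.TpmActivated, $tpm.TpmOwned, $tpm.RestartPending)
    if (-not $tpm.TpmPresent -or -not $tpm.TpmEnabled) {
        throw 'TPM is absent or disabled; the deployment script cannot escrow an owner password.'
    }
    if ($tpm.RestartPending) {
        throw 'TPM reports a pending restart; put a Restart Computer step before this one.'
    }
}

function Write-VolumeState {
    # Records what BitLocker already did (e.g. pre-provisioning) before MBAM touches the volume.
    Get-BitLockerVolume | ForEach-Object {
        Write-Output ('Volume {0}: status={1} protection={2} method={3} protectors={4}' -f
            $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus, $_.EncryptionMethod,
            (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','))
    }
}

function Test-MbamEndpoint([string]$Url) {
    $uri = [uri]$Url
    # A plain TCP test separates a DNS/firewall problem from a certificate-trust problem.
    if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
        throw "No TCP connectivity to $($uri.Host):$($uri.Port)"
    }
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 30 | Out-Null
        Write-Output "Endpoint $Url answered over TLS"
    } catch {
        if ($_.Exception.Response) {
            # Any HTTP reply (even 401/403) means the TLS handshake and chain validation succeeded.
            Write-Output "Endpoint $Url reachable over TLS (HTTP $([int]$_.Exception.Response.StatusCode))"
        } else {
            # No HTTP reply at all: typically an untrusted issuing CA or a TLS failure,
            # which is what later surfaces from the deployment script as a service error.
            throw "HTTPS request to $Url failed before any HTTP reply: $($_.Exception.Message)"
        }
    }
}

try {
    Write-TpmState
    Write-VolumeState
    Test-MbamEndpoint -Url $RecoveryServiceEndpoint
    if ($StatusReportingServiceEndpoint) { Test-MbamEndpoint -Url $StatusReportingServiceEndpoint }

    $deployScript = Join-Path $PSScriptRoot 'Invoke-MbamClientDeployment.ps1'
    $deployArgs = @{
        RecoveryServiceEndpoint      = $RecoveryServiceEndpoint
        EncryptionMethod             = $EncryptionMethod
        IgnoreEscrowOwnerAuthFailure = $true
        IgnoreReportStatusFailure    = $true
    }
    if ($StatusReportingServiceEndpoint) {
        $deployArgs.StatusReportingServiceEndpoint = $StatusReportingServiceEndpoint
    }
    & $deployScript @deployArgs
    Write-Output 'Invoke-MbamClientDeployment.ps1 completed'
    exit 0
} catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    # A non-zero exit code makes the task-sequence step fail visibly rather than continue silently.
    exit 1
} finally {
    Stop-Transcript | Out-Null
}
```

The transcript lands in a path you control, so the smsts.log entry for the failed step can be matched against the TPM state, the volume state and the endpoint check recorded immediately before the deployment script ran; a transport-level failure on the endpoint check points at certificate trust in the build's local machine store rather than at the script itself.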
-
Hello everyone. I am trying to integrate SCCM 2012 R2 with MBAM 2.5, but I have a problem importing BitLocker Policy (Win32Reg_MBAMPolicy). When I run mofcomp against sms_def.mof:

C:\Users\scwi\Desktop>mofcomp mbam.mof
Microsoft ® MOF Compiler Version 6.3.9600.16384
Copyright © Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: mbam.mof
MOF file has been successfully parsed
Storing data in the repository...
An error occurred while creating object 2 defined on lines 10 - 42:
0X80041002 Class, instance, or property 'SMS_Class_Template' was not found.
Compiler returned error 0x80041002

OK, so I queried my WMI and I do have that class. It has to be there, since I successfully imported BitLocker Encryption Details (Win32_BitLockerEncryptionDetails). All the MOF files I have are from the MS websites below.
https://technet.microsoft.com/en-us/library/dn645321.aspx
https://technet.microsoft.com/en-us/library/dn656927.aspx

I was able to import
- Computer System Ex
- Operating System Ex
- Win32_BitLockerEncryptionDetails
when I removed this portion from the script:

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
[ SMS_Report(TRUE), SMS_Group_Name("BitLocker Policy"), SMS_Class_ID("MICROSOFT|MBAM_POLICY|1.0")]
Class Win32Reg_MBAMPolicy: SMS_Class_Template
{
    [SMS_Report(TRUE), key] string KeyName;
    //General encryption requirements
    [SMS_Report(TRUE)] UInt32 OsDriveEncryption;
    [SMS_Report(TRUE)] UInt32 FixedDataDriveEncryption;
    [SMS_Report(TRUE)] UInt32 EncryptionMethod;
    //Required protectors properties
    [SMS_Report(TRUE)] UInt32 OsDriveProtector;
    [SMS_Report(TRUE)] UInt32 FixedDataDriveAutoUnlock;
    [SMS_Report(TRUE)] UInt32 FixedDataDrivePassphrase;
    //MBAM Agent fields
    //Policy not enforced (0), enforced (1), pending user exemption request (2) or exempted user (3)
    [SMS_Report(TRUE)] UInt32 MBAMPolicyEnforced;
    [SMS_Report(TRUE)] string LastConsoleUser;
    //Date of the exemption request of the last logged on user,
    //or the first date the exemption was granted to him on this machine.
    [SMS_Report(TRUE)] datetime UserExemptionDate;
    //Errors encountered by MBAM agent.
    [SMS_Report(TRUE)] UInt32 MBAMMachineError;
    [SMS_Report(TRUE)] string EncodedComputerName;
};

I tried to integrate MBAM and SCCM, but I am getting this error:

Unexpected Configurator error. Description: Exception thrown from feature provider. Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlResultObjectBase.get_Item(String name)
at Microsoft.Mbam.Setup.Common.CmIntegration.SmsEntities.SmsCollection.get_CollectionId()
at Microsoft.Mbam.Setup.Common.CmIntegration.Implementors.CmObjectsManager.TryDeleteInvalidCollection(ISmsCollection collection)
at Microsoft.Mbam.Setup.Common.CmIntegration.Implementors.CmObjectsManager.CreateAndInitializeCollection[T,U](T collectionSettings, Boolean& updated, ISmsCollection& collectionBeforeUpdate)
at Microsoft.Mbam.Setup.Common.CmIntegration.Implementors.CmObjectsManager.CreateCollection(String collectionSettingsFilePath, CultureInfo desiredCulture, CMVersion cmVersion, Boolean& updated, ISmsCollection& collectionBeforeUpdate)
at Microsoft.Mbam.Setup.Common.CmIntegration.CMObjects.CreateCmCollections()
at Microsoft.Mbam.Setup.Common.ActionItem.Run()
at Microsoft.Mbam.Setup.Common.ActionItemQueue.Run()
at Microsoft.Mbam.Setup.Common.CmIntegration.CmIntegrationProvider.Enable(IProgress`1 progress, CancellationToken cancellationToken, CmIntegrationConfiguration configuration)
at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<>c__DisplayClass34`1.<InvokeAsync>b__33()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<InvokeAsync>d__36`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<>c__DisplayClass2.<<EnableAsync>b__0>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Mbam.Setup.Common.FeatureProviderBase`1.<EnableAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Mbam.Setup.Configurator.CMUIFeatureModel.<EnableTransacted>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Mbam.Setup.Configurator.BatchTaskModel.<>c__DisplayClass5.<<Commit>b__1>d__7.MoveNext()

I am assuming it is because I don't have BitLocker Policy imported into my default client inventory, because the MBAM 2.5 integration wizard creates the device collection "MBAM managed devices". It feels like I have tried everything, but I know I haven't, so I decided to ask all the generous people here for help.
-
Actually I made a task sequence for MBAM to encrypt all drives. It starts only when I'm logged in to Windows 10, but I need it while the task sequence is running, before starting to install Office 365 and so on. Has anyone experience with this step? The MBAM client config (last step) sets the registry for "no delay", and the MBAM client trigger

reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v TriggerMBAM /d "%ProgramFiles%\Microsoft\MDOP MBAM\MBAMClientUI.exe" /f

will not run. I have tried it at different places in the task sequence, but nothing worked... Is it in general possible to start the encryption while running the "Installation"? Thanks for your help.
-
How can I retrieve a Recovery Key for a machine no longer in AD
soultrain99 posted a question in Deploy 7
Setting: I have an MBAM 2.5 SP1 server which is integrated with SCCM 2012 R2. The recovery keys are in its DB as well as in AD.

Scenario: I took a hard drive out of a machine (WS1) and placed it into a USB HD enclosure which I attached to another machine (WS2). The drive came up saying it's encrypted, and if I try to unlock it, it asks for the recovery password. I noticed that when I used the self-service page to recover the password it said "invalid key". I looked at the SQL and ran this query:

SELECT TOP 1000 [Id]
      ,[LastUpdateTime]
      ,[VolumeId]
      ,[RecoveryKeyId]
      ,[RecoveryKey]
      ,[RecoveryKeyPackage]
      ,[Disclosed]
  FROM [MBAM Recovery and Hardware].[RecoveryAndHardwareCore].[Keys]

I saw the recovery key ID in SQL and tried it via AD, and it gave me the same password. When I opened the AD object and looked under the BitLocker tab I saw all the recovery IDs; there was one that never made it to the MBAM DB. I used that one and it unlocked. I have 2 questions:
1) How can it populate the MBAM DB simultaneously with AD?
2) Let's say that I had removed the (WS1) computer 1 year ago and needed to recover the data. Where would I find the key?
I just want to make the recovery process as painless as possible for the Helpdesk.
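As an added example for the recovery-lookup question above (my code, not the poster's and not part of MBAM), the following function takes the Recovery Key ID prefix shown on the BitLocker recovery screen and searches two places: the Keys table of the "MBAM Recovery and Hardware" database named in the post, through a parameterized query, and Active Directory including deleted objects, which is where the msFVE-RecoveryInformation objects of a computer removed a year ago would still be if the AD Recycle Bin was enabled before the deletion. The SQL server name is a placeholder; the column names are those from the post's query; the ActiveDirectory module, read access to the Keys table, and an enabled AD Recycle Bin are assumptions.

```powershell
# Added example (not from the original post): find a BitLocker recovery password by
# the Key ID prefix from the recovery screen, in the MBAM DB and in AD (deleted objects
# included). Usage:  Find-BitLockerRecoveryPassword -KeyIdPrefix 'A1B2C3D4'
function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f-]{8,36}$')]
        [string]$KeyIdPrefix,
        [string]$SqlServer = 'MBAMSQL01',                  # placeholder server name
        [string]$Database  = 'MBAM Recovery and Hardware'  # database name from the post
    )
    $results = @()

    # 1. MBAM database. The prefix goes in as a parameter, never by string concatenation.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT RecoveryKeyId, RecoveryKey, LastUpdateTime, Disclosed
FROM [RecoveryAndHardwareCore].[Keys]
WHERE CAST(RecoveryKeyId AS nvarchar(36)) LIKE @Prefix
"@
        [void]$cmd.Parameters.AddWithValue('@Prefix', "$KeyIdPrefix%")
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $results += [pscustomobject]@{
                Source    = 'MBAM'
                KeyId     = $reader['RecoveryKeyId']
                Password  = $reader['RecoveryKey']
                Updated   = $reader['LastUpdateTime']
                Disclosed = $reader['Disclosed']
            }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }

    # 2. Active Directory. A msFVE-RecoveryInformation object is a child of the computer
    #    object and its name ends in "{<recovery GUID>}", so a name match finds it. It is
    #    deleted together with the computer; -IncludeDeletedObjects brings it back into
    #    scope only while the AD Recycle Bin is keeping it (assumption: Recycle Bin enabled).
    Import-Module ActiveDirectory -ErrorAction Stop
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and Name -like '*{$KeyIdPrefix*'"
    $adObjects = Get-ADObject -Filter $filter -IncludeDeletedObjects `
                     -Properties 'msFVE-RecoveryPassword', whenChanged, isDeleted
    foreach ($obj in $adObjects) {
        $results += [pscustomobject]@{
            Source    = if ($obj.isDeleted) { 'AD (deleted object)' } else { 'AD' }
            KeyId     = $obj.Name
            Password  = $obj.'msFVE-RecoveryPassword'
            Updated   = $obj.whenChanged
            Disclosed = $null
        }
    }

    # A single key ID should resolve to one password; more than one source row for the
    # same ID, or none at all, is worth recording before handing anything to the user.
    if ($results.Count -eq 0) {
        Write-Warning "No recovery information found for key ID prefix $KeyIdPrefix"
    }
    return $results
}
```

Two points for helpdesk use: the MBAM helpdesk and self-service portals record each disclosure (the Disclosed column is that trail), and a direct table read like this does not, so reserve it for the "object already gone from AD" case and log the lookup yourself; and a hit that comes back only from AD, as in the post, is exactly the key that never reached the MBAM database, which is the case the first question is about.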
Hi everyone, I am trying to automate MBAM encryption during the OSD task sequence using the "StartMBAMEncryption.wsf" script provided in the following blog: http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

The command I use is:

cscript.exe StartMBAMEncryption.wsf /MBAMServiceEndPoint:http://<MBAM Server Name>/MBAMRecoveryAndHardwareService/CoreService.svc

I have used the script in both an "Install a Package" and a "Run Command Line" group, and both fail with the below error:

Failed to run the action: Install a Package
The system cannot find the file specified. (Error: 80070002; Source: Windows)

Yet if I exit out of the task sequence, log onto the laptop, and run the exact same command, MBAM encryption starts first time without any problems. Any help would be much appreciated. Thanks! Jordan
-
Hi, I have deployed MBAM 2.5 in our environment and the first tests (manual deployment of the MBAM client and encryption) have been successful (TPM and volume recovery work fine). However, when trying to use the latest features, we can't get the TPM owner password to be backed up in MBAM. We use pre-provisioning with used space only during the task sequence and it works fine. The user is prompted at first logon for the PIN and drive recovery is reported to the DB. However, the TPM password is not present. Whatever we tried, the TPM did not show up unless we suppressed pre-provisioning. Has someone been able to take ownership of the TPM with pre-provisioning? During the TS, at the pre-provisioning step, the TPM shows as Enabled, Activated and Not owned; then the log shows that pre-provisioning takes ownership. Of course, this prevents MBAM from doing the same, so there is no backup of the TPM. In the following post, someone from Microsoft states that ownership is not taken, but it seems it does anyway. http://social.technet.microsoft.com/Forums/en-US/b915cd54-6371-4b28-aac7-bd3103dfd7ca/preprovisioning-bitlocker-mbam-and-tpm-password?forum=mdopmbam Thanks in advance for your feedback, bruno
-
Hello, I was curious if anyone is using MBAM and also storing the BitLocker recovery keys in Active Directory? We are starting to BitLocker all of our workstations, and we are currently storing the recovery keys in Active Directory. I was thinking about implementing MBAM also, but management wants the keys to be in Active Directory. Can you store the keys in an MBAM database as well as in Active Directory? My searches have given me conflicting information. Any help is much appreciated. Ron
- 6 replies
-
- MBAM
- Active Director Bitlocker
-
(and 3 more)
Tagged with:
-
Currently I am in the process of testing out the GPO settings, including a pilot group of users, for MDOP MBAM BitLocker encryption. The only question I have is how do you suppress that box where it asks for Postpone/Start (below image)? I am doing this on machines that already have Windows 7 and were deployed without BitLocker enabled. The first project was XP -> Windows 7 migrations. Now we are circling back around to enabling BitLocker on existing machines. All clients have MDOP MBAM 2.0 installed already. Everything works as I intended, but with the Postpone and Start GUI popping up so the user has to initiate it. So we are looking to have it without any user interaction as soon as the policy kicks in, and so forth. I did try using the supplied regkey template in C:\Program Files\Microsoft\MDOP MBAM, but I can't figure out what keys to add/remove, if any, that could run without user interaction. Adding a NoStartDelay DWORD doesn't seem to do anything other than display the pop-up sooner than the default 90-minute random cycle. Any suggestions are greatly appreciated.

Eric
Lenovo shop - desktops/laptops, 2000+ nodes - Windows 7 x64
SCCM 2012 (non-SP/CU)
MBAM Server v2.0 (non-SP1) - stand-alone configuration with SQL
- 3 replies
-
- bit locker
- windows 7
-
(and 3 more)
Tagged with:
-
I am just curious if there are steps beyond the typical enable TPM and BitLocker steps if you have an MBAM back-end. Has anyone set up an OSD for this scenario? I assume the MBAM client piece needs to be installed as well. Just trying to find the best way to encrypt laptops during the imaging process and have them connect up with MBAM, or maybe I'm going about this all wrong. Any info would be great. Thanks.

EDIT: Found the link below, which I believe will do what I need. http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx If anyone has any info to add, please feel free to do so.
-
Hi, I recently installed a Microsoft BitLocker Administration and Monitoring server in my production environment (all components installed on the same machine). After installation I opened the Group Policy Management Console and created a new GPO. While searching I discovered that, while the ADMX files reside on the machine under %systemroot%\PolicyDefinitions\, it does not show me the new MBAM options when I am editing the GPO; all I can see is "Policy definitions retrieved from the central store". From what I understand I should see them under Computer Configuration -> Administrative Templates -> Windows Components. Can someone please help me? Regards, Adi