NSCOTT

SCCM and Bitlocker migration, failing with error code 18


I'm really confused and need some assistance. Long story short, we've been using straight GPOs for BitLocker forever. Management wants some reports that I cannot currently generate without SCCM or MBAM ingesting this service... as MBAM is going away in the future, I'm just importing it all, or trying to, into SCCM.

- Computer
  1. Decrypted the drive
  2. Tossed the computer into an OU that has absolutely no BitLocker policies enabled (verified via RSOP)
- SCCM / MP
  - Set up policies within SCCM
  - Set up the web portals (we only wanted helpdesk, which is working)
  - MPControl.log is showing it's verifying it's installed and running

However, on the computer that I'm deploying out to, it's never starting the encryption, but I can get out to HTTPS//fqdn.com as well as HTTPS://FQDN.com/sms_mp_mbam/coreservice.svc

Tried TPM only and TPM and PIN; the same thing is happening.

[Attached screenshots: Screenshot 2024-06-19 at 7.43.52 AM.png, Screenshot 2024-06-19 at 9.11.29 AM.png, Screenshot 2024-06-18 at 7.39.35 AM.png, Screenshot 2024-06-18 at 4.00.29 PM.png, Screenshot 2024-06-18 at 4.00.20 PM.png, Screenshot 2024-06-18 at 4.00.13 PM.png, Screenshot 2024-06-18 at 4.00.08 PM.png, Screenshot 2024-06-18 at 3.59.56 PM.png, Screenshot 2024-06-18 at 3.51.06 PM.png, Screenshot 2024-06-19 at 9.22.49 AM.png]

Edited by NSCOTT: wrong screenshot


Which version of ConfigMgr is this? And please take a look at my troubleshooting blogs to give you some ideas.


Alright, following along with your troubleshooting documentation and doing the setup from scratch again:

  • MP is EHTTP
  • IIS site on MP is HTTPS
  • Client is in an OU with no GPOs for BL
  • Client is completely decrypted

  1. Created policy
  2. Deployed it to my test collection
  3. MP created folder G:\SMS_CCM\Microsoft Bitlocker Management Solution
  4. MP created IIS site SMS_MP_MBAM
     1. SSL settings defaulted to "Require SSL" and "client certificates > ignore" (keeping this setup for now)
  5. Client received and installed the MDOP MBAM software
  6. Client - manage-bde -status shows fully decrypted, protection off, BitLocker version 2.0
  7. Client - BitlockerManagementHandler.log gives error "Could not check enrollment URL"
     1. Screenshots below
  8. Client - BitlockerManagement_GroupPolicyHandler.log shows the same "Could not check enrollment URL" error
  9. Client - PolicyAgentProvider.log does show settings changes right after I created the change
  10. Client - Regedit under the FVE group doesn't show "KeyRecoveryServiceEndPoint"
     1. Screenshots below
  11. Event Viewer still showing the error "Unable to connect to the MBAM recovery and hardware service"
  12. Client - can get to the HTTPS site of the MP via the following
     1. https://<FQDN>/
     2. https://<FQDN>/sms_mp_mbam/ (asks for ID and PW)
     3. https://<FQDN>/sms_mp_mbam/coreservice.svc
        1. Screenshot below
  13. Changed SSL settings on SMS_MP_MBAM to accept client certs - same issue
  14. Changed SSL settings on the default MP site to accept client certs - same issue

It's somehow unable to communicate, but I'm really unsure how, if it's able to get to the HTTPS sites without any issue.

[Attached screenshots: Screenshot 2024-06-20 at 8.45.18 AM.png, Screenshot 2024-06-20 at 8.50.32 AM.png, Screenshot 2024-06-20 at 8.50.43 AM.png, Screenshot 2024-06-20 at 9.08.36 AM.png]

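The client-side checks the post above runs by hand (manage-bde state, the KeyRecoveryServiceEndPoint registry value, the two BitLocker management handler logs, the MBAM Admin event channel and the MP's MBAM web service) can be collected in one pass. The PowerShell script below is an added example, not code from this thread or from the ConfigMgr product; run it elevated on the affected client. The management point FQDN is a placeholder parameter, and the exact registry subkey under FVE and the MBAM event channel name are assumptions, marked in the comments.

```powershell
# Added example (not from the thread). Gathers the evidence the post checks
# manually so the pieces can be compared side by side. Run elevated.
param(
    # ASSUMPTION: placeholder; replace with the management point's FQDN.
    [string]$MpFqdn = 'mp.example.invalid'
)

# 1. Volume state as manage-bde reports it (post step 6).
Write-Host '== manage-bde -status C: =='
& manage-bde.exe -status C:

# 2. Registry value the post was looking for (step 10). ASSUMPTION: the
#    ConfigMgr BitLocker management client writes KeyRecoveryServiceEndPoint
#    under the MDOPBitLockerManagement subkey of the FVE policy key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$endpoint = (Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue).KeyRecoveryServiceEndPoint
if ($endpoint) {
    Write-Host "KeyRecoveryServiceEndPoint = $endpoint"
} else {
    Write-Warning "KeyRecoveryServiceEndPoint not present under $fveKey (policy not applied, or the handler failed before writing it)"
}

# 3. The two handler logs named in steps 7 and 8, searched for the
#    enrollment-URL failure; the last few hits are printed for context.
$logDir = Join-Path $env:windir 'CCM\Logs'
foreach ($log in 'BitlockerManagementHandler.log', 'BitlockerManagement_GroupPolicyHandler.log') {
    $path = Join-Path $logDir $log
    if (Test-Path $path) {
        $hits = Select-String -Path $path -Pattern 'Could not check enrollment URL' -SimpleMatch
        Write-Host ("{0}: {1} 'Could not check enrollment URL' line(s)" -f $log, @($hits).Count)
        $hits | Select-Object -Last 3 | ForEach-Object { Write-Host "  $($_.Line)" }
    } else {
        Write-Warning "$path not found (MBAM client component may not be installed yet)"
    }
}

# 4. Recent events from the MBAM Admin channel (step 11).
#    ASSUMPTION: channel name is Microsoft-Windows-MBAM/Admin.
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Admin' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 5. Reachability of the MP's MBAM web service from the client's own
#    machine context (step 12), so the result can be compared with what an
#    interactive browser session shows.
$uri = "https://$MpFqdn/SMS_MP_MBAM/CoreService.svc"
try {
    $resp = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing
    Write-Host "$uri -> HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "$uri -> $($_.Exception.Message)"
}
```

The useful comparison is between steps 2 and 5: if the endpoint value is missing while the web service answers, the client has not received or processed the policy that carries the URL, which points at the policy/handler side rather than at IIS or the certificate binding.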

Bumping back up as I'm trying this again.

Imaged fresh computers and am no longer receiving that error pop-up saying BitLocker could not be enabled. It's all silent now... so I've got that going for me.

I am, however, still getting the BitLocker "Unable to connect to the MBAM recovery and hardware service" under Microsoft Windows MBAM / Admin in Event Viewer.

Anyone else got any ideas? HTTPS is enabled and the cert is bound on the IIS site on the MP.
