SCCM diet

Online notes for reference

Installing MBAM 2.5 integrated with SCCM 2012 – Part 7

In Part-1 of installing MBAM 2.5, we installed the MBAM 2.5 server OS, installed SQL, configured Reporting Services, downloaded MDOP 2013, and downloaded the configuration files for SCCM and other software as needed.

In Part-2 of installing MBAM 2.5, we created the service account, user IDs and groups used for installing and configuring MBAM. We also set the SPN for the application pool account.

In Part-3 of installing MBAM 2.5, we updated inventory in SCCM and installed the SCCM integration components.

In Part-4 of installing MBAM 2.5, we installed and configured the MBAM database and reports.

In Part-5 of installing MBAM 2.5, we installed and configured the MBAM web services and administration portal.

In Part-6 of installing MBAM 2.5, we added the Group Policy templates and configured group policies for Windows clients.

In Part 7 we are going to encrypt the OS drive on a Windows 8 virtual machine.

Install MBAM Client

From the MBAM 2.5 install directory, go to the x64 folder and run MBAMClientSetup.exe. There are no prompts, but the client will be installed.

In Part-6 we configured and applied Active Directory group policies to allow MBAM to encrypt the drive without a compatible TPM chip.

Update group policies after installing the MBAM client.

MBAMwin801

 

After updating the group policies, I had to wait about 30 minutes for this screen to show up. So patience is a must 🙂

If you want to speed things up, add a registry value:

HKLM\Software\Microsoft\MBAM

Key Name – NoStartupDelay

Value – 1
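As an added example (not code from the original post), the client install, the NoStartupDelay value and the policy refresh from the steps above combined into one PowerShell script. It assumes it is run elevated on the Windows 8 client, that $MbamSource (a placeholder) points at the MBAM 2.5 install directory, and that the client service is named MBAMAgent (an assumption; check with Get-Service if your build names it differently).

```powershell
# Added example, not from the original post. Assumptions: run elevated on the
# Windows 8 client; $MbamSource is a placeholder for the MBAM 2.5 install
# directory; the client service name MBAMAgent is assumed (check with Get-Service).
$MbamSource = 'D:\MBAM25'                                  # placeholder path
$Installer  = Join-Path $MbamSource 'x64\MBAMClientSetup.exe'

if (-not (Test-Path $Installer)) {
    throw "MBAMClientSetup.exe not found at $Installer"
}

# The post notes the setup shows no prompts; just wait for it and check the exit code.
$setup = Start-Process -FilePath $Installer -Wait -PassThru
if ($setup.ExitCode -ne 0) {
    throw "MBAM client setup failed with exit code $($setup.ExitCode)"
}

# Registry value from the post: HKLM\Software\Microsoft\MBAM, NoStartupDelay = 1.
# It is a REG_DWORD and removes the delay before the agent first evaluates policy.
$MbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
if (-not (Test-Path $MbamKey)) {
    New-Item -Path $MbamKey -Force | Out-Null
}
New-ItemProperty -Path $MbamKey -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null

# Pull the Part-6 computer policies now rather than waiting for the next refresh.
gpupdate /target:computer /force | Out-Null

# Restart the agent so it re-reads policy with the new registry value in place.
$agent = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if ($agent) {
    Restart-Service -Name $agent.Name
    Get-Service -Name $agent.Name | Select-Object Name, Status
} else {
    Write-Warning 'MBAM client service not found under the assumed name MBAMAgent; list candidates with Get-Service *MBAM*'
}

# Read back what was set so the result is visible.
Get-ItemProperty -Path $MbamKey -Name 'NoStartupDelay' | Select-Object NoStartupDelay
```

With the registry value in place the encryption prompt should appear at the next policy evaluation instead of after the roughly 30 minute wait mentioned above; if it still does not, the policy itself is the first thing to check.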

MBAMwin802

Before going any further, please ensure that the virtual CD-ROM is empty and no ISO file is mounted.

Enter a password of at least 8 characters (as set in the group policy in Part-6).

MBAMwin803

Click on Create password and the encryption will start.

MBAMwin804

At this point the drive is encrypted. You can click on Exit. If you want to change the password you can do so later from Control Panel.

MBAMwin805

Restart the virtual machine that just finished encrypting. This is the first screen you will get.

Enter the password and press Enter.

MBAMwin806

Now the client is encrypted.

Let's review the compliance information stored on the SCCM server.

The report below shows the compliance status. If there were another Windows 8 virtual machine that was not encrypted, compliance would not be 100%.

MBAMwin807

The report below shows the enterprise compliance status. This gives SCCM admins a good idea of how many machines are pending BitLocker rollout.

MBAMwin808

BitLocker password recovery:

The steps below can be used if a user forgets the BitLocker password.

When the computer reboots, at the password screen press Esc to get the BitLocker recovery options.

Copy the first 8 characters of the BitLocker recovery key ID.
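Added example (not from the original post) that serves two steps above: confirming the "Now the client is encrypted" state on the Windows 8 VM, and finding the recovery key ID whose first 8 characters the user reads off the recovery screen, so an admin can check it against what the MBAM portal holds before a recovery is ever needed. It assumes an elevated session with the BitLocker PowerShell module (Windows 8 / Server 2012 and later); the MBAM policy registry path and the MBAM operational event log name are assumptions from MBAM 2.5, not values stated in the post.

```powershell
# Added example, not from the original post. Assumptions: run elevated; BitLocker
# module available (Windows 8+); the MBAM policy registry path and event log name
# below are assumed from MBAM 2.5 and may differ on other builds.
Import-Module BitLocker

$vol = Get-BitLockerVolume -MountPoint 'C:'

# Encryption state: once the post reaches "Now the client is encrypted" this should
# read FullyEncrypted with ProtectionStatus On.
[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionPct    = $vol.EncryptionPercentage
    EncryptionMethod = $vol.EncryptionMethod
}

# Key protectors: in the post's no-TPM lab expect a Password protector (startup
# password) plus a RecoveryPassword protector, whose ID is what the recovery screen shows.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No RecoveryPassword protector on C:; MBAM has no recovery key to escrow for this drive.'
} else {
    # Only the ID is shown here, never the 48-digit recovery password itself.
    # The MBAM Drive Recovery page asks for the first 8 characters (braces removed).
    $keyId = $recovery.KeyProtectorId.Trim('{', '}')
    "Recovery key ID: $keyId  (enter in MBAM: $($keyId.Substring(0, 8)))"
}

# Confirm the Part-6 MBAM policy actually reached this client (assumed policy path).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*

# Recent MBAM agent activity, such as policy application and key escrow (assumed log name).
Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the ID printed here is not found on the MBAM Drive Recovery page, the key was never escrowed and the portal will not be able to hand out a recovery key for that drive; that is worth catching while the user still knows the password.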

MBAMwin809

Go to the Administration and Monitoring website on the MBAM server.

Click on Drive Recovery and enter the first 8 digits of the key ID. I just selected the first option, OS boot order changed.

MBAMwin810

Submit to get a recovery key for the drive.

MBAMwin811

Copy this key and use it to log in to the machine.

MBAMwin812

Once logged in you can reset the password again.

Go to Control Panel, BitLocker Drive Encryption, and reset the password.

This concludes Part 7.

31 responses to “Installing MBAM 2.5 integrated with SCCM 2012 – Part 7”

  1. Bobbi June 26, 2014 at 1:21 pm

    Thank you so much for posting all of this, it was extremely helpful for my MBAM deployment!

  2. Neil July 15, 2014 at 7:06 am

    Top notch write up kind sir! Invaluable information! Thank you!

    • Ritvik Sharma July 15, 2014 at 7:17 am

      Glad to help ! Thanks for reading Neil.

      • Neil July 30, 2014 at 4:02 am

        Quick question. I’ve integrated this with my site's Primary Site Server, however we have a CAS hierarchy with a total of five primary site servers. We’ve only been testing in my location so it’s been fine so far. Going forward and rolling out to the business, how can I make the reports visible on each PSS or indeed the CAS? Only a handful of admins have access to the CAS so things don’t get broken. Ideally we need the PSS at each location to manage MBAM. Can you integrate with multiple primaries?
        Thanks in advance.

        • Ritvik Sharma July 30, 2014 at 7:44 am

          Hi Neil, it will depend upon how security is set up in your hierarchy. If all admins don’t have access to all the primaries then I would think adding it to the CAS will make more sense. Also, to access the reports, admins just need permissions to the reports and you have to provide access to the CAS server itself.
          In addition I would also suggest posting the question in the TechNet forums too for greater visibility.

  3. Buani “ManBiaNchi” Mlungwana July 18, 2014 at 5:06 am

    Well done, worked perfectly in my environment.

  4. Prashant July 28, 2014 at 9:40 am

    This is the best guide I have seen so far. Great job!! Maybe you can mention the registry keys that can be added/modified to get the encryption prompt without the waiting period. All in all, excellent.
    Do you perhaps have the whole guide in a PDF or word document?
    Many Thanks
    Prashant

    • Ritvik Sharma July 29, 2014 at 10:06 am

      Thanks for reading Prashant and thanks for your generous comments !
      I don’t have these posts in a single PDF or Word doc. As you suggested, I have updated the post with the registry keys needed to start MBAM encryption right away.

      • Prashant July 30, 2014 at 2:45 am

        Hi Ritvik,
        Thanks for the update. Quick question – when installing mbam 2.5 in standalone mode, do we run the setup of the Databases on the SQL server itself or can we run the setup from the MBAM Application server? Also do we run the setup for Reports part on the SQL server itself? I know we have to run the Web Applications portion on the MBAM application server
        Thanks

        • Ritvik Sharma July 30, 2014 at 7:47 am

          I would install the database when logged on to the database server itself to avoid permissions and firewall issues, if any, caused by installing remotely. If your SQL server is also running SQL Reporting Services then yes, install reports on the same. Hope this helps.

  5. John September 25, 2014 at 1:49 pm

    Ritvik, excellent write up.. One question.. After going through all of this, we have integrated with SCCM and I am not receiving the automated, ‘Your grace period has expired window..’ appearing on our test machines. I let the test desktop sit through the weekend and nothing. Group policy was applied prior to the MBAM client being installed on the test machines but I would think that would be fine. Anything you can think of as to why it is not kicking off automatically? Yes, I also added the reg key you provided above and still nothing. GP is running and applying correctly to the pc although I did choose to disable the ‘Configure use of passwords for fixed/OS drives’. Everything else appears to be okay and aligned with this write up. Thanks in advance!

    • John September 26, 2014 at 12:02 pm

      Ok. I have gone ahead and ensured everything looks fine. Quite literally the only thing I have not chosen in GP is the ‘Configure use of passwords for fixed/os drives.’ We do not want our users to have to put in a password on boot up and then again at logon which is why we have chosen this. Is this the reason it is not kicking off the automatic encryption of both my drives? Will I need to create a task sequence in SCCM to turn on bitlocker for both drives in this case then? When I look in SCCM I see my test machines as showing not compliant for both drives and not encrypted. Any additional information would be appreciated.

      • John September 26, 2014 at 12:11 pm

        Sorry for all the emails. We have two partitions, C and D. The requirement is for the encryption to kick off automatically and for users to not have to use passwords when the machine is booting up. All we would like is a single point of logon at the CTRL-ALT-DELETE screen. I am confused now as to whether or not the GP\MDOP will take care of this automatically, as shown above, or if a task sequence is needed to accomplish this for both of my partitions?

        • Ritvik Sharma September 27, 2014 at 12:30 pm

          Hi John, no problem with the emails. For machines which have a TPM you need to go through another set of steps to have the TPM enabled in BIOS and let BitLocker take ownership of it before it starts encrypting. If those steps are configured and added in the task sequence then BitLocker will work on client machines.
          You may want to search; there are lots of blogs detailing client side implementation. Also the steps differ based on whether it is HP, Dell or Lenovo.
          Hope this is somewhat helpful.

      • Ritvik Sharma September 27, 2014 at 12:27 pm

        Hi John, sorry for the late reply. I have been very busy the last few weeks. This lab is totally done on virtual machines; also, only for Windows 8 can I set policies for OS drives. I do not think this will apply to Windows 7 machines. If you are using Windows 8 then only this policy will apply.
        For both drives (for example C and D), if they are both on the same HDD then BitLocker will take care of that, because BitLocker will encrypt the whole HDD.

  6. Lee December 1, 2014 at 6:19 pm

    Hey Ritvik, thank you so much for your write up! This is super helpful for our MBAM + SCCM deployment. However, I have a quick question for you. For some reason I’m not able to recover the password from the Self Service page. I got an error message “An Unknown error has occurred. Please contact the Helpdesk or IT department” when I type in the Recovery Key ID. I have a feeling the recovery key is not being added to the DB correctly. I’m using https and if I go to https://mymbamserver/MBAMRecoveryAndHardwareService/CoreService.svc I’m getting “Service: This is a Windows Communication Foundation service.” “Metadata publishing for this service is currently disabled”. Is that normal? Thanks in advance for your help!

    • Ritvik Sharma December 2, 2014 at 9:39 am

      Hi Lee ,
      Please check following things
      Permissions for the Helpdesk and Advanced Helpdesk groups to the database
      Also try launching IE as admin for the first time and see if that helps .
      For WCF please check all the prerequisites are installed . Are you installing MBAM on Windows Server 2012 R2 ?

      • Lee December 2, 2014 at 1:25 pm

        Ritvik,
        Thanks for your quick reply! I’m testing with my own credentials and I’m a domain admin. I added the whole Domain Admins group to both the helpdesk and advanced helpdesk groups.

        Yes, I’m running MBAM on Windows Server 2012 R2 with SQL Server 2012 with latest SP and updates. All DB and Reporting servers are on the same mbam server. Both .Net 3.5 and 4.5 are installed and HTTP Activation/Non-HTTP Activation under WCF Services were enabled already.

        • Ritvik Sharma December 2, 2014 at 1:31 pm

          Hi Lee, I have not tested with https, but per Ryan's comment below the message “Metadata publishing for this service is currently disabled” is normal.
          If possible can you try http and see if the error changes ?

          • Lee December 2, 2014 at 7:11 pm

            Ritvik,

            Thanks again! I fixed the problem by changing the host name under site binding from mymbamserver to mymbamserver.company.com and everything works fine now!!

    • Ryan December 2, 2014 at 11:44 am

      Hi Lee,

      The message “Metadata publishing for this service is currently disabled” is totally normal

      Thanks

  7. Lee December 2, 2014 at 7:18 pm

    Ritvik,

    I do have another question for you. What happens if the MBAM server or the recovery database is corrupted? Users and admins will not be able to recover the keys then. What are the best practices for DR of recovery keys? Should I also save keys to AD DS too by enabling the GPO “Choose how BitLocker-protected fixed drives can be recovered”? I’m not sure if the keys can be saved both on the SQL and the AD DS at the same time. What do you think?

    Like always… Thanks in advance~

  8. RM May 12, 2015 at 4:35 pm

    Where’s part 7?

  9. Nicholas Pryor May 17, 2017 at 9:34 am

    Ritvik, Thanks for the great guide, this is one of the few sites that talks about configuring MBAM when not using a TPM.

    • Ritvik Sharma May 17, 2017 at 10:47 am

      Thanks Nicholas.
      When I was setting up my MBAM server, I had to refer to numerous blogs and MS documentation and thought of writing this, so it is easier to set up MBAM if someone is looking for this information.

  10. Chan August 29, 2017 at 10:57 am

    Hi Ritvik,
    Thanks for the detailed guide.
    But I am still unable to open SCCM reports with Error: the “MBAM Policy” does not exist.

    Thanks.
