Hi Niall, thanks for your awesome work with these videos!
I am stuck with the key "recoveryserviceendpoint" not being deployed to clients. When I add it manually, the policy from MECM 2203 just deletes it right away when the policy gets applied.
On machines at the primary location this does not seem to be an issue, but at secondary sites I have connection issues; the MBAM event log reports problems connecting to the management point.
Do you have any idea where I can search for a solution? :-( Thanks!
a lot has changed since I did this video, I think the 'recoveryserviceendpoint' was removed in CM2103 so it's no longer needed. Is there a gap you are trying to fill? If so, what?
@ncbrady I finally figured out that the problem seems to be the BitLocker policy. I recreated the device collection and the policy, moved some of the clients to the new policy and boom, the problems went away. Thanks anyway for getting back to me!
@chrizzlibaer great to hear it!
Excellent series! I'm shortly going to be involved in a project to migrate MBAM off SCCM to Azure/Intune - have you been involved with that? Any guidance on that will be great! 😁
Thanks so much for sharing this. I think no one has created this.
Hi Niall, thanks first for all your videos, not just this one. My SCCM server is HTTPS, but the log does not see the MP. What do I have to do?
thanks Matt, but I don't understand your question, have you followed everything in this guide? Which version of SCCM are you using?
@ncbrady Niall, yes I did. SCCM is HTTPS, but in the client the reg key is not pointing to the server (MP), which is my SCCM.
@mattaljanabi5022 this video was originally created for SCCM 1910, a lot has changed since then, I believe that since SCCM 2111 or so the reg keys in use changed somewhat, so what you might be seeing is normal. Continue with the videos and guides until you are done.
Amazing video series! I wanted to ask if you knew whether this form of MBAM management is network unlock enabled/compatible?
Thanks! I think that network unlock is more of a BitLocker feature than anything to do with MBAM or the BitLocker management in ConfigMgr, so I can't comment on it as I have not tested it.
@ncbrady That's fair enough, guess I better get my own lab up and running and give it some testing myself! Thanks for the reply :)
@Kyawn88 start here www.windows-noob.com/forums/topic/16614-how-can-i-install-system-center-configuration-manager-current-branch-version-1902-on-windows-server-2019-with-sql-server-2017-part-1/ then do this www.windows-noob.com/forums/topic/16252-how-can-i-configure-pki-in-a-lab-on-windows-server-2016-part-1/ then convert ConfigMgr to HTTPS by doing this www.windows-noob.com/forums/topic/16300-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/
Great video. Do you manually create the CI for Bitlocker Mgt in CM or does CM create them for you when a policy is deployed to a device collection?
the BitLocker Management policies that you create in ConfigMgr create a corresponding CI - for more info on this and everything related to BitLocker Management in ConfigMgr 1910 and later, see www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/
Great work, Niall, thanks a lot mate.
Thanks so much for the video. I have a question: if we have an HA setup on ConfigManager, and if the passive server becomes active, do we need to make any changes, or is the functionality available by default? In other words, what are the HA and DR for BitLocker in 1910?
Sir, need to implement BitLocker bypassing user action when turning on the PC without MBAM, can it be managed..? Do you have a step-by-step config?
I don't understand your question, can you try and ask it in another way?
@ncbrady Sorry for that. I'm implementing BitLocker in my environment; all the laptops we have have TPM, W10 v1909 and some 20H. And my server is 2016 v1607. My objective is that when a user is on the PC it won't prompt the user for the BitLocker key.
We don't have MBAM or SCCM in place. My 2nd Q is: can I just install BitLocker w/o MBAM or SCCM, just using only GPO? If so, do you have a step-by-step video? Thank you
@Akira29H don't you manage your computers in your environment? If so, with what? If not, then you are going to have a tough job going forward (not just including BitLocker implementation), you can look at this thread for some ideas - www.reddit.com/r/sysadmin/comments/aburax/how_to_enable_bitlocker_via_gpo/
Thank you for these excellent guides! So everything is good: MECM created the website, added tables to SQL and forced the encryption of a machine in test. Problem is when I turned off BitLocker on the test machine, the policy never forced BitLocker back on again. Is this meant to happen or do you think there is something wrong with my setup?
if the computer is in a collection that has the BitLocker management policy configured to encrypt and if you are using CM2002 or later then yes it should automatically encrypt with no user interaction (as long as you've configured it that way), if you are still using CM1910 then you'll need to do the registry key configuration items as I explain in a later video, so which version are you using?
Hi Niall. Thanks for replying. I am using 2002. I watched your video about creating the registry items but it doesn't apply to me.
@butrosbutros12 ok, if you are on 2002 then it will auto-encrypt provided that the computer gets the correct policy and that the policy is configured with 0 delay for the non-compliance grace period, so did you confirm that? Did you try to restart the MDOP agent to speed it up? The default is 90 minutes otherwise.
@ncbrady Yep, grace period is enabled but set to 0. I reduced the default down to 3 minutes but still no joy. I can see it processing policy in the handler.log but it doesn't actually start the encryption. I should note this was a machine migrated from GPO BitLocker policy to SCCM.
@butrosbutros12 verify you don't have any policy from on-premises MBAM first and then verify that you are not RDP'd to it by any chance? It won't start encryption if you are...
Hi Neil, after deploying MBAM policy on 1910 I cannot seem to PXE boot new Hyper-V devices now. I have also tried to create brand new Hyper-V devices. Have you come across this? The PXE boot was working before I enabled MBAM. That side of it is all working. Thanks for your video on that.
did you add your root cert to your configmgr site server as per my guide, it's the end of step 4 here www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/
hi Niall, thank you for the great videos as always! Does this tutorial work in a lab environment with Hyper-V VMs? Specifically the auto-encrypt part. I have spent several hours and am still unable to start encryption automatically without the user initiating it. I have the two reg keys set, everything else is in place. I can right-click and turn on BitLocker but that defeats the purpose. I have enabled Secure Boot and TPM in Gen2 VMs. What else could go wrong? Or are VMs not good for this example?
hi, it works fine with Hyper-V VMs, just make sure to enable the virtual TPM, use Generation 2 VMs and that you are using Windows 10 2004 or later (actually after version 1809 should be ok...)
@ncbrady thanks, I will try. Any log file I can check? All of my Hyper-V VMs are Gen2, 20H2, Secure Boot enabled, TPM enabled. TPM administration in Control Panel shows it is ready, but each time I reboot the machines I get "BitLocker could not be enabled, the BitLocker encryption key cannot be obtained. Verify that TPM is enabled and ownership has been taken...." Same message again and again.
@550891 you don't need to set the reg keys (to enforce encryption) if using ConfigMgr versions released after 1910, I can remote in if you have time tomorrow, drop me an email and I can take a look
I've deployed BitLocker policy to test devices but it does not show this key "KeyRecoveryServiceEndPoint" and also "UseKeyRecoveryService" is set to 0 instead of 1. What could be wrong?
did you remember to enable client management in your policy also?
@ncbrady Yes, I did. I think it is a certificate problem. Checking the BitLocker log file, it shows that the client tried to check the MP recovery service but got an invalid cert. By the way, my MEMCM is 2002 so I just have the web IIS cert only.
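A client-side check for the two values discussed in this sub-thread, written here as an added example (it is not from the video or from any commenter). It reads UseKeyRecoveryService and KeyRecoveryServiceEndPoint, opens a TLS connection to the endpoint so that the same "invalid cert" decision the client makes (untrusted issuer, name mismatch, expiry) surfaces as a readable result, and lists recent warnings and errors from the MBAM Admin event log. The registry path and the site name are assumptions: adjust them if your ConfigMgr version writes the values elsewhere.

```powershell
# Added example, not from the video or the thread. Assumption: the MBAM client
# policy values live under this key; later ConfigMgr builds may use a different location.
$MbamPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

function Get-MbamClientPolicy {
    param([string]$Path = $MbamPolicyKey)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Policy key $Path not present - the client has not received BitLocker management policy yet"
        return $null
    }
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        UseKeyRecoveryService      = $p.UseKeyRecoveryService        # expected: 1
        KeyRecoveryServiceEndPoint = $p.KeyRecoveryServiceEndPoint   # expected: https://<MP FQDN>/...
    }
}

function Test-MbamEndpointCertificate {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    if ($uri.Scheme -ne 'https') {
        Write-Warning "Endpoint $Url is not HTTPS; the recovery service needs an HTTPS management point"
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        # No custom validation callback on purpose: we want the OS trust decision, not a bypass.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($uri.Host)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Host     = $uri.Host
                Trusted  = $true
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
            }
        } finally { $ssl.Dispose() }
    } catch [System.Security.Authentication.AuthenticationException] {
        # The "invalid cert" case from the thread: chain not trusted, wrong name or expired.
        [pscustomobject]@{ Host = $uri.Host; Trusted = $false; Error = $_.Exception.Message }
    } catch {
        # TCP-level failure: wrong host/port, firewall, or the MP simply not listening.
        [pscustomobject]@{ Host = $uri.Host; Trusted = $false; Error = $_.Exception.Message }
    } finally { $tcp.Dispose() }
}

function Get-MbamRecentErrors {
    param([int]$Hours = 24)
    # Warnings (3) and errors (2) from the MBAM client Admin channel; Event ID 18
    # (CoreServiceDown) is the one quoted later in this thread.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-MBAM/Admin'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$policy = Get-MbamClientPolicy
$policy
if ($policy -and $policy.KeyRecoveryServiceEndPoint) {
    Test-MbamEndpointCertificate -Url $policy.KeyRecoveryServiceEndPoint
}
Get-MbamRecentErrors
```

Run it in an elevated PowerShell session on the affected client. A Trusted = False result with an AuthenticationException message is the thing to chase on the certificate side (the issuing root must be in the client's Trusted Root store and the certificate subject or SAN must match the FQDN in the endpoint URL); a TCP error instead points at the site-system side or the network path between the secondary site and the MP.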
Hello, quick question. Can I deploy a test lab using Azure AD VMs or will the hardware requirements be impossible to reproduce?
Of course thank you for all this.
Hey Niall, could you tell me what happens when I deploy an MBAM 1910 Policy to a device that already had BDE enabled (via TS) that did Used Space Only? Since 1910 MBAM uses FVE, would the device still show as Compliant?
hi, it will only show as compliant if the encryption algorithm matches or is greater than the configured policy, it will not re-encrypt the device. If you want to force FDE then you'll need to decrypt the device and re-encrypt with your desired policy.
@ncbrady okay, yes I understand about the algorithm needing to match. Let's say my existing machines use 128/Used Space and the future BitLocker Management policy will be 128/Full. Will the existing machines show as Compliant when the policy is deployed to them to get their keys into SCCM? Or does BitLocker not care about Full vs Used?
Great content.
thank you !
Thank you a lot for sharing this...
Thanks so much for sharing this. I have gone through your video. I have used AES 256 in BitLocker but when the disk was encrypted on my VM it came up as AES 128. Any suggestions why that happened and how I can change it to 256? Under the BitLocker policy it is 256. Thanks again for sharing this video
hi, you must have missed something then, verify that the computer is processing policy from the BitLocker policy that you deployed, check the Configurations tab to see if the configuration baseline is listed... and whether it's compliant or not..
How can I send you beer money for doing this? Thank you.
configured this today but in my testing I got: Unable to connect to the MBAM Recovery and Hardware service. Error code: -2143485947. Details: Access was denied by the remote endpoint.
So I fixed it - the issue was that I used multiple bindings in IIS. Removing the additional one fixed it. Thanks for the walkthrough, Niall!
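A server-side check for the condition the commenter above fixed, added here as an example (not the commenter's own script and not from the video): it lists the HTTPS bindings on the IIS site that hosts the management point, shows which certificate each binding uses, and warns when the site has more than one HTTPS binding. The site name 'Default Web Site' is an assumption; pass your own if the MP is on a different site.

```powershell
# Added example, not from the thread. Requires the IIS WebAdministration module on the MP.
Import-Module WebAdministration

function Get-HttpsBindingReport {
    param([string]$SiteName = 'Default Web Site')   # assumed; the ConfigMgr MP normally lives here

    $https = @(Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq 'https' })

    $report = foreach ($b in $https) {
        # bindingInformation has the form "IP:Port:HostHeader"
        $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
        $cert = $null
        if ($b.certificateHash) {
            $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($b.certificateHash)" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Site        = $SiteName
            IPAddress   = $ip
            Port        = $port
            HostHeader  = $(if ($hostHeader) { $hostHeader } else { '<none>' })
            CertSubject = $(if ($cert) { $cert.Subject } else { '<no certificate bound>' })
            CertExpires = $(if ($cert) { $cert.NotAfter } else { $null })
        }
    }

    if ($https.Count -gt 1) {
        Write-Warning ("{0} has {1} HTTPS bindings; the thread above reports the recovery service failing with 'Access was denied' until the extra binding was removed" -f $SiteName, $https.Count)
    } elseif ($https.Count -eq 0) {
        Write-Warning "$SiteName has no HTTPS binding; the MBAM recovery service requires HTTPS"
    }
    $report
}

Get-HttpsBindingReport | Format-Table -AutoSize
```

Each row is one binding, so two rows for the same port with different host headers or certificates is exactly the situation to review; after removing a binding, check that the one that remains uses the certificate whose subject or SAN matches the FQDN clients have in KeyRecoveryServiceEndPoint.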
Hello, I have a problem with encrypting the client; my client MBAM Admin log contains a warning: Unable to connect to the MBAM Recovery and Hardware service. Event ID: 18, Error code: -2143485933, Task category: CoreServiceDown. Can you help please?
are you running in HTTPS mode on both the client and the management point?
@ncbrady yes, the PKI seems to work ok on the client and also the management point
Thank you for these videos. But we have a problem. All looks ok. The client received a policy. The policy shows as non-compliant but the BitLocker window is not starting on a physical Windows 10 machine. Nothing in the MBAM logs, only that the policy was applied... Nothing on the server side in the logs for mbam-web...
and is the ConfigMgr client version the same as the primary? Is the MDOP client agent installed?
@ncbrady Hi. Thanks for the fast reply. The problem was solved. It was an issue with the encryption algorithm. Although we had disabled the link for the BitLocker GPO in our AD, it fought with the SCCM BitLocker policy where we had another encryption algorithm. When we set the same algorithm as we have in the standard GPO it started to work. Thank you again for the great job!!!
@Est0qu3 so you disabled the link but perhaps the clients hadn't updated their policy yet...
First comment! ;)