DCrats
 asked on

Group policy for MBAM/Bitlocker for Windows 7 and Windows 10 machines

Our environment is mainly Windows 7 Ent with a few Windows 10 Ent starting to trickle in. We have MDOP MBAM 2.5 SP1 integrated with SCCM 1610. Yesterday we installed the Dec Servicing Hotfix KB3198158 which appears to have installed fine. We are now trying to change the appropriate GPO settings. From what I have read online, I believe we are supposed to leave the current MBAM settings in the GPO at AES-256 for Windows 7 machines. We should enable the setting in the Bitlocker Encryption section to "Choose Drive encryption method and cipher strength (Windows 1511 or later)" and choose XTS-AES 256 for Windows 10 machines that are 1511 or 1607. For some reason we are not seeing this setting under the Bitlocker Encryption section. How do we get this setting to appear? Can you please help me out?

Please let me know if you need additional information.

Thanks.
MLStev01
Windows 10, Windows 7, * policy, Encryption

Last Comment
DCrats

8/22/2022 - Mon
Bradley Fox

You need the latest ADMX templates for Windows 10 and Server 2016.

https://www.microsoft.com/en-us/download/details.aspx?id=53430
DCrats

ASKER
Ok we found the correct template to import for the W10 bitlocker settings. We enabled the XTS-AES 256 drive encryption setting under Bitlocker which also applied it under MBAM.

I am trying to bitlock a Surface Pro 4 with W10 1607 Ent. I upgraded the MBAM client to 2.5.1126.0.
I try running the MBAM client and nothing is happening.
When I look in EventViewer I am seeing two different messages.

EventID 18.  Unable to connect to the MBAM recovery and Hardware Service.    Error Code -2143485952.  Details "The input data was not in the expected format or did not have the expected value"

EventID 2.  An error occurred while applying MBAM policies.  Error code -2147023266.  Details "Data of this type is not supported"

Is there something in the GPO or a setting on the MBAM server that needs to be changed or configured?

MLStev01
Bradley Fox

I wish I could help you out here; we are utilizing Bitlocker in our environment on Laptops but we did not implement MBAM.  We deploy with SCCM and store the Bitlocker information in AD, but we just encrypt them as the last step in the imaging task sequence.  If we need a recovery key we just look it up on the computer object in ADUC.
ASKER CERTIFIED SOLUTION
Bradley Fox

DCrats

ASKER
We are having issues trying to get a Surface Pro 4 and a Yoga 20FRS2J00 to bitlock using MBAM. The devices have Windows 10 1511 Ent on them. We are seeing the message below in the EventViewer for both devices. We have imaged a Dell OptiPlex 7010 in legacy BIOS mode and it encrypts fine with MBAM with XTS-AES 256 encryption method which is what we want. We also have imaged 2 Dell GX5040's with same image, one with TPM 1.2 and the other with TPM 2.0 UEFI mode and they encrypted with XTS-AES 256 fine using MBAM. We recently upgraded our MBAM server to 2.5 SP1 with December 2016 servicing release. These machines have MBAM client 2.5.1126.0. We are using the current ADMX templates for bitlocker.

Does anyone have any ideas for us?    Thanks.

MLstev01

=================Event ID 2===============================

An error occurred while applying MBAM policies.

Volume ID:\\?\Volume{6ab6a008-6623-11e5-aa03-90b11c7b8807}\

Error code:

-2143485952

Details:

The input data was not in the expected format or did not have the expected value.

Task Category:

VolumeEnactmentFailed
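
An added example, not part of the original thread: Event Viewer shows the MBAM error codes as signed decimals, and rewriting them as hexadecimal HRESULTs exposes the facility and code to look up. The function names and the constructed sample text are this example's own; the two symbolic names come from the Windows SDK headers.

```python
import re

# A few facility numbers from winerror.h; extend as needed.
FACILITIES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32", 61: "FACILITY_WEBSERVICES"}

# Symbolic names (Windows SDK headers) for the two codes quoted in the thread.
KNOWN = {
    0x803D0000: "WS_E_INVALID_FORMAT",
    0x8007065E: "HRESULT_FROM_WIN32(ERROR_UNSUPPORTED_TYPE)",
}

# Constructed sample: the two layouts in which the thread quotes its codes.
SAMPLE = """\
EventID 2. An error occurred while applying MBAM policies. Error code -2147023266.
Error code:

-2143485952
"""

def parse_event_codes(text):
    """Return every decimal value following 'Error code' in pasted event text."""
    return [int(m) for m in re.findall(r"Error code:?\s*(-?\d+)", text, re.I)]

def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its fields."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError(f"not a 32-bit value: {value!r}")
    raw = value & 0xFFFFFFFF            # two's complement to unsigned
    failure = bool(raw >> 31)           # bit 31: severity
    facility = (raw >> 16) & 0x7FF      # bits 16-26
    code = raw & 0xFFFF                 # bits 0-15
    return {
        "hex": f"0x{raw:08X}",
        "failure": failure,
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": code,
        # A failing FACILITY_WIN32 value wraps a Win32 error number, which
        # `net helpmsg <number>` turns into text on a Windows machine.
        "win32_error": code if failure and facility == 7 else None,
        "name": KNOWN.get(raw, "not in this example's table"),
    }

if __name__ == "__main__":
    for value in parse_event_codes(SAMPLE):
        print(value, decode_hresult(value))
```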