
Group policy for MBAM/Bitlocker for Windows 7 and Windows 10 machines

Last Modified: 2017-07-12
Our environment is mainly Windows 7 Ent with a few Windows 10 Ent starting to trickle in. We have MDOP MBAM 2.5 SP1 integrated with SCCM 1610. Yesterday we installed the Dec Servicing Hotfix KB3198158, which appears to have installed fine. We are now trying to change the appropriate GPO settings. From what I have read online, I believe we are supposed to leave the current MBAM settings in the GPO at AES-256 for Windows 7 machines. We should enable the setting in the Bitlocker Encryption section, "Choose Drive encryption method and cipher strength (Windows 1511 or later)", and choose XTS-AES 256 for Windows 10 machines that are 1511 or 1607. For some reason we are not seeing this setting under the Bitlocker Encryption section. How do we get this setting to appear? Can you please help me out?

Please let me know if you need additional information.

Thanks.
MLStev01

Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
You need the latest ADMX templates for Windows 10 and Server 2016.

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Author

Commented:
OK, we found the correct template to import for the W10 Bitlocker settings. We enabled the XTS-AES 256 drive encryption setting under Bitlocker, which also applied it under MBAM.

I am trying to bitlock a Surface Pro 4 with W10 1607 Ent. I upgraded the MBAM client to 2.5.1126.0.
I try running the MBAM client and nothing is happening.
When I look in EventViewer I am seeing two different messages.

EventID 18.  Unable to connect to the MBAM recovery and Hardware Service.    Error Code -2143485952.  Details "The input data was not in the expected format or did not have the expected value"

EventID 2.  An error occurred while applying MBAM policies.  Error code -2147023266.  Details "Data of this type is not supported"

Is there something in the GPO or a setting on the MBAM server that needs to be changed or configured?

MLStev01
Bradley Fox, LAN/WAN Systems Administrator
CERTIFIED EXPERT

Commented:
I wish I could help you out here; we are utilizing Bitlocker in our environment on Laptops but we did not implement MBAM.  We deploy with SCCM and store the Bitlocker information in AD, but we just encrypt them as the last step in the imaging task sequence.  If we need a recovery key we just look it up on the computer object in ADUC.

Author

Commented:
We are having issues trying to get a Surface Pro 4 and a Yoga 20FRS2J00 to bitlock using MBAM. The devices have Windows 10 1511 Ent on them. We are seeing the message below in the EventViewer for both devices. We have imaged a Dell OptiPlex 7010 in legacy BIOS mode and it encrypts fine with MBAM with the XTS-AES 256 encryption method, which is what we want. We also have imaged 2 Dell GX5040's with the same image, one with TPM 1.2 and the other with TPM 2.0 UEFI mode, and they encrypted with XTS-AES 256 fine using MBAM. We recently upgraded our MBAM server to 2.5 SP1 with the December 2016 servicing release. These machines have MBAM client 2.5.1126.0. We are using the current ADMX templates for Bitlocker.

Does anyone have any ideas for us?    Thanks.

MLstev01

=================Event ID 2===============================

An error occurred while applying MBAM policies.

Volume ID:\\?\Volume{6ab6a008-6623-11e5-aa03-90b11c7b8807}\

Error code:

-2143485952

Details:

The input data was not in the expected format or did not have the expected value.

Task Category:

VolumeEnactmentFailed
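
The error codes quoted in the posts above are HRESULT values that Event Viewer prints as signed decimals. As an added example (not part of the thread, and not MBAM's own tooling), the PowerShell below splits such a code into its HRESULT fields so it can be looked up; the helper name `ConvertFrom-EventErrorCode` is hypothetical and the facility names are the ones defined in winerror.h.

```powershell
# Added example, not from the thread: split an event-log error code into
# HRESULT fields. ConvertFrom-EventErrorCode is a hypothetical helper name.

# Facility numbers as defined in winerror.h (only the two needed here).
$FacilityNames = @{
    7  = 'FACILITY_WIN32'
    61 = 'FACILITY_WEBSERVICES'
}

function ConvertFrom-EventErrorCode {
    param([Parameter(Mandatory = $true)][int]$Code)

    # Event Viewer shows the HRESULT as a signed 32-bit decimal;
    # widen to 64 bits and wrap negatives to get the unsigned value.
    $u = [int64]$Code
    if ($u -lt 0) { $u += 4294967296 }

    $facility = [int](($u -shr 16) -band 0x7FF)   # bits 16-26
    $low      = [int]($u -band 0xFFFF)            # bits 0-15

    $name = $FacilityNames[$facility]
    if (-not $name) { $name = "facility $facility" }

    # Only FACILITY_WIN32 codes map to a Win32 error message.
    $text = $null
    if ($facility -eq 7) {
        $text = (New-Object System.ComponentModel.Win32Exception -ArgumentList $low).Message
    }

    [pscustomobject]@{
        Decimal      = $Code
        HResult      = '0x{0:X8}' -f $u
        Failure      = [bool]($u -shr 31)
        Facility     = $name
        Code         = $low
        Win32Message = $text
    }
}

# The two error codes quoted in the posts above.
-2143485952, -2147023266 |
    ForEach-Object { ConvertFrom-EventErrorCode -Code $_ } |
    Format-List
```

The first code decodes to 0x803D0000 in the Web Services facility, and the second to 0x8007065E, which wraps Win32 error 1630; both match the "Details" strings quoted in the events.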
