DCrats

asked on

Group policy for MBAM/Bitlocker for Windows 7 and Windows 10 machines

Our environment is mainly Windows 7 Ent with a few Windows 10 Ent starting to trickle in. We have MDOP MBAM 2.5 SP1 integrated with SCCM 1610. Yesterday we installed the Dec Servicing Hotfix KB3198158, which appears to have installed fine. We are now trying to change the appropriate GPO settings. From what I have read online, I believe we are supposed to leave the current MBAM settings in the GPO at AES-256 for Windows 7 machines. We should enable the setting in the BitLocker Encryption section, "Choose Drive encryption method and cipher strength (Windows 1511 or later)", and choose XTS-AES 256 for Windows 10 machines that are 1511 or 1607. For some reason we are not seeing this setting under the BitLocker Encryption section. How do we get this setting to appear? Can you please help me out?

Please let me know if you need additional information.

Thanks.
MLStev01
Bradley Fox

You need the latest ADMX templates for Windows 10 and Server 2016.

https://www.microsoft.com/en-us/download/details.aspx?id=53430
DCrats

ASKER

OK, we found the correct template to import for the W10 BitLocker settings. We enabled the XTS-AES 256 drive encryption setting under BitLocker, which also applied it under MBAM.

I am trying to bitlock a Surface Pro 4 with W10 1607 Ent. I upgraded the MBAM client to 2.5.1126.0.
I try running the MBAM client and nothing is happening.
When I look in Event Viewer I am seeing two different messages.

EventID 18. Unable to connect to the MBAM recovery and Hardware Service. Error code -2143485952. Details: "The input data was not in the expected format or did not have the expected value"

EventID 2. An error occurred while applying MBAM policies. Error code -2147023266. Details: "Data of this type is not supported"

Is there something in the GPO or a setting on the MBAM server that needs to be changed or configured?

MLStev01
I wish I could help you out here; we are utilizing BitLocker in our environment on laptops but we did not implement MBAM. We deploy with SCCM and store the BitLocker information in AD, but we just encrypt them as the last step in the imaging task sequence. If we need a recovery key we just look it up on the computer object in ADUC.
ASKER CERTIFIED SOLUTION
Bradley Fox

DCrats

ASKER

We are having issues trying to get a Surface Pro 4 and a Yoga 20FRS2J00 to bitlock using MBAM. The devices have Windows 10 1511 Ent on them. We are seeing the message below in the Event Viewer for both devices. We have imaged a Dell OptiPlex 7010 in legacy BIOS mode and it encrypts fine with MBAM with the XTS-AES 256 encryption method, which is what we want. We have also imaged 2 Dell GX5040's with the same image, one with TPM 1.2 and the other with TPM 2.0 in UEFI mode, and they encrypted with XTS-AES 256 fine using MBAM. We recently upgraded our MBAM server to 2.5 SP1 with the December 2016 servicing release. These machines have MBAM client 2.5.1126.0. We are using the current ADMX templates for BitLocker.

Does anyone have any ideas for us?    Thanks.

MLstev01

=================Event ID 2===============================

An error occurred while applying MBAM policies.

Volume ID:\\?\Volume{6ab6a008-6623-11e5-aa03-90b11c7b8807}\

Error code:

-2143485952

Details:

The input data was not in the expected format or did not have the expected value.

Task Category:

VolumeEnactmentFailed
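
The check below is an added example, not posted by anyone in this thread and not Microsoft's or MBAM's own code: it compares the cipher that the Windows 10 BitLocker policy under `HKLM\SOFTWARE\Policies\Microsoft\FVE` requests with the method each volume actually uses. It assumes an elevated PowerShell session on the client and treats every non-OS volume as a fixed data drive.

```powershell
# Added example: does the GPO cipher setting match what each volume uses?
# Run elevated on a Windows 10 1511+ client after 'gpupdate /force'.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# DWORD values written by the "Choose drive encryption method and cipher
# strength" (Windows 10 1511 and later) policy, mapped to the names that
# Get-BitLockerVolume reports in its EncryptionMethod property.
$methodName = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Policy value per volume type. Removable drives use
# EncryptionMethodWithXtsRdv; they are not distinguished here (assumption).
$policyValue = @{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    Data            = 'EncryptionMethodWithXtsFdv'
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

foreach ($vol in Get-BitLockerVolume) {
    $valueName = $policyValue[[string]$vol.VolumeType]
    $raw       = if ($policy) { $policy.$valueName } else { $null }
    $expected  = if ($null -ne $raw) { $methodName[[int]$raw] } else { $null }
    $actual    = [string]$vol.EncryptionMethod

    # The policy only affects volumes encrypted after it applies; a volume
    # that was already encrypted keeps its original method.
    $state = if ($actual -eq 'None')      { 'not encrypted' }
             elseif (-not $expected)      { 'policy not configured' }
             elseif ($actual -eq $expected) { 'match' }
             else                         { 'mismatch' }

    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeType   = $vol.VolumeType
        VolumeStatus = $vol.VolumeStatus
        PolicyValue  = $valueName
        Expected     = $expected
        Actual       = $actual
        State        = $state
    }
}
```

A `policy not configured` row on a Windows 10 machine means the 1511+ setting never reached the client; `mismatch` on an already encrypted volume means it would have to be decrypted and re-encrypted to pick up the new method.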