Group policy for MBAM/Bitlocker for Windows 7 and Windows 10 machines

DCrats
DCrats used Ask the Experts™
on
Our environment is mainly Windows 7 Ent with a few Windows 10 Ent starting to trickle in.  We have MDOP MBAM 2.5 SP1 integrated with SCCM 1610.  Yesterday we installed the Dec Servicing Hotfix KB3198158 which appears to have installed fine.  We are now trying to change the appropriate GPO settings.  From what I have read online, I believe we supposed to leave the current MBAM settings in the GPO at AES-256 for Windows 7 machines.  We should enable the setting in the Bitlocker Encryption section to  "Choose Drive encryption method and cipher strength (windows 1511 or later) and choose XTS-AES 256 for WIndows 10 machines that are 1511 or 1607.  For some reason we are not seeing this setting under the Bitlocker Encryption section.   How do we get this setting to appear?  Can you please help me out?  

Please let me know if you need additional information.

Thanks.
MLStev01
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Bradley FoxLAN/WAN Systems Administrator

Commented:
You need the latest ADMX templates for Windows 10 and Server 2016.

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Author

Commented:
Ok we found the correct template to import for the W10 bitlocker settings.   We enabled the XTS-ASE 256 drive encryption setting under Bitlocker which also applied it under MBAM.  

I am trying to bitlock a Surface Pro 4 with W10 1607 Ent. I upgraded the MBAM client to 2.5.1126.0  
I try running the MBAM client and nothing it happening.
When I look in EventViewer I am seeing two different messages.

EventID 18.  Unable to connect to the MBAM recovery and Hardware Service.    Error Code -2143485952.  Details "The input data was not in the expected format or did not have the expected value"

EventID 2.  An error occurred while applying MBAM policies.  Error code -2147023266.  Details "Datea of this type is not supported"

Is there something in the GPO or a setting on the MBAM server that needs to be changed or configured?

MLStev01
Bradley FoxLAN/WAN Systems Administrator

Commented:
I wish I could help you out here; we are utilizing Bitlocker in our environment on Laptops but we did not implement MBAM.  We deploy with SCCM and store the Bitlocker information in AD, but we just encrypt them as the last step in the imaging task sequence.  If we need a recovery key we just look it up on the computer object in ADUC.
LAN/WAN Systems Administrator
Commented:
I have attached our Bitlocker GPO settings.  Our Surface Pro 4 systems encrypt without issue utilizing these settings, however, I'm not exactly sure how MBAM fits into this equation.
Bitlocker.pdf

Author

Commented:
We are having issues trying to get a Surface Pro 4 and and a Yoga 20FRS2J00 to bitlock using MBAM.  The devices have Windows 10 1511 Ent on them.   We are seeing the message below in the EventViewer for both devices.  We have imaged a Dell OptiPlex 7010 in legacy bios mode and it encrypts fine with Mbam with XTS-AES 256 encryption method which is what we want.  We also have imaged 2 Dell GX5040's with same image, one with TPM 1.2 and the other with TPM 2.0 UEFI mode and they encrypted with XTS-AES 256 fine using Mbam.   We recently upgraded our MBAM server to 2.5 SP1 with December 2016 servicing release. These machines have Mbam client 2.5.1126.0.  We are using the currently ADMX templates for bitlocker.  

Does anyone have any ideas for us?    Thanks.

MLstev01

=================Event ID 2===============================

An error occurred while applying MBAM policies.

Volume ID:\\?\Volume{6ab6a008-6623-11e5-aa03-90b11c7b8807}\

Error code:

-2143485952

Details:

The input data was not in the expected format or did not have the expected value.

Task Category:

VolumeEnactmentFailed

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial