Group policy for MBAM/Bitlocker for Windows 7 and Windows 10 machines

Our environment is mainly Windows 7 Ent with a few Windows 10 Ent starting to trickle in. We have MDOP MBAM 2.5 SP1 integrated with SCCM 1610. Yesterday we installed the Dec Servicing Hotfix KB3198158, which appears to have installed fine. We are now trying to change the appropriate GPO settings. From what I have read online, I believe we are supposed to leave the current MBAM settings in the GPO at AES-256 for Windows 7 machines. We should enable the setting in the Bitlocker Encryption section to "Choose Drive encryption method and cipher strength (windows 1511 or later)" and choose XTS-AES 256 for Windows 10 machines that are 1511 or 1607. For some reason we are not seeing this setting under the Bitlocker Encryption section. How do we get this setting to appear? Can you please help me out?

Please let me know if you need additional information.


Bradley Fox (LAN/WAN Systems Administrator) Commented:
You need the latest ADMX templates for Windows 10 and Server 2016.
DCrats (Author) Commented:
Ok, we found the correct template to import for the W10 Bitlocker settings. We enabled the XTS-AES 256 drive encryption setting under Bitlocker, which also applied it under MBAM.

I am trying to bitlock a Surface Pro 4 with W10 1607 Ent. I upgraded the MBAM client to 2.5.1126.0.
I try running the MBAM client and nothing is happening.
When I look in Event Viewer I am seeing two different messages.

EventID 18.  Unable to connect to the MBAM recovery and Hardware Service.    Error Code -2143485952.  Details "The input data was not in the expected format or did not have the expected value"

EventID 2.  An error occurred while applying MBAM policies.  Error code -2147023266.  Details "Data of this type is not supported"

Is there something in the GPO or a setting on the MBAM server that needs to be changed or configured?
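
A check that fits this point in the thread, as an added example that is not part of the original posts: it compares the cipher that the Windows 10 BitLocker policy delivered to the client with the method each volume reports, and lists whatever MBAM policy values arrived. It assumes an elevated PowerShell session on the client, the registry value names written by the Windows 10 BitLocker ADMX policy, and that any data volumes are fixed drives.

```powershell
# Added example (not from the thread). Run elevated on the Windows 10 client after gpupdate.
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbamKey = Join-Path $fveKey 'MDOPBitLockerManagement'

# Policy DWORD -> method name as reported by Get-BitLockerVolume
$methodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Values written by the "(Windows 10 [Version 1511] and later)" cipher policy.
# Assumption: data volumes are fixed drives; removable drives use EncryptionMethodWithXtsRdv.
$policyByVolumeType = @{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    Data            = 'EncryptionMethodWithXtsFdv'
}

$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No BitLocker policy values under $fveKey; the GPO has not reached this machine."
    return
}

Get-BitLockerVolume | ForEach-Object {
    $valueName = $policyByVolumeType[[string]$_.VolumeType]
    $raw       = $policy.$valueName
    $expected  = if ($null -ne $raw) { $methodNames[[int]$raw] } else { $null }
    $actual    = [string]$_.EncryptionMethod

    $status = if (-not $expected)          { 'PolicyNotSet' }
              elseif ($actual -eq 'None')  { 'NotEncrypted' }
              elseif ($actual -eq $expected) { 'Match' }
              else                         { 'Mismatch' }

    [pscustomobject]@{
        Mount       = $_.MountPoint
        VolumeType  = $_.VolumeType
        PolicyValue = $valueName
        Expected    = $expected
        Actual      = $actual
        Status      = $status
    }
} | Format-Table -AutoSize

# MBAM client policy (service endpoints, wake-up frequency) lands in its own subkey.
if (Test-Path $mbamKey) {
    Get-ItemProperty -Path $mbamKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "No MBAM policy under $mbamKey; the MBAM GPO settings are not applied."
}
```

A `Mismatch` on a volume that was encrypted before the policy changed is expected: the cipher policy only applies when a drive is encrypted, so an existing volume keeps its method until it is decrypted and re-encrypted.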

Bradley Fox (LAN/WAN Systems Administrator) Commented:
I wish I could help you out here; we are utilizing Bitlocker in our environment on Laptops but we did not implement MBAM.  We deploy with SCCM and store the Bitlocker information in AD, but we just encrypt them as the last step in the imaging task sequence.  If we need a recovery key we just look it up on the computer object in ADUC.
Bradley Fox (LAN/WAN Systems Administrator) Commented:
I have attached our Bitlocker GPO settings.  Our Surface Pro 4 systems encrypt without issue utilizing these settings, however, I'm not exactly sure how MBAM fits into this equation.

DCrats (Author) Commented:
We are having issues trying to get a Surface Pro 4 and a Yoga 20FRS2J00 to bitlock using MBAM. The devices have Windows 10 1511 Ent on them. We are seeing the message below in the Event Viewer for both devices. We have imaged a Dell OptiPlex 7010 in legacy BIOS mode and it encrypts fine with MBAM with the XTS-AES 256 encryption method, which is what we want. We also have imaged 2 Dell GX5040's with the same image, one with TPM 1.2 and the other with TPM 2.0 UEFI mode, and they encrypted with XTS-AES 256 fine using MBAM. We recently upgraded our MBAM server to 2.5 SP1 with the December 2016 servicing release. These machines have MBAM client 2.5.1126.0. We are using the current ADMX templates for Bitlocker.

Does anyone have any ideas for us?    Thanks.


=================Event ID 2===============================

An error occurred while applying MBAM policies.

Volume ID:\\?\Volume{6ab6a008-6623-11e5-aa03-90b11c7b8807}\

Error code:



The input data was not in the expected format or did not have the expected value.

Task Category:
