Common Troubleshooting Issues Encountered When Configuring MBAM 2.5

Hey! Bill Spears here. I'm a Microsoft Premier Field Engineer based in North Carolina and I specialize primarily in Windows Deployment and Client technologies. After completing many MBAM deployments and helping a client or two troubleshoot various MBAM setup issues, I wanted to share some of the most common things that I run into on a regular basis and point out how to troubleshoot and resolve those issues in order to achieve a successful MBAM setup.

Note that everything necessary to achieve a successful MBAM deployment is all documented on MSDN at the link below. If you follow these guidelines to ensure you have met all the prerequisites, created the correct Active Directory groups and users accounts, installed the MBAM components as described in the documents, created the correct group policies, and followed the guidelines described in each document, then your MBAM implementation should go smoothly and be up and running in no time.

Deploying MBAM 2.5

http://msdn.microsoft.com/en-us/library/dn645316.aspx

But what if things aren’t working? Now what? Hopefully these tips will help you overcome some of the common pitfalls that many people run into when deploying MBAM. After successfully deploying the server components of MBAM, which will most commonly be distributed among separate servers for SQL/SRSS, IIS and optionally SCCM integration, the most common problem encountered will be ensuring that the MBAM clients are properly communicating with the server in order to adhere to the MBAM group policies given to them, escrow their recovery keys, and report compliance status. In order to accomplish this, all we need to do is install the MBAM client on the machine and apply the MBAM group policy settings to the machine.

A good first step would be to check Gpresult to ensure that your policy is applied. Detailed instructions on which policies are necessary are outlined in the following MSDN document:

Planning for MBAM 2.5 Group Policy Requirements

http://msdn.microsoft.com/en-us/library/dn645338.aspx

If the policy successfully applied, you will see the settings in this location in the registry:

HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement

In order to verify that MBAM Client software was properly installed, you can check Services to ensure that the following service is running:

image

Once the MBAM Client is installed, the MBAM Event log will be the place to find all the answers. This will be located here:

Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM (Admin and Operational)

A common failure would be that we are unable to reach the remote endpoint, such as in the example screenshot below:

image

“An error occurred while sending encryption status data” errors may specify “The remote endpoint was not reachable” Or “Access was denied by the remote endpoint”.

There are several reasons that the MBAM client may be having trouble reaching the endpoint. My first step would be to visit the registry key mentioned earlier (HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement) and copy the value from KeyRecoveryServiceEndPoint (this is what you configured in your group policy) and paste this URL into an Internet Explorer window. If you get a page not displayed error, then let’s verify that you have correctly set the URL.

http(s)://<MBAM Server Name>:<the port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.

Example: http://mbamserver.contoso.com:80/MBAMRecoveryAndHardwareService/CoreService.svc.

So things to ask yourself are:

1 – Should it be http or https? (Did you supply a certificate when you installed MBAM)

2 – Did you specify FQDN or Hostname when you installed MBAM?

3 – Are you using the default port (80 or 443) or did you change this during MBAM setup wizard?

4 – Any other typos in the URL?

If you are getting prompted for credentials when you paste the URL into Internet Explorer or if you are seeing Access Denied by remote endpoint in your event log, then we would want to check the following:

1 – Is your SPN properly set? The following TechNet document explains how to use the setspn command. Also be sure to take into account if you are using hostname or FQDN.

MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies
https://technet.microsoft.com/en-us/library/dn645331.aspx

2 – Have you set delegation on your Web Service Pool Application account?

Go to Active Directory Users and Computers – Find your MBAM Web Application Pool Account – Right Click – Properties – Delegation Tab – Select “Trust the user for delegation to specified services only” – “Use Kerberos only” – Add – Browse to your Application Pool Credentials – Select your http SPN. See screenshot below:

image

3 – Does your URL fall under your Intranet Zone? For example, if your URL uses servername.contoso.com and you do not have an entry for *.contoso.com in Internet Explorer (Internet Options – Security – Local Intranet – Sites – Advanced), Windows will think this URL is on the internet, which would break Kerberos.

4 – Is your Web Service Pool Application account a member of your MBAM Database Read/Write group? Complete explanation of required Active Directory group and user accounts needed for MBAM are described in the following TechNet document:

Planning for MBAM 2.5 Groups and Accounts
http://msdn.microsoft.com/en-us/library/dn645328.aspx

Hopefully, this blog will save you some time if you find yourself trying to figure out how to troubleshoot your MBAM 2.5 deployment. Remember, to always check the MBAM Event Log as your first point of troubleshooting as this will lead you to the correct troubleshooting path.

Happy Encrypting.

-Bill Spears