IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Hey! Bill Spears here. I'm a Microsoft Premier Field Engineer based in North Carolina and I specialize primarily in Windows Deployment and Client technologies. After completing many MBAM deployments and helping a client or two troubleshoot various MBAM setup issues, I wanted to share some of the most common things that I run into on a regular basis and point out how to troubleshoot and resolve those issues in order to achieve a successful MBAM setup.
Note that everything necessary to achieve a successful MBAM deployment is documented on MSDN at the link below. If you follow these guidelines to ensure you have met all the prerequisites, created the correct Active Directory groups and user accounts, installed the MBAM components as described in the documents, created the correct group policies, and followed the guidelines described in each document, then your MBAM implementation should go smoothly and be up and running in no time.
Deploying MBAM 2.5
But what if things aren’t working? Now what? Hopefully these tips will help you overcome some of the common pitfalls that many people run into when deploying MBAM. The server components of MBAM are most commonly distributed among separate servers for SQL Server/SSRS, IIS and, optionally, SCCM integration. Once they are deployed, the most common problem is ensuring that the MBAM clients communicate properly with the server so that they can adhere to the MBAM group policies given to them, escrow their recovery keys, and report compliance status. To accomplish this, all we need to do is install the MBAM client on the machine and apply the MBAM group policy settings to the machine.
A good first step is to run gpresult to ensure that your policy is applied. Detailed instructions on which policies are necessary are outlined in the following MSDN document:
Planning for MBAM 2.5 Group Policy Requirements
If the policy applied successfully, you will see the settings under the following registry key: HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
In order to verify that MBAM Client software was properly installed, you can check Services to ensure that the following service is running:
Once the MBAM Client is installed, the MBAM event log is where you will find the answers. It is located here:
Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM (Admin and Operational)
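The three checks above (policy key, client service, MBAM event log) collected in one script. This is an added example, not code from the original post; it assumes the client service name is 'MBAMAgent' (display name "BitLocker Management Client Service") and the event channel names shown below.

```powershell
# Added example, not from the original post: client-side health check that reads the MBAM policy
# key, checks the agent service and pulls recent MBAM event log problems.
# Assumption: the MBAM 2.5 client service name is 'MBAMAgent'.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

function Get-MbamClientPolicy {
    # Returns the values the MBAM GPO writes, or $null when the policy has not applied.
    if (-not (Test-Path $policyKey)) { return $null }
    Get-ItemProperty -Path $policyKey | Select-Object -Property * -ExcludeProperty PS*
}

function Test-MbamClientService {
    param([string]$ServiceName = 'MBAMAgent')   # assumption: MBAM 2.5 client service name
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $ServiceName
        Installed = ($null -ne $svc)
        Running   = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
}

function Get-MbamRecentProblems {
    param([int]$Hours = 24)
    # The Admin channel carries the "An error occurred while sending encryption status data"
    # events; Operational shows normal policy, escrow and compliance activity.
    $filter = @{
        LogName   = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
        Level     = 1, 2, 3                       # critical, error, warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
}

$policy = Get-MbamClientPolicy
if ($null -eq $policy) {
    Write-Warning "Policy key $policyKey is missing: run gpresult and confirm the MBAM GPO applies here."
} else {
    "KeyRecoveryServiceEndPoint from policy: $($policy.KeyRecoveryServiceEndPoint)"
}
Test-MbamClientService
Get-MbamRecentProblems | Format-Table -AutoSize -Wrap
```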
A common failure is that the client cannot reach the remote endpoint, as in the example screenshot below:
“An error occurred while sending encryption status data” errors may specify “The remote endpoint was not reachable” or “Access was denied by the remote endpoint”.
There are several reasons that the MBAM client may be having trouble reaching the endpoint. My first step would be to visit the registry key mentioned earlier (HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement) and copy the value from KeyRecoveryServiceEndPoint (this is what you configured in your group policy) and paste this URL into an Internet Explorer window. If you get a page not displayed error, then let’s verify that you have correctly set the URL.
http(s)://<MBAM Server Name>:<the port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.
So things to ask yourself are:
1 – Should it be http or https? (Did you supply a certificate when you installed MBAM?)
2 – Did you specify FQDN or Hostname when you installed MBAM?
3 – Are you using the default port (80 or 443) or did you change this during MBAM setup wizard?
4 – Any other typos in the URL?
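The URL check and the Internet Explorer test above, done from PowerShell so the two error messages can be told apart. This is an added example, not code from the original post; it assumes the URL is read from the policy key mentioned earlier (you can also pass -Url explicitly).

```powershell
# Added example, not from the original post: validate the recovery endpoint URL and probe it with
# the logged-on user's Windows credentials, as Internet Explorer would.
function Test-MbamEndpoint {
    param(
        [string]$Url = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement').KeyRecoveryServiceEndPoint
    )
    $uri = [uri]$Url

    # The four questions from the post: scheme, hostname vs FQDN, port, and typos in the path.
    $expectedPath = '/MBAMRecoveryAndHardwareService/CoreService.svc'
    $shape = [pscustomobject]@{
        Url         = $Url
        Scheme      = $uri.Scheme                    # http vs https (certificate supplied at install?)
        HostIsFqdn  = $uri.Host.Contains('.')        # must match what was entered in MBAM setup
        Port        = $uri.Port                      # 80/443 unless changed in the setup wizard
        PathMatches = ($uri.AbsolutePath -ieq $expectedPath)
    }

    # "The remote endpoint was not reachable": name resolution and TCP connectivity first.
    $tcp   = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $reach = [pscustomobject]@{ Resolved = [bool]$tcp.RemoteAddress; TcpOpen = $tcp.TcpTestSucceeded }

    # Same GET IE performs. 401/403 corresponds to "Access was denied by the remote endpoint"
    # (SPN, delegation, intranet zone); 404 points back at hostname/port/path.
    try {
        $r    = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        $http = [pscustomobject]@{ Status = [int]$r.StatusCode; Verdict = 'Endpoint answered' }
    } catch {
        $code = 0
        try { $code = [int]$_.Exception.Response.StatusCode } catch { }
        $verdict = if ($code -in 401, 403) { 'Access denied: check SPN, delegation and intranet zone' }
                   elseif ($code -eq 404) { 'Not found: check hostname, port and path' }
                   else { "Request failed: $($_.Exception.Message)" }
        $http = [pscustomobject]@{ Status = $code; Verdict = $verdict }
    }

    [pscustomobject]@{ Shape = $shape; Reachability = $reach; Http = $http }
}

$result = Test-MbamEndpoint
$result.Shape        | Format-List
$result.Reachability | Format-List
$result.Http         | Format-List
```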
If you are getting prompted for credentials when you paste the URL into Internet Explorer or if you are seeing Access Denied by remote endpoint in your event log, then we would want to check the following:
1 – Is your SPN properly set? The following TechNet document explains how to use the setspn command. Also be sure to register the SPN for the same name form (hostname or FQDN) that you use in the URL.
MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies
2 – Have you set delegation on your Web Service Pool Application account?
Go to Active Directory Users and Computers – Find your MBAM Web Application Pool Account – Right Click – Properties – Delegation Tab – Select “Trust the user for delegation to specified services only” – “Use Kerberos only” – Add – Browse to your Application Pool Credentials – Select your http SPN. See screenshot below:
3 – Does your URL fall under your Intranet Zone? For example, if your URL uses servername.contoso.com and you do not have an entry for *.contoso.com in Internet Explorer (Internet Options – Security – Local Intranet – Sites – Advanced), Windows will treat this URL as an Internet site and will not use Kerberos, which breaks authentication.
4 – Is your Web Service Pool Application account a member of your MBAM Database Read/Write group? A complete explanation of the Active Directory groups and user accounts required for MBAM is given in the following TechNet document:
Planning for MBAM 2.5 Groups and Accounts
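The four access-denied checks above (SPN, delegation, intranet zone, database group) as read-only queries. This is an added example, not code from the original post; it assumes setspn.exe and the RSAT ActiveDirectory module are available, and the account and group names passed in are placeholders for your own deployment.

```powershell
# Added example, not from the original post: read-only checks for the Kerberos prerequisites.
# Assumptions: setspn.exe and the ActiveDirectory module are installed; names are placeholders.
Import-Module ActiveDirectory

function Test-MbamKerberosPrereqs {
    param(
        [Parameter(Mandatory)][string]$AppPoolAccount,          # sAMAccountName of the web app pool account
        [Parameter(Mandatory)][string]$EndpointHost,            # host exactly as written in the endpoint URL
        [string]$DbReadWriteGroup = 'MBAM Database Read/Write'  # placeholder: your actual group name
    )
    $spn = "http/$EndpointHost"

    # 1) SPN registered, and on which account? setspn -Q prints the owning object as a CN= line.
    $owner = (setspn.exe -Q $spn | Select-String '^CN=' | ForEach-Object { $_.Line }) -join ';'

    # 2) Delegation: "specified services only / Kerberos only" populates msDS-AllowedToDelegateTo.
    $acct    = Get-ADUser -Identity $AppPoolAccount -Properties 'msDS-AllowedToDelegateTo', MemberOf
    $allowed = @($acct.'msDS-AllowedToDelegateTo')

    # 3) Membership in the database read/write group (MemberOf holds DNs, resolve to names).
    $groups = @($acct.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    # 4) Local Intranet zone. Dotless hostnames are intranet by default; an FQDN needs a ZoneMap
    #    entry (user-set or policy) whose http/https value is 1 (zone 1 = Local Intranet).
    $domain     = ($EndpointHost -split '\.', 2)[1]
    $inIntranet = -not $EndpointHost.Contains('.')
    $roots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
             'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if ($domain) {
        foreach ($root in $roots) {
            $key = Join-Path $root $domain
            if (-not (Test-Path $key)) { continue }
            foreach ($k in @(Get-Item $key) + @(Get-ChildItem $key)) {
                if (($k.GetValue('http') -eq 1) -or ($k.GetValue('https') -eq 1)) { $inIntranet = $true }
            }
        }
    }

    [pscustomobject]@{
        Spn               = $spn
        SpnRegisteredOn   = $owner
        SpnOnAppPoolAcct  = ($owner -like "CN=$($acct.Name),*")
        DelegationTargets = ($allowed -join ';')
        DelegationHasSpn  = ($allowed -contains $spn)
        InDbReadWriteGrp  = ($groups -contains $DbReadWriteGroup)
        InIntranetZone    = $inIntranet
    }
}

# Usage with placeholder names:
Test-MbamKerberosPrereqs -AppPoolAccount 'svc-mbam-pool' -EndpointHost 'mbam01.contoso.com'
```

Run it as a user who can read the app pool account in AD; a False in any row maps directly to one of the four numbered items above.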
Hopefully, this blog will save you some time if you find yourself trying to figure out how to troubleshoot your MBAM 2.5 deployment. Remember to always check the MBAM Event Log as your first point of troubleshooting, as this will lead you down the correct troubleshooting path.