MBAM MDT Encryption not starting
Hi, I am trying to start the encryption with MDT, but it's not working properly. The encryption is not started. I can't get it started, not even by hand. I am doing this on non-domain joined clients. I only want to start the TPM encryption.
What I've done:
- Made sure the TPM is enabled
- Made sure the TPM is active
- Made sure the TPM is not owned (it also doesn't work when it is owned)
- Added the MBAMDeploymentKeyTemplate.reg and adjusted the settings for non-domain joined clients
- Restarted the MBAMAgent
- Restarted the PC
Regkeys in HKLM\Software\MBAM
DeploymentTime: REG_DWORD, value 1
UseKeyRecoveryService: REG_DWORD, value 0
What am I missing?
Regards, Patrick
October 17th, 2011 10:02am

Check the MBAM logs in the Event Viewer - under Application Logs. Also, try to launch the client manually to see if it gives you a specific error message - the client should be under program files\MBAM or MDOP folder\ MBAMClientUI.exe
Regards, Vik Singh
October 17th, 2011 11:19am

Nothing is logged in the Eventvwr, not in the Admin or Operational log. I've tried running the MBAMClientUI.exe, but as long as no policies are set in HKLM\Software\Policies\FVE\MDOP MBAM nothing is happening. These policies cannot be set, because the machine isn't yet joined to the domain.
Regards, Patrick
October 18th, 2011 3:08am

What is the error message you are seeing when you try to start it? Check for events in eventlog.
Sumesh P - Microsoft Online Community Support
October 18th, 2011 3:25am

Have you reviewed the whitepaper for MBAM and MDT?
Using MBAM Data Encryption With MDT: http://go.microsoft.com/fwlink/?LinkId=229053
Sumesh P - Microsoft Online Community Support
October 18th, 2011 3:35am

Hi, Yes, I used this whitepaper as input. I haven't implemented the Task Sequence steps yet, as I wanted to test this manually first. So I checked the status of the TPM chip and then added the RegKeys and restarted the MBAMAgent service. Nothing is happening, even when I ran the MBAMClientUI.exe manually. I've imported the policies used in the domain for MBAM and then ran the MBAMClientUI.exe. Now the screen pops up. I want the encryption process to be started (TPM only, no PIN) before joining the machine to the domain. When a user receives the laptop the encryption should already be done; only a PIN needs to be provided.
Regards, Patrick
October 18th, 2011 3:51am

Hi, I have similar issues. Installed SQL with TDE, MBAM, created GPOs on OU, joined computer and added to OU and installed MBAM client. But nothing happens, no alerts in eventlog, but when I run Gpresult /R the MBAM policy is applied. The test notebook is a Dell Latitude D820 so the TPM is the correct version. I verified the URLs for the GPO:
https://mbam.morne.local//MBAMComplianceStatusService/StatusReportingService.svc
https://mbam.morne.local/MBAMRecoveryAndHardwareService/CoreService.svc
What am I missing? Is SP1 for Windows 7 a requirement?
October 24th, 2011 3:00pm

Similar issues? The client not launching automatically? If yes, what happens if you launch it manually? SP1 is not a requirement.
Regards, Vik Singh
October 24th, 2011 3:10pm

It encrypts the drive when I launch it manually. When I go to "Computer Compliance Report" it shows up as non-compliant (I disabled compliance checking just to test). It does not show at all in "Enterprise Compliance Report". My major concern at the moment is that MBAM does not launch automatically after the GPO is applied. Must the BitLocker service be set to Manual?
October 24th, 2011 5:08pm

Do you think it will help if I De-crypt and Reset the TPM maybe?
October 24th, 2011 5:18pm

Hi,
Replace the following text in the MBAMDeploymentKeyTemplate.reg and use it in your task-sequence.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"DeploymentTime"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,31,00,3a,00,38,00,31,00,2f,00,4d,00,42,00,41,00,4d,\
  00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,\
  61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,2e,00,73,00,76,00,63,00,00,00
"DisableMachineVerification"=dword:00000001
Best regards, Magnus Mourujrvi
October 25th, 2011 7:58am
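
Added example (not part of the thread and not MBAM tooling): the hex(2) value in the template above is a UTF-16LE string, so a .reg file can be decoded and checked before it is imported in a task sequence. The names parse_reg and summarize are hypothetical; the input is the .reg text from the post above, embedded inline so the block runs offline.

```python
import re
from urllib.parse import urlsplit

# Sample input: the .reg text from the post above, embedded for offline use.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"DeploymentTime"=dword:00000001
"KeyRecoveryServiceEndPoint"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,\
  6d,00,62,00,61,00,6d,00,31,00,3a,00,38,00,31,00,2f,00,4d,00,42,00,41,00,4d,\
  00,52,00,65,00,63,00,6f,00,76,00,65,00,72,00,79,00,41,00,6e,00,64,00,48,00,\
  61,00,72,00,64,00,77,00,61,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,2f,00,43,00,6f,00,72,00,65,00,53,00,65,00,72,00,76,00,69,00,63,00,\
  65,00,2e,00,73,00,76,00,63,00,00,00
"DisableMachineVerification"=dword:00000001
'''

def parse_reg(text):
    """Decode dword, hex(2) and plain string values, grouped by key path."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif data.startswith("hex(2):"):  # REG_EXPAND_SZ: UTF-16LE + NUL
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                current[name] = raw.decode("utf-16-le").rstrip("\x00")
            else:
                current[name] = data.strip('"')
    return keys

def summarize(text, key=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM"):
    """Hypothetical helper: report the settings this thread discusses."""
    v = parse_reg(text).get(key, {})
    endpoint = v.get("KeyRecoveryServiceEndPoint", "")
    return {
        "uses_recovery_service": v.get("UseKeyRecoveryService") == 1,
        "endpoint": endpoint,
        "endpoint_is_https": urlsplit(endpoint).scheme == "https",
        "machine_verification_disabled": v.get("DisableMachineVerification") == 1,
    }
```

Calling summarize(SAMPLE_REG) shows which server the template points at and whether the recovery service is switched on, so a template copied from another environment can be checked against your own server name before import.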

Magnus, this won't help as I am not trying to use the ServiceEndpoint. I just want to start the TPM only encryption. I will try the "DisableMachineVerification"=dword:00000001 option to see if this might trigger the encryption to start. Regards, Patrick
October 25th, 2011 8:05am

Is your issue resolved, or do you still want more help?
Manoj Sehgal
October 31st, 2011 3:40pm

No, the problem still exists. We decided to use the normal encryption method for the time being. If you know the solution to this problem, please help. Regards, Patrick
November 1st, 2011 4:35am

Patrick,
http://www.microsoft.com/download/en/details.aspx?id=27555
If you read this white paper, Using MBAM Data Encryption with MDT, it works as it is written. The purpose of this document is to encrypt the volume with TPM before a user gets the machine. The steps described work correctly. Once the machine is put in the final OU, then the regular GPOs are applied for MBAM.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001
"DeploymentTime"=dword:00000001
"Installed"=dword:00000001
"KeyRecoveryOptions"=dword:00000001
"UseKeyRecoveryService"=dword:00000001
"KeyRecoveryServiceEndPoint"= http://<yourserverhere>/MBAMRecoveryAndHardwareService/CoreService.svc
net start mbamagent
Manoj Sehgal
November 8th, 2011 10:54am

If you want to just start the encryption manually through MBAM, do the following steps. It worked for me:
- First install the MBAM Policy template on the client machine.
- Configure the MBAM policies locally on that machine.
- Then install the MBAM client on the client machine.
- Then go to the location "C:\Program Files\Microsoft\MDOP MBAM" and run the application MBAMClientUI (for a 32-bit machine).
It will prompt you to start the encryption process. For starting the encryption process manually, you don't have to create the registry entry or import the reg template. Make the confirmation so that it can help others too.
Gaurav Ranjan
January 5th, 2012 7:49am

Gaurav,
If a user wants to start the encryption, then the easiest method is to:
1. Just install MBAM client on Win7 machine.
2. Make sure MBAM GPOs are configured correctly and applied to Win7 machines.
After 90 mins, we will prompt user to start encryption. No additional registry entries required. No need to launch MBAMClientUI.exe manually. MBAMClientUI.exe is only used if you do not get the regular MBAM prompt to start encryption.
-Manoj
Manoj Sehgal
January 6th, 2012 9:25pm

I have asked a few other questions in other posts, but you have not replied to those. I need some help with a BitLocker scenario with MBAM:
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/343bec4a-7b47-498b-a177-643002a59bea?prof=requiredo
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/9ca8b9e0-64fb-407d-8ee7-b46098dc4223/
Please reply to those posts too.
Gaurav Ranjan
January 7th, 2012 1:17am

I, too, am having problems with encryption starting. I am testing with Windows 7 64-bit. I have seen a number of posts saying that the MDT whitepaper steps work with 32-bit Windows 7, but encounter problems when running 64-bit. I am attempting to start the scripted solution described here from a command prompt to test:
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx?PageIndex=2&wa=wsignin1.0&CommentPosted=true#comments
I can connect to the MBAM service point from the test machine using IE with the URL that is specified in the MBAM registry entries. The script tells me the TPM is enabled, activated and the Endorsement Key Pair is present. If I start the BitLocker applet in Control Panel, it says the drive is ready for encryption. There are no errors in the application or system event logs. Are the error codes generated by the StartMBAMEncryption.wsf script documented anywhere? Can anyone provide troubleshooting guidance? I will cross-post to the SCCM\OSD forum.
TIA, Tom
June 14th, 2012 7:25pm

I finally got this to work by skipping my testing phase and just using the task sequence as described in the step-by-step located here: http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx?PageIndex=2&wa=wsignin1.0&CommentPosted=true#comments It still fails if I attempt to run the StartMBAMEncryption script from a command prompt. So much for due diligence! But at least it runs in the TS. HTH, Tom
June 20th, 2012 7:43am

This topic is archived. No further replies will be accepted.
