Prompt user to encrypt with BitLocker (MBAM)
Hi,
We deployed Microsoft BitLocker Administration and Monitoring for testing. The MBAM client is installed on a test system and the MBAM GPOs are applied to the test system.
How can I prompt the user to encrypt the drives with BitLocker? Thanks!
Windows Server 2008 R2
Windows SQL Server 2008 R2
Windows 7 Ultimate
October 27th, 2011 7:07am
1st option:
1. Policies for MBAM on client:
On Windows 7 client open registry
HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
2. There is a random delay of up to 90 minutes when the MBAM service starts on the Windows 7 client.
If you don’t want random delay, then create a dword value “NoStartupDelay” under HKLM\Software\Microsoft\MBAM and set its value to 1.
Restart the MBAM Client Service and then client will talk to server in 1 minute.
If you hit this error on the client, then follow the workaround in this KB, which I wrote:
2612822 Computer Record is Rejected in MBAM
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822
MBAM Logs on client:
Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM
If you have enabled the Allow Hardware Compatibility Check policy, then
to remove the hardware capability check delay, do this:
To remove the timer:
1. HKLM\software\microsoft\MBAM\HWExemptionTimer
2. HKLM\software\microsoft\MBAM\HWExemptionType
3. Restart the MBAM agent: (BitLocker management client service)
Or
Change HKLM\software\microsoft\MBAM\HWExemptionType = 2
2nd Option:
To pop-up MBAM client manually do this:
On Windows 7 client machine, browse to c:\programfiles\microsoft\mdopmbam\
Double-click on MBAMClientUI.exe and it will prompt a user to start the encryption.
Manoj Sehgal
October 27th, 2011 9:27am
Hi,
Was your issue solved?
Please feel free to give me any update.
Thanks.
Regards,
Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 1st, 2011 5:41am
To pop up the MBAM client manually works.
But automatic pop-up doesn't work with any of the solution options after restarting the MBAM service.
November 2nd, 2011 11:26am
Things to check:
1. The MBAM prompt will not be seen if you have taken a RDP session to the Win7 client machine.
You will have to be on the console of the machine to see the prompt automatically.
2. Check MBAM logs on win7 client
Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM --> Admin
If you see some errors, let me know.
Manoj Sehgal
November 2nd, 2011 2:10pm
Hi Korbinian,
How’s everything going? Was your problem solved by the suggestion of Manoj Sehgal? Please feel free to give any update here.
Thank you for your understanding and cooperation.
Regards,
Leo Huang
November 7th, 2011 4:51am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Regards,
Leo Huang
November 10th, 2011 2:14am
Hi there,
I have the same problem - all MBAM and GPO settings in place and all working correctly, but no auto start. Manual kick-off of encryption by running the suggested .exe works fine.
I checked the logs like you say under: Event Viewer -> Application and Services Logs -> Microsoft -> Windows -> MBAM --> Admin and I have the following errors:
Event ID: 11 The computer is exempted from encryption.
Machine's hardware status: Unknown
Could this be the cause?
Regards,
Mark
January 11th, 2012 9:44am
Computer is exempted from encryption
Check HKCU\Software\Microsoft\MBAM
and delete MBAM and then try again.
Manoj Sehgal
January 11th, 2012 3:24pm
Manoj,
We've implemented MBAM and everything is working correctly. The pop up to notify the user to bitlock is also working but I would like to make the pop up appear more often as some of the users just continue to click POSTPONE. Is there a way to increase the pop up?
Thanks,
RayRay
January 17th, 2012 11:35am
I'm also having trouble with the prompting.
I install the wim image with WinPE.
Then in runonce:
I import registry settings (hklm/software/microsoft/mbam) and I overwrite the policies\microsoft\fde\ so I need TPMonly to start encryption.
Then I install the client.msi and encryption starts.
After reboot group policy sets TPMandPIN, but when I log on with a user I don't get prompted to set a PIN.
If I start clientui.exe then I get the message "Your company have changed the bitlocker policy", then I can press next, type the PIN twice, and it successfully finishes. If I press postpone and restart I don't get the prompt again.
I've set all client delays to 1 minute. I don't get any error in eventvwr.
If a user presses postpone, what happens? Does it make a runonce key or what?
January 31st, 2012 2:47pm
Hi, in the Event Viewer I can see the following:
this computer is exempted from encryption
Computers won't start the encryption automatically :(
Please HELP!
Best Regards,
Ori Husyt
February 18th, 2012 1:53pm
Hi Booray,
Try with the changes to the registry entries as proposed by Manoj.
HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
Change the ClientWakeUpFrequency = 1 and StatusReportingFrequency=1
I think this will reduce the frequency for the pop-up to come up more often. Please do reply if it worked.
Gaurav Ranjan
February 22nd, 2012 1:19am
Hi Ori,
If you have enabled the Allow Hardware Compatibility Check policy, then
Change HKLM\software\microsoft\MBAM\HWExemptionType = 2
So that the MBAM agent can know the machine is non-exempted and can start the encryption. This has worked for me. I hope it will work for you as well. If it does, then please reply so that it will be helpful to others with the same issue.
Gaurav Ranjan
February 22nd, 2012 1:24am
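The checks suggested across this thread, collected into one read-only PowerShell script so you can see which overrides are set on a client and whether it has logged itself as exempted from encryption. This is an added example, not code from any of the posters or from Microsoft; the registry paths, value names, service display name and Event ID 11 are taken from the posts above, and the event channel name `Microsoft-Windows-MBAM/Admin` is an assumption derived from the Event Viewer path they quote.

```powershell
# Read-only: reports the MBAM client settings and events discussed in this thread.
$policyKey = 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$clientKey = 'HKLM:\Software\Microsoft\MBAM'
$checks = @(
    @{ Key = $policyKey; Name = 'ClientWakeUpFrequency' },
    @{ Key = $policyKey; Name = 'StatusReportingFrequency' },
    @{ Key = $clientKey; Name = 'NoStartupDelay' },
    @{ Key = $clientKey; Name = 'HWExemptionType' },
    @{ Key = $clientKey; Name = 'HWExemptionTimer' }
)

# Collect each value, marking the ones that are absent instead of failing.
$rows = foreach ($c in $checks) {
    $value = '<not set>'
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { $value = $item.($c.Name) }
    New-Object PSObject -Property @{ Name = $c.Name; Value = $value; Key = $c.Key }
}
$rows | Format-Table Name, Value, Key -AutoSize

# Per-user MBAM key mentioned in the thread for the "exempted" case.
"HKCU MBAM key present: {0}" -f (Test-Path 'HKCU:\Software\Microsoft\MBAM')

# Per the thread, the automatic prompt is not shown in an RDP session.
"Session: {0}" -f $env:SESSIONNAME

# Service looked up by the display name used in the thread.
Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# Assumed channel name for Event Viewer > ... > Windows > MBAM > Admin.
$log = 'Microsoft-Windows-MBAM/Admin'
$events = Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue

# Show warnings/errors plus Event ID 11 ("exempted from encryption").
$events | Where-Object { $_.Level -le 3 -or $_.Id -eq 11 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Values such as `NoStartupDelay` and `HWExemptionType` under `HKLM\Software\Microsoft\MBAM` are local overrides made for testing, so finding them on a production client is worth following up, as is any machine still logging Event ID 11.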