OrtacDemirel-7821 asked:
MBAM Fixed drive encryption problem

Hello,

I use an MBAM server.

The client version is MBAM 2.5 SP1 and the OS is Windows 10 1909 Enterprise.

The OS drive was encrypted automatically without problems. My problem is with the fixed drive: fixed drive encryption does not start automatically.

My fixed drive GPO:

- Choose how BitLocker-protected fixed drives can be recovered: Enabled
  - Allow data recovery agent: Enabled
  - Omit recovery options from the BitLocker setup wizard: Enabled
  - Save BitLocker recovery information to AD DS for fixed data drives: Enabled
  - Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  - Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Disabled
- Configure use of passwords for fixed data drives: Disabled
- Encryption Policy Enforcement Settings: Enabled
  - Configure the number of noncompliance grace period days for fixed drives (this grace period begins only after the operating system drive compliance is detected): 0
- Fixed data drive encryption settings: Enabled
- Configure Auto-Unlock for fixed data drive: Allow Auto-Unlock

When I check the GPO from the client, I can see only the "Choose how BitLocker-protected fixed drives can be recovered" and "Configure Auto-Unlock for fixed data drive" settings.

DaleKudusi-MSFT answered:

Hi,

You might try using the following command in an elevated command prompt to refresh the client GPO settings so they can be applied on the clients:

gpupdate /force

then reboot.

Best regards.



Comment: I checked the GPO; it works well. I still have the fixed drive problem.

Comment: You may also want to run gpresult to see what is blocking the policy if everything is correctly configured. Lastly, you may want to check the event log for the TPM-triggered event.

ChristianEromosele-6897 answered:

Hello,

If the policies are correctly configured and linked, it should not take so long to start encrypting. Also, try the compliance report to determine the encryption status by using either of these commands:
- manage-bde -status
- Get-BitLockerVolume

Please check to ensure that the PCs are part of the OU and the BitLocker and MBAM policies are configured correctly.

I saw you also configured auto-unlock. Double-check these links for the BitLocker policies you need:
- https://techdirectarchive.com/2021/01/31/bitlocker-pin-bypass-how-to-configure-network-unlock-2/
- https://techdirectarchive.com/2020/12/30/backup-bitlocker-recovery-keys-to-ad-how-to-enable-bitlocker-via-the-local-group-policy-editor-and-the-group-policy-management-console-2/

This last link will also help you in ensuring your policies are correctly configured and aligned.

Comment: Did you try it for a fixed drive? Auto encryption cannot start for a fixed drive.

Comment: Hello,

It is the policy you are using. I have tested this for OS and fixed data drive and it works. It will require you to log on to the device interactively before encryption of the data drive can succeed.

I see you have auto-unlock enabled; you must therefore enable "Configure use of passwords for fixed data drives". If you are using auto-unlock, the policy will not be enforced until the operating system drive is compliant. However, if you are not using auto-unlock, encryption of the fixed data drive can begin before the operating system drive is fully encrypted. Here is a link:
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/planning-for-mba

I hope this helps.

ChristianEromosele-6897 answered:

Hi OrtacDemirel-7821,

I had to set up MBAM in order to outline the steps for your deployment. I hope this guide helps.
- https://techdirectarchive.com/2021/03/19/mbam-components-how-to-deploy-microsoft-bitlocker-administration-and-monitoring-part-1/

yannara answered:

Remember to check the MBAM client logs in Event Viewer under Applications. If your GPO is set right but there is some problem, you should be able to understand it from those logs.

Comment: Exactly my point. I have also suggested this to him, and he could additionally use gpresult to see if there are GPO denials.
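The status, policy and event-log checks suggested across the answers above (manage-bde / Get-BitLockerVolume, gpresult, the MBAM client logs), gathered into one PowerShell triage script to run on the affected client. This is an added example, not code from the thread or from MBAM itself; the FVE registry subkey and MBAM event channel names are assumptions from my own deployments rather than anything stated in the thread.

```powershell
# Added example, not code from the thread: triage a Windows 10 client whose fixed
# data drive never starts encrypting under MBAM. Run in an elevated PowerShell
# session on the client. Assumes the built-in BitLocker module and the MBAM 2.5
# SP1 client agent are present; event channel and registry names are as I know
# them from MBAM/BitLocker deployments (assumption), not taken from the thread.

# 1. Encryption state of the OS drive and every fixed data drive.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
$volumes | ForEach-Object {
    [pscustomobject]@{
        Drive      = $_.MountPoint
        Type       = $_.VolumeType
        Status     = $_.VolumeStatus          # FullyDecrypted = encryption never started
        Percent    = $_.EncryptionPercentage
        Protection = $_.ProtectionStatus
        AutoUnlock = $_.AutoUnlockEnabled     # populated once an auto-unlock protector exists
        Protectors = ($_.KeyProtector.KeyProtectorType -join ',')
    }
} | Format-Table -AutoSize

# 2. With auto-unlock, fixed-drive enforcement waits for a compliant OS drive.
$os = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    Write-Warning 'OS drive is not compliant yet; the fixed-drive grace period has not started.'
}

# 3. Effective BitLocker policy as written to the client by the GPO. Fixed-data-drive
#    values start with FDV (e.g. FDVRecovery, FDVActiveDirectoryBackup); the MBAM
#    agent keeps its own settings in the MDOPBitLockerManagement subkey (assumption).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue |
    Select-Object -Property FDV* | Format-List
Get-ItemProperty -Path "$fve\MDOPBitLockerManagement" -ErrorAction SilentlyContinue |
    Format-List

# 4. Last 24 h of MBAM client warnings/errors (Event Viewer: Applications and
#    Services Logs > Microsoft > Windows > MBAM). These usually name the policy or
#    prerequisite that blocked encryption.
$filter = @{
    LogName   = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |     # 1 critical, 2 error, 3 warning
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 5. Resultant policy report, to confirm the fixed-drive GPO actually applied.
gpresult /h "$env:TEMP\gpresult.html" /f
```

If step 1 shows the data volume as FullyDecrypted with no key protectors while the OS drive is FullyEncrypted, the policy values in step 3 and the events in step 4 are where the blocking condition will show up.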