The goal of this blog is to share some information learned (the hard way) from recent customer engagement. Hopefully these tips will save you time and accelerate future MBAM deployments. MBAM has dependencies on SQL Server, IIS web services and Active Directory. As a result, it's important to set expectations up front regarding collaboration needs with other teams as this may be required. Like most, I always evaluate products in my lab first as to accelerate overall learning process and better forecast production requirements.
Insights into My Lab
I'm using Windows Server 2016 as a Hyper-V host which supports UEFI and virtual Trusted Platform Module (TPM). Important to note, this is only available in generation 2 virtual machines. Additionally, I have a Domain Controller, MBAM Server and Windows 10 Client (vTPM). As a result, I can evaluate and deploy MBAM without any hardware requirements (which is awesome). Please ensure on Windows 10 client to check "Enable Secure Boot" and "Enable Trusted Platform Module." (*MBAM and encryption within VMs is for evaluation only)
On a fresh deployment, install MBAM immediately followed by latest rollup, before configuring MBAM. The reason is rollups for MBAM only take effect when the add feature wizard is run (This will ensure you're up-to-date from the start). Similarly, existing MBAM deployments require rollup to be installed followed by removal and then re-addition of features via MBAM wizard. Failure to follow this approach will likely lead to inconsistent and unexpected behavior as version mismatch may occur. Please ensure the MBAM client is also up-to-date.
[Existing MBAM deployment patching procedure]
1st Remove feature (do this by opening the MBAM Server Configuration Tool, then select Remove Features)
2nd Remove MDOP MBAM from Control Panel | Programs and Features
3rd Install MBAM 2.5 SP1 RTM
4th Install June 2017 (or latest rollup) Server Update
5th Configure MBAM features using Server Configurator
6th Deploy the Client Update rollup
You can verify MBAM Server patch level and all features match by comparing version numbers in following locations:
HKLM\SOFTWARE\Microsoft\MBAM Server\Installed and HKLM\SOFTWARE\Microsoft\MBAM Server\Version
* If you plan on using SQL 2016 you must ensure MBAM at least June 2017 servicing release (KB4018510).
Notice final screen on the MBAM configuration wizard offers an export to PowerShell feature. This can greatly ease the burden of administration during product maintenance periods instead of manually inputting all the fields. (tedious and error prone)
Any IIS install from Server Manager created default website which is configured on port 80. Remove this website or change port to something else. Failure to do so will lead to error during web site creation.
Deploying MBAM 2.5 in a stand-alone configuration states "SQL Server Reporting Services must be installed and configured in "native" mode and not in unconfigured or "SharePoint". You'll need to record URL for SQL Reporting Services prior to MBAM configuration, make sure you can hit it via web page. If you installed SQL in unconfigured mode, you will need to setup SQL Server Reporting Services yourself before starting.
At the time of this writing, the MDOP Group Policy to enforce encryption immediately on Operating System volume does not work in virtual environment. If you find yourself thinking everything is in order but BitLocker encryption is not starting, that's the reason. (This is one scenario where physical is required) I recommend link above How to Deploy the MBAM Client as Part of a Windows Deployment and use MDT to kick off encryption in the start restore phase of the deployment itself. I also make sure the MBAM client is patched and have added application as a step in my task sequence. The script also provides easy method to alter BitLocker cipher strength to align with your security team requirements.
So, you took our advice and followed every tip and step from guide above and you've got MBAM installed! As a part of your certification process you find compliance information is not populated in MBAM among other issues. Please see Common Troubleshooting Issues Encountered When Configuring MBAM 2.5 and ensure items outlined are checked and double checked. The following log locations should be clean.
Event Viewer – Applications and Services Logs – Microsoft – Windows – MBAM (Admin and Operational)
Advanced troubleshooting example when things don't go as planned
Remember when I said, learned the hard way… I installed the latest rollup for MBAM Server after (should have been before) all features were configured which meant my MBAM installation was really 2.5 SP1 RTM not patched with latest rollup. I didn't know this at the time of course and observed the following errors in event log channel.
[Admin Log on Client]
Error 8/2/2017 11:52 Microsoft-Windows-MBAM 4 TransferStatusDataFailed "An error occurred while sending encryption status data." -2143485933 or WS_E_ENDPOINT_FAULT_RECEIVED
This appears to be an error from MBAM web service and doesn't provide enough insight into root cause. On the server, you'll find a directory structure where MBAM website resides such as:
Each folder contains files with extension SVCLOG. You'll need a tool such as SvcTraceViewer.exe to read them. The rule of thumb is SVCLOGs which are 0 bytes are error free. In my case, logs were under the Compliance Status Service and looked like:
SvcTraceViewer generated message "PostKeyRecoveryInfo: Status info message deserialization failed for DEV\MBAMCLIENT$"
The domain is "DEV" and client NetBIOS name is MBAMClient so while the record is from our troubled machine, it's not enough information to clearly understand RCA. Next step is collecting a simple network trace from our client. Since we have MBAM agent configured to check in every minute, we should be able to collect information very quickly. Typically, my approach is to use inbox ETW provider to collect network trace. (no need to install any tools etc.) I used the following commands from elevated command prompt.
netsh trace start capture = yes
<repro issue or wait 2 minutes and wait for error event creation in MBAM event log>
netsh trace stop
This will create a .ETL trace file in temp directory. You can use Microsoft Message Analyzer to read trace or export into format readable by Wireshark.
Looking at the time in the trace, we can see event every 60 seconds which aligns with our MBAM client lab configuration. We can also see 500 Internal Server Error. Inspecting error details within Wireshark, we find breakthrough in the case 'XTS-AES 256' is not a valid value for CipherStrengthType message.
MBAM 2.5 SP1 RTM doesn't support 'XTS-AES 256' because it was released at a later point in time with Windows 10 1607. I then found my MBAM Server didn't have latest binaries because at the time I wasn't aware of correct patching procedures outlined above. I was finally able to resolve errors by using MBAM configuration wizard to remove and then re-add features, verifying MBAM Server had latest rollup per links above.
Thanks for reading!
Dave Guenthner and Bill Spears
SEO Key words:
MBAM, MBAM 2.5, Microsoft BitLocker Administration and Monitoring ,servicing, XTS-AES 256, SvcTraceViewer.exe, troubleshooting tips