What's new
Forums on Intune, SCCM, and Windows 11

Welcome to the forums. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your topics and posts, as well as connect with other members through your own private inbox!

NEW SCCM : Bitlocker policies will not connect to the MBAM recovery services

  • Thread starter Thread starter Nscott
  • Start date Start date
  • Replies Replies 0
  • Views Views 2K
N

Nscott

Member
Messages
9
Reaction score
1
Points
3
CM : 2403
We have bitlocker enabled via GPO's, but i'm trying to move away from this as management is asking for some reports that i cannot get, plus i'd like to move everything to SCCM if i can...
Have been trying for awhile to get SCCM to push out bitlocker settings instead of GPO's and am running into a wall.

  • Fresh image of windows 11 23H2 (although this was happening on a W10 machine as well)
  • RDP'd in to get screenshots, other than that, it's been on the domain.
here is the full troubleshooting that i've done
  • MP is EHTTP
  • IIS Site on MP is HTTPS
  • Client is in an OU with no GPO's for BL
  • Client is completely decrypted
  1. Created Policy
  2. Deployed it to my test collection
  3. MP created folder G:\SMS_CCM\Microsoft Bitlocker Management Solution
  4. MP created IIS site SMS_MP_MBAM
    1. SSL settings defaulted to "Require SSL" and "client certificates > ignore" (keeping this setup for now)
  5. Client received and installed the MDOP MBAM software
  6. Client - Manage-bde -status shows fully decrypted, protection off, bitlocker version 2.0
  7. Client - Bitlockermanagement_grouppolicyhandler.log shows the same "could not check enrollment URL" error
  8. Client - Policyagentprovider.log does show settings changes right after i created the change
  9. Client - Regedit under the FVE group doesn't show "KeyRecoveryServiceEndPoint"
    1. Screenshots below
    2. shows all settings HAVE gone down
  10. Event viewer still showing the error "unable to connect to the MBAM recovery and hardware service"
  11. Client - can get to the HTTPS site of the MP via the following
  12. https://<FQDN>/
  13. https://<FQDN>/sms_mp_mbam/ (asks for ID and PW)
  14. https://<FQDN>/sms_mp_mbam/coreservice.svc
    1. Screenshot below
  15. changed SSL settings on SMS_MP_MBAM to accept client certs - same issue
  16. changed SSL settings on the default MP site to accept client certs - same issue
it's somehow unable to communicate but i'm really unsure how if it's able to get to the HTTPS sites without any issue


Picture1.pngPicture2.pngPicture3.pngPicture4.pngPicture5.pngPicture6.pngPicture7.pngPicture8.pngPicture9.png
 
You must log in or register to reply here.

Similar threads

  • PENDING How to Activate Windows 11 with Intune, Local Active Directory, and SCCM
  • PENDING SCCM Capture media error 0x80070091
  • PENDING Fresh SCCM Server 2022 Install – Reuse Same Site Code Without Reinstalling All Clients?
  • SOLVED Trigger Intune Management Extension (IME) Sync
  • PENDING Problems after Upgrading to ConfigMgr 2503

    • Forum statistics

    Threads
    7,142
    Messages
    27,882
    Members
    18,171
    Latest member
    giannib

    Latest posts

    Trending content
    Back
    Top