Release Notes for MBAM 2.0 SP1

To search these release notes, press Ctrl+F.

Read these release notes thoroughly before you install Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). These release notes contain information that is required to successfully install BitLocker Administration and Monitoring 2.0 SP1, and they contain information that is not available in the product documentation. If there is a difference between these release notes and other MBAM 2.0 SP1 documentation, the latest change should be considered authoritative. These release notes supersede the content that is included with this product.

MBAM 2.0 SP1 known issues

This section contains known issues for MBAM 2.0 SP1.

Upgrade of MBAM with Configuration Manager Integrated topology to MBAM 2.0 SP1 requires manual removal of Configuration Manager objects

If you are using MBAM with Configuration Manager, and you want to upgrade to MBAM 2.0 SP1, you must manually remove all of the Configuration Manager objects that were installed into Configuration Manager as a part of the MBAM installation. The objects that you must manually remove are the MBAM reports, MBAM Supported Computers collection, and the BitLocker Protection Configuration Baseline and its associated configuration items.

Workaround: Upgrade the Configuration Manager objects by completing the following steps:

  1. Back up existing compliance data to an external file, as described in the following steps.

    Note   All existing BitLocker compliance data will be deleted when you delete the existing baseline in Configuration Manager. The data will be regenerated over time, but it is recommended that you save a copy of the data in case you need the compliance data for a particular computer before the compliance data has been regenerated.

    1. To save historical BitLocker compliance data, open the BitLocker Enterprise Compliance Details Report.

    2. Click the Save icon in the report and select Excel.

      The saved report will contain data such as the computer name, domain name, compliance status, exemption, device users, compliance status details, and last contact date/time. Some information, such as detailed volume information and encryption strength, are not saved.

  2. Uninstall MBAM from the server by using the MBAM installer.

  3. Manually delete the following objects from Configuration Manager:

    • MBAM Supported Computers collection

    • BitLocker Protection baseline

    • BitLocker Operating System Drive Protection configuration item

    • BitLocker Fixed Data Drives Protection configuration item

  4. Manually delete the MBAM Reports folder in the Configuration Manager SQL Server Reporting Services site. To do this:

    1. Use Internet Explorer to browse to the reporting services point, for example, http://<yourcmserver>/reports.

    2. Click the appropriate Configuration Manager site code link.

    3. Delete the MBAM folder.

  5. Use the MBAM Server installer to reinstall the Configuration Manager Integration objects. The client computers will begin to upload BitLocker compliance data again over time.

Submit button on Self-Service Portal does not work in Internet Explorer 10

When you use Internet Explorer 10 to access the Administration and Monitoring Website, the Submit button on the website does not work.

Workaround: On the server where you installed the Administration and Monitoring Website, install Hotfix for ASP.NET browser definition files.

International domain names are not supported

MBAM 2.0 SP1 does not support international domain names.

Workaround: None.

Reports in the Administration and Monitoring website display a warning if SSL is not configured in SSRS

If SQL Server Reporting Services (SSRS) was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then browse to the Administration and Monitoring website and select a report, the following message displays: “Only Secure Content is Displayed.”

Workaround: To correct this issue, configure SSL in Reporting Services Configuration Manager on the MBAM server where SQL Server Reporting Services is installed. Uninstall and then reinstall the Administration and Monitoring Server website.

Clicking Back in the Compliance Summary report might create an error

If you drill down into a Compliance Summary report, and then click the Back link in the SSRS report, an error might occur.

Workaround: None.

Used Space Only Encryption does not work correctly

If you encrypt a computer for the first time after you install the MBAM Client, and you have set a Group Policy Object to implement Used Space Only Encryption, MBAM erroneously encrypts the entire disk instead of encrypting only the disk’s used space. If a computer is already encrypted with Used Space Only Encryption before you install the MBAM Client, and you have set the same Used Space Only Encryption Group Policy Object, MBAM recognizes the setting and reports the encryption correctly in the compliance reports.

Workaround: None.

Cipher strength displays incorrectly in the Computer Compliance report

If you do not set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object, the Computer Compliance report in the Configuration Manager integrated topology always displays Unknown for the cipher strength, even when the cipher strength uses the default of 128-bit encryption. The report displays the correct cipher strength if you set a specific cipher strength in the Group Policy Object.

Workaround: Always set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object.

Compliance Status Distribution By Drive Type displays old data after you update configuration items

After you update MBAM configuration items in System Center 2012 Configuration Manager, the Compliance Status Distribution By Drive Type bar chart on the BitLocker Enterprise Compliance Dashboard shows data that is based on information from old versions of the configuration items.

Workaround: None. Modification of the MBAM configuration items is not supported, and the report might not appear as expected.

Enhanced Security Configuration may cause reports to display incorrectly

If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an Access Denied message might appear when you try to view reports on the MBAM Server. By default, Enhanced Security Configuration is turned on to protect the server by decreasing the server’s exposure to potential attacks that can occur through web content and application scripts.

Workaround: If the Access Denied message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which Enhanced Security Configuration is not enabled.

MBAM Server installation fails when you upgrade from SQL Server 2008 to SQL Server 2012

If you upgrade from SQL Server 2008 to SQL Server 2012, and then try to install the Compliance and Audit Database or the Recovery Database, the installation fails and rolls back. The failure occurs because the required SQLCMD.exe file was removed during the SQL Server upgrade, and it cannot be found by the MBAM installer. The MSI log file lines may look similar to the following:

RunDbInstallScript Recovery Db CA: BinDir - E:\MSSQL\100\Tools\Binn\SqlCmd.exeRunDbInstallScript Recovery Db CA: dbInstance - xxxxxx\I01RunDbInstallScript Recovery Db CA: sqlScript- C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sqlRunDbInstallScript Recovery Db CA: dbName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultFileName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultDataPath- F:\MSSQL\MSSQL10.I01\MSSQL\DATA\RunDbInstallScript Recovery Db CA: defaultLogPath- K:\MSSQL\MSSQL10.I01\MSSQL\Data\RunDbInstallScript Recovery Db CA: scriptLogPath - C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log-e -E -S xxxxxxx\I01 -i "C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sql" -v DatabaseName="MBAM_Recovery_and_Hardware" DefaultFileName="MBAM_Recovery_and_Hardware" DefaultDataPath="F:\MSSQL\MSSQL10.I01\MSSQL\DATA\" DefaultLogPath="K:\MSSQL\MSSQL10.I01\MSSQL\Data\" -o "C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log"RunDbInstallScript Recovery Db CA:Starting to run the Recovery database install scriptRunDbInstallScript Recovery Db CA: Sqlcmd log file is located in C:\Users\xxxxxx\AppData\Local\Temp\\InstallKeyRecoveryDatabase.logRunDbInstallScript Recovery Db CA Exception: Install Recovery database Custom Action command line output Exception: The system cannot find the file specified

The MBAM Server Windows Installer is hardcoded to find the SQLCMD.exe path by looking in the Path string value in the registry under HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup. The key is still present during the migration from SQL Server 2008 to SQL Server 2012, but the path that is referenced by the data value does not contain the SQLCMD.exe file, because the SQL upgrade process removed the file.

Workaround: Temporarily rename the HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup path string value to Path_old, and then run Windows Installer on the MBAM Server again. When the installation completes successfully and creates the databases in SQL Server 2012, rename Path_old to Path.

Hotfixes and Knowledge Base articles for MBAM 2.0 SP1

This section contains hotfixes and KB articles for MBAM 2.0 SP1.

KB Article Title Link

2831166

Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

2870849

Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

support.microsoft.com/kb/2870849/EN-US

2756402

MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

support.microsoft.com/kb/2756402/EN-US

2620287

Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

support.microsoft.com/kb/2620287/EN-US

2639518

Error opening Enterprise or Computer Compliance Reports in MBAM

support.microsoft.com/kb/2639518/EN-US

2620269

MBAM Enterprise Reporting Not Getting Updated

support.microsoft.com/kb/2620269/EN-US

2712461

Installing MBAM on a Domain Controller is not supported

2876732

You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

2754259

MBAM and Secure Network Communication

support.microsoft.com/kb/2754259/EN-US

2870842

MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

2668533

MBAM Setup fails if SQL SSRS is not configured properly

support.microsoft.com/kb/2668533/EN-US

2870847

MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

support.microsoft.com/kb/2870847/EN-US

2870839

MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

2620269

MBAM Enterprise Reporting Not Getting Updated

support.microsoft.com/kb/2620269/EN-US

2935997

MBAM Supported Computers compliance reporting incorrectly includes unsupported products

2612822

Computer Record is Rejected in MBAM

support.microsoft.com/kb/2612822/EN-US

About MBAM 2.0 SP1