Release Notes for MBAM 2.0

To search these release notes, press Ctrl+F.

Read these release notes thoroughly before you install Microsoft BitLocker Administration and Monitoring (MBAM) 2.0. These release notes contain information that is required to successfully install BitLocker Administration and Monitoring 2.0 and contain information that is not available in the product documentation. If there is a difference between these release notes and other MBAM 2.0 documentation, the latest change should be considered authoritative. These release notes supersede the content that is included with this product.

MBAM 2.0 Known Issues

This section contains release notes for MBAM 2.0.

Computer Name field may not appear in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you run MBAM with Microsoft System Center Configuration Manager 2007

The Computer Name field may be blank in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you use MBAM with Configuration Manager 2007.

WORKAROUND: None.

Enterprise Compliance Report fails to update after you upgrade the Stand-alone MBAM server infrastructure

If you are using the MBAM Stand-alone topology, and you upgrade the server infrastructure from version 1.0 to 2.0, the Enterprise Compliance Report fails to update.

WORKAROUND: After the upgrade, run the following script on the Compliance and Audit Database:

-- =============================================
-- Script Template
-- =============================================

DECLARE @DatabaseName nvarchar(255);
SET @DatabaseName = DB_NAME()

USE msdb;

DECLARE @JobID BINARY(16)
SELECT @JobID = job_id
FROM msdb.dbo.sysjobs
WHERE (name = N'CreateCache')

if (@JobID IS NOT NULL)
BEGIN
    EXEC dbo.sp_delete_job
         @job_name = N'CreateCache';
END

EXEC dbo.sp_add_job
    @job_name = N'CreateCache',
    @enabled = 1;

EXEC dbo.sp_add_jobstep
     @job_name = N'CreateCache',
     @step_name = N'Copy Data',
     @subsystem = N'TSQL',
     @command = N'EXEC [ComplianceCore].UpdateCache',
     @database_name = @DatabaseName,
     @retry_attempts = 5,
     @retry_interval = 5;


EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache',
     @name = N'ReportCacheSchedule1am',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 010000,
     @active_end_time = 020000;

EXEC dbo.sp_attach_schedule
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule1am';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache',
     @name = N'ReportCacheSchedule7am',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 070000,
     @active_end_time = 080000;

EXEC dbo.sp_attach_schedule
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule7am';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache',
     @name = N'ReportCacheSchedule1pm',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 130000,
     @active_end_time = 140000;

EXEC dbo.sp_attach_schedule
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule1pm';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache',
     @name = N'ReportCacheSchedule7pm',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 190000,
     @active_end_time = 200000;

EXEC dbo.sp_attach_schedule
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule7pm';

EXEC dbo.sp_add_jobserver
     @job_name = N'CreateCache';

Reports in the Help Desk Portal display a warning if SSL is not configured in SSRS

If SQL Server Reporting Services (SSRS) was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then browse to the Help Desk Portal and select a report, the following message displays: “Only Secure Content is Displayed.”

WORKAROUND: To show the report, click Show All Content. To address this issue, go to the MBAM computer where SQL Server Reporting Services is installed, run Reporting Services Configuration Manager, and then click Web Service URL. Select the appropriate SSL certificate for the server, enter the appropriate SSL port (the default port is 443), and then click Apply.

Non-default instances of the Configuration Manager database are not supported

MBAM looks only for the default instance of the Configuration Manager database in Configuration Manager 2007 and System Center 2012 Configuration Manager. If you use a non-default instance, you cannot install MBAM.

WORKAROUND: None.

Clicking “Back” in the Compliance Summary report might throw an error

If you drill down into a Compliance Summary report, and then click the Back link in the SSRS report, an error might be thrown.

WORKAROUND: None.

Used Space Only Encryption does not work correctly

If you encrypt a computer for the first time after you install the MBAM Client, and you have set a Group Policy Object to implement Used Space Only encryption, MBAM erroneously encrypts the entire disk instead of encrypting only the disk’s used space. If a computer is already encrypted when you install the MBAM Client, and you have set the same Group Policy Object, the encryption works correctly and encrypts only the used disk space on your computer.

WORKAROUND: None.

Cipher strength displays incorrectly on the Computer Compliance report

If you do not set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object, the Computer Compliance report in the Configuration Manager Integration topology always displays “unknown” for the cipher strength, even when the cipher strength uses the default of 128-bit encryption. The report displays the correct cipher strength if you set a specific cipher strength in the Group Policy Object.

WORKAROUND: Always set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object.

Compliance Status Distribution By Drive Type displays old data after you update configuration items

After you update MBAM configuration items in System Center 2012 Configuration Manager, the Compliance Status Distribution By Drive Type bar chart on the BitLocker Enterprise Compliance Dashboard shows data that is based on information from old versions of the configuration items.

WORKAROUND: None. Modification of the MBAM configuration items is not supported, and the report might not appear as expected.

Enhanced Security Configuration may cause reports to display incorrectly

If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an “Access Denied” message might appear when you try to view reports on the MBAM Server. By default, ESC is turned on to protect the server by decreasing the server’s exposure to potential attacks that can occur through web content and application scripts.

WORKAROUND: If the “Access Denied” message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.

MBAM Server installation fails when you upgrade from SQL Server 2008 to SQL Server 2012

If you upgrade from SQL Server 2008 to SQL Server 2012, and then try to install the Compliance and Audit Database or the Recovery Database, the installation fails and rolls back. The failure occurs because the required SQLCMD.exe file was removed during the SQL upgrade and cannot be found by the MBAM installer. The MSI log file lines may look similar to the following:

RunDbInstallScript Recovery Db CA: BinDir - E:\MSSQL\100\Tools\Binn\SqlCmd.exeRunDbInstallScript Recovery Db CA: dbInstance - xxxxxx\I01RunDbInstallScript Recovery Db CA: sqlScript- C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sqlRunDbInstallScript Recovery Db CA: dbName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultFileName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultDataPath- F:\MSSQL\MSSQL10.I01\MSSQL\DATA\RunDbInstallScript Recovery Db CA: defaultLogPath- K:\MSSQL\MSSQL10.I01\MSSQL\Data\RunDbInstallScript Recovery Db CA: scriptLogPath - C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log-e -E -S xxxxxxx\I01 -i "C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sql" -v DatabaseName="MBAM_Recovery_and_Hardware" DefaultFileName="MBAM_Recovery_and_Hardware" DefaultDataPath="F:\MSSQL\MSSQL10.I01\MSSQL\DATA\" DefaultLogPath="K:\MSSQL\MSSQL10.I01\MSSQL\Data\" -o "C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log"RunDbInstallScript Recovery Db CA:Starting to run the Recovery database install scriptRunDbInstallScript Recovery Db CA: Sqlcmd log file is located in C:\Users\xxxxxx\AppData\Local\Temp\\InstallKeyRecoveryDatabase.logRunDbInstallScript Recovery Db CA Exception: Install Recovery database Custom Action command line output Exception: The system cannot find the file specified

The MBAM Server Windows Installer is hardcoded to find the SQLCMD.exe path by looking in the Path string value in the registry under HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup. The key is still present during the migration from SQL Server 2008 to SQL Server 2012, but the path that is referenced by the data value does not contain the SQLCMD.exe file, because the SQL upgrade process removed the file.

WORKAROUND: Temporarily rename the HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup Path string value to Path_old, and then re-run the MBAM Server Windows Installer. When the installation completes successfully and creates the databases in SQL Server 2012, rename the Path_old value to Path.

Hotfixes and Knowledge Base articles for MBAM 2.0

This section contains hotfixes and KB articles for MBAM 2.0.

KB Article Title Link

2831166

Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

2870849

Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

support.microsoft.com/kb/2870849/EN-US

2756402

MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

support.microsoft.com/kb/2756402/EN-US

2620287

Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

support.microsoft.com/kb/2620287/EN-US

2639518

Error opening Enterprise or Computer Compliance Reports in MBAM

support.microsoft.com/kb/2639518/EN-US

2620269

MBAM Enterprise Reporting Not Getting Updated

support.microsoft.com/kb/2620269/EN-US

2712461

Installing MBAM on a Domain Controller is not supported

2876732

You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

2754259

MBAM and Secure Network Communication

support.microsoft.com/kb/2754259/EN-US

2870842

MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

2668533

MBAM Setup fails if SQL SSRS is not configured properly

support.microsoft.com/kb/2668533/EN-US

2870847

MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

support.microsoft.com/kb/2870847/EN-US

2870839

MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

2620269

MBAM Enterprise Reporting Not Getting Updated

support.microsoft.com/kb/2620269/EN-US

2935997

MBAM Supported Computers compliance reporting incorrectly includes unsupported products

2612822

Computer Record is Rejected in MBAM

support.microsoft.com/kb/2612822/EN-US

About MBAM 2.0