What commands are you running and in what order?

John


Sent from my BlackBerry 10 smartphone on the Rogers network.
From: Denzik, Josh
Sent: Wednesday, January 21, 2015 09:32
To: [email protected]
Reply To: [email protected]
Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS


I am trying to use the cctk 3.0.0.1 commands to turn on the tpm and set the 
bios password. The commands work just fine; then after running the cctk 
commands a few times for testing commands I get this error: “The Required BIOS 
interfaces cannot be found on this system”. This error has happened on 
different models. Has anyone seen this before? Please help!

Joshua Denzik
Senior Systems Engineer | Managed Desktop Team | OCIO-IS
phone: 843-792-0306 | email: [email protected]



From: [email protected] [mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Monday, December 8, 2014 5:30 PM
To: [email protected]
Subject: Re: [MDT-OSD] RE: Error Installing MBAM in TS

CAUTION: This email was sent from outside MUSC.
2.5 does not solve the TPM owner password not being saved, when using 
pre-provisioning. There really isn't a way to do that, unless you set the same 
owner password for every device (I do not recommend that.)

If the TPM gets into a state that locks out, just follow the below steps:

 1.  Boot into Windows

 2.  Suspend BitLocker

 3.  Clear the TPM (don't need password)

 4.  Reboot (pressing the key if physical presence is required)

 5.  Resume BitLocker.

When you resume, it will apply the protectors back to the now cleared TPM, and 
MBAM will see the change and rewrite the recovery key.

Sent from Windows Mail
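
The lockout recovery steps above, sketched as a two-phase PowerShell script (an added example, not part of the original thread). It assumes Windows 8.1 or later with the built-in BitLocker and TrustedPlatformModule modules and an elevated session; the `-Phase` and `-MountPoint` parameters and the recovery-password pre-check are additions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: TPM lockout recovery in two phases, split by the reboot.
# Assumptions: built-in BitLocker and TrustedPlatformModule modules;
# -Phase and -MountPoint are hypothetical parameters of this sketch.
param(
    [ValidateSet('Clear', 'Resume')]
    [string]$Phase = 'Clear',
    [string]$MountPoint = $env:SystemDrive
)
$ErrorActionPreference = 'Stop'

$volume = Get-BitLockerVolume -MountPoint $MountPoint

if ($Phase -eq 'Clear') {
    # Pre-check (added): refuse to touch the TPM unless a recovery password
    # protector exists, so the volume stays recoverable if the resume fails.
    $types = @($volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password protector on $MountPoint; add one first."
    }

    # Step 2: suspend BitLocker. RebootCount 0 keeps it suspended until an
    # explicit Resume-BitLocker, so the reboot in step 4 does not re-arm it.
    if ($volume.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    }

    # Step 3: clear the TPM without supplying an owner password.
    Clear-Tpm | Out-Null

    # Step 4: reboot; firmware may prompt for physical presence confirmation.
    Restart-Computer
}
else {
    # After the reboot: make sure the cleared TPM is provisioned again.
    if (-not (Get-Tpm).TpmReady) {
        Initialize-Tpm | Out-Null
    }

    # Step 5: resume BitLocker so the protectors are applied to the cleared TPM.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null

    # Verify: protection should be On with a Tpm protector present.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus,
            @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}
```

Run it once with `-Phase Clear`, then again with `-Phase Resume` after the machine has rebooted.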

From: Roger Truss<mailto:[email protected]>
Sent: Monday, December 8, 2014 12:54 PM
To: [email protected]<mailto:[email protected]>

As to the name, no it does not change later and techs along with users have 
voiced concern over the difference.  Essentially I think that the name should 
not even show up on that screen as it is essentially useless as you need the 
guid to do anything with mbam/bitlocker anyway, as John mentioned.  While yes 
the encryption keys are getting to the mbam database (using pre-provisioning) 
the tpm backup info was not.  There are times when tpm gets out of whack and 
restoring the system requires a key.  We have other ways to obtain the keys I 
know, but the fact that it should be stored in the mbam DB but does not unless 
MBAM is the true encryption owner is a showstopper with pre-provisioning.  
Maybe 2.5 resolves this but we are not there yet.  We are only on the 2.0 
server.

Thank You,



Roger Truss
[email protected]<mailto:[email protected]>
h (920) 456-8302
c (920) 203-0625

On Mon, Dec 8, 2014 at 11:29 AM, Krueger, Jeff 
<[email protected]<mailto:[email protected]>> wrote:
We pre-provision here and MBAM is getting all the data correctly.  In the 
recovery database I can directly query and see the correct computer name 
associated to the volume ID and the recovery key.

We wait till MBAM has been installed before enabling bitlocker, the disk has 
been pre-provisioned and encrypted but it only has a TPM protector until 
BitLocker is enabled at which point a recovery key is set which gets saved by 
MBAM.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Marcum, John
Sent: Monday, December 8, 2014 11:06 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [MDT-OSD] RE: Error Installing MBAM in TS

I'm seeing the same issue where MININT is the disk label. Not sure if that 
corrects itself later or not.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Roger Truss
Sent: Monday, December 08, 2014 9:57 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [MDT-OSD] RE: Error Installing MBAM in TS

We stopped using the pre-provisioning step as data would not get reported to 
the MBAM server properly once the MBAM client and policies were applied post 
OSD.  It did work to encrypt the drive but we noticed that there were things 
that did not jive.  The computer name it was using was MININT based not the one 
we designated when prompted for the boot passphrase and recovery data was not 
getting to the mbam server completely.  I do not think that pre-provisioning 
was designed with mbam in mind.

If anyone can tell me if I missed something in the TS that would allow us to 
have proper data transfer I may  reconsider putting the MBAM based encryption 
back in the process.  But for now all we do is enable TPM and then install MBAM 
and let GPO take over later.

Thank You,



Roger Truss
[email protected]<mailto:[email protected]>
h (920) 456-8302
c (920) 203-0625

On Tue, Nov 25, 2014 at 12:07 AM, 
<[email protected]<mailto:[email protected]>> 
wrote:
As of MBAM v2.5 there are two roles that matter:
Helpdesk: Need domain + username to be valid against a volume id, then are able 
to access the recovery password
Administrator: only needs volume id, then can access the recovery password.
Drop your “helpdesk” users into the Administrator group that was specified when 
you installed MBAM.

FYI, if you are in the admin group and do specify a domain\user that is not 
valid for the key, it will not allow you to access it.
You will have to specify only the volume key, to gain access.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] 
On Behalf Of Krueger, Jeff
Sent: Thursday, November 20, 2014 16:59
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

Ah that’s due to the helpdesk role requirements, I don’t know off hand the 
different roles and settings, but here our techs have to have a user ID to 
lookup the key, but admins have a higher level role which can lookup the 
password based on the Key ID alone.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Townsend, Robbie
Sent: Thursday, November 20, 2014 4:43 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

I’ve tried that. I think the root issue with the recovery server is the key is 
retrieved by a user or the help desk and they have to enter a domain and user 
name of a user who logged into the machine, and since with NDJ machines a user 
has never logged in with domain credentials. I was hoping someone might know 
of a way around the domain user requirement

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Krueger, Jeff
Sent: Thursday, November 20, 2014 4:36 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

Well the GPOs are really just setting reg keys to tell the MBAM client what 
server to get policy from and upload compliance info. So you should be able to 
do a reg import during your TS

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Townsend, Robbie
Sent: Thursday, November 20, 2014 4:32 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

A little off topic from OSD, but was wondering if anyone knows of a way to use 
a Bitlocker key recovery server for non-domain joined machines? I’ve seen 
someone’s idea of joining it to the domain, do the encryption, let it get the 
GPO’s and upload the key, then disjoin it, but that’s not really feasible so 
wanted to see if anyone knew some tricks.

Thanks

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Krueger, Jeff
Sent: Thursday, November 20, 2014 4:25 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

Because we’re using cctk in WinPE, that step is just installing the driver it 
needs to communicate with the bios.  Sometime I’d like to get it integrated in 
the boot image itself.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Marcum, John
Sent: Thursday, November 20, 2014 4:20 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

What is the enable HAPI step doing?

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Krueger, Jeff
Sent: Thursday, November 20, 2014 3:14 PM

To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

The pre-provisioning step will start encrypting the hard drive during WinPE, 
encrypts with used space only, so that as it lays the image down on the device 
it’s encrypted as it goes.  The pre-provisioning step takes less than 10 secs 
on average.

We then install MBAM later in the TS and don’t enable bitlocker until the end, 
which just turns the protectors on.  MBAM will set a recovery key and save to 
the db after the fact.

This shaved over an hour off the time it takes to image and fully encrypt

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Marcum, John
Sent: Thursday, November 20, 2014 3:40 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

I am using CCTK to deal with the TPM before MBAM installs. What does the 
bitlocker pre-provisioning step do? Where do you put it in the TS?

Here's what I am doing. As you can see I've tried a couple of different ways to 
handle this and none work. The "Encrypt Hard Drive" steps are the script from 
TechNet (StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg 
/RemoveRegFile:RemoveMBAMRegEntries.reg /WaitForEncryption:false) now I am 
trying with the built-in Enable Bitlocker step. I'll know soon if that one 
works.




From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Krueger, Jeff
Sent: Thursday, November 20, 2014 1:06 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] RE: Error Installing MBAM in TS

If the TPM is not already turned on MBAM will turn it on then force a restart, 
this breaks the TS cause it can’t recover the TS from an unexpected shutdown. 
We’ve found no way to block the reboot that MBAM causes, so we use the Dell and 
HP bios config utilities to ensure the TPM is on and activated at the beginning 
of the TS process.

Also look into pre-provisioning bitlocker, saves a huge amount of time.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Marcum, John
Sent: Thursday, November 20, 2014 1:17 PM
To: [email protected]<mailto:[email protected]>
Subject: [MDT-OSD] Error Installing MBAM in TS

Has anyone ever had problems installing the MBAM client in a task sequence? It 
seems like it's completing the install then rebooting and that's breaking it.

Next I kick off a script to start encryption (script from TechNet blog) and 
that has been for a very long time even though I added the switch 
/waitforencryption:false







Running "C:\WINDOWS\System32\msiexec.exe" /i 
"C:\_SMSTaskSequence\Packages\PS100156\x64\MBAMClient.msi" /quiet /norestart 
/l* "C:\WINDOWS\logs\MBAM x64 2.0 install.log" with 32bitLauncher execmgr       
       11/20/2014 11:31:40 AM         1172 (0x0494)
Created Process for the passed command line   execmgr              11/20/2014 
11:31:41 AM               1172 (0x0494)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SoftDistProgramStartedEvent
{
                AdvertisementId = "PS1201B9";
                ClientID = "GUID:F63A2391-347D-484D-BEED-2A00EDDA1429";
                CommandLine = "\"C:\\WINDOWS\\System32\\msiexec.exe\" /i 
\"C:\\_SMSTaskSequence\\Packages\\PS100156\\x64\\MBAMClient.msi\" /quiet 
/norestart /l* \"C:\\WINDOWS\\logs\\MBAM x64 2.0 install.log\"";
                DateTime = "20141120173141.014000+000";
                MachineName = "BHM-L-919JD12";
                PackageName = "PS100156";
                ProcessID = 1584;
                ProgramName = "MBAM x64 Client Install";
                SiteCode = "PS1";
                ThreadID = 1172;
                UserContext = "NT AUTHORITY\\SYSTEM";
                WorkingDirectory = "C:\\_SMSTaskSequence\\Packages\\PS100156\\";
};
                execmgr              11/20/2014 11:31:41 AM               1172 
(0x0494)
Raised Program Started Event for Ad:PS1201B9, Package:PS100156, Program: MBAM 
x64 Client Install    execmgr                11/20/2014 11:31:41 AM             
  1172 (0x0494)
Service startup.                execmgr              11/20/2014 11:31:49 AM     
          2564 (0x0A04)
Request in running or report status found for program MBAM x64 Client Install 
package PS100156            execmgr                11/20/2014 11:31:51 AM       
        2564 (0x0A04)
Service stopped while program MBAM x64 Client Install is running           
execmgr              11/20/2014 11:31:51 AM               2564 (0x0A04)
OpenProcess failed for process 2828, error 80070057      execmgr              
11/20/2014 11:31:51 AM               2564 (0x0A04)
Can not continue monitoring the program after service restart because the 
process exited.  Assume failed          execmgr                11/20/2014 
11:31:51 AM               2564 (0x0A04)
Looking for MIF file to get program status            execmgr              
11/20/2014 11:31:51 AM               2564 (0x0A04)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SoftDistProgramUnexpectedRebootEvent
{
                AdvertisementId = "PS1201B9";
                ClientID = "GUID:F63A2391-347D-484D-BEED-2A00EDDA1429";
                DateTime = "20141120173151.477000+000";
                MachineName = "BHM-L-919JD12";
                PackageName = "PS100156";
                ProcessID = 1512;
                ProgramName = "MBAM x64 Client Install";
                SiteCode = "PS1";
                ThreadID = 2564;
};
                execmgr              11/20/2014 11:31:51 AM               2564 
(0x0A04)
Raised Program Unexpected Reboot Event for Ad:PS1201B9, Package:PS100156, 
Program: MBAM x64 Client Install                execmgr              11/20/2014 
11:31:51 AM               2564 (0x0A04)
Execution Request for advert PS1201B9 package PS100156 program MBAM x64 Client 
Install state change from Running to Completed         execmgr              
11/20/2014 11:31:51 AM               2564 (0x0A04)
Service startup.                execmgr              11/20/2014 11:32:40 AM     
          2548 (0x09F4)

________________________________
        John Marcum
            MCITP, MCTS, MCSA
              Desktop Architect
   Bradley Arant Boult Cummings LLP
________________________________



________________________________

Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.

________________________________

CONFIDENTIALITY NOTICE: This email contains information from the sender that 
may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected 
from disclosure. This email is intended for use only by the person or entity to 
whom it is addressed. If you are not the intended recipient, any use, 
disclosure, copying, distribution, printing, or any action taken in reliance on 
the contents of this email, is strictly prohibited. If you received this email 
in error, please contact the sending party by reply email, delete the email 
from your computer system and shred any paper copies.

Note to Patients: There are a number of risks you should consider before using 
e-mail to communicate with us. See our Privacy & Security page on 
www.henryford.com<http://www.henryford.com> for more detailed information as 
well as information concerning MyChart, our new patient portal. If you do not 
believe that our policy gives you the privacy and security protection you need, 
do not send e-mail or Internet communications to us.