Thursday 24 April 2014

MBAM 2.0 SP1 - Things Learned + MBAM Supported Computer Query

Has been a while since I last posted here, but it just seems like all the things that I come across are usually SCCM related or desktop related, even though I am a server guy, but here it is.

We have been using Microsoft Bitlocker Administration and Monitoring (MBAM) 2.0  for a while now and it has been working just fine, however the new SP1 came out not too long ago, and it was time for the update. If you have worked with MBAM before, you will know that it isn't a simple upgrade process, and is actually a full uninstall and reinstall, but you can keep your database, which is a good thing obviously as it contains all of your recovery information. I struggled for 2 days with the upgrade, and I figure I best post here all the places where I went wrong, and all the things learned.

First, I will explain our environment. Our initial MBAM 2.0 configuration was split over two servers, server1 was the web interface for all of the MBAM functions, and server2 was actually out SCCM 2012 SP1 CU3 server, where we installed all of the other features, including the reports which used the same SSRS instance as SCCM did. During the upgrade we wanted to consolidate MBAM onto the same server as SCCM only, so that made things a little bit more interesting. In our small environment we have a single SCCM server and a few distribution points, and we DO NOT use SSL communication for our SCCM clients.

So first things first, installing MBAM 2.0 SP1 on the same server is very much possible, and you can even use the same port number as you had used for other functions, as long as you add a hostname during the installation that is different than what you have previously used, and ofcourse create a DNS alias for the hostname. I used the default port 443 for our configuration as we were using SSL for MBAM Client to MBAM server communication, and a hostname of mbam.domain.com

During the installation, one of the items that is installed is the Audit Reports, which allow you to track who has retrieved which key for which machine for auditing purposes. I have a service account that I use for all things SCCM, which is a domain admin to make things easier, so during the prompt for a username and password for Audit Reports section of the install, I used the same account just mentioned; however, the install always failed, with this line being found in the logs:

CustomAction InstallReportsDeferred returned actual error code 1603


If I chose not to install the reports, the installed always went through the process without any errors. I battled with this for almost two days, trying to figure out what is going on. I remembered that we had this issue before when upgrading from MBAM 1.0 to 2.0, and I remembered that it had something to do with permissions, so I tried all kinds of things to get this service account greater permissions then what it already had, with multiple changes in ADSI edit, changes to the computer account of SCCM, you name it, all to no avail. I tried to research as much as I could, and at one point, I found a thread where someone mentioned that the account used here should be an account dedicated just for MBAM reports. I created a new run of the mill account, entered that information during the prompt, and whola, the installed went without any issues! I think this problem may be specific to our environment as SSRS is already aware of our SCCM service account I was always trying to use, and since I am using the same SSRS server for MBAM, perhaps it tried to modify permissions for that account and SCCM wouldn't let it, I will never know, or care, as I got it working.

During the install I picked the default port 443 for communication and instead of server2.domain.com I entered mbam.domain.com for the hostname as that's the alias I wanted to use to access my MBAM webpages. When I tried to first login to MBAM helpdesk webpage, it would give me this error on the right frame of the page:
I did a quick search online which lead me to this KB from Microsoft. I commented out the DNS entry as explained in the example and restarted IIS and the error went away. I think this error has something to do with using hostname that doesn't match the actual server name, but regardless, this was the fix.
 
The final hurdle I had to face was to do with the MBAM Supported Computers Query. In MBAM 2.0 the query worked very well and only had the physical boxes which supported TMP listed in there, however, with SP1, it started showing all kinds of strange things, like our thin clients and virtual machines, despite the query saying to exclude those things. I compared the query from 2.0 to 2.0 SP1 and noticed that the placement of the TPM check was in a different location in the query, so I moved it to the same location as it used to be on the older version of MBAM and it fixed the problem, so I think it's a bug. This query also takes into account windows 8.1 for those who are using it.
 
This is the fixed query that worked for me:
 
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System        inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId        inner join SMS_G_System_OPERATING_SYSTEM_EXT on SMS_G_System_OPERATING_SYSTEM_EXT.ResourceID = SMS_R_System.ResourceId        inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId        left outer join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId  where ((SMS_G_System_OPERATING_SYSTEM.Version like "6.1.%"        and SMS_G_System_OPERATING_SYSTEM_EXT.SKU in (1,4,27,28,70,71))        or NOT (SMS_G_System_OPERATING_SYSTEM.Version like "6.0.%"        or SMS_G_System_OPERATING_SYSTEM.Version like "5.%"))        and SMS_G_System_COMPUTER_SYSTEM.DomainRole = 1        and SMS_G_System_COMPUTER_SYSTEM.Model not in ("Virtual Machine")        and SMS_G_System_TPM.SpecVersion >= "1.2"
Hope this helps someone if they are experiencing any of these issues, as the information out there is pretty slim.

 

24 comments:

  1. Hello, Dmitri.
    How can I find this query in the MBAM database? Is it behind a view?
    Thanks, Jack

    ReplyDelete
    Replies
    1. This query is within SCCM actually, if you choose MBAM SCCM integrated install, it will add the query right into your SCCM instance.

      Delete
  2. Just type "Write My Essay Cheap" in any search engine and enjoy thousands of results. At your disposal only experienced writers with diplomas and degrees. Get your paper done as fast as you need it! No more need to scroll through infinite pages with tips and recommendations, no more reading and triple check of the same text.

    ReplyDelete
  3. I have been facing a lot issues like these and cannot find a proper solution also understanding the technicalities is a bit hard for me. As I have a pending thesis for which I am looking for thesis writing services UK based that can complete my thesis with perfection as my PC is crashed. And after that I will contact you get myself out from this kind of trouble.

    ReplyDelete
  4. Hey, I am a new recruit in the department of IT in a company where you Buy Essay Service in San Francisco online. I have lately been facing problems with my MBAM software for adjusting the Windows system for the other employees. I have tried uninstalling it and installing it again, but it didn’t work. Do you think you can help me out with it?

    ReplyDelete
  5. Hi you have share new version which is used for computer learning because every student is eager to get online writing help from the expert writers of dissertation writing service

    ReplyDelete
  6. Fortune Jackets Care for your Fashion Requirements. We Uphold the Premium Quality Custom Deigns Leather jackets. Visit My site Suede Hooded Moto Brown Leather Jacket Thanks.

    ReplyDelete
  7. I've had a lot of problems like this and haven't been able to find a good answer. Also, comprehending the subtleties is difficult for me. As I have a pending thesis, I'm looking for Hire Dissertation Chapter Writers in the United Kingdom that can complete my thesis flawlessly, as my computer has crashed. After that, I'll contact you to help me get out of this situation.

    ReplyDelete
  8. 888sport Casino Review & Promo Code - JTM Hub
    Read our 888sport Casino review for all 구미 출장마사지 the details, including 경기도 출장샵 the 고양 출장샵 latest 서산 출장샵 promo code, 구미 출장안마 promotions, games, and banking details. Rating: 4.3 · ‎Review by PJ Paramchuk

    ReplyDelete
  9. I like to read this type of forum.This is really helpful and informative for me.If you are looking to buy an online high school gpa calculator uk servic.You can easily contact with me.

    ReplyDelete
  10. Your blog is amazing. I visit here first time and happy to get knowledge from here looking for Native app development services to full fill my business need.

    ReplyDelete
  11. Have got to have the best dissertation services from the aviation management thesis topics and they have catered to the best of my needs.

    ReplyDelete
  12. You simply cannot fathom how much information I gathered from reading this blog.
    Kraft Die Cut Boxes

    ReplyDelete
  13. Really nice Article. You can read more at No1AssignmentHelp.Com about Assignment Help, essay, dissertation, and homework writing.

    ReplyDelete
  14. I am truly impressed by the game app development company expertise in crafting engaging and immersive gaming experiences. Their attention to detail, innovative ideas, and skilled development team have resulted in some truly exceptional games. I can't wait to see what they come up with next! Keep up the fantastic work!

    ReplyDelete
  15. I am thoroughly impressed by the iPhone app development services provided by this company. Their expertise in creating seamless and intuitive apps for the iOS platform is remarkable. The attention to detail and user experience truly sets their apps apart. Highly recommended for anyone looking to create an exceptional iPhone app!

    ReplyDelete
  16. USA Digitizer said...
    Thanks for this computer quary this is very nice and this is very helpful for me and other people and once again thanks for posting this.

    ReplyDelete
  17. This comment has been removed by the author.

    ReplyDelete
  18. I am not aware of anything like MBM, always getting through, always getting the things right and majoring the face and mouth surgery purposes. Likewise I am worry about the Best Cosmetic Clinic In Dubai which I have done last month.

    ReplyDelete
  19. With Thomas's expertise, students can enhance the overall structure and flow of their Dissertation Proposal Services, creating a cohesive and engaging reading experience.

    ReplyDelete
  20. Hey, I'm Thomas, a professional writer offering assignment writing services. Through Do My Online Class, I aim to assist students in achieving academic success with meticulously crafted class taker.

    ReplyDelete
  21. In the academic world, students often seek external help for their essay assignments. While there are numerous options available, two popular choices are essay writing services and freelancers. The collective efforts of their specialized teams, along with streamlined processes, enable them to provide quality Law Assignment Writing Help at competitive prices.

    ReplyDelete