Release Notes for MBAM 2.0 SP1
Updated: December 2, 2013
Applies To: Microsoft BitLocker Administration and Monitoring 2.0 SP1
To search these release notes, press Ctrl+F.
Read these release notes thoroughly before you install Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). These release notes contain information that is required to successfully install BitLocker Administration and Monitoring 2.0 SP1, and they contain information that is not available in the product documentation. If there is a difference between these release notes and other MBAM 2.0 SP1 documentation, the latest change should be considered authoritative. These release notes supersede the content that is included with this product.
MBAM 2.0 SP1 known issues
This section contains known issues for MBAM 2.0 SP1.
Upgrade of MBAM with Configuration Manager Integrated topology to MBAM 2.0 SP1 requires manual removal of Configuration Manager objects
If you are using MBAM with Configuration Manager, and you want to upgrade to MBAM 2.0 SP1, you must manually remove all of the Configuration Manager objects that were installed into Configuration Manager as a part of the MBAM installation. The objects that you must manually remove are the MBAM reports, MBAM Supported Computers collection, and the BitLocker Protection Configuration Baseline and its associated configuration items.
Workaround: Upgrade the Configuration Manager objects by completing the following steps:
Back up existing compliance data to an external file, as described in the following steps.
Note All existing BitLocker compliance data will be deleted when you delete the existing baseline in Configuration Manager. The data will be regenerated over time, but it is recommended that you save a copy of the data in case you need the compliance data for a particular computer before the compliance data has been regenerated.
To save historical BitLocker compliance data, open the BitLocker Enterprise Compliance Details Report.
Click the Save icon in the report and select Excel.
The saved report will contain data such as the computer name, domain name, compliance status, exemption, device users, compliance status details, and last contact date/time. Some information, such as detailed volume information and encryption strength, are not saved.
- To save historical BitLocker compliance data, open the BitLocker Enterprise Compliance Details Report.
Uninstall MBAM from the server by using the MBAM installer.
Manually delete the following objects from Configuration Manager:
MBAM Supported Computers collection
BitLocker Protection baseline
BitLocker Operating System Drive Protection configuration item
BitLocker Fixed Data Drives Protection configuration item
- MBAM Supported Computers collection
Manually delete the MBAM Reports folder in the Configuration Manager SQL Server Reporting Services site. To do this:
Use Internet Explorer to browse to the reporting services point, for example, http://<yourcmserver>/reports.
Click the appropriate Configuration Manager site code link.
Delete the MBAM folder.
- Use Internet Explorer to browse to the reporting services point, for example, http://<yourcmserver>/reports.
Use the MBAM Server installer to reinstall the Configuration Manager Integration objects. The client computers will begin to upload BitLocker compliance data again over time.
Submit button on Self-Service Portal does not work in Internet Explorer 10
When you use Internet Explorer 10 to access the Administration and Monitoring Website, the Submit button on the website does not work.
Workaround: On the server where you installed the Administration and Monitoring Website, install Hotfix for ASP.NET browser definition files.
International domain names are not supported
MBAM 2.0 SP1 does not support international domain names.
Reports in the Administration and Monitoring website display a warning if SSL is not configured in SSRS
If SQL Server Reporting Services (SSRS) was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then browse to the Administration and Monitoring website and select a report, the following message displays: “Only Secure Content is Displayed.”
Workaround: To correct this issue, configure SSL in Reporting Services Configuration Manager on the MBAM server where SQL Server Reporting Services is installed. Uninstall and then reinstall the Administration and Monitoring Server website.
Clicking Back in the Compliance Summary report might create an error
If you drill down into a Compliance Summary report, and then click the Back link in the SSRS report, an error might occur.
Used Space Only Encryption does not work correctly
If you encrypt a computer for the first time after you install the MBAM Client, and you have set a Group Policy Object to implement Used Space Only Encryption, MBAM erroneously encrypts the entire disk instead of encrypting only the disk’s used space. If a computer is already encrypted with Used Space Only Encryption before you install the MBAM Client, and you have set the same Used Space Only Encryption Group Policy Object, MBAM recognizes the setting and reports the encryption correctly in the compliance reports.
Cipher strength displays incorrectly in the Computer Compliance report
If you do not set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object, the Computer Compliance report in the Configuration Manager integrated topology always displays Unknown for the cipher strength, even when the cipher strength uses the default of 128-bit encryption. The report displays the correct cipher strength if you set a specific cipher strength in the Group Policy Object.
Workaround: Always set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object.
Compliance Status Distribution By Drive Type displays old data after you update configuration items
After you update MBAM configuration items in System Center 2012 Configuration Manager, the Compliance Status Distribution By Drive Type bar chart on the BitLocker Enterprise Compliance Dashboard shows data that is based on information from old versions of the configuration items.
Workaround: None. Modification of the MBAM configuration items is not supported, and the report might not appear as expected.
Enhanced Security Configuration may cause reports to display incorrectly
If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an Access Denied message might appear when you try to view reports on the MBAM Server. By default, Enhanced Security Configuration is turned on to protect the server by decreasing the server’s exposure to potential attacks that can occur through web content and application scripts.
Workaround: If the Access Denied message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which Enhanced Security Configuration is not enabled.
MBAM Server installation fails when you upgrade from SQL Server 2008 to SQL Server 2012
If you upgrade from SQL Server 2008 to SQL Server 2012, and then try to install the Compliance and Audit Database or the Recovery Database, the installation fails and rolls back. The failure occurs because the required SQLCMD.exe file was removed during the SQL Server upgrade, and it cannot be found by the MBAM installer. The MSI log file lines may look similar to the following:
RunDbInstallScript Recovery Db CA: BinDir - E:\MSSQL\100\Tools\Binn\SqlCmd.exe
RunDbInstallScript Recovery Db CA: dbInstance - xxxxxx\I01
RunDbInstallScript Recovery Db CA: sqlScript- C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sql
RunDbInstallScript Recovery Db CA: dbName- MBAM_Recovery_and_Hardware
RunDbInstallScript Recovery Db CA: defaultFileName- MBAM_Recovery_and_Hardware
RunDbInstallScript Recovery Db CA: defaultDataPath- F:\MSSQL\MSSQL10.I01\MSSQL\DATA\
RunDbInstallScript Recovery Db CA: defaultLogPath- K:\MSSQL\MSSQL10.I01\MSSQL\Data\
RunDbInstallScript Recovery Db CA: scriptLogPath - C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log
-e -E -S xxxxxxx\I01 -i "C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sql" -v DatabaseName="MBAM_Recovery_and_Hardware" DefaultFileName="MBAM_Recovery_and_Hardware" DefaultDataPath="F:\MSSQL\MSSQL10.I01\MSSQL\DATA\" DefaultLogPath="K:\MSSQL\MSSQL10.I01\MSSQL\Data\" -o "C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log"
RunDbInstallScript Recovery Db CA:Starting to run the Recovery database install script
RunDbInstallScript Recovery Db CA: Sqlcmd log file is located in C:\Users\xxxxxx\AppData\Local\Temp\\InstallKeyRecoveryDatabase.log
RunDbInstallScript Recovery Db CA Exception: Install Recovery database Custom Action command line output Exception: The system cannot find the file specified
The MBAM Server Windows Installer is hardcoded to find the SQLCMD.exe path by looking in the Path string value in the registry under HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup. The key is still present during the migration from SQL Server 2008 to SQL Server 2012, but the path that is referenced by the data value does not contain the SQLCMD.exe file, because the SQL upgrade process removed the file.
Workaround: Temporarily rename the HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup path string value to Path_old, and then run Windows Installer on the MBAM Server again. When the installation completes successfully and creates the databases in SQL Server 2012, rename Path_old to Path.
ConceptsAbout MBAM 2.0 SP1
You can learn more about MDOP in the TechNet Library, search for troubleshooting on the TechNet Wiki, or follow us on Facebook or Twitter.