Microsoft BitLocker Administration and Monitoring (MBAM) Release Notes

To search these release notes, press Ctrl+F.

Read these release notes thoroughly before you install Microsoft BitLocker Administration and Monitoring (MBAM). These release notes contain information that is required to successfully install Microsoft BitLocker Administration and Monitoring and contain information that is not available in the product documentation. If there is a difference between these release notes and other Microsoft BitLocker Administration and Monitoring documentation, the latest change should be considered authoritative. These release notes supersede the content included with this product.

Providing Feedback

Tell us what you think about our documentation for MBAM by giving us your feedback and comments. Send your documentation feedback to mdopdocs@microsoft.com.

MBAM Setup Issues

This section contains release notes for Microsoft BitLocker Administration and Monitoring Setup and installation.

If You Select the “Use a certificate to encrypt the network communication” Option During Setup, Existing Database Connections and Dependent Applications Can Stop Functioning

After you install either the Recovery and Hardware or the Compliance Status Database features, you can then configure Microsoft BitLocker Administration and Monitoring for Encrypted network communication. If you select this option, Microsoft BitLocker Administration and Monitoring Setup configures the instance of the SQL Server Database Engine to use Secure Sockets Layer (SSL) for communication between the applicable database and both the Administration and Monitoring Server and the Compliance and Audit Report Server features.

  • If the instance of the SQL Server Database Engine was not already configured to use SSL, Setup configures it to use SSL. This can prevent applications that are trying to use non-MBAM databases on the instance of the SQL Server Database Engine from communicating with their databases.

  • If the instance of the SQL Server Database Engine was already configured to use SSL, it is configured to use the certificate that the user selected during setup. If this certificate differs from the one that was already in use, it can prevent applications that use SQL Server databases on the instance of the SQL Server Database Engine from running.

WORKAROUND: None

MBAM Setup Fails During Installation When You Use a Local Administrator Account

Microsoft BitLocker Administration and Monitoring Setup fails when you use a local Administrator account. The log file contains the following information:

Locating group 'MBAM Report Users'
Adding <GUID>' to group 'MBAM Report Users'
Locating group 'MBAM Recovery and Hardware DB Access'
Adding 'S-1-5-20' to group 'MBAM Recovery and Hardware DB Access'
Exception: A new member could not be added to a local group because the member has the wrong account type.
 
  StackTrace:    at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
   at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p)
   at Microsoft.Windows.Mdop.BitlockerManagement.Setup.Groups.CreateGroupsDeferred(Session session)
  InnerException:Exception: A new member could not be added to a local group because the member has the wrong account type.
 
    InnerException:StackTrace:    at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Add(String bstrNewItem)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes)
CustomAction MbamCreateGroupsDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 11:41:29: InstallExecute. Return value 3.

WORKAROUND: Use a domain account with administrative credentials on the server computer when you install Microsoft BitLocker Administration and Monitoring.

Setup Reconfigures the Instance of the SQL Server Database Engine to Not Use SSL If You Select “Do not encrypt network communication”

When you install either the Recovery and Hardware or the Compliance Status Database features, Microsoft BitLocker Administration and Monitoring Setup lets you configure Microsoft BitLocker Administration and Monitoring by selecting Encrypted network communication. If you decide not to encrypt the network communication, Setup reconfigures the instance of the SQL Server Database Engine to not use SSL.

  • If the instance of the SQL Server Database Engine was already configured to use SSL, Microsoft BitLocker Administration and Monitoring Setup disables SSL on the instance of the SQL Server Database Engine. This changes the security of communication between applications and any non-MBAM databases that they use on the instance of the SQL Server Database Engine.

WORKAROUND: None
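
Because neither this issue nor the earlier "Use a certificate to encrypt the network communication" issue has a workaround, recording the instance's SSL settings before Setup and comparing them afterwards shows what Setup changed. The following script is an added example, not part of MBAM; it assumes the change is visible in the instance's ForceEncryption and Certificate registry values (where SQL Server stores its protocol encryption settings), and the snapshot path is hypothetical.

```powershell
# Added example (not part of MBAM): record the SSL settings of each local SQL Server
# instance so that a change made by MBAM Setup is visible afterwards.
param(
    [ValidateSet('Save', 'Compare')][string]$Mode = 'Save',
    [string]$SnapshotPath = "$env:TEMP\sql-ssl-snapshot.xml"   # hypothetical location
)

function Get-SqlInstanceSslState {
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps each instance name to its instance ID.
    $map = Get-Item -Path "$root\Instance Names\SQL" -ErrorAction Stop
    foreach ($name in $map.GetValueNames()) {
        $id  = $map.GetValue($name)
        $net = Get-ItemProperty -Path "$root\$id\MSSQLServer\SuperSocketNetLib" -ErrorAction Stop
        [pscustomobject]@{
            Instance        = $name
            ForceEncryption = [int]$net.ForceEncryption   # 1 = server requires encryption
            CertThumbprint  = [string]$net.Certificate    # empty = no certificate selected
        }
    }
}

$current = @(Get-SqlInstanceSslState)
if ($Mode -eq 'Save') {
    # Run with -Mode Save before starting MBAM Setup.
    $current | Export-Clixml -Path $SnapshotPath
    $current | Format-Table -AutoSize
}
else {
    # Run with -Mode Compare after Setup; every row shown is a changed setting.
    $before = @(Import-Clixml -Path $SnapshotPath)
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $current `
        -Property Instance, ForceEncryption, CertThumbprint
    if ($diff) { $diff | Sort-Object Instance, SideIndicator | Format-Table -AutoSize }
    else       { 'No SSL setting changed on any instance.' }
}
```

In the comparison output, rows marked <= are the values from before Setup and rows marked => are the current values.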

Missing Prerequisite for the IIS Management Scripts and Tools Web Server Feature

Microsoft BitLocker Administration and Monitoring Setup is dependent on the IIS Management Scripts and Tools web server feature, but it is not an enforced prerequisite. Server setup lets you install Microsoft BitLocker Administration and Monitoring when this feature is missing; however, the MBAM VSS Writer backup service later starts and then stops because it cannot locate the Windows Management Instrumentation (WMI) provider for Internet Information Services (IIS). There is no message for this condition except in the event log. Installing Microsoft BitLocker Administration and Monitoring without IIS Management Scripts and Tools causes backup operations for Microsoft BitLocker Administration and Monitoring not to run.

WORKAROUND: Ensure that the IIS Management Scripts and Tools web server feature is installed before you start the Microsoft BitLocker Administration and Monitoring Setup.

Setup Stops Responding During “Installing selected features” When Setup Is Configured to Use a Certificate

Microsoft BitLocker Administration and Monitoring Setup stops responding during the Installing selected features phase of setup. This occurs during installation of the Recovery and Hardware Database or the Compliance Status Database feature when you have selected the Use a certificate to encrypt the network communication option and the instance of the SQL Server Database Engine cannot access the certificate that was specified during setup.

WORKAROUND: Update the permissions on the certificate so that the Windows service for the applicable instance of the SQL Server Database Engine has access to it, or change the account under which the instance of the SQL Server Database Engine runs so that the database engine can use the certificate. To determine the permissions for the certificate, at the command line, type the following command:

certutil -v -store MY
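
The same check narrowed to one certificate, as an added example that is not part of MBAM: it lists who can read the certificate's private key file next to the account the SQL Server service runs under. It assumes Windows PowerShell 5.1 run elevated, an RSA key stored on disk, and the default instance service name MSSQLSERVER (a named instance uses MSSQL$<InstanceName>).

```powershell
# Added example (not part of MBAM): show the ACL of a certificate's private key file
# beside the SQL Server service account. Thumbprint and service name are caller input.
function Get-CertificateKeyAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$ServiceName = 'MSSQLSERVER'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key here." }

    # Works for both CNG keys (RSACng) and legacy CSP keys (RSACryptoServiceProvider).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw 'The certificate does not have an accessible RSA private key.' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    }
    else {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys are stored in one of these two directories, depending on the provider.
    $file = 'RSA\MachineKeys', 'Keys' |
        ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto\$_" $keyName } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $file) { throw "Key file '$keyName' not found; the key may be held in hardware." }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    # One row per access rule; compare Identity with ServiceAccount and its groups.
    (Get-Acl -LiteralPath $file).Access | ForEach-Object {
        [pscustomobject]@{
            ServiceAccount = $svc.StartName
            Identity       = $_.IdentityReference.Value
            Rights         = $_.FileSystemRights
            Type           = $_.AccessControlType
        }
    }
}
```

The service account needs an Allow rule with at least Read, granted either directly or through a group it belongs to; the function lists the rules and leaves that comparison to the reader because built-in accounts are named differently in the service configuration and in the ACL.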

MBAM Setup Stops When You Install SQL Server Reporting Services

During Microsoft BitLocker Administration and Monitoring installation, when you select an instance of SQL Server Reporting Services (SSRS) and the instance of SSRS is not available or configured incorrectly, the Microsoft BitLocker Administration and Monitoring Setup might pause for up to 1 minute while attempting to communicate with the instance of SSRS.

WORKAROUND: Wait for at least 1 minute for Microsoft BitLocker Administration and Monitoring Setup to resume while the Setup program attempts to contact the instance of SSRS.

Administration and Monitoring Server Does Not Run After Setup

After Microsoft BitLocker Administration and Monitoring Setup successfully installs the Administration and Monitoring Server feature, Microsoft BitLocker Administration and Monitoring displays errors when attempting to access the Management Console. This issue occurs for one of the following reasons:

  • One or more prerequisites on the Administration and Monitoring Server were removed after the Microsoft BitLocker Administration and Monitoring installation.

  • One or more prerequisites were installed on the server and later removed before running Microsoft BitLocker Administration and Monitoring Setup.

WORKAROUND: Review the Microsoft BitLocker Administration and Monitoring documentation and confirm that all Microsoft BitLocker Administration and Monitoring prerequisites are installed.

When you click a documentation link during setup and then close the Setup program by clicking Cancel or Finish after Setup has successfully finished, an error message states that the application has encountered an error. The problem is caused by an access violation error in the Windows Task Scheduler.

WORKAROUND: None. You can ignore this error.

Failed MBAM Setup Does Not Remove New Databases

If the Microsoft BitLocker Administration and Monitoring Setup fails, Setup might fail to remove the newly created databases. This can cause failures during subsequent installations.

WORKAROUND: Choose a different name for the database instance during the subsequent installation.

Setup Does Not Recognize Valid Network Load-Balancing Cluster Certificates

During installation of the Administration and Monitoring Server feature of Microsoft BitLocker Administration and Monitoring with the network encryption option selected, the cluster certificate is not recognized as a valid certificate. The certificate is recognized as valid when the certificate for communication with the database is installed, but is rejected for communication by the load-balancing cluster.

WORKAROUND: Confirm that the certificate revocation list (CRL) associated with the certificate is accessible or use a certificate that does not require validation by using the CRL.
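
One way to confirm that revocation checking works for the certificate before running Setup, as an added example that is not part of MBAM: the function builds the certificate chain with an online revocation check and reports whether the revocation status could be determined. It assumes the certificate is in the local computer's Personal store and that the thumbprint is supplied by the caller.

```powershell
# Added example (not part of MBAM): test whether revocation checking succeeds for a
# certificate in the local computer store.
function Test-CertificateRevocation {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # CRL distribution points (OID 2.5.29.31) published in the certificate, as text.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(none)' }

    # Build the chain in the machine context and force an online revocation check.
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $policy = $chain.ChainPolicy
    $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $policy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $valid = $chain.Build($cert)

    # Each chain status entry carries one flag; these two mean the CRL was not usable.
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $unknown = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation

    [pscustomobject]@{
        Subject           = $cert.Subject
        ChainValid        = $valid
        RevocationChecked = -not (($status -contains $unknown) -or ($status -contains $offline))
        ChainStatus       = ($status -join ', ')
        CrlDistribution   = $cdpText
    }
}
```

Windows caches downloaded CRLs, so a successful result can come from the cache, and the check uses the network and proxy settings of the account that runs it, which may differ from the account Setup or the service uses.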

Client Issues

This section contains release notes that are relevant to the Microsoft BitLocker Administration and Monitoring client.

Client Takes 24 Hours to Check Hardware Compatibility State After Initial Check

After the Microsoft BitLocker Administration and Monitoring client is installed for the first time, the client receives the hardware status from the server, and then sets a timer based on the current state. After this timer expires, the client checks the server again. Depending on the computer’s initial status, it can take between 24 hours and one week to check again:

  • If the computer is unknown: 24 hours from the first check

  • If the computer is incompatible: 7 days from the first check

  • If the computer is compatible: 24 hours from the first check

WORKAROUND: To force an immediate re-check of the computer’s hardware compatibility state, use a registry editing tool such as RegEdit to delete the following registry value, and then restart the MBAM Client service on the client computer:

HKCU\Software\Microsoft\MBAM

Client Window is Blank After the Computer Is Locked

If the MBAM Client window is open when a computer is locked, the window can appear blank when the user unlocks the computer.

WORKAROUND: Use this Knowledge Base article to prevent the client window from appearing blank: Article 2425534 (https://go.microsoft.com/fwlink/?LinkID=232521).

Management Console: Manage TPM

This section contains release notes that are relevant to the Manage TPM section of the Management Console.

Hardware Compatibility Issues

This section contains release notes that are relevant to the Hardware Compatibility section of the Management Console.

Hardware Compatibility Page Takes a Long Time to Display

The Microsoft BitLocker Administration and Monitoring Hardware Compatibility page can take a long time to display all hardware models that have been collected by the Microsoft BitLocker Administration and Monitoring agent if there are more than 1000 computer models in the organization.

WORKAROUND: When managing a large number of computer models, the hardware administrator can use the Advanced Search option on the Hardware Compatibility page to receive faster Search results. By clicking Advanced Search, the administrator can specify the manufacturer and model, BIOS Maker and BIOS version, TPM maker and TPM version, and Capability status that will be returned in the Search results. This returns a smaller and more focused list of computers in less time.

Reports Issues

This section contains release notes that are relevant to the Reports feature of MBAM.

Reports Might Not Render Any Data

The Reports caching feature caches data in 6-hour intervals. Therefore, it could take as many as 6 hours for any reporting data to become visible in the Reports after they are installed for the first time.

WORKAROUND: None

Enterprise Compliance Reports Are Missing Recent Data

By default, the Microsoft BitLocker Administration and Monitoring Enterprise Compliance Report is created from a SQL Server Agent job that runs every 6 hours. The frequency of this report can be configured, but the report cannot provide data more recent than the last SQL Server Agent job.

WORKAROUND: If more recent data is required, for example to view compliance information about a specific computer or user, you can run the Computer Compliance Report. This report is not dependent on a SQL Server Agent job to create the report.

The links in the Microsoft BitLocker Administration and Monitoring Compliance and Audit Reports page for Enterprise Compliance Report, Computer Compliance Report, Hardware Audit Report and Recovery Audit Report use the short name instead of DNS names. This generates an error when the short name cannot be resolved.

WORKAROUND: When you receive this error message, you must update the Web.config for the Management Console website. By default, it is found here:

C:\inetpub\BitLocker Management Solution\Help Desk Website

Find the following line in the file:

<add key="Microsoft.Mbam.Reports.Url" value="https://<ComputerName>/ReportServer/Pages/ReportViewer.aspx?/Malta+Compliance+Reports/"/>

In the Value section, change <ComputerName> to the fully qualified domain name for the server hosting the reports.
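
The edit described in the steps above, as an added example that is not part of MBAM: the script confirms that the fully qualified domain name resolves, saves a copy of Web.config, and replaces only the host part of Microsoft.Mbam.Reports.Url. The parameter names and the .bak copy are assumptions; the folder is the default location given above.

```powershell
# Added example (not part of MBAM): point Microsoft.Mbam.Reports.Url at the report
# server's fully qualified domain name. $ReportServerFqdn is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$ReportServerFqdn,
    [string]$SiteRoot = 'C:\inetpub\BitLocker Management Solution\Help Desk Website'
)
$ErrorActionPreference = 'Stop'

# The original error was a name that could not be resolved, so check the new one first.
$null = [System.Net.Dns]::GetHostEntry($ReportServerFqdn)

$configPath = Join-Path $SiteRoot 'Web.config'
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true            # keep the file's layout intact
$xml.Load($configPath)

$node = $xml.SelectSingleNode("//appSettings/add[@key='Microsoft.Mbam.Reports.Url']")
if (-not $node) { throw "Microsoft.Mbam.Reports.Url not found in $configPath" }

$value  = $node.GetAttribute('value')
$oldUrl = [uri]$value
if ($oldUrl.Host -eq $ReportServerFqdn) {
    'The URL already uses this name; nothing changed.'
    return
}

# Replace only the host; scheme, port, path and query stay exactly as they were.
$prefix = "$($oldUrl.Scheme)://$($oldUrl.Host)"
if (-not $value.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Unexpected URL form, not edited: $value"
}
$newValue = "$($oldUrl.Scheme)://$ReportServerFqdn" + $value.Substring($prefix.Length)

Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force
$node.SetAttribute('value', $newValue)
$xml.Save($configPath)
"Microsoft.Mbam.Reports.Url is now $newValue"
```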

Reports Are Missing Data when an End Date is Specified

When you select a date range in a report, the results for the actual end date are not included in the report output.

WORKAROUND: Add an additional day to the End Date filter to view the expected results.