Release Notes for MBAM 2.0

To search these release notes, press Ctrl+F.

Read these release notes thoroughly before you install Microsoft BitLocker Administration and Monitoring (MBAM) 2.0. These release notes contain information that is required to successfully install BitLocker Administration and Monitoring 2.0 and contain information that is not available in the product documentation. If there is a difference between these release notes and other MBAM 2.0 documentation, the latest change should be considered authoritative. These release notes supersede the content that is included with this product.

MBAM 2.0 Known Issues

This section contains release notes for MBAM 2.0.

Computer Name field may not appear in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you run MBAM with Microsoft System Center Configuration Manager 2007

The Computer Name field may be blank in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you use MBAM with Configuration Manager 2007.


Enterprise Compliance Report fails to update after you upgrade the Stand-alone MBAM server infrastructure

If you are using the MBAM Stand-alone topology, and you upgrade the server infrastructure from version 1.0 to 2.0, the Enterprise Compliance Report fails to update.

WORKAROUND: After the upgrade, run the following script on the Compliance and Audit Database:

-- =============================================
-- Script Template
-- =============================================

DECLARE @DatabaseName nvarchar(255);
SET @DatabaseName = DB_NAME()

USE msdb;

SELECT @JobID = job_id
FROM msdb.dbo.sysjobs
WHERE (name = N'CreateCache')

    EXEC dbo.sp_delete_job
         @job_name = N'CreateCache';

EXEC dbo.sp_add_job
    @job_name = N'CreateCache',
    @enabled = 1;

EXEC dbo.sp_add_jobstep
     @job_name = N'CreateCache', 
     @step_name = N'Copy Data',
     @subsystem = N'TSQL',
     @command = N'EXEC [ComplianceCore].UpdateCache',
     @database_name = @DatabaseName,
     @retry_attempts = 5,
     @retry_interval = 5;

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache', 
     @name = N'ReportCacheSchedule1am',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 010000,
     @active_end_time = 020000;

EXEC dbo.sp_attach_schedule 
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule1am';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache', 
     @name = N'ReportCacheSchedule7am',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 070000,
     @active_end_time = 080000;

EXEC dbo.sp_attach_schedule 
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule7am';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache', 
     @name = N'ReportCacheSchedule1pm',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 130000,
     @active_end_time = 140000;

EXEC dbo.sp_attach_schedule 
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule1pm';

EXEC dbo.sp_add_jobschedule
     @job_name = N'CreateCache', 
     @name = N'ReportCacheSchedule7pm',
     @freq_type = 4,
     @freq_interval = 1,
     @active_start_time = 190000,
     @active_end_time = 200000;

EXEC dbo.sp_attach_schedule 
     @job_name = N'CreateCache',
     @schedule_name = N'ReportCacheSchedule7pm';

EXEC dbo.sp_add_jobserver
     @job_name = N'CreateCache';

Reports in the Help Desk Portal display a warning if SSL is not configured in SSRS

If SQL Server Reporting Services (SSRS) was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then browse to the Help Desk Portal and select a report, the following message displays: “Only Secure Content is Displayed.”

WORKAROUND: To show the report, click Show All Content. To address this issue, go to the MBAM computer where SQL Server Reporting Services is installed, run Reporting Services Configuration Manager, and then click Web Service URL. Select the appropriate SSL certificate for the server, enter the appropriate SSL port (the default port is 443), and then click Apply.

Non-default instances of the Configuration Manager database are not supported

MBAM looks only for the default instance of the Configuration Manager database in Configuration Manager 2007 and System Center 2012 Configuration Manager. If you use a non-default instance, you cannot install MBAM.


Clicking “Back” in the Compliance Summary report might throw an error

If you drill down into a Compliance Summary report, and then click the Back link in the SSRS report, an error might be thrown.


Used Space Only Encryption does not work correctly

If you encrypt a computer for the first time after you install the MBAM Client, and you have set a Group Policy Object to implement Used Space Only encryption, MBAM erroneously encrypts the entire disk instead of encrypting only the disk’s used space. If a computer is already encrypted when you install the MBAM Client, and you have set the same Group Policy Object, the encryption works correctly and encrypts only the used disk space on your computer.


Cipher strength displays incorrectly on the Computer Compliance report

If you do not set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object, the Computer Compliance report in the Configuration Manager Integration topology always displays “unknown” for the cipher strength, even when the cipher strength uses the default of 128-bit encryption. The report displays the correct cipher strength if you set a specific cipher strength in the Group Policy Object.

WORKAROUND: Always set a specific cipher strength in the Choose drive encryption method and cipher strength Group Policy Object.

Compliance Status Distribution By Drive Type displays old data after you update configuration items

After you update MBAM configuration items in System Center 2012 Configuration Manager, the Compliance Status Distribution By Drive Type bar chart on the BitLocker Enterprise Compliance Dashboard shows data that is based on information from old versions of the configuration items.

WORKAROUND: None. Modification of the MBAM configuration items is not supported, and the report might not appear as expected.

Enhanced Security Configuration may cause reports to display incorrectly

If Internet Explorer Enhanced Security Configuration (ESC) is turned on, an “Access Denied” message might appear when you try to view reports on the MBAM Server. By default, ESC is turned on to protect the server by decreasing the server’s exposure to potential attacks that can occur through web content and application scripts.

WORKAROUND: If the “Access Denied” message appears when you try to view reports on the MBAM Server, you can set a Group Policy Object or change the default manually in your image to disable Enhanced Security Configuration. You can also alternatively view the reports from another computer on which ESC is not enabled.

MBAM Server installation fails when you upgrade from SQL Server 2008 to SQL Server 2012

If you upgrade from SQL Server 2008 to SQL Server 2012, and then try to install the Compliance and Audit Database or the Recovery Database, the installation fails and rolls back. The failure occurs because the required SQLCMD.exe file was removed during the SQL upgrade and cannot be found by the MBAM installer. The MSI log file lines may look similar to the following:

RunDbInstallScript Recovery Db CA: BinDir - E:\MSSQL\100\Tools\Binn\SqlCmd.exeRunDbInstallScript Recovery Db CA: dbInstance - xxxxxx\I01RunDbInstallScript Recovery Db CA: sqlScript- C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sqlRunDbInstallScript Recovery Db CA: dbName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultFileName- MBAM_Recovery_and_HardwareRunDbInstallScript Recovery Db CA: defaultDataPath- F:\MSSQL\MSSQL10.I01\MSSQL\DATA\RunDbInstallScript Recovery Db CA: defaultLogPath- K:\MSSQL\MSSQL10.I01\MSSQL\Data\RunDbInstallScript Recovery Db CA: scriptLogPath - C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log-e -E -S xxxxxxx\I01 -i "C:\Program Files\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\KeyRecovery.sql" -v DatabaseName="MBAM_Recovery_and_Hardware" DefaultFileName="MBAM_Recovery_and_Hardware" DefaultDataPath="F:\MSSQL\MSSQL10.I01\MSSQL\DATA\" DefaultLogPath="K:\MSSQL\MSSQL10.I01\MSSQL\Data\" -o "C:\Users\xxxxxx\AppData\Local\Temp\InstallKeyComplianceDatabase.log"RunDbInstallScript Recovery Db CA:Starting to run the Recovery database install scriptRunDbInstallScript Recovery Db CA: Sqlcmd log file is located in C:\Users\xxxxxx\AppData\Local\Temp\\InstallKeyRecoveryDatabase.logRunDbInstallScript Recovery Db CA Exception: Install Recovery database Custom Action command line output Exception: The system cannot find the file specified

The MBAM Server Windows Installer is hardcoded to find the SQLCMD.exe path by looking in the Path string value in the registry under HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup. The key is still present during the migration from SQL Server 2008 to SQL Server 2012, but the path that is referenced by the data value does not contain the SQLCMD.exe file, because the SQL upgrade process removed the file.

WORKAROUND: Temporarily rename the HKLM\Software\Microsoft\Microsoft SQL Server\100\Tools\ClientSetup Path string value to Path_old, and then re-run the MBAM Server Windows Installer. When the installation completes successfully and creates the databases in SQL Server 2012, rename the Path_old value to Path.

Hotfixes and Knowledge Base articles for MBAM 2.0

This section contains hotfixes and KB articles for MBAM 2.0.

KB Article Title Link


Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"


Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal


MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description


Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM


Error opening Enterprise or Computer Compliance Reports in MBAM


MBAM Enterprise Reporting Not Getting Updated


Installing MBAM on a Domain Controller is not supported


You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0


MBAM and Secure Network Communication


MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008


MBAM Setup fails if SQL SSRS is not configured properly


MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"


MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure


MBAM Enterprise Reporting Not Getting Updated


MBAM Supported Computers compliance reporting incorrectly includes unsupported products


Computer Record is Rejected in MBAM

About MBAM 2.0