shadster (joined 8/6/2008, Central Ohio)
anybody got MBAM integration working yet?
Monday, June 11, 2012 1:47 PM
Is anyone rocking an MBAM integration yet? A lot of the documentation I am seeing so far seems very convoluted... like adding a bunch of regkeys via scripts and then ripping them out later on, which seems far from optimal... but I could be missing something? Nor was it very clear as to whether or not I need to disable the "Enable BitLocker" step in a default MDT TS... (Turns out I do... I think :) Just added the client install to the deployment TS and will see if I can get it talking back to the DB. (Not quite sure how it knows where that is, since there aren't any config options, it looks like.) Am curious if any of you guys are implementing that yet with SCCM 2012/MDT 2012 + MBAM being deployed to manage laptop-only clients (I am separating that in my rules file via [IsLaptop] and deploying Win7 x64 Enterprise to them).
shadster
Re: anybody got MBAM integration working yet?
Monday, June 11, 2012 5:35 PM
Well, the client install is pretty simple and straightforward. However, I know that this is a fairly new product, but it seems a little half-baked if we have to go in and import a bunch of regkeys that it couldn't handle on its own (or that couldn't be passed to it via an install switch etc...) {OK, I am done... so end rant}. I see that one of those keys tells it to point to our server in the whitepaper ( http://go.microsoft.com/fwlink/?LinkId=229053 ), so I will continue to follow that and see if I can get it working. However... per this in the whitepaper:

UseKeyRecoveryService
0 = don’t escrow key (next two aren’t needed in this case)
1 = ESCROW IN KEY RECOVERY SYSTEM (RECOMMENDED – COMPUTER NEEDS TO BE ABLE TO COMMUNICATE WITH KEY RECOVERY SERVICE – VERIFY THIS BEFORE PROCEEDING)

Does anyone know how I would validate that this communication is actually taking place? Thanks in advance :)
<message edited by shadster on Monday, June 11, 2012 5:37 PM>
TXbluzmn (joined 5/7/2012)
Re: anybody got MBAM integration working yet?
Wednesday, June 13, 2012 5:22 PM
I have it in the environment and engaging during a task sequence as well. No issues (finally). Do NOT use any of the MDT TS BitLocker tasks; it will hose you. Use this for your task sequence: One word though... I am deploying Win 7 Enterprise and the diskpart step doesn't work. I partition the whole drive and then run the BDEHDCFG tool and reboot before I install MBAM in my TS. That's the only way I can get it to work. Hope this helps... Let me know if I can help more.
TXbluzmn
Re: anybody got MBAM integration working yet?
Wednesday, June 13, 2012 5:37 PM
They're basically wanting the machine to be joined to the domain first. This isn't a perfect/scripted app like some, but it is complete. I've had much success with it BitLockering 706 of 918 machines with the TPM scripts, BDEHDCFG, and the MBAM client pushed through an SCCM 2012 task sequence. That said, it took a lot of trial and error.
shadster
Re: anybody got MBAM integration working yet?
Thursday, June 21, 2012 3:19 PM
Thanks for the input... I am running into similar issues, but I will try adding the BitLocker partition feature and command. Have you implemented any of the Group Policy settings? And are you using the AddRegKeys/RemoveRegKeys files and the script that imports them as well after you install the client?
shadster
Re: anybody got MBAM integration working yet?
Thursday, June 21, 2012 3:28 PM
TXbluzmn, you posted "use this for your TaskSequence:". Is this an image or link that didn't come through?
<message edited by shadster on Thursday, June 21, 2012 3:47 PM>
TXbluzmn
Re: anybody got MBAM integration working yet?
Thursday, June 21, 2012 5:50 PM
Yes. I had no issues with the GPOs in place during the imaging process. Yes, I used the scripts. The document could be clearer for noobs about the diskpart step on bare metal vs. a refresh, but this is the deal in a nutshell: if you don't have an image captured from a machine with the BitLocker partition, when you apply your image to the C drive Windows will give that 300 MB partition a drive letter, which will not work for BitLocker. If you're refreshing a PC, create a single partition with your Diskpart step and create a step for BdeHdCfg à la the "Refresh" rules at the bottom of the page. Hope this helps!
TXbluzmn
Re: anybody got MBAM integration working yet?
Friday, June 22, 2012 12:16 PM
That was a link to the Deployment Guys page that I think you're already using. Sorry... I'm too much of a noob here for them to post my links yet, I guess..... HA!
shadster
Re: anybody got MBAM integration working yet?
Friday, June 22, 2012 1:08 PM
That is funny! You have been helpful and I will be sure to mark your post as such to help get you some 'cred' :) I am using Enterprise as well and didn't capture with the extra partition (extrapartition=no), but if that is the culprit it would be easy enough to remediate. I thought .wim's didn't contain multiple-partition information and could span multiple partitions? Anyways... I found a syntax error in my switches in regards to the add/remove entries, by missing the colon ":", i.e. "cscript.exe StartMBAMEncryption.wsf /AddRegFile:AddMBAMRegEntries.reg /RemoveRegFile:RemoveMBAMRegEntries.reg". Am testing this now... hopefully this will work.
shadster
Re: anybody got MBAM integration working yet?
Monday, June 25, 2012 1:36 PM
Still no dice... it keeps timing out, as I am guessing that the account running the command doesn't have MBAM access. Error code 0x803d000d "the remote endpoint does not exist or could not be located". My reasoning lies in that after the process ends, and while still logged in as local administrator, when I try to navigate to the regkey URL in IE... I get prompted for credentials! Arghh... so I am sooo close :)
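The client-side validation shadster asks for in the 11 June post ("how would I validate that this communication is actually taking place?") and the 0x803d000d symptom in the post above, as an added example. This is my own script, not code from the thread and not Microsoft's StartMBAMEncryption.wsf. It reads where the client believes the key recovery service is, checks DNS, a TCP connection and an authenticated HTTP request to it, and dumps the MBAM client event channels. The registry locations and value names are as I recall them from the MBAM deployment whitepaper the thread links and should be verified against your MBAM version; 0x803D000D is WS_E_ENDPOINT_NOT_FOUND from the Windows Web Services API, whose message text is the one quoted above.

```powershell
# Added example, not from the thread and not Microsoft's StartMBAMEncryption.wsf: check from the client
# side that escrow to the MBAM key recovery service can work. Run elevated, ideally as SYSTEM
# (e.g. psexec -s) so it authenticates the way the task sequence does.
# Assumed: registry locations and value names as I recall them from the MBAM deployment whitepaper
# (policy key written by the MBAM GPO, deployment-time override key); verify against your MBAM version.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$DeployKey  = 'HKLM:\SOFTWARE\Microsoft\MBAM'
$ValueNames = 'UseKeyRecoveryService', 'KeyRecoveryOptions', 'KeyRecoveryServiceEndPoint', 'DeploymentTime'

function Get-MbamRecoveryConfig {
    # Read both keys; the deployment-time key is read last so its values win while they exist.
    $cfg = @{}
    foreach ($key in $PolicyKey, $DeployKey) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -eq $null) { continue }
        foreach ($name in $ValueNames) {
            if ($props.PSObject.Properties[$name] -ne $null) {
                $cfg[$name] = $props.$name
                $cfg["$name.Source"] = $key
            }
        }
    }
    return $cfg
}

function Test-MbamRecoveryEndpoint {
    param([string]$Url)
    $uri = [System.Uri]$Url
    $result = New-Object PSObject -Property @{ Url = $Url; Dns = $null; Alias = $false; Tcp = $false; Http = $null }

    # 1. DNS. Heuristic alias check: a CNAME (mbam.domain.com -> server.domain.com) without an
    #    HTTP/ SPN registered for the alias name breaks Kerberos authentication to the service.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($uri.Host)
        $result.Dns = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ','
        $result.Alias = -not $entry.HostName.StartsWith($uri.Host, [System.StringComparison]::OrdinalIgnoreCase)
    } catch { $result.Dns = "FAILED: $($_.Exception.Message)"; return $result }

    # 2. TCP reachability of the service port, 5 s timeout.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(5000, $false)) { $tcp.EndConnect($async); $result.Tcp = $true }
    } catch { } finally { $tcp.Close() }
    if (-not $result.Tcp) { $result.Http = 'skipped (no TCP connection)'; return $result }

    # 3. HTTP(S) GET as the current security context (the computer account when run as SYSTEM).
    #    200/400 = the .svc answered; 401 = this identity is not authorised; 404 or a DNS failure is
    #    what the client typically surfaces as 0x803D000D (WS_E_ENDPOINT_NOT_FOUND);
    #    TrustFailure = the HTTPS certificate is not trusted by this machine.
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $result.Http = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) { $result.Http = [int]$_.Exception.Response.StatusCode }
        else { $result.Http = "FAILED: $($_.Exception.Status)" }
    } catch {
        $result.Http = "FAILED: $($_.Exception.Message)"
    }
    return $result
}

function Get-MbamClientEvents {
    param([int]$Count = 15)
    # The MBAM client logs its escrow attempts and service-connection errors in these channels.
    foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
        Get-WinEvent -LogName $log -MaxEvents $Count -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Log'; e = { $log } }, TimeCreated, Id, LevelDisplayName, Message
    }
}

$cfg = Get-MbamRecoveryConfig
$cfg.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if ($cfg['UseKeyRecoveryService'] -ne 1) { Write-Warning 'UseKeyRecoveryService is not 1: the client will not escrow.' }
if ($cfg['KeyRecoveryServiceEndPoint']) {
    $r = Test-MbamRecoveryEndpoint -Url $cfg['KeyRecoveryServiceEndPoint']
    $r | Format-List Url, Dns, Alias, Tcp, Http
    if ($r.Alias) { Write-Warning "Endpoint host is an alias; check 'setspn -Q HTTP/$(([System.Uri]$r.Url).Host)' on a DC." }
} else {
    Write-Warning 'No KeyRecoveryServiceEndPoint found in either key.'
}
Get-MbamClientEvents | Format-Table Log, TimeCreated, Id, LevelDisplayName, Message -Wrap -AutoSize
```

Run it under the identity the task sequence uses (SYSTEM, which talks to the service as the domain-joined computer account), for example via psexec -s. A credential prompt when browsing the URL as a local administrator does not by itself show the client will fail: a local account has no domain identity to offer, whereas the computer account does. A 401 for the computer account usually means the computer is not in the group the recovery service's IIS authorization allows; an alias name that fails Kerberos needs an HTTP/ SPN for that name, or the server's real name in the endpoint URL, which is what the final post ends up doing.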
shadster
Re: anybody got MBAM integration working yet?
Friday, June 29, 2012 2:49 PM
Well, finally got it going via an MDT 2012 sequence... ended up having it create the default single partition and then running ZTIBde.wsf as the very next step... then install the MBAM client during the application install phase, and the last step is to kick the script.

Here is the interesting point... and hopefully someone else will find it helpful: seems like I had the opposite problem from most, in that I couldn't get past the script timeout until I first got rid of an alias that we set up to make the test URL easy to remember (mbam.domain.com) AND we changed the path to use https://server:443/PathToService

Not sure how this will work and manage keys yet if security forces us to implement TPM + PIN... (argh) but so far we are stable! :)

Actually... does anybody know if I can just import an MDT Gather task as the first step of my SCCM TS to basically enable my rules file for deployment via SCCM instead of MDT? Have that pretty slick and fairly elegant, and that is keeping me from recreating them in SCCM and keeping it in MDT for now.
<message edited by shadster on Friday, June 29, 2012 2:53 PM>
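The procedure the thread settles on (single partition, BdeHdCfg, MBAM client, then a final script that imports the deployment-time registry entries, waits, and removes them again), written as one PowerShell task-sequence step. This is an added example of my own; it is not code from the thread, not Microsoft's StartMBAMEncryption.wsf and not MDT's ZTIBde.wsf. Assumed and to be verified for your environment: the HKLM\SOFTWARE\Microsoft\MBAM key and its value names as I recall them from the MBAM deployment whitepaper, the MBAMAgent service name of the MBAM client, and the endpoint URL, which is a placeholder.

```powershell
# Added example (my own code, not the thread's, not Microsoft's StartMBAMEncryption.wsf and not MDT's
# ZTIBde.wsf): the last task-sequence step. It guards the partition layout, writes the deployment-time
# MBAM values directly instead of importing a .reg file, wakes the client, waits until the recovery
# password is escrowed and encryption has started, then removes the values so Group Policy governs.
# Assumed: MBAM client installed, machine domain-joined, TPM enabled earlier in the sequence; key and
# value names as I recall them from the MBAM deployment whitepaper (verify for your version);
# the default endpoint URL is a placeholder.
param(
    [string]$Endpoint       = 'https://mbam.example.com:443/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$OsDrive        = 'C:',
    [int]   $TimeoutMinutes = 30
)
$ErrorActionPreference = 'Stop'
$DeployKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
$VolNs     = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm
    if ($tpm -eq $null) { return $false }
    return ([bool]$tpm.IsEnabled().IsEnabled -and [bool]$tpm.IsActivated().IsActivated)
}

function Assert-SystemPartitionLayout {
    # BitLocker needs an active system partition separate from the OS volume, and it must not carry a
    # drive letter (the case TXbluzmn describes when the image was captured without that partition).
    $sys  = Get-WmiObject Win32_Volume | Where-Object { $_.SystemVolume }
    $boot = Get-WmiObject Win32_Volume | Where-Object { $_.BootVolume }
    if ($sys -eq $null -or $sys.DeviceID -eq $boot.DeviceID) {
        throw 'No separate system partition. Run "BdeHdCfg -target default -size 300 -quiet" and restart earlier in the sequence.'
    }
    if ($sys.DriveLetter) {
        Write-Host "System partition has letter $($sys.DriveLetter); removing it."
        & "$env:SystemRoot\System32\mountvol.exe" "$($sys.DriveLetter)\" /D
    }
}

function Set-MbamDeploymentOverride {
    if (-not (Test-Path $DeployKey)) { New-Item -Path $DeployKey -Force | Out-Null }
    Set-ItemProperty -Path $DeployKey -Name DeploymentTime             -Value 1 -Type DWord   # 1 = deployment-time behaviour (per the whitepaper)
    Set-ItemProperty -Path $DeployKey -Name UseKeyRecoveryService      -Value 1 -Type DWord   # 1 = escrow (the whitepaper's recommendation)
    Set-ItemProperty -Path $DeployKey -Name KeyRecoveryOptions         -Value 1 -Type DWord   # 1 = recovery password and key package
    Set-ItemProperty -Path $DeployKey -Name KeyRecoveryServiceEndPoint -Value $Endpoint -Type String
}

function Remove-MbamDeploymentOverride {
    foreach ($n in 'DeploymentTime', 'UseKeyRecoveryService', 'KeyRecoveryOptions', 'KeyRecoveryServiceEndPoint') {
        Remove-ItemProperty -Path $DeployKey -Name $n -ErrorAction SilentlyContinue
    }
}

function Wait-MbamEncryptionStarted {
    param([string]$Drive, [int]$Minutes)
    $vol = Get-WmiObject -Namespace $VolNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        # Key protector type 3 = numerical password (the recovery password MBAM escrows).
        # ConversionStatus 1 = fully encrypted, 2 = encryption in progress. MBAM escrows before it
        # turns encryption on, so conversion starting is the client-side sign that escrow succeeded.
        $ids  = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
        $conv = $vol.GetConversionStatus().ConversionStatus
        if ($ids -and ($conv -eq 1 -or $conv -eq 2)) { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}

if (-not (Test-TpmReady)) { throw 'TPM is not enabled and activated; fix the TPM steps before this one.' }
Assert-SystemPartitionLayout
Set-MbamDeploymentOverride
try {
    Restart-Service -Name MBAMAgent   # BitLocker Management Client Service re-reads the override on start
    if (-not (Wait-MbamEncryptionStarted -Drive $OsDrive -Minutes $TimeoutMinutes)) {
        throw "Encryption did not start within $TimeoutMinutes min; see the Microsoft-Windows-MBAM/Admin event log for the escrow error."
    }
    Write-Host "Recovery password escrowed and encryption started on $OsDrive."
} finally {
    Remove-MbamDeploymentOverride   # leave nothing behind: the GPO policy values apply from now on
}
```

An uncaught throw makes powershell.exe -File return a non-zero exit code, so the step fails visibly instead of the sequence finishing with an unencrypted, unescrowed machine. The wait is deliberately on the volume state rather than on the script returning: the client escrows asynchronously, and the timeout shadster hit is the same window this loop bounds. If the policy later requires TPM + PIN, the PIN protector has to be added after this step with a user present; the escrowed recovery password is unaffected by that change.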