Friday, 5 September 2014

Upgrade to MBAM 2.5

MBAM 2.5 was released with MDOP 2014 on 13th May 2014. This was an eagerly awaited release as it added functionality which transformed MBAM into a truly enterprise grade encryption product. In particular, it now allows administrators to force users to encrypt their drives (I previously blogged about this here).

This blog post describes an upgrade from MBAM 2.0 SP1 to MBAM 2.5 but can be a reference for upgrades from other versions.

Have a look at the official documentation before you start.

Getting started with MBAM 2.5

Deploying MBAM 2.5

Deploying Server Infrastructure

Configuring MBAM 2.5 Server features

Validating MBAM 2.5

Upgrading to MBAM 2.5  from Previous versions

This last TechNet Library document tells us the steps required to upgrade to MBAM 2.5 from each of the earlier versions.

OK. Let's crack on. I carried out the following steps to upgrade my stand-alone MBAM environment to V2.5.

Step 1.
Identify the previous version.

MBAM Agent 2.0     --> 2.0.5301.1
MBAM Agent 2.0 SP1 --> 2.1.0117.0

I see that my current version is MBAM 2.0 SP1 by looking in Programs & Features.

Step 2.
Back up the databases.

My attitude towards backups is - "I'd prefer to be looking at it than looking for it".

Please back up the databases before you start.

Step 3.
Uninstall previous MBAM version (don't worry - the databases will remain intact).

Step 4.
Update the MOF files

Even if you have already done this for a previous version you must do this step again. The MOF files for v2.5 are very slightly different (you have to look closely to see this).


Edit the SMS_DEF.MOF File

See confirmation of the difference when you import the new SMS_DEF.MOF file.

Step 5.
Install MBAM 2.5

Step 6.
Configure MBAM 2.5

You have some choices to make (similar to previous versions).

Installation and configuration completed. See how it tells us that the databases already exist.

Note that I had a problem with prerequisites - required for v2.5 but not for my previous version.

Step 7.
Update Group Policy

Have a look at "Deploying MBAM 2.5 Group Policy Objects"

Download MBAM 2.5 Group Policy templates from here

Extract the .admx and .adml files and copy them to the Group Policy Central Store in Sysvol on a Domain Controller (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions, with the .adml files in the matching language sub-folder such as en-US). Sysvol replication then delivers the new templates to the other Domain Controllers.

Add the Group Policy Management feature (if you haven't already done so).

New MBAM 2.5 template

You can now force a user to encrypt

Step 8.
Upgrade clients

You can upgrade clients by creating and deploying a ConfigMgr application.

Step 9.

Test, test, test before rolling out to production.
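The steps above (identify the version, back up the databases, then stage the new Group Policy templates) are the ones that can be scripted and checked rather than clicked through. The following PowerShell is an added example written for this post; it is not the author's script and not part of MBAM. It assumes a SQL instance name, a backup folder, the extracted template folder and the default MBAM 2.0 database names ("MBAM Recovery and Hardware" and "MBAM Compliance Status"), all of which are placeholders you must change for your own environment. Run it on the MBAM server with the SQLPS and ActiveDirectory (RSAT) modules available.

```powershell
# Added example, not from the original post or the MBAM product.
# Placeholders (assumptions): SQL instance, backup root, template folder, database names.

# --- Step 1: identify the installed MBAM version from the Uninstall registry keys ---
function Get-MbamInstalledProduct {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MBAM*' -or $_.DisplayName -like '*BitLocker Administration*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Map a DisplayVersion to the release named in the post (2.5 pattern is an assumption).
function Get-MbamRelease([string]$Version) {
    switch -Wildcard ($Version) {
        '2.0.5301.*' { '2.0' }
        '2.1.0117.*' { '2.0 SP1' }
        '2.5.*'      { '2.5' }
        default      { "unknown ($Version)" }
    }
}

# --- Step 2: back up and verify the MBAM databases before anything is uninstalled ---
function Backup-MbamDatabases {
    param(
        [string]   $SqlInstance = 'MBAMSQL01',                 # assumption: placeholder
        [string]   $BackupRoot  = 'D:\Backups\MBAM',            # assumption: placeholder, restrict its ACL
        [string[]] $Databases   = @('MBAM Recovery and Hardware', 'MBAM Compliance Status')
    )
    Import-Module SQLPS -DisableNameChecking
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($db in $Databases) {
        $file  = Join-Path $BackupRoot ("{0}-{1}.bak" -f ($db -replace ' ', '_'), $stamp)
        # CHECKSUM so a silently corrupt backup is caught now rather than at restore time.
        $query = "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10"
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query -QueryTimeout 0
        # Prove the file is restorable before relying on it for the upgrade.
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
        Write-Host "Backed up and verified [$db] -> $file"
    }
}

# --- Step 7: stage the 2.5 ADMX/ADML templates in the Group Policy Central Store ---
function Copy-MbamAdmxToCentralStore {
    param(
        [string] $TemplateFolder = 'C:\Temp\MBAM25-Templates',  # assumption: extracted download
        [string] $Language       = 'en-US'
    )
    $domain = (Get-ADDomain).DNSRoot
    $store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
    New-Item -ItemType Directory -Path (Join-Path $store $Language) -Force | Out-Null
    Copy-Item (Join-Path $TemplateFolder '*.admx') -Destination $store -Force
    Copy-Item (Join-Path $TemplateFolder "$Language\*.adml") -Destination (Join-Path $store $Language) -Force
    # List what landed; the MBAM template file names are assumed to contain "BitLocker".
    Get-ChildItem $store -Filter '*BitLocker*.admx' | Select-Object Name, LastWriteTime
}

# Usage, in the order of the post's steps:
Get-MbamInstalledProduct | ForEach-Object {
    '{0} {1} = MBAM {2}' -f $_.DisplayName, $_.DisplayVersion, (Get-MbamRelease $_.DisplayVersion)
}
Backup-MbamDatabases
Copy-MbamAdmxToCentralStore
```

Two points worth keeping in mind: the Recovery and Hardware database holds BitLocker recovery keys, so the .bak file is as sensitive as the database itself and the backup folder needs the same access restrictions; and the RESTORE VERIFYONLY step is what turns "I have a backup" into "I have a backup I can restore", which is the whole point of Step 2.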

Wednesday, 3 September 2014

ConfigMgr 2012 & Intune: Known authentication issues

There are some really cool new authentication features in Azure and ADFS. Unfortunately they don't play very nicely with Windows Intune and they can be really difficult to troubleshoot if you don't know what the problem is. There are no log files that can point you in the right direction. It just doesn't work.

I've recently seen two of these issues on customer sites:

When you use Multi-Factor Authentication and enroll a device with Windows Intune, you receive the error “This request couldn’t complete”

Workaround: Turn off Windows Azure Multi-Factor Authentication for the Windows Azure subscription you use with Windows Intune.

(Edit 25th November 2014: Azure Multi-Factor Authentication is now supported by Intune)

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in ADFS

Workaround: Disable device authentication on the ADFS server by unchecking "Enable device authentication" in Edit Global Authentication Policy

The workarounds aren't too clever. The feature is not supported - turn it off.
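Because the ADFS workaround turns off a security control for the whole farm, it is worth recording the state you are changing and scripting the change so it can be reversed once the Windows Phone 8.1 devices have enrolled. The following PowerShell is an added example for this post, not something from the Intune release notes or the author's environment; it uses the ADFS cmdlets that ship with Windows Server 2012 R2 and assumes a placeholder path for the saved policy record.

```powershell
# Added example, not from the original post. Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

# Capture the parts of the global authentication policy that the workaround touches.
function Get-AdfsDeviceAuthState {
    $policy = Get-AdfsGlobalAuthenticationPolicy
    [pscustomobject]@{
        DeviceAuthenticationEnabled = $policy.DeviceAuthenticationEnabled
        PrimaryIntranet             = ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
        PrimaryExtranet             = ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
        AdditionalProviders         = ($policy.AdditionalAuthenticationProvider -join ', ')
    }
}

# Apply the Intune workaround: uncheck "Enable device authentication", but only if it is on,
# and keep a record of the previous state so the change is auditable and reversible.
function Disable-AdfsDeviceAuthForEnrollment {
    param([string] $RecordPath = "$env:ProgramData\AdfsDeviceAuth-before.json")  # assumption: placeholder
    $before = Get-AdfsDeviceAuthState
    $before | ConvertTo-Json | Set-Content -Path $RecordPath
    if (-not $before.DeviceAuthenticationEnabled) {
        Write-Host 'Device authentication is already disabled; nothing changed.'
        return $before
    }
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $false
    Get-AdfsDeviceAuthState
}

# Reverse the workaround once enrollment is done.
function Enable-AdfsDeviceAuth {
    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
    Get-AdfsDeviceAuthState
}

# Usage:
Disable-AdfsDeviceAuthForEnrollment
# ... enroll the Windows Phone 8.1 devices ...
Enable-AdfsDeviceAuth
```

Note that the setting is global: disabling it removes the device claim for every relying party trust that depends on Workplace Join, not just for Intune, so treat the window in which it is off as a change with a defined end date rather than a permanent fix.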

Here is another one (although I haven't seen this one in action)

When you enroll a Windows 8.1 device that must authenticate to a proxy server, the enrollment process fails with no visible indication as to the cause of the failure

Workaround: For Windows 8.1 devices that must enroll on a network that requires use of an authenticated proxy server, configure and save the credentials for the proxy server prior to enrollment of the device.

These issues have been documented in the "Release Notes for Windows Intune".