MBAM - allow users to encrypt removable drives when Bitlocker icon is removed from control panel via domain user GPO
Hi Manoj,
We have deployed the MBAM solution in our organization and set domain MBAM GPOs for OS, fixed and removable drives. The MBAM policies work fine for OS and fixed drives; anyway, we want to prevent members of the local administrators group from turning off BitLocker,
so we applied this recommended solution: http://blogs.technet.com/b/askcore/archive/2010/08/13/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx
This workaround solved one issue, but now we can't find a way to optionally let users choose to encrypt their removable drives when the BitLocker menu is hidden from Control Panel and the MBAM control menu only lets users change their PIN or password.
When a USB stick is connected, an MBAM policy error is recorded, as you can see below.
The MBAM removable drive policy is enabled and allows users to encrypt, suspend and decrypt removable drives; anyway, when a user connects a USB drive, MBAM will not force the MBAM wizard to let the user encrypt the removable drive.
I appreciate all solutions
Thank you
Jan
Log Name: Microsoft-Windows-MBAM/Admin
Source: Microsoft-Windows-MBAM
Date: 3.5.2012 13:04:42
Event ID: 2
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer:
Description:
An error occured while applying MBAM policies.
Volume ID:\\?\Volume{53e9573a-909a-19e1-9331-806e6f6e6963}\
Error code:
0x803d0013
Details:
A message containing a fault was received from the remote endpoint.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-MBAM" Guid="{1C6E854B-3DF3-4A6F-9401-F58F1D1C504D}" />
<EventID>2</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-05-03T11:04:42.491920700Z" />
<EventRecordID>10</EventRecordID>
<Correlation />
<Execution ProcessID="2564" ThreadID="348" />
<Channel>Microsoft-Windows-MBAM/Admin</Channel>
<Computer></Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="VolumeId">\\?\Volume{53e9573a-909a-19e1-9331-806e6f6e6963}\</Data>
<Data Name="ErrorCode">0x803d0013</Data>
<Data Name="ErrorString">A message containing a fault was received from the remote endpoint.
</Data>
</EventData>
</Event>
May 3rd, 2012 4:31am
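To see whether the Event ID 2 failure above keeps recurring (and on which drives) after a server-side change, here is an added PowerShell script that is not from the thread or from MBAM itself; it reads the Microsoft-Windows-MBAM/Admin log, pulls VolumeId, ErrorCode and ErrorString out of the event XML exactly as they appear in the post, and maps each volume GUID path to a drive letter via Win32_Volume (the $Days parameter is my own).

```powershell
# Added example (not from the thread): summarise MBAM policy-apply failures
# (Event ID 2 in Microsoft-Windows-MBAM/Admin) per volume and error code.
# Assumes the log name, event ID and EventData field names shown in the
# posted Event XML. Run elevated on the MBAM client.
param(
    [int]$Days = 7   # how far back to look
)

$filter = @{
    LogName   = 'Microsoft-Windows-MBAM/Admin'
    Id        = 2
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No MBAM policy errors (Event ID 2) in the last $Days days."
    return
}

# Win32_Volume.DeviceID is the same \\?\Volume{GUID}\ path that MBAM logs,
# so each failure can be mapped to a drive letter and drive type.
$volumes        = Get-WmiObject -Class Win32_Volume
$driveTypeNames = @{ 2 = 'Removable'; 3 = 'Fixed'; 5 = 'CD-ROM' }

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $vol    = $volumes | Where-Object { $_.DeviceID -eq $data['VolumeId'] }
    $letter = '(not present)'
    $type   = '?'
    if ($vol) {
        $letter = $vol.DriveLetter
        $type   = $driveTypeNames[[int]$vol.DriveType]
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        VolumeId    = $data['VolumeId']
        DriveLetter = $letter
        DriveType   = $type
        ErrorCode   = $data['ErrorCode']
        ErrorString = ([string]$data['ErrorString']).Trim()
    }
}

# One line per volume/error pair: count and most recent occurrence.
$rows | Group-Object VolumeId, ErrorCode | ForEach-Object {
    $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    $latest | Select-Object VolumeId, DriveLetter, DriveType, ErrorCode,
        @{ n = 'Count'; e = { $_.Count } }, @{ n = 'LastSeen'; e = { $latest.Time } }, ErrorString
} | Format-Table -AutoSize
```

A 0x803d0013 entry with an unchanged count after the fix means the client is still getting a fault back from the MBAM web service, so the problem is on the server side rather than in the client policy.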
Please try the following steps:
Add a registry key on MBAM server under HKLM\Software\Microsoft\MBAM
Dword 32-bit value called DisableMachineVerification and set to 1
Juke Chou
TechNet Community Support
May 4th, 2012 3:15am
This is already set in the MBAM server registry, but there is still no popup to encrypt an attached USB stick. For test purposes I tried setting the MBAM policy "deny write access to removable drives not protected by BitLocker", and this policy works fine, but still no luck on how to force
the MBAM client to prompt users to encrypt a USB stick.
MBAM server under HKLM\Software\Microsoft\MBAM
Dword 32-bit value called DisableMachineVerification and set to 1
Thanks for ideas
Jan
May 4th, 2012 3:24am
Hi
One possible cause of the issue is that the Group Policies are not configured properly, so I advise you to delete the old Group Policies, use the latest version of GPMC from RSAT on a Windows 7 client and re-configure the policies. After you have re-configured the Group Policies, please restart the clients for them to take effect.
I hope the links below are helpful for you:
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/22b1d081-9b11-4c08-bb25-4c8cf0960208/
http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx
Regards,
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 7th, 2012 6:00am
For removable drives, Microsoft recommends using this GPO:
MDOP MBAM --> Removable Drives --> Deny Write Access to Removable Drives not protected by BitLocker.
So when a user inserts a USB stick, we will prompt him to enable encryption for read + write access.
If he does not choose to encrypt, then he gets read access only.
So when you go through the BitLocker wizard, you supply a password and complete the BitLocker encryption for the removable drive.
The MBAM agent will push the recovery key to the SQL DB as well.
A user can change the password of his removable device using the MBAM Control Panel applet.
Note: MBAM will never prompt a user to start encryption for removable drives.
Manoj Sehgal
May 10th, 2012 8:36pm
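To confirm on a client that the deny-write policy from the answer above is in effect and to see what each attached removable drive will get (read-only until encrypted, or read/write once protected), here is an added PowerShell script, not from the thread or from MBAM. It assumes the MBAM removable-drive policy is stored where the equivalent native BitLocker setting lives, the DWORD RDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE, and reads protection state from the Win32_EncryptableVolume WMI class.

```powershell
# Added example (not from the thread): report the deny-write policy state and
# the expected access for every removable drive currently attached.
# Assumption: the MBAM "Deny write access to removable drives not protected by
# BitLocker" policy lands in the native BitLocker value RDVDenyWriteAccess
# under HKLM\SOFTWARE\Policies\Microsoft\FVE. Run elevated.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$denyWrite  = 0
if (Test-Path $policyPath) {
    # Missing value casts to 0, i.e. policy not set.
    $denyWrite = [int](Get-ItemProperty -Path $policyPath).RDVDenyWriteAccess
}
$state = if ($denyWrite -eq 1) { 'ENABLED' } else { 'not set' }
Write-Output "Deny write access to unprotected removable drives: $state"

# Win32_Volume DriveType 2 = removable disk; DeviceID is the \\?\Volume{GUID}\ path.
$removable = Get-WmiObject -Class Win32_Volume -Filter 'DriveType = 2'
if (-not $removable) { Write-Output 'No removable drives attached.'; return }

# Win32_EncryptableVolume carries BitLocker state; ProtectionStatus 1 = protected.
$encVols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume

foreach ($vol in $removable) {
    $enc       = $encVols | Where-Object { $_.DeviceID -eq $vol.DeviceID }
    $protected = [bool]($enc -and $enc.ProtectionStatus -eq 1)

    if ($protected) { $expected = 'read/write (BitLocker protected)' }
    elseif ($denyWrite -eq 1) { $expected = 'read-only until the user encrypts it' }
    else { $expected = 'read/write, unencrypted (policy not enforced)' }

    [pscustomobject]@{
        Drive     = $vol.DriveLetter
        VolumeId  = $vol.DeviceID
        Protected = $protected
        Expected  = $expected
    }
}
```

An unencrypted stick that reports read/write while the policy shows ENABLED means the policy has not reached the BitLocker driver yet, which is the case to check after a gpupdate and reboot.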