SCCM: PXE boot fails with “Unsuccessful in getting MP key information. 80004005.”

I recently faced a weird issue with PXE boot.

Nice error in smspxe.log said:

RequestMPKeyInformation: Send() failed.

Unsuccessful in getting MP key information. 80004005.

etc..

Internet search suggested reinstallation of PXE DP (including killing WDS and fill clean of RemoteInstall). I tried that but without any success.

MP was in a good health, gladly replied to http tests, but I still tried to reinstall it. Obviously without any success…

Resolution: I tried to remember what I did recently, before I first noted PXE issue. MBAM 2.5 was installed!

So I removed MBAM and PXE immediately start to reply, successfully connect to MP etc…

Who knew!

Bitlocker: Disable protection of system drive during Microsoft updates

 

Here is an elegant technique to automate Bitlocker protectors disable while Microsoft updates are installing.

This was shared by one of Microsoft Support Engineers.

 

Sometimes Microsoft updates can introduces changes locking the machine. To avoid that you can disable protectors for update time and re-enable them after.

To do that you can use Scheduler and monitor for Windows Updates event.

We need to create two scheduled tasks (either locally or using GPO):

First one is Suspend Bitlocker

It will start on Event

When MSInstaller starts Windows Updates it generates Event ID 1040

At that event we want to run a command to suspend protectors on C:

The second Scheduled Task is similar except Event ID we monitor and action.

When updates are installed an Event ID 1042 is issued

We are going to resume protectors at that event:

 

Note: The machine will have protectors in suspended state during Microsoft updates (they will be resumed after installation finish or after reboot), so it is a potential breach in your security. Use it on your own risk!

MBAM: Clients cannot report to MBAM server

Microsoft Bitlocker Management and Administration server is installed in a single server configuration. Test machine is encrypted, but never reported its state back to the server.

It turned out you need to add a ‘MBAM’ registry key to MBAM server under HKEY_LOCAL_MACHINE\Software\Microsoft

as soon as the key as created, add a DWORD settings with name DisableMachineVerification and set it to 1 

Restart mbamagent on a client machine and now report should pass.

Interesting enough – this ‘feature’ exists since v.1 of MBAM and is still around!

MS has a KB about that http://support.microsoft.com/kb/2612822?wa=wsignin1.0