
Dear Team, it is great to see the progression of the SCCM and MBAM integration. We have piloted Co-Management and came across an issue. If we move the workloads in relation to Antivirus this also moves MBAM. This wouldn't be an issue except that we are required by various laws to make all efforts to secure our systems according to the standards set out. Here the standard is set by Microsoft for systems that are lost that contain sensitive information:

We are aware you can use tenant attach for this but then you can't apply antivirus policies. This in turn means we can't apply Tamper protection. Otherwise we can't see a way to meet these requirements short of using a 3rd party or writing our own MBAM service. So with co-management enabled is it possible to disable the MBAM portion of the workload or in Intune provide a way to enter the PIN in user-mode like MBAM currently does? Thank you again for your efforts and I hope you can help us find a solution for this scenario.

Whilst deploying MBAM as part of a Windows 10 OSD Task Sequence in SCCM CB, the "MbamClientDeployment.ps1" task was failing and I was getting the error message shown below in the client "smsts.log" file:

HRESULT: 0x803d0006

After a period of frustration, emotion and profuse swearing I ended up digging a bit deeper to see what was happening under the hood when trying to connect to the URL of the MBAM Recovery and Hardware Service (i.e.

I logged into one of the failed clients, opened Internet Explorer and attempted to connect to the URL for the MBAM Core Service manually – this took 42 feckin seconds! Obviously this is far too slow for the connection made by the PowerShell script to succeed, so the next question was why it was taking so long.

To find out, I installed a tool called Fiddler (sounds dodgy but it's a lightweight freeware tool for monitoring web connections – far simpler to implement and use when compared to WireShark or Microsoft Message Analyzer) on a client and once again accessed the URL via Internet Explorer to see what connection attempts the client was making while trying to reach the MBAM service. It turned out that calls were being made to Windows Update URLs and various "" URLs. Basically the clients were trying to download the latest root-level Certificate Revocation Lists/Certificates from Microsoft's servers over the internet. Because firewalls blocked the clients' internet access, those requests eventually timed out, which pushed the response time for the MBAM service connection over the allowed limit. This is what caused the timeout when MbamClientDeployment.ps1 ran.
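The following PowerShell script is an added diagnostic, not code from the original post or from MBAM: it times the service call the post measured by hand in Internet Explorer, then pulls the service certificate, builds its chain without any network revocation check, and times each CRL Distribution Point in that chain so a blocked fetch shows up directly. The service URL and the 30-second budget are placeholders you should replace with your own values.

```powershell
# Added diagnostic, not from the original post. $ServiceUrl is a placeholder for
# your own MBAM Core Service URL; $BudgetSeconds is a constructed threshold.
param(
    [string]$ServiceUrl = 'https://MBAM-SERVER.example.local/MBAMRecoveryAndHardwareService/CoreService.svc',
    [int]$BudgetSeconds = 30
)

function Measure-Url($Url, $TimeoutSec) {
    # Returns elapsed seconds and status (HTTP code or error text) for one GET.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $status = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec).StatusCode }
    catch { $status = "ERROR: $($_.Exception.Message)" }
    $sw.Stop()
    [pscustomobject]@{ Url = $Url; Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1); Status = $status }
}

# 1. Time the service call itself, the check the post did by hand in Internet Explorer.
$svc = Measure-Url $ServiceUrl 120
$svc
if ($svc.Seconds -gt $BudgetSeconds) {
    Write-Warning "Service took $($svc.Seconds)s (> $BudgetSeconds s); suspect blocked CRL/root-update traffic."
}

# 2. Fetch the server certificate (validation is skipped only here, because we just
#    want to read it) and build its chain with RevocationMode=NoCheck so the build
#    itself performs no CRL download.
$uri  = [System.Uri]$ServiceUrl
$tcp  = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
          ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($uri.Host)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($leaf)

# 3. Collect every CRL Distribution Point (OID 2.5.29.31) across the chain and time each.
#    A slow or failing fetch here is exactly what pushed the MBAM call past its limit.
$crlUrls = foreach ($el in $chain.ChainElements) {
    $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { [regex]::Matches($cdp.Format($false), 'https?://[^\s,;)]+') | ForEach-Object { $_.Value } }
}
$crlUrls | Sort-Object -Unique | ForEach-Object { Measure-Url $_ 15 }
```

Save it as a .ps1 and run it on a failing client; any CRL URL reported as ERROR after a long wait is a candidate for a firewall allow-rule or an internal CRL mirror.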
