(BitLocker) MBAM Will Not Prompt For PIN on Windows 10 1511



Since updating my SCCM TS to Windows v1511 I have spent hours pulling my hair out trying to get MBAM to prompt the user for a PIN, to no avail. All my previous Windows 10 (pre-1511) builds worked fine, so I was trying to figure out what had changed.

I checked my registry to ensure Group Policy was applying my MBAM / BitLocker settings, which it was. I decided to check within Group Policy to be sure and found this setting:



This setting is specific to Windows 10 v1511 (it will appear after you update the ADMX files for Windows 10 1511):

https://www.microsoft.com/en-us/download/details.aspx?id=48257&WT.mc_id=rss_alldownloads_all



Although the setting states the following:



“This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).

If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script.”

MbamClientUi.exe would not run at all; even when started manually it would open within Task Manager and then disappear.




When you set the new 1511 Group Policy you will see:



Once these values appear you can either wait, or set ClientWakeupFrequency=1 (DWORD) and then restart the BitLocker Management Client Service. Once done, you should shortly see the prompt appear! (Or run it manually from the ProgramFiles\Microsoft\MBAM folder.)
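
The check and the wake-up change described above, as a PowerShell script added here as an example (it is not from the original post). The registry paths under HKLM\SOFTWARE\Policies\Microsoft\FVE, the EncryptionMethodWithXts* value names and the MBAMAgent service name are assumptions based on a default MBAM 2.5 client; only ClientWakeupFrequency is named in the post.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths, XTS value names and the service name are assumptions
# (default MBAM 2.5 client layout); verify them on your own build first.
$fvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbamPolicy = Join-Path $fvePolicy 'MDOPBitLockerManagement'
$xtsValues  = 'EncryptionMethodWithXtsOs',
              'EncryptionMethodWithXtsFdv',
              'EncryptionMethodWithXtsRdv'
# Cipher codes used by the BitLocker policy values
$cipher = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }

# 1. Confirm the Windows 10 1511 encryption-method policy has reached the client.
$fve     = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
$missing = $xtsValues | Where-Object { $null -eq $fve.$_ }
if ($missing) {
    Write-Warning ("1511 policy values not present: {0}. Update the ADMX files, " +
                   "enable the 1511 setting, run 'gpupdate /force' and re-check.") -f ($missing -join ', ')
    return
}
foreach ($name in $xtsValues) {
    $code = [int]$fve.$name
    '{0,-28} = {1} ({2})' -f $name, $code, $cipher[$code]
}

# 2. Shorten the MBAM agent wake-up interval and restart the agent so the
#    PIN prompt appears without waiting for the normal cycle.
if (-not (Test-Path $mbamPolicy)) {
    Write-Warning "MBAM policy key not found at $mbamPolicy; is the MBAM GPO applied?"
    return
}
$previous = (Get-ItemProperty -Path $mbamPolicy -Name ClientWakeupFrequency `
                              -ErrorAction SilentlyContinue).ClientWakeupFrequency
Set-ItemProperty -Path $mbamPolicy -Name ClientWakeupFrequency -Value 1 -Type DWord
Restart-Service -Name MBAMAgent
"ClientWakeupFrequency changed from '$previous' to 1; MBAMAgent restarted."
```

ClientWakeupFrequency sits under the Policies key, so the next Group Policy refresh puts the configured interval back.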


For further info on BitLocker/MBAM steps in your task sequence, see my previous posts.