How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”

Introduction

Microsoft introduced on-premises BitLocker management using System Center Configuration Manager in SCCM Technical Preview version 1905. When enabling these MBAM capabilities in SCCM, you may notice the following error in BitlockerManagement_GroupPolicyHandler.log:

Unable to find suitable Recovery Service MP. Marking policy non-compliant

This occurs (after enabling the MBAM capabilities) when the client attempts to communicate with the Management Point while both the client and the MP are in HTTP mode.

The fix?

Convert your Management Point server and client to use HTTPS communication (PKI). You can achieve that with the following guides:

  • Set up a 2-tier PKI infrastructure by following this set of blog posts.
  • Convert SCCM from HTTP to HTTPS by doing this.

Once done, you’ll see the following line in the BitlockerManagement_GroupPolicyHandler.log file. The version number will change based on the SCCM Server version.

Found current management point, CM01.windowsnoob.lab.local (version 8827)
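Because the earlier error lines stay in the log after the switch to HTTPS, what matters is which of the two messages is the most recent. The following is an added example, not code from the original post: the function name `Get-RecoveryServiceMpStatus` is hypothetical, it assumes the log uses the standard CMTrace line layout and sits in the default client log folder, and the sample lines (timestamps, component, thread) are constructed.

```powershell
# Added example, not from the original post. Reports the most recent
# Recovery Service MP result found in CMTrace-format log lines.
function Get-RecoveryServiceMpStatus {
    param([string[]]$Line)

    # Assumed CMTrace layout: <![LOG[message]LOG]!><time="H:m:s.fff+offset" date="M-d-yyyy" ...>
    # Milliseconds and the UTC offset are ignored; second resolution is enough here.
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{1,2}:\d{1,2}:\d{1,2})[^"]*" date="(?<date>\d{1,2}-\d{1,2}-\d{4})"'
    $found = 'Found current management point, (?<mp>\S+) \(version (?<ver>\d+)\)'
    $last  = $null

    foreach ($l in $Line) {
        if (-not ($l -match $entry)) { continue }   # skip blank or non-CMTrace lines
        $msg  = $Matches['msg']
        $when = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])", 'M-d-yyyy H:m:s', [cultureinfo]::InvariantCulture)

        # Matches both the "Marking" and the "Forcing" wording quoted on this page.
        if ($msg -match 'Unable to find suitable Recovery Service MP') {
            $hit = [pscustomobject]@{ State = 'NoRecoveryServiceMP'; ManagementPoint = $null; Version = $null; Time = $when }
        } elseif ($msg -match $found) {
            $hit = [pscustomobject]@{ State = 'Found'; ManagementPoint = $Matches['mp']; Version = $Matches['ver']; Time = $when }
        } else { continue }

        # Old failures remain in the log after the HTTPS change, so keep only the newest entry.
        if ($null -eq $last -or $hit.Time -ge $last.Time) { $last = $hit }
    }
    $last
}

# Constructed sample: a failure logged in HTTP mode, then a success after the conversion.
$sample = @(
    '<![LOG[Unable to find suitable Recovery Service MP. Marking policy non-compliant]LOG]!><time="09:12:44.101-120" date="09-18-2019" component="BitlockerManagement_GroupPolicyHandler" context="" type="3" thread="4242" file="">'
    '<![LOG[Found current management point, CM01.windowsnoob.lab.local (version 8827)]LOG]!><time="14:03:10.555-120" date="09-18-2019" component="BitlockerManagement_GroupPolicyHandler" context="" type="1" thread="4242" file="">'
)
Get-RecoveryServiceMpStatus -Line $sample   # State = Found, ManagementPoint = CM01.windowsnoob.lab.local

# On a client (assumed default log folder):
# Get-RecoveryServiceMpStatus -Line (Get-Content "$env:windir\CCM\Logs\BitlockerManagement_GroupPolicyHandler.log")
```

A `State` of `NoRecoveryServiceMP` on the newest entry means the client has not yet found an MP it can use for the recovery service since the change.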

 


9 Responses to How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”

  7. lensterman says:

    I have set up Bitlocker using CM 1910 using the guides provided. I have noticed in BitlockerManagementHandler.log on my devices the message below is showing as mentioned in this article:

    Unable to find suitable Recovery Service MP. Forcing policy non-compliant

    HTTPS has been set up on the MP and the client is showing as PKI in the CM agent/applet and the client has registered OK and shows no errors in the ClientIDManagerStartup.log. The client version is 5.00.8913.102.

    Is there anything else that could be causing this error?

  8. lensterman says:

    Thank you for the reply.
    There are no errors in \Monitoring\Overview\System Status\Site Status\Management Point and there are also no MBAM related errors in the MPControl.log.
    If there is anywhere else that I should look in, please let me know.
    The MP is running on the primary site server (no SCCM client installed); the client version matches the version that is displayed in the Client Upgrade tab in hierarchy settings.
