How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”


Microsoft introduced on-premises BitLocker management using System Center Configuration Manager in SCCM Technical Preview version 1905. When enabling these MBAM capabilities in SCCM, you may notice the following error in the BitlockerManagement_GroupPolicyHandler.log.

Unable to find suitable Recovery Service MP. Marking policy non-compliant

As shown below:

This occurs (after enabling the MBAM capabilities) when the client attempts to communicate with the Management Point and when both client and MP are in HTTP mode.

The fix ?

Convert your Management Point server and client to use HTTPS communication (PKI), you can achieve that with the following guides.

  • Setup a 2 tier PKI infrastructure by adding PKI by following this set of blog posts
  • Convert SCCM from HTTP to HTTPS by doing this.

Once done, you’ll now see the following line in theĀ  BitlockerManagement_GroupPolicyHandler.log file. The version number will change based on the SCCM Server version.

Found current management point, CM01.windowsnoob.lab.local (version 8827)


This entry was posted in 1905, BitLocker, MBAM. Bookmark the permalink.

12 Responses to How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”

  1. Pingback: Configuration Manager technical preview version 1909 is released. | just another windows noob ?

  2. Pingback: How can you use the Self Service feature when MBAM is integrated within SCCM? | just another windows noob ?

  3. Pingback: How can you use the Help Desk feature when MBAM is integrated within SCCM | just another windows noob ?

  4. Pingback: How does Key Rotation work in MBAM integrated with SCCM ? | just another windows noob ?

  5. Pingback: A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager | just another windows noob ?

  6. Pingback: Want to learn about MBAM integrated with Microsoft Endpoint Manager Configuration Manager ? | just another windows noob ?

  7. lensterman says:

    I have set up Bitlocker using CM 1910 using the guides provided. I have noticed in BitlockerManagementHandler.log on my devices the message below is showing as mentioned in this article:

    Unable to find suitable Recovery Service MP. Forcing policy non-compliant

    HTTPs has been set up on the MP and the client is showing as PKI in the CM agent /applet and the client has registered OK and shows no errors in the ClientIDManagerStartup.log. The client version is 5.00.8913.102.

    Is there anything else that could be causing this error?

    • ncbrady says:

      did you verify that the MBAM application on the MP is running without error ? also, is the client version the same as the MP

  8. lensterman says:

    Thank you for the reply.
    There are no errors in \Monitoring\Overview\System Status\Site Status\Management Point and there are also no MBAM related errors in the MPControl.log.
    If there is anywhere else that I should look in, please let me know.
    The MP is running on the primary site server (No SCCM client installed), the client version matches the version that is displayed in the Client Upgrade tab in hierarchy settings.

  9. rejohnson says:

    With 2002, BL management should only require HTTPS on the website, but I can’t get it to work. We’re using hybrid HTTPS with CMG and that created a self-signed cert for the MP website. That cert doesn’t appear to work with BL management. I’m going to try a wildcard cert but I’m very much concerned that will break our CMG configuration and that won’t do with COVID-19 requiring a remote workforce.

  10. rejohnson says:

    Good news, I was able to bind a wildcard cert on the MP website. The client/CMG connection did fail temporarily per the locationservices.log but recovered after restarting ccmexec.

    Now to figure out how to get MBAM and Group Policy to match to get compliance to work!

    • mikcourtney says:

      How did your bitlocker management work through the CMG, it seems to want the primary MP (where the bitlocker components installed by default)

      We’re using an internal PKI cert (trusted by all clients) for a cert on the SCCM_MP_MBAM site although the MP is HTTP rather than HTTPS?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.