Feb 09 2021 01:18 AM
Starting in version 1910, you can use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients that are joined to Active Directory. It provides full BitLocker lifecycle management and can replace Microsoft BitLocker Administration and Monitoring (MBAM).
•Deploy the BitLocker client to managed Windows devices running Windows 10 or Windows 8.1
•Manage BitLocker policies and escrow recovery keys for on-premises and Internet-based clients (Internet-based clients require version 2010)
•Administration and Monitoring website: allows other roles in your organization (for example, Help Desk) to help with key recovery outside of the Configuration Manager console, including key rotation and other BitLocker-related support
•User self-service portal: lets users help themselves with a single-use key for unlocking a BitLocker-encrypted device. Once this key is used, the device generates a new recovery key, so the disclosed key cannot be reused
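The single-use key behaviour in the last bullet comes down to rotating the volume's numerical recovery password protector in a safe order: create the replacement, escrow it, and only then retire the disclosed one. The PowerShell below is an added example that shows that sequence with the built-in BitLocker cmdlets; it is not Configuration Manager's own rotation code (a Configuration Manager-managed client escrows keys to the management point recovery service on its own). The function name Invoke-RecoveryPasswordRotation and the -BackupToAD switch, which uses Backup-BitLockerKeyProtector (AD DS escrow) as a stand-in for the Configuration Manager escrow, are assumptions of this illustration.

```powershell
# Added example, not Configuration Manager code. Rotates the numerical recovery
# password on a BitLocker volume in the order that keeps the volume recoverable:
# add the new protector, escrow it, then remove the old one. Run elevated.
function Invoke-RecoveryPasswordRotation {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Assumption for this illustration: escrow to AD DS. A Configuration
        # Manager-managed client escrows to the management point instead.
        [switch]$BackupToAD
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection is not on for $MountPoint (status: $($vol.ProtectionStatus)); refusing to rotate."
    }

    $old    = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    # 1. Add the replacement first so the volume never lacks a recovery protector.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds
    } | Select-Object -First 1
    if (-not $new) { throw "New recovery password protector was not created." }

    # 2. Escrow the new protector before the old one disappears.
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # 3. Retire the disclosed protector(s) only after the replacement is escrowed.
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # The 48-digit password itself is in $new.RecoveryPassword; it is a secret,
    # so it is deliberately not included in the returned summary.
    [pscustomobject]@{
        MountPoint          = $MountPoint
        RetiredProtectorIds = $oldIds
        NewProtectorId      = $new.KeyProtectorId
        EscrowedToAD        = [bool]$BackupToAD
    }
}

# Usage:
# Invoke-RecoveryPasswordRotation -MountPoint C: -BackupToAD
```

The ordering is the point: if the old protector were removed first and the escrow of the new one failed, the volume would have no recoverable protector in any store the Help Desk can reach.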
Basic requirements:
The general requirements for Configuration Manager to manage BitLocker are:
•Reporting Services Point (for reports)
•HTTPS on the Management Point (for key recovery)
•The self-service portal and the administration and monitoring website require an IIS server; this can be a site system or a dedicated server
•BitLocker management isn't supported on virtual machines (VMs) or on server editions
•Devices that are only Azure Active Directory (Azure AD)-joined, workgroup clients, and clients in untrusted domains aren't supported. BitLocker management in Configuration Manager only supports devices that are joined to on-premises Active Directory; hybrid Azure AD-joined devices (joined to on-premises Active Directory and also registered with Azure AD) are supported.
Best practice: Encryption
Encrypt recovery data on the network:
Encrypt recovery data in the database:
Recovery keys are never deleted, which allows recovery of data from a device that was stolen and later retrieved. Each encrypted volume adds up to 9 KB to the site database.
Best practice: Deployment
BitLocker management in Configuration Manager includes the following components:
Before deploying BitLocker management policies, enable encryption of recovery data on the network (required) and in the database (recommended).
Also, make sure that the partitions on the clients are ready to support BitLocker (see the slide Best practice: General Deployment).
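A client-side pre-flight check for the points above, as an added example (not Configuration Manager's own code): it uses only built-in cmdlets and CIM classes, and the function name Test-BitLockerReadiness and the virtual-machine detection heuristic on manufacturer/model strings are assumptions of this illustration. It checks the requirements the page lists (workstation edition, physical machine, on-premises AD join) plus the TPM and the separate system partition that BitLocker needs on the OS disk.

```powershell
# Added example, not Configuration Manager code. Pre-flight check of a client
# before a BitLocker management policy is targeted at it. Run elevated.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Page requirements: workstation OS, physical machine, joined to on-premises AD.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Check 'Workstation edition (server editions unsupported)' ($os.ProductType -eq 1) $os.Caption

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Heuristic (assumption): common hypervisor strings in manufacturer/model.
    $looksVirtual = ($cs.Model -match 'Virtual|VMware|KVM') -or ($cs.Manufacturer -match 'QEMU|Xen|innotek|Parallels')
    Add-Check 'Physical machine (VMs unsupported)' (-not $looksVirtual) "$($cs.Manufacturer) $($cs.Model)"
    Add-Check 'Joined to on-premises AD domain' ([bool]$cs.PartOfDomain) $cs.Domain

    # TPM must be present and ready for the TPM-based protectors a policy will use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        Add-Check 'TPM present and ready' ([bool]($tpm.TpmPresent -and $tpm.TpmReady)) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        Add-Check 'TPM present and ready' $false "Get-Tpm failed: $($_.Exception.Message)"
    }

    # Partition layout: BitLocker needs an unencrypted system partition separate from the OS volume.
    $osPart   = Get-Partition -DriveLetter $OsDrive.TrimEnd(':') -ErrorAction Stop
    $disk     = Get-Disk -Number $osPart.DiskNumber
    $sysPart  = Get-Partition -DiskNumber $osPart.DiskNumber | Where-Object { $_.IsSystem } | Select-Object -First 1
    $separate = [bool]($sysPart -and ($sysPart.PartitionNumber -ne $osPart.PartitionNumber))
    Add-Check 'Separate system partition on OS disk' $separate "Disk $($osPart.DiskNumber) $($disk.PartitionStyle); OS partition #$($osPart.PartitionNumber); system partition #$($sysPart.PartitionNumber)"

    # Current state of the OS volume: a conversion in progress should finish before a policy changes settings.
    $bl = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
    $notConverting = $bl.VolumeStatus -in @('FullyDecrypted', 'FullyEncrypted')
    Add-Check 'OS volume not mid-conversion' $notConverting "VolumeStatus=$($bl.VolumeStatus) Protection=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod)"

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Ready    = -not ($checks | Where-Object { -not $_.Pass })
        Checks   = $checks
    }
}

$result = Test-BitLockerReadiness
$result.Checks | Format-Table -AutoSize
"Ready for BitLocker management policy: $($result.Ready)"
```

Run it as a Configuration Manager script or package before targeting the policy collection; devices that fail the partition or TPM checks would otherwise show up as non-compliant after deployment rather than before.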
To create a BitLocker management policy:
Monitoring BitLocker deployment:
TPM password hash:
Best practice: BitLocker portals
The BitLocker Configuration Manager portals must be installed separately:
Roadmap: On-prem management