Windows 10 BitLocker Management Options

%3CLINGO-SUB%20id%3D%22lingo-sub-2118802%22%20slang%3D%22en-US%22%3EWindows%2010%20BitLocker%20Management%20Options%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2118802%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EIntroduction%20%3A%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EStarting%20in%20version%201910%2C%20use%20Configuration%20Manager%20to%20manage%20BitLocker%20Drive%20Encryption%20(BDE)%20for%20on-premises%20Windows%20clients%2C%20which%20are%20joined%20to%20Active%20Directory.%20It%20provides%20full%20BitLocker%20lifecycle%20management%20that%20can%20replace%20the%20use%20of%20Microsoft%20BitLocker%20Administration%20and%20Monitoring%20(MBAM).%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EConfiguration%20Manager%20doesn't%20enable%20this%20optional%20feature%20by%20default.%20You%20must%20enable%20this%20feature%20before%20using%20it.%3C%2FLI%3E%3CLI%3EConfiguration%20Manager%20provides%20the%20following%20management%20capabilities%20for%20BitLocker%20Drive%20Encryption%3A%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%E2%80%A2Deploy%20the%20BitLocker%20client%20to%20managed%20Windows%20devices%20running%20Windows%2010%20or%20Windows%208.1%3C%2FP%3E%3CP%3E%E2%80%A2Manage%20BitLocker%20policies%20and%20escrow%20recovery%20keys%20for%20on-premises%20and%20Internet-based%20clients%20(Internet-based%20clients%20requires%20version%202010)%3C%2FP%3E%3CP%3E%E2%80%A2Compliance%20reports%3C%2FP%3E%3CP%3E%E2%80%A2Administration%20and%20Monitoring%20web%20site%3A%20allows%20other%20roles%20in%20your%20organization%20(for%20example%20Help%20Desk)%20outside%20of%20the%20Configuration%20Manager%20console%20to%20help%20with%20key%20recovery%2C%20including%20key%20rotation%20and%20other%20BitLocker-related%20support%3C%2FP%3E%3CP%3E%E2%80%A2User%20self-service%20portal%3A%20lets%20users%20help%20themselves%20with%20a%20single-use%20key%20for%20unlocking%20a%20BitLocker%20encrypted%20device.%20Once%20this%20key%20is%20used%2C%20it%20generates%20a%20new%20key%20for%20the%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EBasic%20requirements%20%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThe%20general%20requirements%20for%20Configuration%20Manager%20to%20manage%20BitLocker%20are%3A%3C%2FP%3E%3CP%3E%E2%80%A2Reporting%20Services%20Point%20(for%20reports)%3C%2FP%3E%3CP%3E%E2%80%A2HTTPS%20on%20the%20Management%20Point%20(for%20key%20recovery)%3C%2FP%3E%3CP%3E%E2%80%A2Self-service%20portal%20or%20the%20administration%20and%20monitoring%20website%20require%20an%20IIS%20server%2C%20this%20can%20be%20a%20site%20system%20or%20a%20dedicated%20server%3C%2FP%3E%3CP%3E%E2%80%A2BitLocker%20management%20isn't%20supported%20on%20virtual%20machines%20(VMs)%20or%20on%20server%20editions%3C%2FP%3E%3CP%3E%E2%80%A2Azure%20Active%20Directory%20(Azure%20AD)-joined%2C%20workgroup%20clients%2C%20or%20clients%20in%20untrusted%20domains%20aren't%20supported.%20BitLocker%20management%20in%20Configuration%20Manager%20only%20supports%20devices%20that%20are%20joined%20to%20on-premises%20Active%20Directory.%20Hybrid%20Azure%20AD-joined%20devices%20are%20also%20supported.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EBest%20practice%3A%20Encryption%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EEncrypt%20recovery%20data%20on%20the%20network%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3ERequired%20for%20recovery%20key%20escrow%3C%2FLI%3E%3CLI%3EUses%20https%20to%20the%20Management%20Point%3C%2FLI%3E%3CLI%3EDifferent%20procedures%20to%20enable%20this%20capability%20depending%20on%20the%20CM%20build%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EEncrypt%20recovery%20data%20in%20the%20database%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3ERequires%20a%20SQL%20Server%20certificate%20(the%20certificate%20must%20then%20be%20managed)%3C%2FLI%3E%3CLI%3EOption%20to%20encrypt%20only%20recovery%20data%20(recommended)%20vs%20the%20entire%20site%20database%20(may%20reduce%20performance%20by%2025%25)%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CEM%3E%3CSTRONG%3ERecovery%20keys%20are%20never%20deleted%20%E2%80%93%20allows%20recovery%20of%20data%20from%20a%20device%20that%20was%20stolen%20and%20later%20retrieved.%20Each%20encrypted%20volume%20adds%20up%20to%209%20KB%20to%20the%20site%20database.%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EBest%20practice%3A%20Deployment%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EBitLocker%20management%20in%20Configuration%20Manager%20includes%20the%20following%20components%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EBitLocker%20management%20agent%3A%20enabled%20when%20you%20create%20a%20policy%20and%20deploy%20it%20to%20a%20collection%3C%2FLI%3E%3CLI%3ERecovery%20service%3A%20The%20server%20component%20that%20receives%20BitLocker%20recovery%20data%20from%20clients%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EBefore%20deploying%20BitLocker%20management%20policies%2C%20enable%20network%20encryption%20(required)%20and%20data%20encryption%20(recommended).%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EAlso%2C%20make%20sure%20that%20the%20partitions%20on%20the%20clients%20are%20ready%20to%20support%20BitLocker%20(see%20slide%20%3C%2FSTRONG%3E%3CSTRONG%3EBest%20practice%3A%20General%20Deployment)%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ETo%20create%20a%20BitLocker%20management%20policy%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20Full%20Administrator%20role%20in%20Configuration%20Manager%20is%20needed%3C%2FLI%3E%3CLI%3EOperating%20System%20Drive%2C%20Fixed%20Drive%2C%20Removable%20Drive%2C%20and%20Client%20Management%20options%20are%20available%3C%2FLI%3E%3CLI%3EWhen%20you%20create%20more%20than%20one%20policy%2C%20you%20can%20configure%20their%20relative%20priority.%20If%20you%20deploy%20multiple%20policies%20to%20a%20client%2C%20it%20uses%20the%20priority%20value%20to%20determine%20its%20settings.%20Starting%20in%20version%202006%2C%20you%20can%20also%20use%20Windows%20PowerShell%20cmdlets%20for%20this%20task.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EMonitoring%20BitLocker%20deployment%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EBasic%20compliance%20statistics%20about%20the%20policy%20deployment%20are%20shown%20in%20the%20details%20pane%20of%20the%20BitLocker%20Management%20node%3A%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%E2%80%A2Compliance%20count%3C%2FP%3E%3CP%3E%E2%80%A2Failure%20count%3C%2FP%3E%3CP%3E%E2%80%A2Non-compliance%20count%3C%2FP%3E%3CUL%3E%3CLI%3ETo%20understand%20why%20clients%20are%20reporting%20not%20compliant%20with%20the%20BitLocker%20management%20policy%2C%20non-compliance%20codes%20are%20used%3C%2FLI%3E%3CLI%3EDedicated%20client%20logs%20can%20also%20be%20retrieved%20for%20additional%20troubleshooting%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EGroup%20Policy%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EIt%20is%20recommended%20to%20not%20use%20any%20BitLocker%20Group%20Policy%20settings%20along%20with%20Configuration%20Manager%2C%20as%20the%20GPOs%20will%20override%20the%20CM%20settings%20and%20result%20in%20unpredictable%20behavior%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3ERe-encryption%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EIf%20a%20drive%20is%20already%20encrypted%20with%20BitLocker%2C%20the%20CM%20agent%20will%20%3CI%3Enot%3C%2FI%3E%20re-encrypt%20the%20drive%2C%20but%20will%20evaluate%20the%20CM%20policy%20against%20the%20current%20settings%20%E2%80%93%20if%20these%20don%E2%80%99t%20match%20(for%20example%20because%20of%20different%20encryption%20algorithms)%2C%20CM%20will%20report%20the%20device%20as%20non-compliant%20(but%20the%20device%20is%20still%20protected)%3C%2FLI%3E%3CLI%3ETo%20work%20around%20this%20issue%2C%20it%20is%20necessary%20to%20decrypt%20the%20volumes%20first%2C%20then%20re-encrypt%20them%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3ETPM%20password%20hash%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EWindows%2010%20does%20not%20save%20the%20TPM%20password%20%E2%80%93%20this%20applied%20to%20previous%20versions%20of%20Windows%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3ECo-management%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20Configuration%20Manager%20client%20handler%20for%20BitLocker%20is%20co-management%20aware.%20If%20the%20device%20is%20co-managed%2C%20and%20you%20switch%20the%20Endpoint%20Protection%20workload%20to%20Intune%2C%20then%20the%20Configuration%20Manager%20client%20ignores%20its%20BitLocker%20policy.%20The%20device%20gets%20Windows%20encryption%20policy%20from%20Intune%3C%2FLI%3E%3CLI%3ESwitching%20encryption%20management%20authorities%20while%20maintaining%20the%20desired%20encryption%20algorithm%20doesn't%20require%20any%20additional%20actions%20on%20the%20client.%20However%2C%20if%20you%20switch%20encryption%20management%20authorities%20and%20the%20desired%20encryption%20algorithm%20also%20changes%2C%20you%20will%20need%20to%20plan%20for%20re-encryption.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EBest%20practice%3A%20BitLocker%20portals%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20BitLocker%20CM%20portals%20must%20be%20installed%20separately%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EUser%20self-service%20portal%3C%2FLI%3E%3CLI%3EAdministration%20and%20monitoring%20portal%20(for%20help%20desk%20and%20admins)%3C%2FLI%3E%3CLI%3EStarting%20in%20version%202006%2C%20you%20can%20install%20the%20BitLocker%20self-service%20portal%20and%20the%20administration%20and%20monitoring%20website%20at%20the%20central%20administration%20site.%20In%20version%202002%20and%20earlier%2C%20only%20install%20the%20self-service%20portal%20and%20the%20administration%20and%20monitoring%20website%20with%20a%20primary%20site%20database.%20In%20a%20hierarchy%2C%20install%20these%20websites%20for%20each%20primary%20site%3C%2FLI%3E%3CLI%3EHTTPS%20for%20these%20portals%20is%20not%20mandatory%2C%20but%20highly%20recommended%3C%2FLI%3E%3CLI%3EYou%20can%20install%20the%20portals%20on%20an%20existing%20site%20server%20or%20site%20system%20server%20with%20IIS%20installed%2C%20or%20use%20a%20standalone%20web%20server%20to%20host%20them.%20Their%20usage%20is%20typically%20low%2C%20so%20the%20additional%20load%20they%20generate%20is%20negligible%2C%20so%20there%20is%20typically%20no%20need%20to%20use%20a%20dedicated%20web%20server%2C%20unless%20this%20is%20to%20honor%20network%20segmentation%20policies%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3EPortal%20customizations%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CUL%3E%3CLI%3EThe%20self-service%20portal%20can%20be%20customized%20with%20a%20custom%20notice%2C%20your%20organization%20name%2C%20and%20other%20organization-specific%20information%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSTRONG%3ERoadmap%3A%20On-prem%20management%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EBitLocker%20Management%20%2B%20CAS%2FHierarchy%20support%20%3CSTRONG%3E(2006%20release)%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3EBitLocker%20Management%20support%20over%20CMG%20%3CSTRONG%3E(2010%20release)%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3EListing%20on-prem%20stored%20BitLocker%20recovery%20key%20for%20ConfigMgr%20tenant%20attach%20in%20the%20Microsoft%20Endpoint%20Management%20cloud%20console%20%3CSTRONG%3E(CY%202021)%3C%2FSTRONG%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2118802%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ebitlocker%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMDM%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20%26amp%3B%20Compliance%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Introduction : 

Starting in version 1910, use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM).

  • Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it.
  • Configuration Manager provides the following management capabilities for BitLocker Drive Encryption:

•Deploy the BitLocker client to managed Windows devices running Windows 10 or Windows 8.1

•Manage BitLocker policies and escrow recovery keys for on-premises and Internet-based clients (Internet-based clients requires version 2010)

•Compliance reports

•Administration and Monitoring web site: allows other roles in your organization (for example Help Desk) outside of the Configuration Manager console to help with key recovery, including key rotation and other BitLocker-related support

•User self-service portal: lets users help themselves with a single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device

 

Basic requirements :

The general requirements for Configuration Manager to manage BitLocker are:

•Reporting Services Point (for reports)

•HTTPS on the Management Point (for key recovery)

•Self-service portal or the administration and monitoring website require an IIS server, this can be a site system or a dedicated server

•BitLocker management isn't supported on virtual machines (VMs) or on server editions

•Azure Active Directory (Azure AD)-joined, workgroup clients, or clients in untrusted domains aren't supported. BitLocker management in Configuration Manager only supports devices that are joined to on-premises Active Directory. Hybrid Azure AD-joined devices are also supported.

 

Best practice: Encryption:

Encrypt recovery data on the network:

  • Required for recovery key escrow
  • Uses https to the Management Point
  • Different procedures to enable this capability depending on the CM build

Encrypt recovery data in the database:

  • Requires a SQL Server certificate (the certificate must then be managed)
  • Option to encrypt only recovery data (recommended) vs the entire site database (may reduce performance by 25%)

Recovery keys are never deleted – allows recovery of data from a device that was stolen and later retrieved. Each encrypted volume adds up to 9 KB to the site database.

 

Best practice: Deployment

BitLocker management in Configuration Manager includes the following components:

  • BitLocker management agent: enabled when you create a policy and deploy it to a collection
  • Recovery service: The server component that receives BitLocker recovery data from clients

Before deploying BitLocker management policies, enable network encryption (required) and data encryption (recommended).

Also, make sure that the partitions on the clients are ready to support BitLocker (see slide Best practice: General Deployment)

To create a BitLocker management policy:

  • The Full Administrator role in Configuration Manager is needed
  • Operating System Drive, Fixed Drive, Removable Drive, and Client Management options are available
  • When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a client, it uses the priority value to determine its settings. Starting in version 2006, you can also use Windows PowerShell cmdlets for this task.

Monitoring BitLocker deployment:

  • Basic compliance statistics about the policy deployment are shown in the details pane of the BitLocker Management node:

•Compliance count

•Failure count

•Non-compliance count

  • To understand why clients are reporting not compliant with the BitLocker management policy, non-compliance codes are used
  • Dedicated client logs can also be retrieved for additional troubleshooting

Group Policy:

  • It is recommended to not use any BitLocker Group Policy settings along with Configuration Manager, as the GPOs will override the CM settings and result in unpredictable behavior

Re-encryption

  • If a drive is already encrypted with BitLocker, the CM agent will not re-encrypt the drive, but will evaluate the CM policy against the current settings – if these don’t match (for example because of different encryption algorithms), CM will report the device as non-compliant (but the device is still protected)
  • To work around this issue, it is necessary to decrypt the volumes first, then re-encrypt them

TPM password hash:

  • Windows 10 does not save the TPM password – this applied to previous versions of Windows

Co-management:

  • The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy. The device gets Windows encryption policy from Intune
  • Switching encryption management authorities while maintaining the desired encryption algorithm doesn't require any additional actions on the client. However, if you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption.

Best practice: BitLocker portals

 

The BitLocker CM portals must be installed separately:

  • User self-service portal
  • Administration and monitoring portal (for help desk and admins)
  • Starting in version 2006, you can install the BitLocker self-service portal and the administration and monitoring website at the central administration site. In version 2002 and earlier, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site
  • HTTPS for these portals is not mandatory, but highly recommended
  • You can install the portals on an existing site server or site system server with IIS installed, or use a standalone web server to host them. Their usage is typically low, so the additional load they generate is negligible, so there is typically no need to use a dedicated web server, unless this is to honor network segmentation policies

Portal customizations:

  • The self-service portal can be customized with a custom notice, your organization name, and other organization-specific information

Roadmap: On-prem management

 

  • BitLocker Management + CAS/Hierarchy support (2006 release)
  • BitLocker Management support over CMG (2010 release)
  • Listing on-prem stored BitLocker recovery key for ConfigMgr tenant attach in the Microsoft Endpoint Management cloud console (CY 2021)

 

 

0 Replies