Hi Folks! I’m Naveen kanneganti and Welcome to my blogpost.
Configmgr has release BitLocker Drive Encryption (BDE) in v1910 for on-premises Windows clients running Windows 10 or Windows 8.1. This feature is optional so, you must enable this feature before using it. Enable co-management and benefit from cloud-based BitLocker management with Microsoft Intune is the best approach. However, there are scenario’s where cloud is not an option and require managing on-premises clients. configmgr gives this capability from V1910 and can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). This post is intended to give you guidance to implement Configmgr Bitlocker management, monitoring and troubleshooting.
Configmgr will provide the following BitLocker management capabilities:
Client deployment
- Bitlocker client deployment with seamless experience in configmgr console to manage devices running Windows 10 or Windows 8.1
Manage encryption policies
- Bitlocker Drive Encryption - Settings like drive encryption and cipher strength on Operating System Drives, Fixed Data Drives and Removable Data Drives.ConfigMgr 1910 only supports starting encryption on the OS drive. It does not support starting encryption on Fixed or Removable drives but support compliance reporting .ConfigMgr 2002 supports Encryption of Fixed and Removable drives.
- Client Management - settings like Bitlocker recovery information to be store and client checking status frequency
-
Compliance - Starting with ConfigMgr 2002 you can force users to get compliant with new security policies
- OS Drive Management - Settings like protector for OS drive, minimum PIN length
- Auto Unlock - When a user unlocks the OS drive specify whether to unlock only an OS drive or all attached drives.
- Setting PIN/Password -Customize your organization's security profile on a per device basis.
Compliance reports
Built-in reports, currently available are:
- Encryption status per volume or per device
- The primary user of the device
- Compliance status
- Reasons for non-compliance
Administration and monitoring website
- User admins outside of Configmgr console able to help with key recovery including key rotation and other BitLocker-related support
User self-service portal
- Users able to get single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device.
Deploy and Use Bitlocker
Configmgr 1910 introduce Bitlocker management to manage manage BitLocker Drive Encryption (BDE) for configmgr managed devices.
Prerequisites
- Administrator users require full administrator Role in configmgr to create Bitlocker management policies
- for configmgr 1910 ,Https-enabled management Point is required to integrate Bitlocker recovery service
Note: if no HTTPS MP found, client will show “unable to find suitable recovery service MP” in bitlockermanagementhandler.log
- From ConfigMgr 2002 , https Management point is not mandatory to work. however, just HTTPS-enable IIS website on the management point that hosts the recovery service is required
- Client computers need to join on-premises Active directory
- Reporting services point is required to use reports
- IIS server is required to use self-service portal
For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management
Following is the step by step procedure to enable Bitlocker on configmgr Managed Devices
Bitlocker Management Control Policy
- Open the SCCM console
- Go to Assets and Compliance\Overview\Endpoint Protection\BitLocker Management
- Right-click BitLocker Management and click Create Bitlocker Management Control Policy
- Give the name
- Select Client Management and Operating System Drive and then click Next
- On the Setup page select desired options as shown below
- Example
- Choose a drive encryption and cipher strength (windows 10): Enabled
- Operating System Drives: XTS-AES 256-bit
- Fixed Data Drives: XTS-AES 256-bit
- Removable Data Drives: XTS-AES 256-bit
- Example
- On Client Management page, select desired options as shown below and click Next
- Example:
- Configure Bitlocker Management Services: Enabled
- Select bitlocker recovery information: Recovery password and key package
- Check the box Allow recovery information to be stored in plain text
- Note: if no Bitlocker management encryption certificate, you can’t continue to next tab without check box “Allow recovery information to be stored in plain text". if you consider encrypting key recovery information in site database at later stage you can do so follow the article https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data to encrypt key recovery info in database
- Enter client checking status frequency in (minutes): 90
- Example:
- On Operating System Drive page, select desired options as shown below and click Next
- Example:
- Operating System Drive Encryption Settings: Enabled
- Allow Bitlocker without a compatible TPM (requires a password): Allow
- Select protector for operation system drive: TPM only
- Configure minimum PIN length for startup: 4
- Example:
- On the Summary Page, review your choices and click Next
- On the Completion Page, close the wizard.
Deploy Bitlocker Management Control Policy
- Right click on created PS0 Bitlocker Management Policy and click Deploy
- Select desired collection and simple schedule
- Click ok
Monitoring
- Monitor the progress at <install location>\Logs\mpcontrol.log. When completed you’ll have the following lines in the log
Successfully ran 'C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy RemoteSigned -File "C:\Program Files\Microsoft Configuration Manager\bin\x64\mbamrecoveryserviceinstaller.ps1"'. Exit code = 0.
HandleMPRegistryChanges(): EnableMBAM() succeeded.
- The following SMS_MP_MBAM service is created in IIS at Sites\Default Web Site\SMS_MP_MBAM
Client
- When the Bitlocker Management Control Policy is deployed successfully, you will see MDOP MABM program installed at Control Panel\Programs\Programs and Features
- Reg keys are created as shown below at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
- The following 2 log files are created at c:\windows\ccm\logs
- BitlockerManagement_GroupPolicyHandler.log
- BitlockerManagementHandler.log
- Check if the client can find Management from BitlockerManagementHandler.log
Bitlocker Encryption on clients
Use Case 1:
When a BitLocker Management policy is deployed to configmgr managed device, a wizard will pop on the device prompting the user to start the bitlocker encryption. This is the recommend and primary method to use. you can also enable BitLocker via Task Sequences or “manually” via manage-bde/scripts.
On a new computer you may run these commands manually or using task sequence during OSD or other methods to enable Bitlocker drive encryption and escrow keys to configmgr. Here is some guidance to help with commands, monitor and troubleshooting
- Run Powershell command gwmi -class mbam_volume -Namespace root\microsoft\mbam. search for Compliant and ReasonsForNoncompliance
- Note: the codes shown at ReasonsForNoncompliance gives the reasons for non-compliant state which helps during troubleshooting
-
- In this case:
- Compliant :0 [ non-Compliant]
- ReasonsForNoncompliance: {1,16,3} [ For codes information, please see https://docs.microsoft.com/en-us/configmgr/protect/tech-ref/bitlocker/non-compliance-codes ]
- In this case:
- Run Powershell command Manage-bde -status and check results as shown below
- In this case:
- Fully decrypted
- In this case:
- In this scenario, Run Powershell command Manage-bde -on c: and restart computer to begin encryption of C drive by Bitlocker Drive Encryption (BDE)
- Note: once the client receives the policy, Microsoft Bitlocker Administration and Monitoring wizard should popup on the clients (MBAM wizard may not appear for RDP/Hyper V).
this is the primary or recommended method to start the bitlocker encryption
- Run Powershell command Manage-bde -status to check the status of bitlocker drive encryption (BDE)
- Run Powershell command gwmi -class mbam_volume -Namespace root\microsoft\mbam. search for Compliant and ReasonsForNoncompliance
- Note: the codes shown at ReasonsForNoncompliance gives the reasons for non-compliant state which helps during troubleshooting
- In this case:
- Compliant: 1 [ Compliant]
- ReasonsForNoncompliance: {} [ it will display codes i.e. {1,16,3}. for codes information, please see https://docs.microsoft.com/en-us/configmgr/protect/tech-ref/bitlocker/non-compliance-codes ]
- You can also search Deployed Bitlocker Management Control Policy in configuration manager applet located at Control Panel\System and Security for Compliant state
- Check Event Viewer logs in Applications and Services Logs\Microsoft\Windows\MBAM\ for events
Use Case 2:
You may have configmgr managed devices already encrypted and escrowed to active directory. We can deploy configmgr policy and escrow keys to configmgr database. Here is some guidance to help deploy monitor and troubleshoot
- Computer already encrypted and keys are backed with AD as shown below
- You can check if recovery backup to active directory is enabled from registry HKLM\Software\Policies\Microsoft\FVE as shown below
- Add computer to Bitlocker Management Policy deployed collection. refer client section to monitor policy deployment. You can monitor policy escrowed to configmgr on client from Applications and Services Logs\Microsoft\Windows\MBAM\Operational in event Viewer.
Install and configure BitLocker portals
Prerequisites
- IIS server is required to use self-service portal
- Microsoft ASP.NET MVC 4.0 is required to install on same IIS server hosting self-service portal
- Sysadmin rights on SQL is required for the account used to run scripts to install self-service portal
For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management
Note: in V1910 install Portals on Primary site. In a hierarchy having CAS, install portals on Primary sites
Install Portals
- Copy the files MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab from configmgr installation folder \cd.latest\SMSSETUP\BIN\X64
Note: in V190 these files are already available at configmgr installation folder \cd.latest\SMSSETUP\BIN\X64
- Run the PowerShell command from the folder having MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab files.
.\MBAMWebSiteInstaller.ps1 -SqlServerName cm01.contoso.com -SqlDatabaseName CM_PS0 -ReportWebServiceUrl http://CM01.contoso.com/ReportServer -HelpdeskUsersGroupName "contoso\PS0 CM BitLocker helpdesk users" -HelpdeskAdminsGroupName "contoso\PS0 CM BitLocker helpdesk admins" -MbamReportUsersGroupName "contoso\PS0 CM BitLocker report users" -SiteInstall Both
[For more information on script usage, please see https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites ]
- Access the self-service portal via URL https:// [webserver FQDN]/SelfService
Ex: https://cm01.contoso.com/selfservice/
- Access Administration and monitoring portal via URL https:// [webserver FQDN]/helpdesk
Ex: https://cm01.contoso.com/helpdesk/
- After installation of self-service portal, you can customize portal. Go to Sites>Default Web Site>SelfService node. In the details pane, ASP.NET group, click Application Settings.
- CompanyName = The organization name displays in self-service portal
- DisplayNotice = notice that the user has to acknowledge in self-service portal
- HelpdeskText = helpdesk contact info
- HelpdeskUrl = The link for the HelpdeskText string.
- NoticeTextPath = The text of the initial notice that the user requires to acknowledge. By default, the full file path on the web server is C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Notice.txt. Edit and save the file in a plain text editor.
Administration and monitoring Portal
- At Bitlocker recovery screen, note first 8 characters of recovery Key ID
Ex: CB3AB643
- Logon to Administration and monitoring website via URL https:// [webserver FQDN]/helpdesk. Give User Domain, User ID, first 8 characters of recovery Key ID (Ex: CB3AB643) and Reason for Drive Unlock. click Submit.
- Copy the Drive Recovery Key
- Give the recovery key from previous step then press enter
- Continue to Windows log in screen
Self-service portal
- At Bitlocker recovery screen, note first 8 characters of recovery Key ID
Ex: A5A530CC
- Log on to the self-service portal via URL https://[webserver FQDN ]/SelfService using User credentials of the computer from another device. Check the box “I have read and understand the above notice” and click continue
Ex: https://cm01.contoso.com/selfservice/
- Give the Recovery Key ID (ex: A5A530CC) and select a Reason from drop down menu. Click Get Key and then Copy the Bitlocker recovery key generated
- Give the recovery key from previous step then press enter
- Continue to Windows log in screen
Hope this step by step process and Monitoring helps in deployment and troubleshooting!
If you are looking to manage BitLocker from Azure please check URL : https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/bitlocker-intune-and-raven/ba-p/1048033
Best Regards
Naveen Kanneganti
Premier Field Engineer
Microsoft Services
Microsoft
