This article is contributed. See the original author and article here.

 


 


Hi Folks! I’m Naveen kanneganti and Welcome to my blogpost.


 


Configmgr has release BitLocker Drive Encryption (BDE) in v1910 for on-premises Windows clients running Windows 10 or Windows 8.1. This feature is optional so, you must enable this feature before using it. Enable co-management and benefit from cloud-based BitLocker management with Microsoft Intune is the best approach. However, there are scenario’s where cloud is not an option and require managing on-premises clients. configmgr gives this capability from V1910 and can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). This post is intended to give you guidance to implement Configmgr Bitlocker management, monitoring and troubleshooting.


 


Configmgr will provide the following BitLocker management capabilities:


 


Client deployment



  • Bitlocker client deployment with seamless experience in configmgr console to manage devices running Windows 10 or Windows 8.1


Manage encryption policies



  • Bitlocker Drive Encryption – Settings like drive encryption and cipher strength on Operating System Drives, Fixed Data Drives and Removable Data Drives.ConfigMgr 1910 only supports starting encryption on the OS drive. It does not support starting encryption on Fixed or Removable drives but support compliance reporting .ConfigMgr 2002 supports Encryption of Fixed and Removable drives.

  • Client Management – settings like Bitlocker recovery information to be store and client checking status frequency


  • Compliance – Starting with ConfigMgr 2002 you can force users to get compliant with new security policies



  • OS Drive Management – Settings like protector for OS drive, minimum PIN length

  • Auto Unlock – When a user unlocks the OS drive specify whether to unlock only an OS drive or all attached drives.

  • Setting PIN/Password -Customize your organization’s security profile on a per device basis.


Compliance reports


Built-in reports, currently available are:



  • Encryption status per volume or per device

  • The primary user of the device

  • Compliance status

  • Reasons for non-compliance


Administration and monitoring website



  • User admins outside of Configmgr console able to help with key recovery including key rotation and other BitLocker-related support


User self-service portal



  • Users able to get single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device.


 


Deploy and Use Bitlocker


Configmgr 1910 introduce Bitlocker management to manage manage BitLocker Drive Encryption (BDE) for configmgr managed devices.


 


Prerequisites



  • Administrator users require full administrator Role in configmgr to create Bitlocker management policies

  • for configmgr 1910 ,Https-enabled management Point is required to integrate Bitlocker recovery service


Note: if no HTTPS MP found, client will show “unable to find suitable recovery service MP” in bitlockermanagementhandler.log


Naveen_Kanneganti_0-1585926100333.png


 



  • From ConfigMgr 2002 , https Management point is not mandatory to work. however, just HTTPS-enable IIS website on the management point that hosts the recovery service is required

  • Client computers need to join on-premises Active directory

  • Reporting services point is required to use reports

  • IIS server is required to use self-service portal


For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management


 


Following is the step by step procedure to enable Bitlocker on configmgr Managed Devices


 


Bitlocker Management Control Policy



  • Open the SCCM console

  • Go to Assets and ComplianceOverviewEndpoint ProtectionBitLocker Management

  • Right-click BitLocker Management and click Create Bitlocker Management Control Policy

  • Give the name

  • Select Client Management and Operating System Drive and then click Next


Naveen_Kanneganti_1-1585926182399.png


 



  • On the Setup page select desired options as shown below

    • Example

      • Choose a drive encryption and cipher strength (windows 10): Enabled

      • Operating System Drives: XTS-AES 256-bit

      • Fixed Data Drives: XTS-AES 256-bit

      • Removable Data Drives: XTS-AES 256-bit






Naveen_Kanneganti_2-1585926182406.png


 



  • On Client Management page, select desired options as shown below and click Next

    • Example:

      • Configure Bitlocker Management Services: Enabled

      • Select bitlocker recovery information: Recovery password and key package

      • Check the box Allow recovery information to be stored in plain text


      • Enter client checking status frequency in (minutes): 90






Naveen_Kanneganti_3-1585926182475.png


 



  • On Operating System Drive page, select desired options as shown below and click Next

    • Example:

      • Operating System Drive Encryption Settings: Enabled

      • Allow Bitlocker without a compatible TPM (requires a password): Allow

      • Select protector for operation system drive: TPM only

      • Configure minimum PIN length for startup: 4






Naveen_Kanneganti_4-1585926182534.png


 



  • On the Summary Page, review your choices and click Next

  • On the Completion Page, close the wizard.


 


Deploy Bitlocker Management Control Policy



  • Right click on created PS0 Bitlocker Management Policy and click Deploy


Naveen_Kanneganti_5-1585926253509.png


 



  • Select desired collection and simple schedule

  • Click ok


Naveen_Kanneganti_6-1585926253533.png


 


 


Monitoring



  • Monitor the progress at <install location>Logsmpcontrol.log. When completed you’ll have the following lines in the log


Successfully ran ‘C:Windowssystem32WindowsPowerShellv1.0PowerShell.exe -ExecutionPolicy RemoteSigned -File “C:Program FilesMicrosoft Configuration Managerbinx64mbamrecoveryserviceinstaller.ps1″‘. Exit code = 0.


 


HandleMPRegistryChanges(): EnableMBAM() succeeded.


Naveen_Kanneganti_7-1585926253618.png


 



  • The following SMS_MP_MBAM service is created in IIS at SitesDefault Web SiteSMS_MP_MBAM


Naveen_Kanneganti_8-1585926253698.png


 


 


Client



  • When the Bitlocker Management Control Policy is deployed successfully, you will see MDOP MABM program installed at Control PanelProgramsPrograms and Features


Naveen_Kanneganti_10-1585926253789.png


 



  • Reg keys are created as shown below at ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVEMDOPBitLockerManagement


Naveen_Kanneganti_11-1585926253798.png


 



  • The following 2 log files are created at c:windowsccmlogs

  • BitlockerManagement_GroupPolicyHandler.log

  • BitlockerManagementHandler.log


Naveen_Kanneganti_12-1585926253801.png


 



  • Check if the client can find Management from BitlockerManagementHandler.log


Naveen_Kanneganti_13-1585926253806.png


 


 


Bitlocker Encryption on clients


 


Use Case 1:


When a BitLocker Management policy is deployed to configmgr managed device, a wizard will pop on the device prompting the user to start the bitlocker encryption. This is the recommend and primary method to use. you can also enable BitLocker via Task Sequences or “manually” via manage-bde/scripts.


 


On a new computer you may run these commands manually or using task sequence during OSD or other methods to enable Bitlocker drive encryption and escrow keys to configmgr. Here is some guidance to help with commands, monitor and troubleshooting



  • Run Powershell command gwmi -class mbam_volume -Namespace rootmicrosoftmbam. search for Compliant and ReasonsForNoncompliance

    • Note: the codes shown at ReasonsForNoncompliance gives the reasons for non-compliant state which helps during troubleshooting





 



  • Run Powershell command Manage-bde -status and check results as shown below

    • In this case:

      • Fully decrypted






Naveen_Kanneganti_14-1585926487480.png


 



  • In this scenario, Run Powershell command Manage-bde -on c: and restart computer to begin encryption of C drive by Bitlocker Drive Encryption (BDE)

  • Note: once the client receives the policy, Microsoft Bitlocker Administration and Monitoring wizard should popup on the clients (MBAM wizard may not appear for RDP/Hyper V). 

    this is the primary or recommended method to start the bitlocker encryption




Naveen_Kanneganti_15-1585926487528.png


 



  • Run Powershell command Manage-bde -status to check the status of bitlocker drive encryption (BDE)


Naveen_Kanneganti_16-1585926487556.png


 



  • Run Powershell command gwmi -class mbam_volume -Namespace rootmicrosoftmbam. search for Compliant and ReasonsForNoncompliance



Naveen_Kanneganti_17-1585926545176.png


 



  • You can also search Deployed Bitlocker Management Control Policy in configuration manager applet located at Control PanelSystem and Security for Compliant state


Naveen_Kanneganti_18-1585926545195.png


 



  • Check Event Viewer logs in Applications and Services LogsMicrosoftWindowsMBAM for events


Naveen_Kanneganti_19-1585926545279.png


 


 


Use Case 2:


You may have configmgr managed devices already encrypted and escrowed to active directory. We can deploy configmgr policy and escrow keys to configmgr database. Here is some guidance to help deploy monitor and troubleshoot



  • Computer already encrypted and keys are backed with AD as shown below


Naveen_Kanneganti_21-1585926637177.png


 



  • You can check if recovery backup to active directory is enabled from registry HKLMSoftwarePoliciesMicrosoftFVE as shown below


Naveen_Kanneganti_22-1585926637186.png


 



  • Add computer to Bitlocker Management Policy deployed collection. refer client section to monitor policy deployment. You can monitor policy escrowed to configmgr on client from Applications and Services LogsMicrosoftWindowsMBAMOperational in event Viewer.


Naveen_Kanneganti_23-1585926637319.png


 


 


Install and configure BitLocker portals


 


Prerequisites



  • IIS server is required to use self-service portal

  • Microsoft ASP.NET MVC 4.0 is required to install on same IIS server hosting self-service portal

  • Sysadmin rights on SQL is required for the account used to run scripts to install self-service portal


For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management


Note: in V1910 install Portals on Primary site. In a hierarchy having CAS, install portals on Primary sites


 


Install Portals



  • Copy the files MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab from configmgr installation folder cd.latestSMSSETUPBINX64


Note: in V190 these files are already available at configmgr installation folder cd.latestSMSSETUPBINX64


 


Naveen_Kanneganti_25-1585926685966.png


 



  • Run the PowerShell command from the folder having MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab files.


.MBAMWebSiteInstaller.ps1 -SqlServerName cm01.contoso.com -SqlDatabaseName CM_PS0 -ReportWebServiceUrl http://CM01.contoso.com/ReportServer -HelpdeskUsersGroupName “contosoPS0 CM BitLocker helpdesk users” -HelpdeskAdminsGroupName “contosoPS0 CM BitLocker helpdesk admins” -MbamReportUsersGroupName “contosoPS0 CM BitLocker report users” -SiteInstall Both


 


[For more information on script usage, please see https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites ]


Naveen_Kanneganti_26-1585926686000.png


 



  • Access the self-service portal via URL https:// [webserver FQDN]/SelfService


Ex: https://cm01.contoso.com/selfservice/


Naveen_Kanneganti_27-1585926686004.png


 


 



  • Access Administration and monitoring portal via URL https:// [webserver FQDN]/helpdesk


Ex: https://cm01.contoso.com/helpdesk/


Naveen_Kanneganti_28-1585926686016.png


 



  • After installation of self-service portal, you can customize portal. Go to Sites>Default Web Site>SelfService node. In the details pane, ASP.NET group, click Application Settings.

    • CompanyName = The organization name displays in self-service portal

    • DisplayNotice = notice that the user has to acknowledge in self-service portal

    • HelpdeskText = helpdesk contact info

    • HelpdeskUrl = The link for the HelpdeskText string.

    • NoticeTextPath = The text of the initial notice that the user requires to acknowledge. By default, the full file path on the web server is C:inetpubMicrosoft BitLocker Management SolutionSelf Service WebsiteNotice.txt. Edit and save the file in a plain text editor.




Naveen_Kanneganti_29-1585926686040.png


 


Administration and monitoring Portal



  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID


Ex: CB3AB643


Naveen_Kanneganti_30-1585926741503.png


 



  • Logon to Administration and monitoring website via URL https:// [webserver FQDN]/helpdesk. Give User Domain, User ID, first 8 characters of recovery Key ID (Ex: CB3AB643) and Reason for Drive Unlock. click Submit.


Naveen_Kanneganti_31-1585926741518.png


 



  • Copy the Drive Recovery Key


Naveen_Kanneganti_32-1585926741533.png


 



  • Give the recovery key from previous step then press enter


Naveen_Kanneganti_33-1585926741543.png


 



  • Continue to Windows log in screen


Naveen_Kanneganti_34-1585926741549.jpeg


 


Self-service portal



  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID


Ex: A5A530CC


Naveen_Kanneganti_35-1585926741557.png


 



  • Log on to the self-service portal via URL https://[webserver FQDN ]/SelfService using User credentials of the computer from another device. Check the box “I have read and understand the above notice” and click continue


Ex: https://cm01.contoso.com/selfservice/


Naveen_Kanneganti_36-1585926741561.png


 



  • Give the Recovery Key ID (ex: A5A530CC) and select a Reason from drop down menu. Click Get Key and then Copy the Bitlocker recovery key generated


Naveen_Kanneganti_37-1585926741574.png


 



  • Give the recovery key from previous step then press enter


Naveen_Kanneganti_38-1585926741585.png


 



  • Continue to Windows log in screen


Naveen_Kanneganti_39-1585926741591.jpeg


 


Hope this step by step process and Monitoring helps in deployment and troubleshooting!


If you are looking to manage BitLocker from Azure please check URL : https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/bitlocker-intune-and-raven/ba-p/1048033


 


Best Regards


Naveen Kanneganti
Premier Field Engineer 
 


Microsoft Services


 


 


 


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.