ConfigMgr Bitlocker Management

Hi Folks! I'm Naveen kanneganti and Welcome to my blogpost.

Configmgr has release BitLocker Drive Encryption (BDE) in v1910 for on-premises Windows clients running Windows 10 or Windows 8.1. This feature is optional so, you must enable this feature before using it. Enable co-management and benefit from cloud-based BitLocker management with Microsoft Intune is the best approach. However, there are scenario's where cloud is not an option and require managing on-premises clients. configmgr gives this capability from V1910 and can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). This post is intended to give you guidance to implement Configmgr Bitlocker management, monitoring and .

Configmgr will provide the following BitLocker management capabilities:

Client deployment

  • Bitlocker client deployment with seamless experience in configmgr console to manage devices running Windows 10 or Windows 8.1

Manage encryption policies

  • Bitlocker Drive Encryption – Settings like drive encryption and cipher strength on Operating System Drives, Fixed Data Drives and Removable Data Drives
  • Client Management – settings like Bitlocker information to be store and client checking status frequency
  • OS Drive Management – Settings like protector for OS drive, minimum PIN length
  • Compliance- Force users to get compliant before using the device with new security policies
  • Auto Unlock – When a user unlocks the OS drive specify whether to unlock only an OS drive or all attached drives.
  • Setting PIN/Password -Customize your organization's security profile on a per device basis.

Compliance reports

Built-in reports, currently available are:

  • Encryption status per volume or per device
  • The primary user of the device
  • Compliance status
  • Reasons for non-compliance

Administration and monitoring website

  • User admins outside of Configmgr console able to help with key including key rotation and other BitLocker-related support

User self-service portal

  • Users able to get single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device.

Deploy and Use Bitlocker

Configmgr 1910 introduce Bitlocker management to manage manage BitLocker Drive Encryption (BDE) for configmgr managed devices.


  • Administrator users require full administrator Role in configmgr to create Bitlocker management policies
  • Https-enabled management Point is required to integrate Bitlocker service

Note: if no HTTPS MP found, client will show “unable to find suitable recovery service MP” in bitlockermanagementhandler.log

  • Client computers require PKI certificate for client
  • Reporting services point is required to use reports
  • IIS server is required to use self-service portal

For more information, please see

Following is the step by step procedure to enable Bitlocker on configmgr Managed Devices

Bitlocker Management Control Policy

  • Open the SCCM console
  • Go to Assets and ComplianceOverviewEndpoint ProtectionBitLocker Management
  • Right-click BitLocker Management and click Create Bitlocker Management Control Policy
  • Give the name
  • Select Client Management and Operating System Drive and then click Next
  • On the Setup page select desired options as shown below
    • Example
      • Choose a drive encryption and cipher strength (windows 10): Enabled
      • Operating System Drives: XTS-AES 256-bit
      • Fixed Data Drives: XTS-AES 256-bit
      • Removable Data Drives: XTS-AES 256-bit
  • On Client Management page, select desired options as shown below and click Next
    • Example:
      • Configure Bitlocker Management Services: Enabled
      • Select bitlocker recovery information: Recovery password and key package
      • Check the box Allow recovery information to be stored in plain text
      • Enter client checking status frequency in (minutes): 90
  • On Operating System Drive page, select desired options as shown below and click Next
    • Example:
      • Operating System Drive Encryption Settings: Enabled
      • Allow Bitlocker without a compatible TPM (requires a password): Allow
      • Select protector for operation system drive: only
      • Configure minimum PIN length for startup: 4
  • On the Summary Page, review your choices and click Next
  • On the Completion Page, close the wizard.

Deploy Bitlocker Management Control Policy

  • Right click on created PS0 Bitlocker Management Policy and click Deploy
  • Select desired collection and simple schedule
  • Click ok


  • Monitor the progress at Logsmpcontrol.log. When completed you'll have the following lines in the log

Successfully ran ‘C:Windowssystem32WindowsPowerShellv1.0PowerShell.exe -ExecutionPolicy RemoteSigned -File “C:Program FilesMicrosoft Configuration Managerbinx64mbamrecoveryserviceinstaller.ps1″‘. Exit code = 0.

HandleMPRegistryChanges(): EnableMBAM() succeeded.

  • The following SMS_MP_MBAM service is created in IIS at SitesDefault Web SiteSMS_MP_MBAM
  • Following RecoveryAndHardwarexxxx tables are created in SCCM Database


  • When the Bitlocker Management Control Policy is deployed successfully, you will see MDOP MABM program installed at Control PanelProgramsPrograms and Features

  • Reg keys are created as shown below at ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVEMDOPBitLockerManagement
  • The following 2 log files are created at c:windowsccmlogs
  • BitlockerManagement_GroupPolicyHandler.log
  • BitlockerManagementHandler.log
  • Check if the client can find Management from BitlockerManagementHandler.log

Bitlocker Encryption on clients

Use Case 1:

On a new computer you may run these commands manually or using task sequence during OSD or other methods to enable Bitlocker drive encryption and escrow keys to configmgr. Here is some guidance to help with commands, monitor and

  • Run Powershell command gwmi -class mbam_volume -Namespace rootmicrosoftmbam. search for Compliant and ReasonsForNoncompliance
    • Note: the codes shown at ReasonsForNoncompliance gives the reasons for non-compliant state which helps during troubleshooting
  • In this scenario, Run Powershell command Manage-bde -on c: and restart computer to begin encryption of C drive by Bitlocker Drive Encryption (BDE)
  • Note: once the client receives the policy, Microsoft Bitlocker Administration and Monitoring wizard should popup on the clients (MBAM wizard may not appear for RDP/Hyper V)
  • Run Powershell command Manage-bde -status to check the status of bitlocker drive encryption (BDE)
  • You can also search Deployed Bitlocker Management Control Policy in configuration manager applet located at Control PanelSystem and Security for Compliant state
  • Check Event Viewer logs in Applications and Services LogsMicrosoftWindowsMBAM for events
  • Configmgr populates the recovery information in the site database

Use Case 2:

You may have configmgr managed devices already encrypted and escrowed to active directory. We can deploy configmgr policy and escrow keys to configmgr database. Here is some guidance to help deploy monitor and

  • Computer already encrypted and keys are backed with AD as shown below
  • You can check if recovery backup to active directory is enabled from registry HKLMSoftwarePoliciesMicrosoftFVE as shown below
  • Add computer to Bitlocker Management Policy deployed collection. refer client section to monitor policy deployment. You can monitor policy escrowed to configmgr on client from Applications and Services LogsMicrosoftWindowsMBAMOperational in event Viewer.
  • In configmgr database you can see the recovery key info of this computer

Install and configure BitLocker portals


  • IIS server is required to use self-service portal
  • Microsoft ASP.NET MVC 4.0 is required to install on same IIS server hosting self-service portal
  • Sysadmin rights on SQL is required for the account used to run scripts to install self-service portal

For more information, please see

Note: in V1910 install Portals on Primary site. In a hierarchy having CAS, install portals on Primary sites

Install Portals

  • Copy the files MBAMWebSiteInstaller.ps1 and from configmgr installation folder cd.latestSMSSETUPBINX64

Note: in V190 these files are already available at configmgr installation folder cd.latestSMSSETUPBINX64

  • Run the PowerShell command from the folder having MBAMWebSiteInstaller.ps1 and files.

.MBAMWebSiteInstaller.ps1 -SqlServerName -SqlDatabaseName CM_PS0 -ReportWebServiceUrl -HelpdeskUsersGroupName “contosoPS0 CM BitLocker helpdesk users” -HelpdeskAdminsGroupName “contosoPS0 CM BitLocker helpdesk admins” -MbamReportUsersGroupName “contosoPS0 CM BitLocker report users” -SiteInstall Both

[For more information on script usage, please see ]

  • Access the self-service portal via URL https:// [webserver FQDN]/SelfService


  • Access Administration and monitoring portal via URL https:// [webserver FQDN]/helpdesk


  • After installation of self-service portal, you can customize portal. Go to Sites>Default Web Site>SelfService node. In the details pane, ASP.NET group, click Application Settings.
    • CompanyName = The organization name displays in self-service portal
    • DisplayNotice = notice that the user has to acknowledge in self-service portal
    • HelpdeskText = helpdesk contact info
    • HelpdeskUrl = The link for the HelpdeskText string.
    • NoticeTextPath = The text of the initial notice that the user requires to acknowledge. By default, the full file path on the web server is C:inetpubMicrosoft BitLocker Management SolutionSelf Service WebsiteNotice.txt. Edit and save the file in a plain text editor.

Administration and monitoring Portal

  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID

Ex: CB3AB643

  • Logon to Administration and monitoring website via URL https:// [webserver FQDN]/helpdesk. Give User Domain, User ID, first 8 characters of recovery Key ID (Ex: CB3AB643) and Reason for Drive Unlock. click Submit.
  • Copy the Drive Recovery Key
  • Give the recovery key from previous step then press enter
  • Continue to Windows log in screen

Self-service portal

  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID

Ex: A5A530CC

  • Log on to the self-service portal via URL https://[webserver FQDN ]/SelfService using User credentials of the computer from another device. Check the box “I have read and understand the above notice” and click continue


  • Give the Recovery Key ID (ex: A5A530CC) and select a Reason from drop down menu. Click Get Key and then Copy the Bitlocker recovery key generated
  • Give the recovery key from previous step then press enter
  • Continue to Windows log in screen

Hope this step by step process and Monitoring helps in deployment and troubleshooting!

If you are looking to manage BitLocker from Azure please check URL :

Best Regards

Naveen Kanneganti
Premier Field Engineer 

Microsoft Services


This article was originally published by Microsoft's Secure Blog. You can find the original article here.