ConfigMgr Bitlocker Management

Hi Folks! I'm Naveen kanneganti and Welcome to my blogpost.

Configmgr has release BitLocker Drive Encryption (BDE) in v1910 for on-premises Windows clients running Windows 10 or Windows 8.1. This feature is optional so, you must enable this feature before using it. Enable co-management and benefit from cloud-based BitLocker management with Microsoft Intune is the best approach. However, there are scenario's where cloud is not an option and require managing on-premises clients. configmgr gives this capability from V1910 and can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). This post is intended to give you guidance to implement Configmgr Bitlocker management, monitoring and .

Configmgr will provide the following BitLocker management capabilities:

Client deployment

  • Bitlocker client deployment with seamless experience in configmgr console to manage devices running Windows 10 or Windows 8.1

Manage encryption policies

  • Bitlocker Drive Encryption – Settings like drive encryption and cipher strength on Operating System Drives, Fixed Data Drives and Removable Data Drives
  • Client Management – settings like Bitlocker information to be store and client checking status frequency
  • OS Drive Management – Settings like protector for OS drive, minimum PIN length
  • Compliance- Force users to get compliant before using the device with new security policies
  • Auto Unlock – When a user unlocks the OS drive specify whether to unlock only an OS drive or all attached drives.
  • Setting PIN/Password -Customize your organization's security profile on a per device basis.

Compliance reports

Built-in reports, currently available are:

  • Encryption status per volume or per device
  • The primary user of the device
  • Compliance status
  • Reasons for non-compliance

Administration and monitoring website

  • User admins outside of Configmgr console able to help with key including key rotation and other BitLocker-related support

User self-service portal

  • Users able to get single-use key for unlocking a BitLocker encrypted device. Once this key is used, it generates a new key for the device.

Deploy and Use Bitlocker

Configmgr 1910 introduce Bitlocker management to manage manage BitLocker Drive Encryption (BDE) for configmgr managed devices.

Prerequisites

  • Administrator users require full administrator Role in configmgr to create Bitlocker management policies
  • Https-enabled management Point is required to integrate Bitlocker service

Note: if no HTTPS MP found, client will show “unable to find suitable recovery service MP” in bitlockermanagementhandler.log

Naveen_Kanneganti_0-1585926100333.png
  • Client computers require PKI certificate for client
  • Reporting services point is required to use reports
  • IIS server is required to use self-service portal

For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management

Following is the step by step procedure to enable Bitlocker on configmgr Managed Devices

Bitlocker Management Control Policy

  • Open the SCCM console
  • Go to Assets and ComplianceOverviewEndpoint ProtectionBitLocker Management
  • Right-click BitLocker Management and click Create Bitlocker Management Control Policy
  • Give the name
  • Select Client Management and Operating System Drive and then click Next
Naveen_Kanneganti_1-1585926182399.png
  • On the Setup page select desired options as shown below
    • Example
      • Choose a drive encryption and cipher strength (windows 10): Enabled
      • Operating System Drives: XTS-AES 256-bit
      • Fixed Data Drives: XTS-AES 256-bit
      • Removable Data Drives: XTS-AES 256-bit
Naveen_Kanneganti_2-1585926182406.png
  • On Client Management page, select desired options as shown below and click Next
    • Example:
      • Configure Bitlocker Management Services: Enabled
      • Select bitlocker recovery information: Recovery password and key package
      • Check the box Allow recovery information to be stored in plain text
      • Enter client checking status frequency in (minutes): 90
Naveen_Kanneganti_3-1585926182475.png
  • On Operating System Drive page, select desired options as shown below and click Next
    • Example:
      • Operating System Drive Encryption Settings: Enabled
      • Allow Bitlocker without a compatible TPM (requires a password): Allow
      • Select protector for operation system drive: only
      • Configure minimum PIN length for startup: 4
Naveen_Kanneganti_4-1585926182534.png
  • On the Summary Page, review your choices and click Next
  • On the Completion Page, close the wizard.

Deploy Bitlocker Management Control Policy

  • Right click on created PS0 Bitlocker Management Policy and click Deploy
Naveen_Kanneganti_5-1585926253509.png
  • Select desired collection and simple schedule
  • Click ok
Naveen_Kanneganti_6-1585926253533.png

Monitoring

  • Monitor the progress at Logsmpcontrol.log. When completed you'll have the following lines in the log

Successfully ran ‘C:Windowssystem32WindowsPowerShellv1.0PowerShell.exe -ExecutionPolicy RemoteSigned -File “C:Program FilesMicrosoft Configuration Managerbinx64mbamrecoveryserviceinstaller.ps1″‘. Exit code = 0.

HandleMPRegistryChanges(): EnableMBAM() succeeded.

Naveen_Kanneganti_7-1585926253618.png
  • The following SMS_MP_MBAM service is created in IIS at SitesDefault Web SiteSMS_MP_MBAM
Naveen_Kanneganti_8-1585926253698.png
  • Following RecoveryAndHardwarexxxx tables are created in SCCM Database
Naveen_Kanneganti_9-1585926253785.png

Client

  • When the Bitlocker Management Control Policy is deployed successfully, you will see MDOP MABM program installed at Control PanelProgramsPrograms and Features
Naveen_Kanneganti_10-1585926253789.png

  • Reg keys are created as shown below at ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVEMDOPBitLockerManagement
Naveen_Kanneganti_11-1585926253798.png
  • The following 2 log files are created at c:windowsccmlogs
  • BitlockerManagement_GroupPolicyHandler.log
  • BitlockerManagementHandler.log
Naveen_Kanneganti_12-1585926253801.png
  • Check if the client can find Management from BitlockerManagementHandler.log
Naveen_Kanneganti_13-1585926253806.png

Bitlocker Encryption on clients

Use Case 1:

On a new computer you may run these commands manually or using task sequence during OSD or other methods to enable Bitlocker drive encryption and escrow keys to configmgr. Here is some guidance to help with commands, monitor and

  • Run Powershell command gwmi -class mbam_volume -Namespace rootmicrosoftmbam. search for Compliant and ReasonsForNoncompliance
    • Note: the codes shown at ReasonsForNoncompliance gives the reasons for non-compliant state which helps during troubleshooting
Naveen_Kanneganti_14-1585926487480.png
  • In this scenario, Run Powershell command Manage-bde -on c: and restart computer to begin encryption of C drive by Bitlocker Drive Encryption (BDE)
  • Note: once the client receives the policy, Microsoft Bitlocker Administration and Monitoring wizard should popup on the clients (MBAM wizard may not appear for RDP/Hyper V)
Naveen_Kanneganti_15-1585926487528.png
  • Run Powershell command Manage-bde -status to check the status of bitlocker drive encryption (BDE)
Naveen_Kanneganti_16-1585926487556.png
Naveen_Kanneganti_17-1585926545176.png
  • You can also search Deployed Bitlocker Management Control Policy in configuration manager applet located at Control PanelSystem and Security for Compliant state
Naveen_Kanneganti_18-1585926545195.png
  • Check Event Viewer logs in Applications and Services LogsMicrosoftWindowsMBAM for events
Naveen_Kanneganti_19-1585926545279.png
  • Configmgr populates the recovery information in the site database
Naveen_Kanneganti_20-1585926545383.png

Use Case 2:

You may have configmgr managed devices already encrypted and escrowed to active directory. We can deploy configmgr policy and escrow keys to configmgr database. Here is some guidance to help deploy monitor and

  • Computer already encrypted and keys are backed with AD as shown below
Naveen_Kanneganti_21-1585926637177.png
  • You can check if recovery backup to active directory is enabled from registry HKLMSoftwarePoliciesMicrosoftFVE as shown below
Naveen_Kanneganti_22-1585926637186.png
  • Add computer to Bitlocker Management Policy deployed collection. refer client section to monitor policy deployment. You can monitor policy escrowed to configmgr on client from Applications and Services LogsMicrosoftWindowsMBAMOperational in event Viewer.
Naveen_Kanneganti_23-1585926637319.png
  • In configmgr database you can see the recovery key info of this computer
Naveen_Kanneganti_24-1585926637494.png

Install and configure BitLocker portals

Prerequisites

  • IIS server is required to use self-service portal
  • Microsoft ASP.NET MVC 4.0 is required to install on same IIS server hosting self-service portal
  • Sysadmin rights on SQL is required for the account used to run scripts to install self-service portal

For more information, please see https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management

Note: in V1910 install Portals on Primary site. In a hierarchy having CAS, install portals on Primary sites

Install Portals

  • Copy the files MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab from configmgr installation folder cd.latestSMSSETUPBINX64

Note: in V190 these files are already available at configmgr installation folder cd.latestSMSSETUPBINX64

Naveen_Kanneganti_25-1585926685966.png
  • Run the PowerShell command from the folder having MBAMWebSiteInstaller.ps1 and MBAMWebsite.cab files.

.MBAMWebSiteInstaller.ps1 -SqlServerName cm01.contoso.com -SqlDatabaseName CM_PS0 -ReportWebServiceUrl http://CM01.contoso.com/ReportServer -HelpdeskUsersGroupName “contosoPS0 CM BitLocker helpdesk users” -HelpdeskAdminsGroupName “contosoPS0 CM BitLocker helpdesk admins” -MbamReportUsersGroupName “contosoPS0 CM BitLocker report users” -SiteInstall Both

[For more information on script usage, please see https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites ]

Naveen_Kanneganti_26-1585926686000.png
  • Access the self-service portal via URL https:// [webserver FQDN]/SelfService

Ex: https://cm01.contoso.com/selfservice/

Naveen_Kanneganti_27-1585926686004.png
  • Access Administration and monitoring portal via URL https:// [webserver FQDN]/helpdesk

Ex: https://cm01.contoso.com/helpdesk/

Naveen_Kanneganti_28-1585926686016.png
  • After installation of self-service portal, you can customize portal. Go to Sites>Default Web Site>SelfService node. In the details pane, ASP.NET group, click Application Settings.
    • CompanyName = The organization name displays in self-service portal
    • DisplayNotice = notice that the user has to acknowledge in self-service portal
    • HelpdeskText = helpdesk contact info
    • HelpdeskUrl = The link for the HelpdeskText string.
    • NoticeTextPath = The text of the initial notice that the user requires to acknowledge. By default, the full file path on the web server is C:inetpubMicrosoft BitLocker Management SolutionSelf Service WebsiteNotice.txt. Edit and save the file in a plain text editor.
Naveen_Kanneganti_29-1585926686040.png

Administration and monitoring Portal

  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID

Ex: CB3AB643

Naveen_Kanneganti_30-1585926741503.png
  • Logon to Administration and monitoring website via URL https:// [webserver FQDN]/helpdesk. Give User Domain, User ID, first 8 characters of recovery Key ID (Ex: CB3AB643) and Reason for Drive Unlock. click Submit.
Naveen_Kanneganti_31-1585926741518.png
  • Copy the Drive Recovery Key
Naveen_Kanneganti_32-1585926741533.png
  • Give the recovery key from previous step then press enter
Naveen_Kanneganti_33-1585926741543.png
  • Continue to Windows log in screen
Naveen_Kanneganti_34-1585926741549.jpeg

Self-service portal

  • At Bitlocker recovery screen, note first 8 characters of recovery Key ID

Ex: A5A530CC

Naveen_Kanneganti_35-1585926741557.png
  • Log on to the self-service portal via URL https://[webserver FQDN ]/SelfService using User credentials of the computer from another device. Check the box “I have read and understand the above notice” and click continue

Ex: https://cm01.contoso.com/selfservice/

Naveen_Kanneganti_36-1585926741561.png
  • Give the Recovery Key ID (ex: A5A530CC) and select a Reason from drop down menu. Click Get Key and then Copy the Bitlocker recovery key generated
Naveen_Kanneganti_37-1585926741574.png
  • Give the recovery key from previous step then press enter
Naveen_Kanneganti_38-1585926741585.png
  • Continue to Windows log in screen
Naveen_Kanneganti_39-1585926741591.jpeg

Hope this step by step process and Monitoring helps in deployment and troubleshooting!

If you are looking to manage BitLocker from Azure please check URL : https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/bitlocker-intune-and-raven/ba-p/1048033

Best Regards

Naveen Kanneganti
Premier Field Engineer 
 

Microsoft Services

 

This article was originally published by Microsoft's Secure Blog. You can find the original article here.