Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager, namely Self Service and Help Desk abilities as well as updates to Reporting. I blogged about that here.
In this blog post we’ll look at the Self Service feature for end users.
What is the Self Service feature? Put simply, it allows the end user (who is facing the BitLocker Recovery prompt) to solve the problem by themselves without having to involve anyone else to support them.
To use the Self Service feature, let's first take a look at an MBAM-managed Windows 10 computer. If we open Control Panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant.
And if we check the BitLocker settings, we can see it is encrypted as per the MBAM policy. We can even query the Recovery key as shown below with:
manage-bde -protectors -get c:
But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up? Well, because this computer is managed by MBAM and the key is stored in ConfigMgr's database, this is no problem.
So let’s see how that plays out.
The end user has two choices here: call their internal help desk or solve it themselves using self service.
So how does MBAM Self Service work?
The user can use another Windows device (or phone) to access the self service URL located at their site. In my lab that is https://cm01.windowsnoob.lab.local/SelfService
After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.
- BIOS/TPM changed
- OS Files modified
- Lost PIN-Passphrase
And then click on Get Key. The Recovery Key is displayed in (2).
Once entered, the user can boot their computer and all is fine. Job done!
For the ConfigMgr Admins out there that like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database as I show here.
Note: Using the Self Service feature does not trigger a Key Rotation. For more info see https://www.niallbrady.com/2019/10/07/how-does-key-rotation-work-in-mbam-integrated-with-sccm/
- On-premises BitLocker management using System Center Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
In the next blog post I’ll show you how the Help Desk functionality works.
until next time,