How can you use the Self Service feature when MBAM is integrated within SCCM?


Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here, namely Self Service and Help Desk abilities as well as updates to Reporting.

In this blog post we’ll look at the Self Service feature for end users.

Self Service

What is the Self Service feature ?  well to put it quite simply, it allows the end user (that has the BitLocker Recovery prompt) to solve the problem by them selves without having to involve anyone else to support them.

To use the Self Service feature, let’s first take a look at an MBAM managed Windows 10 computer. If we open control panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant.

And if we check the BitLocker settings, we can see it it encrypted as per the MBAM policy. And we can even query the Recovery key as shown below with

manage-bde -protectors -get c:

BitLocker Recovery

But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up. Well, because this computer is managed by MBAM and the key is stored in ConfigMgrs’ database, this is no problem.

So let’s see how that plays out.

As you can see from the screen above, the Windows 10 computer is prompting the end user for a BitLocker Recovery key as something  (bios change etc) has prompted it to do so.

The end user has two choices here, call their internal help desk or solve it themselves using self service.

So how does MBAM Self Service work

The user can use another Windows device (or phone) to access the self service URL located at their site, in my lab that is https://cm01.windowsnoob.lab.local/SelfService

After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.

Notice how the page and notice text are customized for the organization. Once the user accepts the notice they can click on Continue. They are then presented with recovery options.

Here (1), the user can insert the first 8 characters of their Recovery Key ID displayed on their boot up screen and select a reason from one of three options:

  • BIOS/TPM changed
  • OS Files modified
  • Lost PIN-Passphrase

And then click on Get Key. The Recovery Key is displayed in (2).

That’s all you need, there is a third optional option to change your BitLocker credentials via control panel after unlocking the device.

Once entered, the user can boot their computer and all is fine. Job done !

For the ConfigMgr Admins out there that like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database as I show here.

Note: Using the Self Service feature does not trigger a Key Rotation, for more info see

Related reading

In the next blog post I’ll show you how the Help Desk functionality works.

until next time,











This entry was posted in MBAM SelfService. Bookmark the permalink.

2 Responses to How can you use the Self Service feature when MBAM is integrated within SCCM?

  1. Pingback: How can you use the Help Desk feature when MBAM is integrated within SCCM | just another windows noob ?

  2. Pingback: How does Key Rotation work in MBAM integrated with SCCM ? | just another windows noob ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.