How can you use the Help Desk feature when MBAM is integrated within SCCM

Introduction

Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager, and I blogged about that here. Those updates included Self Service and Help Desk abilities as well as Reporting updates.

In a previous blog post we looked at the Self Service feature for end users. This blog post will look at the Help Desk feature. But first, why would a user need to call a help desk (in relation to MBAM)? Here’s why.

If a user gets locked out of their Windows computer that is encrypted with BitLocker, and provided that the computer is managed by MBAM integrated with SCCM, then when BitLocker Recovery is triggered (by things like BIOS changes, software updates etc.), in order to gain access to the computer they’ll need to unlock it, and for that they’ll need the recovery key, either via Self Service (which I already covered) or by calling the Help Desk.

Some people cannot handle fixing things themselves and always opt for calling the help desk as they want personnel to help assist them in their time of need.

Creating Users and User Groups for MBAM

At the help desk, you have different levels of users and depending on which user group they are in, they can get more advanced functionality. However, gaining access to this functionality requires that the help desk user is a member of a group specified when you set up MBAM.

If you’ve been following my latest SCCM setup guides here, in Part 2 you’ll see that there is a PowerShell script to create users and user groups in Active Directory, including Service Accounts, for functions such as MBAM.

You can see the creation of these user groups below and you can download the script(s) used here.

This script creates some MBAM related users/groups which are shown below.

The Help Desk function uses the MBAM_HD and the MBAM_HD_Adv user groups when I set it up as specified here. Those user groups are used when setting up MBAM within Configuration Manager using the following script. The -HelpdeskUsersGroupName and -HelpdeskAdminsGroupName parameters are the bit which decides which user group belongs to which of the Help Desk roles.

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> `
    -SqlInstanceName <InstanceName> `
    -SqlDatabaseName <DatabaseName> `
    -ReportWebServiceUrl <ReportWebServiceUrl> `
    -HelpdeskUsersGroupName <DomainUserGroup> `
    -HelpdeskAdminsGroupName <DomainUserGroup> `
    -MbamReportUsersGroupName <DomainUserGroup> `
    -SiteInstall Both

You can of course create user groups with your own naming standard for your company as appropriate, this is only an example of how to set it up.

What is important however, is that you add users to that user group, as those users will be able to access the Help Desk abilities in MBAM to provide support to your users.

Help Desk User versus Help Desk Advanced User

The script used above for creating users and user groups creates two Help Desk user groups, one for help desk users and another for help desk advanced users. All you have to do is add users to the appropriate user group. Those user groups are called:

  • MBAM_HD
  • MBAM_HD_Adv

The MBAM_HD user group contains users that are help desk users and they have the following abilities.

Provides access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website. Individuals who have this role must fill in all fields, including the end-user’s domain and account name, when they use either area.

The MBAM_HD_Adv user group contains users that are help desk advanced users and they have the following abilities.

Provides access to all areas of the Administration and Monitoring Website. Users who have this role enter only the recovery key, and not the end user’s domain and user name, when helping end users recover their drives. If a user is a member of both the MBAM Helpdesk Users group and the MBAM Advanced Helpdesk Users group, the MBAM Advanced Helpdesk Users group permissions override the MBAM Helpdesk Users Group permissions.

Note: For more info about these user groups see this post from Microsoft.

Note: I’ve manually created the two users below; the script does not create them, as it expects you to add users to the user groups yourself.

So let’s add a user called HelpDeskUser to the MBAM_HD user group.

And let’s add a user called HelpDeskAdvanced to the MBAM_HD_Adv user group.
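As an added example (not the post’s own script, nor the one it links to), here is how creating the two groups, adding the help desk accounts and then pointing MBAMWebSiteInstaller.ps1 at those groups fits together in PowerShell; the OU path, domain name, SQL server/instance/database and report server URL are placeholders, and the two user accounts are assumed to exist already.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT) and an account permitted to create groups in the target OU.
Import-Module ActiveDirectory

$OU       = "OU=MBAM,DC=windowsnoob,DC=lab,DC=local"   # placeholder OU path
$Domain   = "WINDOWSNOOB"                               # placeholder NetBIOS domain name
$HdGroup  = "MBAM_HD"       # Help Desk users: must fill in every field, incl. end-user domain/account
$AdvGroup = "MBAM_HD_Adv"   # Advanced Help Desk users: Key ID and reason only

# 1. Create the two groups if they do not exist yet (safe to re-run).
foreach ($g in $HdGroup, $AdvGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $OU `
            -Description "MBAM Administration and Monitoring Website help desk group"
    }
}

# 2. Add the manually created help desk accounts to the matching group.
Add-ADGroupMember -Identity $HdGroup  -Members "HelpDeskUser"
Add-ADGroupMember -Identity $AdvGroup -Members "HelpDeskAdvanced"

# 3. Review who can hand out recovery keys. Advanced group permissions override
#    the standard group, so anyone in both gets the less-verified advanced workflow.
$hd  = Get-ADGroupMember -Identity $HdGroup  -Recursive | Select-Object -ExpandProperty SamAccountName
$adv = Get-ADGroupMember -Identity $AdvGroup -Recursive | Select-Object -ExpandProperty SamAccountName
"Help Desk users:          $($hd  -join ', ')"
"Advanced Help Desk users: $($adv -join ', ')"
$both = $hd | Where-Object { $adv -contains $_ }
if ($both) { Write-Warning "Members of both groups (advanced permissions win): $($both -join ', ')" }

# 4. Install the MBAM websites with the two groups (parameters as in the post;
#    all values below are placeholders for your own environment).
.\MBAMWebSiteInstaller.ps1 -SqlServerName "cm01" -SqlInstanceName "MSSQLSERVER" `
    -SqlDatabaseName "CM_P01" `
    -ReportWebServiceUrl "https://cm01.windowsnoob.lab.local/ReportServer" `
    -HelpdeskUsersGroupName  "$Domain\$HdGroup" `
    -HelpdeskAdminsGroupName "$Domain\$AdvGroup" `
    -MbamReportUsersGroupName "$Domain\MBAM_Report_Users" `
    -SiteInstall Both
```

Step 3 is worth re-running whenever group membership changes, since every member of MBAM_HD_Adv can release a recovery key against a Key ID alone.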

Help Desk User

Logon to a computer as HelpDeskUser and browse to the help desk website, for example in my lab it is: https://cm01.windowsnoob.lab.local/helpdesk

You should see the following, note that the user logged on is displayed in the top right of the website:

If the help desk user clicks on Drive Recovery to assist a user calling in for BitLocker Recovery, they will see the following. They need to enter all fields provided, including a reason for the request, before clicking Submit.

After submitting the request they can assist the user by providing them the drive recovery key.

Note that they can copy it to (for example) email the BitLocker recovery key to the user, save the key locally (to email to the user or give it to them over the phone), or create a .keypackage to be used when recovering corrupted drives.

They can also manage the TPM (Trusted Platform Module) via the Manage TPM link.

After filling in the needed info, clicking on Submit reveals the TPM Owner Password.

Help Desk Advanced User

Logon to a computer as HelpDeskAdvancedUser and browse to the help desk website, for example in my lab it is: https://cm01.windowsnoob.lab.local/helpdesk

You should see the following, note that the user logged on is displayed in the top right of the website:

As before, this user can assist users with Drive Recovery operations, however now it’s easier (and quicker) to do, as they are only required to enter the Key ID and Reason for the recovery.

And after clicking submit, the same choices are available as for the Help Desk User.

For Manage TPM, again, there are fewer required items to fill in for the Advanced help desk user (only 3 items are required versus 5 for the help desk user).

And after clicking Submit, the TPM Owner Password file is presented.

So there you have it: help desk functionality for MBAM is provided within SCCM as of System Center Configuration Manager Technical Preview version 1909. Do check it out, it’s awesome!

What about Key Rotation? To find out how Key Rotation works after using the Help Desk feature, see here.

In a later blog post I’ll look at MBAM reporting.


This entry was posted in MBAM, MBAM helpdesk, MBAM SelfService.

6 Responses to How can you use the Help Desk feature when MBAM is integrated within SCCM

  1. Pingback: How does Key Rotation work in MBAM integrated with SCCM ? | just another windows noob ?

  2. Pingback: A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager | just another windows noob ?

  3. slundy says:

    Is there a process to add new groups to the Helpdesk Admin role in MBAM? When it was set up before I was here the only role granted was the standard help desk role. I’ve created the groups as shown above but am not sure how to grant them access after the portal has been set up.

  4. ncbrady says:

    it’s all here > The Help Desk function uses the MBAM_HD and the MBAM_HD_Adv user groups when I set it up as specified here. Those user groups are used when setting up MBAM within Configuration Manager using the following script. I’ve marked in bold the bit which decides what user group belongs to the appropriate Help Desks.

    .\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> `
        -SqlInstanceName <InstanceName> `
        -SqlDatabaseName <DatabaseName> `
        -ReportWebServiceUrl <ReportWebServiceUrl> `
        -HelpdeskUsersGroupName <DomainUserGroup> `
        -HelpdeskAdminsGroupName <DomainUserGroup> `
        -MbamReportUsersGroupName <DomainUserGroup> `
        -SiteInstall Both

    You can of course create user groups with your own naming standard for your company as appropriate, this is only an example of how to set it up.

    What is important however, is that you add users to that user group, as those users will be able to access the Help Desk abilities in MBAM to provide support to your users.

  5. slundy says:

    Since the portal is already there and set up with a current group, is it ok to re-run the script that sets up the site, but change the groups?

  6. ncbrady says:

    yes, go ahead, but include ALL the groups you want to use
