Want to learn about the new Bitlocker Management feature in Microsoft Endpoint Manager Configuration Manager ?

Introduction

Microsoft BitLocker Administration and Monitoring (MBAM) puts a client agent (the MDOP MBAM agent) on your Windows devices to enforce BitLocker encryption, including the encryption algorithm, and to escrow the recovery keys securely in your database. It includes reporting, key rotation, compliance and more.

The following blog post from Microsoft details their future direction with regard to BitLocker Management and is a must read. They have since written a new blog post about the subject here.

The purpose of this blog post is to gather together the guides and videos I've created since BitLocker Management appeared as a feature in Configuration Manager Technical Preview version 1905, through to its release in production in Configuration Manager version 1910 (Current Branch).

Videos

Guides

Microsoft Docs

Note: BitLocker Management as integrated in 1910 requires an HTTPS-enabled management point. If you'd like help configuring PKI, see my links below. Please keep in mind that since I blogged this, Microsoft Endpoint Manager 2002 has been released and it contains updates to the BitLocker Management feature (and its requirements) shown here.

  • The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the Configuration Manager client to the management point. There are two options:
    • HTTPS-enable the IIS website on the management point that hosts the recovery service. This option only applies to Configuration Manager version 2002.
    • Configure the management point for HTTPS. This option applies to Configuration Manager versions 1910 or 2002.

    For more information, see Encrypt recovery data.
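To check those prerequisites from a client before digging through logs, here is an added PowerShell readiness check (example code written for this page; it is not the author's script and not part of Configuration Manager). It assumes it runs elevated on a Windows 10 device with the Configuration Manager client installed, reads the assigned management point from the client's WMI (SMS_Authority), and otherwise uses only built-in cmdlets (Test-NetConnection, Get-Tpm, Get-BitLockerVolume) and .NET's SslStream. The TLS handshake deliberately uses default certificate validation: if this client does not trust the management point's certificate chain, or the name does not match, that is the same trust failure the recovery service will hit over HTTPS. The function name Test-BitLockerMgmtReadiness is an assumption.

```powershell
# Added example for this page (not the author's script, not ConfigMgr's own code).
# Assumes: elevated PowerShell on a Windows 10 client with the ConfigMgr client installed.
function Test-BitLockerMgmtReadiness {
    [CmdletBinding()]
    param(
        # Management point FQDN; defaults to the MP the client is currently assigned to.
        [string]$ManagementPoint
    )

    if (-not $ManagementPoint) {
        $ManagementPoint = (Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority).CurrentManagementPoint
    }
    $r = [ordered]@{ ManagementPoint = $ManagementPoint }

    # 1. The recovery service only talks HTTPS, so TCP 443 on the MP must be reachable.
    $tcp = Test-NetConnection -ComputerName $ManagementPoint -Port 443 -WarningAction SilentlyContinue
    $r.Port443Open = $tcp.TcpTestSucceeded

    # 2. Do a real TLS handshake with default validation. If the client does not trust the
    #    issuing CA, or the certificate name does not match the MP FQDN, AuthenticateAsClient
    #    throws. That is the same failure the ConfigMgr client sees when escrowing a key.
    if ($r.Port443Open) {
        $client = New-Object System.Net.Sockets.TcpClient($ManagementPoint, 443)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream())
        try {
            $ssl.AuthenticateAsClient($ManagementPoint)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.TlsProtocol  = $ssl.SslProtocol
            $r.CertSubject  = $cert.Subject
            $r.CertIssuer   = $cert.Issuer
            $r.CertNotAfter = $cert.NotAfter
            $r.CertTrusted  = $true
        } catch {
            $r.CertTrusted  = $false
            $r.TlsError     = $_.Exception.Message
        } finally {
            $ssl.Close()
            $client.Close()
        }
    }

    # 3. The TPM must be present and ready; otherwise TPM or TPM+PIN protectors cannot be
    #    created and the policy never starts encrypting.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady

    # 4. OS drive state. The protector types show which policy actually applied (Tpm vs
    #    TpmPin) and whether a RecoveryPassword protector exists to be escrowed.
    #    The recovery password value itself is deliberately not output.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.VolumeStatus        = $os.VolumeStatus
    $r.ProtectionStatus    = $os.ProtectionStatus
    $r.EncryptionMethod    = $os.EncryptionMethod
    $r.KeyProtectors       = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
    $r.HasRecoveryPassword = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]$r
}

Test-BitLockerMgmtReadiness | Format-List
```

Read the output from the top down: Port443Open false means the MP is not listening for HTTPS at all; CertTrusted false with a TlsError about the chain or the name means the client-side PKI is wrong (the root CA is not in the client's trusted store, or the MP certificate's subject or SAN does not match the FQDN the client uses); TpmReady false means a TPM-based protector can never be created no matter what the policy says; and an empty KeyProtectors list on an unencrypted volume is what you would expect on a machine where the policy has simply not applied yet.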

Setting up PKI in a lab

Convert ConfigMgr from HTTP to HTTPS

This entry was posted in 1909, 1910, Group Policy, Key Rotation, MBAM helpdesk, MBAM Reporting, MBAM SelfService, pki, PKI.

29 Responses to Want to learn about the new Bitlocker Management feature in Microsoft Endpoint Manager Configuration Manager ?

  1. gowdey says:

    Great stuff as always Niall!

  2. Pingback: Learn about MBAM integration in Microsoft Endpoint Configuration Manager version 1910 | just another windows noob ?

  3. Pingback: Learn about MBAM in Microsoft Endpoint Configuration Manager version 1910 – part 6 decrypting drives | just another windows noob ?

  4. Pingback: Learn about MBAM in Microsoft Endpoint Configuration Manager version 1910 – part 7 Reporting and compliance | just another windows noob ?

  5. Pingback: Learn about MBAM in Microsoft Endpoint Configuration Manager version 1910 – part 8 Migration | just another windows noob ?

  6. Phoenixtekk says:

    Yeap, this is one to keep handy. Thanks again…

  7. Pingback: System Center Ocak 2020 Bülten – Sertaç Topal

  8. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 9 Group Policy | just another windows noob ?

  9. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – Part 2, configure portals | just another windows noob ?

  10. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 3 customize the portals | just another windows noob ?

  11. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 4 Enforce encryption | just another windows noob ?

  12. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 5 key rotation | just another windows noob ?

  13. Pingback: Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 6 forcing decryption | just another windows noob ?

  14. Pingback: Full disk encryption (in ConfigMgr 1910) – a closer look on real hardware | just another windows noob ?

  15. magviegas says:

    Hi Niall, those are amazing tutorials, thank you!

    BTW, have you seen a problem where the registry key MDOPBitLockerManagement is never populated with the corresponding MBAM entries? The MDOP is installed successfully, I see no errors in the logs, but the client never starts encrypting and I guess this is the reason. This is happening with a few clients out of 200.

    Thanks a lot!
    Marcelo Viegas

    • ncbrady says:

      hi Marcelo,
      thanks for the thanks, so can you go into more detail about what you are seeing exactly? Are you saying the reg keys don't get created at all? Were these devices ever managed by MBAM? Do they have the correct client version and the MDOP agent installed?

  16. sam says:

    Hi Niall,

    Thank you very much for detailed guide on Bitlocker management.

    I need to implement BitLocker on around 5k (Win10 1909) devices using ConfigMgr 1910. All the pre-requisites like an HTTPS-enabled MP and TPM are installed/configured.

    We have two MBAM policies, one for desktops (TPM only) and another for laptops (TPM + PIN), both policies having identical settings except the below:

    • OS Drive encryption settings (for desktop chassis):
    – Allow Bitlocker without a compatible TPM (requires a password) – Do Not Allow
    – Select Protector for a operating system drive – TPM only

    • OS Drive encryption settings (for laptop chassis):
    – Allow Bitlocker without a compatible TPM (requires a password) – Allow
    – Select Protector for a operating system drive – TPM and PIN

    As you suggested, a DCM baseline was also created to start encryption without end user intervention, and I can see those two registry keys being created on the endpoint.

    However, for an unknown reason, automatic encryption is not working and I see no errors in the MBAM event logs or the SCCM BitLocker logs either. We have no MBAM group policy settings which may conflict with the SCCM policy.

    If I trigger encryption manually, it encrypts the disk with the settings from the BitLocker policy and reports the state as ‘compliant’ as well.

    Not sure what I’m missing here. Any help would be appreciated!

    • ncbrady says:

      hi there,
      first of all, the DCM baseline to ‘force encryption’ must be set BEFORE the computers get BitLocker encryption policies,
      have you verified that?

      • sam says:

        Thanks Niall for prompt response..

        Yes, I can confirm that the DCM policy was enforced before the BitLocker policy... just running out of ideas now 🙁

        • ncbrady says:

          are you verifying on real hardware? Did you make sure that the TPM shows up in Device Manager? Is it enabled in the BIOS...

          • sam says:

            Yes, I’ve 2 physical machines where TPM is enabled in BIOS and appears in device manager as well..

    • Mripra says:

      I am also having a similar issue. Do you think any GPO policy might be interfering with writing those policies from SCCM?

      • ncbrady says:

        it’s possible, so to find out, make sure your BitLocker management computers are in an OU that is not targeted by any MDOP-related GPO, for testing.

        • Mripra says:

          The only GPO policy for MDOP I have is the one that shows which number to call if the user gets the BitLocker screen. It’s from one of your tutorials.

  18. CS says:

    This is a very detailed and explanatory post and will come in handy for anyone looking to integrate BitLocker Management with SCCM. Big thank you!

    Would anyone be able to share what the client behaviour is for Windows endpoints that were already BitLockered and the backend was moved to SCCM? Will they still get a pop-up to encrypt? Will all client policies be reapplied?

  19. Pingback: How can we utilize the Bitlocker Management feature during OSD with Endpoint Manager | just another windows noob ?

  20. Pingback: Troubleshooting BitLocker Management in ConfigMgr – Part 1. Server side | just another windows noob ?
