Microsoft BitLocker Administration and Monitoring (MBAM) provides a client agent (the MDOP MBAM agent) for your Windows devices that enforces BitLocker encryption, including the encryption algorithm, and securely stores the recovery keys in your database. It also includes reporting, key rotation, compliance and more.
The purpose of this blog post is to gather together the guides and videos I’ve created since BitLocker Management appeared as a feature in Configuration Manager Technical Preview version 1905 and onwards, up to its release in production in Configuration Manager version 1910 (Current Branch).
- BitLocker management – Part 1 Initial setup
- BitLocker management – Part 2 Deploy portals
- BitLocker management – Part 3 Customize portals
- BitLocker management – Part 4 Force encryption with no user action
- BitLocker management – Part 5 key rotation
- BitLocker management – Part 6 Force decryption with no user action
- BitLocker management – Part 7 Reporting and compliance
- BitLocker management – Part 8 Migration
- BitLocker management – Part 9 Group Policy settings
- BitLocker management – Part 10 Troubleshooting
- Getting started with On-premises BitLocker management using SCCM
- How does Key Rotation work in MBAM integrated with SCCM?
- How can you use the Self Service feature when MBAM is integrated within SCCM?
- How can you use the Help Desk feature when MBAM is integrated within SCCM?
- A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- How to use Full Disk Encryption in a task sequence in Configuration Manager 1910
- Full disk encryption (in ConfigMgr 1910) – a closer look using real hardware
- Download the Windows 10 version 1909 ADMX templates
- How to use the Central Store for Windows 10 ADMX files
- How can we utilize the Bitlocker Management feature during OSD with Endpoint Manager
- Using BitLocker Management in ConfigMgr and do OSD, read this!
- Hotfix available for ConfigMgr version 2103 to solve policy storm issues caused by Invoke-MbamClientDeployment.ps1
- What’s new in 1910 – https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-1910
- Plan – https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management
- Deploy – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/deploy-management-agent
- Encrypt recovery data – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data
- Install the MBAM portals – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites
- Migration – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#migration-considerations
- Planning for MBAM Group Policy – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements
- MBAM ADMX – https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates
- Download the ADMX – v.2.8
Note: BitLocker Management integrated in 1910 requires an HTTPS-enabled management point. If you’d like help configuring PKI, see my links below. Please keep in mind that since I blogged this, Microsoft Endpoint Manager 2002 was released and it contains updates to the BitLocker Management feature (and its requirements) shown here.
- The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the Configuration Manager client to the management point. There are two options:
  - HTTPS-enable the IIS website on the management point that hosts the recovery service. This option only applies to Configuration Manager version 2002.
  - Configure the management point for HTTPS. This option applies to Configuration Manager versions 1910 or 2002.
For more information, see Encrypt recovery data.
Setting up PKI in a lab
- Part 1 – Introduction and server setup
- Part 2 – Install and do initial configuration on the Standalone Offline Root CA
- Part 3 – Prepare the HTTP Web server for CDP and AIA Publication
- Part 4 – Post configuration on the Standalone Offline Root CA
- Part 5 – Installing the Enterprise Issuing CA
- Part 6 – Perform post installation tasks on the Issuing CA
- Part 7 – Install and configure the OCSP Responder role service
- Part 8 – Configure AutoEnroll and Verify PKI health
Convert ConfigMgr from HTTP to HTTPS
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 2