Troubleshooting BitLocker Management in ConfigMgr – Part 1. Server side

Introduction

Microsoft blogged about BitLocker Management capabilities back in May 2019, detailing how the feature would evolve across the following three platforms.

  • Cloud-based BitLocker management using Microsoft Intune
  • On-premises BitLocker management using System Center Configuration Manager
  • Microsoft BitLocker Administration and Monitoring (MBAM)

And recently they’ve posted an updated blog post here where they go into detail about how BitLocker Management in Microsoft Endpoint Manager has evolved (both in Intune and ConfigMgr). The purpose of this mini series is to help you troubleshoot problems related to the installation, configuration and usage of the new BitLocker Management capabilities in ConfigMgr; it is broken down into the following three parts.

  • Troubleshooting BitLocker Management in ConfigMgr – Part 1. Server side (this part)
  • Troubleshooting BitLocker Management in ConfigMgr – Part 2. Client side
  • Troubleshooting BitLocker Management in ConfigMgr – Part 3. Common issues

But first let’s take a quick trip down memory lane. Microsoft initially released BitLocker Management capabilities in the 1905 version (Technical Preview) of Configuration Manager and expanded upon them up to the release of the BitLocker Management feature contained within Configuration Manager version 1910 (Current Branch).

After 1910 was released they continued to improve and add new features, as you can see by checking out any of the newer Technical Preview releases from Technical Preview version 2002 onwards, where many GPO settings were added to the BitLocker Management UI. In addition, new capabilities came in TP2005 (setting the BitLocker encryption type during the Enable BitLocker and Pre-Provision BitLocker steps in an OSD task sequence) that later made their way into Configuration Manager Current Branch version 2006, so it pays to look at the Technical Preview releases every month.

Note: The screenshot below is taken from Technical Preview version 2008

[Screenshot: BitLocker Management settings in Technical Preview 2008 (tp2008.png)]

I have created many blog posts and videos on the subject, so if you are interested then please take a look at the videos linked below.

Installation and troubleshooting on the server

When you use the BitLocker Management feature in ConfigMgr 1910 or later you can create BitLocker Management policy and deploy it to your clients. The clients receive and process the policy, the MDOP client agent gets installed (if it is not already installed), and the agent then takes action based on the settings it finds in the registry; compliance is then set based on the policy settings and the client settings. It’s important to understand the flow of how it all works together, and to do that you need to understand that things change depending on whether you’ve created BitLocker Management policy or not.

In this post I assume you’ve met the prereqs and enabled the BitLocker Management feature as shown here.

[Screenshot: the BitLocker Management feature is turned on (bitlocker management feature is ON.png)]


Before creating policy

First of all, let’s look at a ConfigMgr 2002 Current Branch server where no BitLocker Policy has yet been created. You can think of this as a server that has been recently upgraded from 1910, or one where no one has configured anything related to BitLocker Management yet. In this blog post the primary server in my lab is not using co-management, but if it was, you’d need to ensure that the Endpoint Protection workload was managed by ConfigMgr if you want ConfigMgr to manage BitLocker Management.

The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy. The device gets Windows encryption policy from Intune.

When you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption.

In the console, expand Endpoint Protection in Assets and Compliance and you’ll see BitLocker Management. Select it; no items will be found, as no policy has yet been created.

[Screenshot: the BitLocker Management node shows "No items found" (no items found.png)]

In addition, if you open Internet Information Services (IIS) Manager, you will not see any MBAM related applications in there.

[Screenshot: IIS Manager with no MBAM application listed (iis has no mbam application listed.png)]

There will also be no MBAM related logs in Windows Event Viewer.

[Screenshot: Windows Event Viewer with no MBAM logs (no MBAM in Windows event viewer.png)]

After creating policy

When you create your first BitLocker Management policy you’ll see MBAM related activity revealed in the mpcontrol.log on the ConfigMgr server. This log is the first place to look if you run into problems on your server.
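To check the three server-side indicators described above (MBAM applications in IIS, MBAM logs in Event Viewer, and MBAM activity in mpcontrol.log) in one go, here is an added example script; it is not from the original post or from Microsoft. It assumes it runs on the site server that also hosts the management point and IIS, and the default mpcontrol.log path is an assumption you should adjust to your own install directory.

```powershell
# Added example (not part of the original post): report the MBAM indicators the
# post uses to tell a "before policy" server from an "after policy" server.
# Assumes the site server also hosts the MP/IIS. The log path is an assumed
# default install location; change it to match your site server.
param(
    [string]$MpControlLog = 'C:\Program Files\Microsoft Configuration Manager\Logs\mpcontrol.log'
)

function Test-BitLockerManagementServer {
    param([string]$LogPath)

    $result = [ordered]@{}

    # 1. IIS: no MBAM applications exist until the first policy is created.
    Import-Module WebAdministration -ErrorAction Stop
    $mbamApps = Get-WebApplication | Where-Object { $_.Path -like '*MBAM*' }
    $result.IisMbamApplications = @($mbamApps | ForEach-Object { $_.Path })

    # 2. Event Viewer: are any MBAM-named logs registered on this server?
    $mbamLogs = Get-WinEvent -ListLog '*MBAM*' -ErrorAction SilentlyContinue
    $result.MbamEventLogs = @($mbamLogs | ForEach-Object { $_.LogName })

    # 3. mpcontrol.log: MBAM activity appears here once a policy exists.
    if (Test-Path $LogPath) {
        $result.MpControlMbamLines = @(Select-String -Path $LogPath -Pattern 'MBAM' -SimpleMatch |
            Select-Object -Last 5 | ForEach-Object { $_.Line })
    } else {
        $result.MpControlMbamLines = @("log not found: $LogPath")
    }

    # Interpret: all three empty matches the "before creating policy" state.
    $noMbam = $result.IisMbamApplications.Count -eq 0 -and
              $result.MbamEventLogs.Count -eq 0 -and
              -not ($result.MpControlMbamLines -match 'MBAM')
    $result.State = if ($noMbam) {
        'No MBAM indicators: no BitLocker Management policy appears to have been created yet'
    } else {
        'MBAM indicators present: a policy exists; start troubleshooting in mpcontrol.log'
    }
    [pscustomobject]$result
}

Test-BitLockerManagementServer -LogPath $MpControlLog | Format-List
```

Run it in an elevated PowerShell session before and after creating your first policy; the IIS and event log lists should go from empty to populated, which confirms the server-side flow the post describes.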

So let’s create our first BitLocker Management policy.

Continue reading the rest of this blog post here on windows-noob.com.

This entry was posted in 1910, 2002, BitLocker Management, MBAM, pki, System Center Configuration Manager (Current Branch).
