Microsoft has released Technical Preview 2102 and, as usual, it's got a bunch of new updates, including some for BitLocker Management via the cloud management gateway (CMG). To get an idea of how BitLocker Management via a CMG works, please see my blog posts below.
- BitLocker management via a cloud management gateway (CMG) in ConfigMgr 2010
- Improvements to BitLocker management in Endpoint Manager update 2010
In current branch version 2010, you can manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG). This support included a couple of limitations. Starting in this technical preview release, BitLocker management policies over a CMG support the following capabilities:
- Recovery keys for removable drives
- TPM password hash, otherwise known as TPM owner authorization
So let's take a look at the new BitLocker Management abilities on a newly deployed Surface. After I installed Windows 10 version 20H2 on it I disconnected it from the LAN, and the ConfigMgr client agent switched over to a connection type property of Currently Internet, as shown here.
This particular computer was not yet managed by BitLocker Management, as no policy had been deployed to it. So I went ahead and created some new policy in the TP2102 console.
This computer has a removable drive attached (an SDHC card). Within literally seconds the device got the policy and BitLockerManagementHandler.log started reporting about recovery keys being escrowed to the management point (via the CMG). Notice the:
Starting one shot task
I haven’t seen that one before.
After inserting a USB key I got the following popup.
I chose to encrypt and then it asked me for a password. I entered one and then it asked me where to store the keys, which was odd as I assumed they would be stored in the MP (via the CMG). (That prompt is the standard BitLocker To Go wizard offering to back up the recovery key locally; the escrow to the MP is done separately by the BitLocker management client.)
But I selected Save to a file, and then encryption started and the keys were escrowed to the MP via the CMG. Job done!
After encrypting the drive I ejected it, reinserted it and was prompted to enter my password. I entered it and could freely browse the drive. I then tried to write to it and got the following message.
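The walk-through above is done from screenshots; the script below is an added example (not code from the original post, from Microsoft, or from ConfigMgr) that checks the same things from an elevated PowerShell prompt on the client: that the client really is in "Currently Internet" mode, that the removable drive carries a recovery password protector (the only protector type the MP can escrow), and that BitLockerManagementHandler.log contains the one-shot-task and escrow entries. It assumes the ConfigMgr client and the BitLocker PowerShell module are installed. The sample log lines are constructed to show the CMTrace line format; their message text is illustrative, not copied from a real log. The TPM check reads the OSManagedAuthLevel policy value (4 = Full), which is what Windows 10 1607 and later use to decide whether to keep the TPM owner authorization at all.

```powershell
# Added example, not from the original post or from Microsoft: post-checks on a Windows 10
# client that should be escrowing BitLocker recovery keys to the MP via a CMG.
# Assumptions: run elevated on the client; ConfigMgr client and BitLocker module present.
# $sampleLog below is constructed (real CMTrace format, illustrative message text).

# 1. Connection type: root\ccm:ClientInfo.InInternet is $true when the client is talking
#    to the MP over the internet, which the console shows as "Currently Internet".
function Get-CcmConnectionType {
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop
    if ($info.InInternet) { 'Currently Internet' } else { 'Currently intranet' }
}

# 2. Removable drives: a key can only be escrowed if the volume has a 48-digit
#    RecoveryPassword protector next to the Password protector the wizard asked for.
function Get-RemovableBitLockerState {
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $bl = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):" -ErrorAction SilentlyContinue
            if ($null -eq $bl) { return }
            [pscustomobject]@{
                Drive               = $bl.MountPoint
                Protection          = $bl.ProtectionStatus
                Status              = $bl.VolumeStatus
                Percent             = $bl.EncryptionPercentage
                ProtectorTypes      = ($bl.KeyProtector.KeyProtectorType -join ',')
                HasRecoveryPassword = [bool]($bl.KeyProtector |
                                        Where-Object KeyProtectorType -eq 'RecoveryPassword')
            }
        }
}

# 3. CMTrace log parsing: every ConfigMgr client log line looks like
#    <![LOG[message]LOG]!><time="..." date="..." component="..." ...>, so one regex
#    pulls out the fields and a filter keeps the one-shot-task / escrow entries.
function ConvertFrom-CmTraceLine {
    param([Parameter(Mandatory)][string]$Line)
    $re = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
    if ($Line -match $re) {
        [pscustomobject]@{
            Date      = $Matches['date']
            Time      = $Matches['time']
            Component = $Matches['comp']
            Message   = $Matches['msg']
        }
    }
}

function Find-EscrowEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-CmTraceLine -Line $_ } |
        Where-Object { $_ -and $_.Message -match 'one shot task|escrow' }
}

# Constructed sample lines (format is real, message text is illustrative).
$sampleLog = @(
    '<![LOG[Starting one shot task]LOG]!><time="10:22:41.115+000" date="02-25-2021" component="BitLockerManagementHandler" context="" type="1" thread="4412" file="">',
    '<![LOG[Escrow of recovery key for volume E: succeeded]LOG]!><time="10:22:43.902+000" date="02-25-2021" component="BitLockerManagementHandler" context="" type="1" thread="4412" file="">',
    '<![LOG[Policy evaluation complete]LOG]!><time="10:22:44.010+000" date="02-25-2021" component="BitLockerManagementHandler" context="" type="1" thread="4412" file="">'
)

# 4. TPM owner authorization: Windows 10 1607+ discards the TPM owner password unless the
#    OSManagedAuthLevel policy is 4 (Full), in which case there is nothing to escrow.
function Test-TpmOwnerAuthRetained {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $level = (Get-ItemProperty -Path $key -Name OSManagedAuthLevel -ErrorAction SilentlyContinue).OSManagedAuthLevel
    [pscustomobject]@{
        OSManagedAuthLevel = $level
        Retained           = ($level -eq 4)
    }
}

# Run the checks. Swap $sampleLog for the real log to inspect a live client:
# $sampleLog = Get-Content "$env:windir\CCM\Logs\BitLockerManagementHandler.log"
Get-CcmConnectionType
Get-RemovableBitLockerState | Format-Table -AutoSize
Find-EscrowEntries -Lines $sampleLog | Format-Table Date, Time, Message -AutoSize
Test-TpmOwnerAuthRetained
```

Two things worth watching when you run this against a real client: if HasRecoveryPassword is false for the drive, nothing was escrowed no matter what the wizard showed, and if Test-TpmOwnerAuthRetained reports Retained = False the new TPM owner authorization escrow has nothing to send, because the OS never kept the owner password in the first place.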
Nice work Microsoft !