anyweb

Introduction In this video I show you how you use the built in reports from the BitLocker Management feature that was released in Microsoft Endpoint Configuration Manager version 1910. I explain what each of the 5 built in reports offer and take a look at compliance both on the server and on the client including deciphering the statemessage.log. Note: You do not need SSRS to be in HTTPS mode for rendering or using reports about BitLocker Management in Configuration Manager 1910. I also wrote a detailed blog about Bitlocker Management reporting earlier here. This is part 7 from a 10 part video series on youtube. BitLocker management – Part 1 Initial setup BitLocker management – Part 2 Deploy portals BitLocker management – Part 3 Customize portals BitLocker management – Part 4 Force encryption with no user action BitLocker management – Part 5 key rotation BitLocker management – Part 6 Force decryption with no user action BitLocker management – Part 7 Reporting and compliance BitLocker management – Part 8 Migration BitLocker management – Part 9 Group Policy settings BitLocker management – Part 10 Troubleshooting Take a look !

Introduction In this video (linked at the bottom of this post) I show you how you can migrate existing MBAM managed clients to Configuration Manager using the new BitLocker Management feature that was released in Microsoft Endpoint Configuration Manager version 1910. In order for this to work you’ll need an existing MBAM standalone server(s) that is managing one or more clients. The recovery keys (and associated data) will be stored on that MBAM server as defined by the Group Policy settings you’ve configured for MDOP. Before the MBAM Migration scenario The screenshot below shows the MBAM GPO which is linked to the MBAM Clients OU. From there MBAM managed clients get group policy telling them to report to the MBAM server and upload compliance data and recovery keys. The Configuration Manager server is only used at this point to deploy the MBAM client agent to resources in the MBAM Clients collection (which has a membership query to look for resources in the MBAM Clients OU). After the MBAM Migration scenario In the below screenshot you can see the ConfigMgr database on the left, and the MBAM database on the right, the client that was managed by MBAM is now managed by ConfigMgr and the key and it’s associated data is migrated over to ConfigMgr. When you migrate clients from MBAM to Bitlocker Management within Configuration Manager, the recovery key and more data will be migrated and automatically populated in ConfigMgr’s database without you needing to do anything other than pre-configure BitLocker Management policy and target the desired computers to be migrated with that policy. As a rule, keep the settings in the MBAM GPO the same as in your ConfigMgr Bitlocker policy otherwise you may get conflicts and as a result, unexpected results. The following links should help you get MBAM setup in a lab so you can practice the migration yourself. https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/evaluating-mbam-25-in-a-test-environment https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy–admx–templates https://www.microsoft.com/en-us/download/details.aspx?id=55531 also to note that setting up MBAM from scratch is covered in a book i wrote here https://www.niallbrady.com/book/ This is part 8 from a 10 part video series on youtube. BitLocker management – Part 1 Initial setup BitLocker management – Part 2 Deploy portals BitLocker management – Part 3 Customize portals BitLocker management – Part 4 Force encryption with no user action BitLocker management – Part 5 key rotation BitLocker management – Part 6 Force decryption with no user action BitLocker management – Part 7 Reporting and compliance BitLocker management – Part 8 Migration BitLocker management – Part 9 Group Policy settings BitLocker management – Part 10 Troubleshooting Take a look !

ok i missed the 'internet' part, i haven't tested this for IBCM clients yet, have you configured your certs to work with internet based clients ?

thanks for posting the solution to your problem !

well how are you setting it now, can you show your configured settings ?

take a look at this post it should help https://sccmxpert.com/2016/09/09/infoblox-settings-for-uefi-based-os-deployment/

they need to configure infloblox using the IPv4 DHCP options node, something like this

if it's already created then leave it there, it's safe to delete the contents inside as the they will get repopulated (if everything is working correctly)

hi Shaq, the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required. but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless. cheers niall

i think you need to look at the steps in the guide again as i just quickly looked at part 3, step 1, where i show you how to manually install roles and features, In this step you can see the BITS components that are required, did you miss it ? I've updated the original post to make it clear that both Background Intelligent Transfer Service (BITS) and IIS Server Extension need to be selected

Unable to find suitable Recovery Service MP usually means that it cannot communicate with the https enabled management point, are you using pki on your clients and sccm server(s) ?

Following the guide manually, I get the following errors on SCCM install: are you sure you followed my guide 100% or did you change anything ? if so what ? please do tell us more about how you did this

hi @CellFreak so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMGr's database in the MBAM tables, but it's not working for workgroup joined computers ? please clarify this

no reply yet, i've emailed again...

Thanks so much for what you've done for the SCCM community anyweb... these guides are great! thanks ! can you please attach your smsts.log so i can take a look, it will explain why it's continuing for you (perhaps, continue on error is selected ?)

i've emailed them, let's see if they reply

I can check with the product group if you can wait on their reply ?

no you don't but you do need the serviceui,exe from mdt, can you post your smsts.log so i can see what's going wrong ? and a view of your actual step in the task sequence

it's still here, just click on the download (it's only available to logged in registered members)

ok good info, i'll try my best to verify this when I have time...

everything inside the LAB should be on a private network, that way everything in the lab can talk to itself without interference from the outside, if you map a switch to a network card then that effectively gives your lab access to anything on that network and vice versa, so if your network card is connected say to your internal company network, and you set your switch to External, using your onboard NIC, then your dhcp server could start handing out ip's on your company network, and you don't want that. so keep your lab private, and only share internet into the lab using a smoothwall or similar. if you want to 'test' deploying things (like operating systems or otherwise) to computers outside of the lab, then follow my guide here

hi, if you are planning on doing this on a Surface that's fine as long as it has at least 16GB of ram (minimum) for all the virtual machines, and lots of storage. for both #1 and #2 configure the switch as PRIVATE that way it won't matter that you are running DHCP as it will be self contained in it's own private network

also can you modify your cmdline to correctly specify the reportserver via the -ReportWebServiceUrl switch, yours is currently pointing to Reports and it should point to Reportserver here's a sample .\MBAMWebSiteInstaller.ps1 -SqlServerName cm01.windowsnoob.lab.local -SqlInstanceName MSSQLSERVER -SqlDatabaseName CM_P01 -ReportWebServiceUrl http://cm01.windowsnoob.lab.local/Reportserver -HelpdeskUsersGroupName "windowsnoob\MBAM_HD" -HelpdeskAdminsGroupName "windowsnoob\MBAM_HD_Adv" -MbamReportUsersGroupName "windowsnoob\MBAM_HD_Report" -SiteInstall

ok got them, when you created the certs did you get any errors during that process or did it all proceed happily ? did you verify that it met all these requirements ? The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT. Encrypt this certificate with a database master key. The following SQL users need Control permissions on the certificate: RecoveryAndHardwareCore RecoveryAndHardwareRead RecoveryAndHardwareWrite Deploy the same certificate at every site database in your hierarchy. Create the certificate with the latest version of SQL Server in your environment. For example: Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier. Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later. and lastly, did you verify the certificate creation using the Verify certificate SQL script ? please confirm, what i can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

thanks for the feedback, but no it's not missing, that is why we do cd \ in step 5, it moves us from c:\windows\system32 to c:\ before running the command, which in turn, creates the cert in that location, if you want to specify the location of it go ahead and it's possible, but it's not 'missing' if you follow the steps above exactly, it will work 100% this command retrieves the CA certificate from the issuingca and places (recreates it) using the name you specify in the folder you are currently in see docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil -ca.cert CertUtil [Options] -ca.cert OutCACertFile [Index] Retrieve the CA's certificate OutCACertFile: output file Index: CA certificate renewal index (defaults to most recent) [-f] [-split] [-config Machine\CAName] cheers niall