
Note: This blog post is about technology that is still in development in a Technical Preview release of System Center Configuration Manager, so it is quite likely that things will change in the coming months.

Microsoft released SCCM TP 1905 a few days ago, and it has to be one of their finest ConfigMgr releases yet. With so many new features it was hard to decide which would get my focus, but on-premises BitLocker management with MBAM was among them, so I focused on that.

mbam included.png

For those that don't know, Microsoft BitLocker Administration and Monitoring (MBAM) lets you place a client agent (the MDOP MBAM agent) on your Windows devices (7, 8, 10) to enforce BitLocker encryption and to store the recovery keys in your database. It has been around for quite some years now and works great; however, MBAM is currently its own separate solution. The following blog post from Microsoft details their future direction with regard to BitLocker management and is a must read.

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

In that blog post they detail 3 options for BitLocker management based on your needs, and I'm going to focus on the second option:

Option 2 – On-premises BitLocker management using System Center Configuration Manager

And I quote...

Quote

 

For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.

Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.  

 

This is the new capability we now see in TP1905: native BitLocker management within SCCM. So let's get started. But first keep in mind that this is the first instance of this capability, and it will no doubt get better, with more features added based on customer demand and needs.

Step 1. Enable PKI/HTTPS mode

Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM; however, from Technical Preview 1909 it is no longer required and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below.

Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below).

In order to get MBAM functionality working with SCCM Technical Preview 1905, you need to be in HTTPS mode (secure PKI) both on the client and in ConfigMgr itself. This ensures that the backed-up encryption (recovery) keys, which protect the data on managed workstations, are sent to the management point over a secure channel.

Why is that? Data sent over HTTPS is encrypted in transit, but data sent over plain HTTP can be captured and read on the network, so a recovery key sent that way would be exposed.

Converting to HTTPS (PKI) is no easy task. I won't go into details, but I did as follows:

  • converted my lab from HTTP to HTTPS by first adding PKI to the lab by following this set of blog posts
  • converted SCCM TP 1905 from HTTP to HTTPS by doing this.

To add PKI and convert to HTTPS took me approximately 4 hours in total, but it was worth it.

My Technical Preview lab is shown below; all the computers ending in _TP are in the TP lab, and it has a two-tier PKI infrastructure as well. This lab is one of many hosted on my Lenovo P1.

tp lab.png

Step 2. Create an MBAM Policy

In the SCCM console, select Assets and Compliance, expand Endpoint Protection, select BitLocker Management (MBAM), right-click and choose Create BitLocker Management Control Policy.

create mbam policy.png

When the wizard appears, give the policy a name and select the two options if necessary.

mbam policy name.png

On the next screen you'll see two drop-downs for enabling BitLocker Drive Encryption Settings: the first is for Windows 8 and Windows 8.1, and the second is for Windows 10.

bitlocker drive encryption settings.png

On the next screen you have the Client Management setup information settings. The client policy retrieval interval is set here, and the default is every 90 minutes. In a lab you can bring that down to every minute, but keep in mind that the prompt will pop up at every interval until the device is compliant.

Note: If you enable Configure MBAM Services, key recovery info is automatically and silently backed up to the Configuration Manager site.

Client Management setup information.png

On the OS Drive Management settings screen, configure it as appropriate for your environment.

operating system drive management settings.png

Continue through the wizard to completion.

Step 3. Deploy the policy

Right click on your newly created policy and deploy it to a collection containing your target computers.

deploy.png

Step 4. Verify things on a client

On a client computer, verify that it has received the policy. You'll know it has the policy when it generates two BitLocker-related logs in the C:\Windows\CCM\Logs folder, shown below.

logs.png

 

The BitLockerManagementHandler.log records installation of the MDOP MBAM client agent

log showing mdop client agent installation.png

and the BitLockerManagement_GroupPolicyHandler.log records details about communication with the SCCM Management Point to retrieve policy, which it then effectively sets on the client as local group policy.

policy log.png

In Programs and Features you should see the client agent installed.

mdop mbam.png

 

And you can review the logs in Event Viewer in Applications and Services Logs, Microsoft, Windows, MBAM as shown below.

event viewer related logs.png
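The checks in this step (the two logs, the agent in Programs and Features, the MBAM event channels) can be scripted on the client. The following is an added example and not code from the original post or from Microsoft; it assumes the default CCM log path, that the agent's service is named MBAMAgent (an assumption), and that the MBAM event channels are Microsoft-Windows-MBAM/Admin and /Operational. It also scans the handler log for the "Unable to find suitable Recovery Service MP" message from the Troubleshooting section, so a non-HTTPS management point shows up here too.

```powershell
# Added example (not from the original post): client-side verification of the
# MBAM agent state described in Step 4. Run elevated on the managed client.
function Test-MbamClientState {
    [CmdletBinding()]
    param(
        [string]$CcmLogPath = "$env:SystemRoot\CCM\Logs",
        [string]$AgentServiceName = 'MBAMAgent'   # assumed service name of the MBAM agent
    )

    $result = [ordered]@{}

    # 1. The two BitLocker management logs appear once the policy has arrived.
    foreach ($log in 'BitLockerManagementHandler.log', 'BitLockerManagement_GroupPolicyHandler.log') {
        $result[$log] = Test-Path (Join-Path $CcmLogPath $log)
    }

    # 2. A management point that is not in HTTPS mode leaves this message in the handler log.
    $handler = Join-Path $CcmLogPath 'BitLockerManagementHandler.log'
    $result['RecoveryServiceMpError'] = if (Test-Path $handler) {
        [bool](Select-String -Path $handler -Pattern 'Unable to find suitable Recovery Service MP' -Quiet)
    } else { $false }

    # 3. Programs and Features is driven by the Uninstall registry keys (64- and 32-bit views).
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*MDOP MBAM*' } |
        Select-Object -First 1 DisplayName, DisplayVersion
    $result['AgentInstalled'] = [bool]$agent
    $result['AgentVersion']   = if ($agent) { $agent.DisplayVersion } else { $null }

    # 4. The agent service should exist and be running.
    $svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
    $result['AgentService'] = if ($svc) { $svc.Status.ToString() } else { 'not found' }

    # 5. Most recent entries from the MBAM channels under
    #    Applications and Services Logs > Microsoft > Windows > MBAM.
    $result['RecentEvents'] = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
        } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    # 6. Per-volume encryption state, to compare with what the policy asked for (Windows 8+/10).
    $result['Volumes'] = Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

    [pscustomobject]$result
}

Test-MbamClientState
```

The returned object is easy to feed into a compliance baseline script or to compare across a collection; `RecoveryServiceMpError` being true is the quickest signal that the HTTPS requirement from Step 1 has not been met.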

Step 5. Review the MBAM Client agent prompting for encryption

On a computer that has the policy you'll see the MBAM Client Agent popup (provided that you are NOT connected via RDP).

mbam client agent.png

Click Start to start the process; after a while you'll see the drive is being encrypted!

surface pro.png

Step 6. Getting keys from the Database

The recovery keys are stored in the SCCM database in the following table: dbo.RecoveryAndHardwareCore_Keys

keys in db.png

You can use SQL queries, as I detail here, to retrieve the data you need from there, just as you do today with your existing MBAM infrastructure.

I've checked Reports in TP1905 and didn't see any MBAM specific reports yet.
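Because that table holds recovery keys, any query against it should go over an encrypted, authenticated connection and should not build SQL from string concatenation. The function below is an added example, not code from the original post or from Microsoft: it uses System.Data.SqlClient (shipped with Windows PowerShell) to connect with Encrypt=True, reads the table's column list from INFORMATION_SCHEMA (the post does not list the columns, so none are assumed), and returns a row count. The server and database names are placeholders.

```powershell
# Added example (not from the original post): inspect the key table named in Step 6
# over an encrypted SQL connection, without assuming its column layout.
function Get-MbamKeyTableSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # placeholder, e.g. 'CM01_TP\MSSQLSERVER'
        [Parameter(Mandatory)][string]$Database,         # placeholder, e.g. 'CM_TP1'
        [string]$Table = 'RecoveryAndHardwareCore_Keys'  # table name from the post
    )

    # Integrated Windows auth and TLS on the wire; do not trust an unvalidated server cert.
    $cs = "Server=$ServerInstance;Database=$Database;Integrated Security=True;" +
          "Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # Column list from the catalog; the table name is passed as a parameter.
        $cmd.CommandText = "SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS " +
                           "WHERE TABLE_SCHEMA = 'dbo' AND TABLE_NAME = @table ORDER BY ORDINAL_POSITION"
        [void]$cmd.Parameters.AddWithValue('@table', $Table)
        $columns = @()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            $columns += [pscustomobject]@{ Name = $rdr['COLUMN_NAME']; Type = $rdr['DATA_TYPE'] }
        }
        $rdr.Close()

        # Row count. An identifier cannot be a parameter, so QUOTENAME it inside dynamic SQL.
        $cmd.CommandText = "DECLARE @sql nvarchar(200) = N'SELECT COUNT(*) FROM dbo.' + QUOTENAME(@table); " +
                           "EXEC sp_executesql @sql"
        $count = [int]$cmd.ExecuteScalar()

        [pscustomobject]@{ Table = "dbo.$Table"; Rows = $count; Columns = $columns }
    }
    finally {
        $conn.Close()
    }
}

# Usage (placeholders): Get-MbamKeyTableSummary -ServerInstance 'CM01_TP' -Database 'CM_TP1'
```

Once you know the column names from the output, the same connection pattern can be reused for the real key lookups; run it under a dedicated read-only SQL login rather than a site admin account.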

Troubleshooting

When testing in the TP1905 release, make sure your client agent is using the TP1905 version and that it's in PKI mode. You'll be alerted to this in the log file as shown below; note that it states Unable to find suitable Recovery Service MP. Converting your Management Point to HTTPS solves that error.

need https.png

Secondly, you need real hardware to verify the encryption settings; it won't work on virtual machines (they'll get the policy but will not encrypt). Below is a typical error on a virtual machine after attempting to encrypt.

failed to encrypt.png

The error will be visible in the event viewer.

mbam event viewer error on virtual machine.png

Details: BitLocker Drive Encryption only supports Used Space Only Encryption on thin provisioned storage.
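Rather than waiting for that event after deploying the policy, the conditions it depends on (virtual hardware, TPM presence and readiness, firmware mode) can be checked up front. The function below is an added example, not from the original post or from Microsoft; it uses Win32_ComputerSystem, Get-Tpm, the Win32_Tpm WMI class and Confirm-SecureBootUEFI, and treats a hypervisor model string as "will not encrypt" as the post describes. The list of hypervisor strings it matches is an assumption.

```powershell
# Added example (not from the original post): pre-flight check for the
# "will it encrypt?" conditions from the Troubleshooting section.
function Test-BitLockerPrerequisites {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Virtual machines receive the policy but do not encrypt (see the event above).
    # Hypervisor model/manufacturer strings are an assumption for illustration.
    $isVirtual = ($cs.Model -match 'Virtual|VMware|VirtualBox|KVM|HVM') -or
                 ($cs.Manufacturer -match 'VMware|QEMU|Xen|innotek')

    # TPM presence and readiness, plus the spec version (1.2 vs 2.0) from WMI.
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                              -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; leave $null in that case.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Thin-provisioned virtual disks only support used-space-only encryption,
    # so also report what the boot disk looks like.
    $osDisk = Get-Disk | Where-Object { $_.IsBoot } |
              Select-Object -First 1 FriendlyName, BusType, PartitionStyle

    [pscustomobject]@{
        ComputerModel  = $cs.Model
        IsVirtual      = $isVirtual
        TpmPresent     = if ($tpm) { $tpm.TpmPresent } else { $false }
        TpmReady       = if ($tpm) { $tpm.TpmReady }   else { $false }
        TpmSpecVersion = $tpmVersion
        Firmware       = if ($null -eq $secureBoot) { 'BIOS/legacy' } else { 'UEFI' }
        SecureBoot     = $secureBoot          # $true/$false on UEFI, $null on legacy BIOS
        OsDisk         = $osDisk
        ReadyToEncrypt = (-not $isVirtual) -and $tpm -and $tpm.TpmReady
    }
}

Test-BitLockerPrerequisites
```

A physical machine with `TpmReady` true and `SecureBoot` true is the straightforward case; a TPM 1.2 device on a firmware that only half implements UEFI (as one of the comments below describes) will show `SecureBoot` false or `Firmware` BIOS/legacy here, which tells you where to look before blaming the policy.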

Verify that you have the sms_mp_mbam component installed in IIS.

sms_mp_mbam.png

If it's not there, review MPControl.log to find out why. Below you can see why the MBAM installer initially failed in my lab: the PowerShell script that installs the service didn't check for spaces in the path.

image.png

To resolve this I had to manually extract the files from the mbamrecoveryser.cab CAB file and keep running the mbamrecoveryserviceinstaller.ps1 PowerShell script until I got it to run without error.

mbamrecovery cab file and powershell script.png

Once successful, it should be extracted to the SMS_CCM folder as shown below.

sms_ccm.png

With the following files present in the Bin folder...

bin files.png

See it in action

Please review my video below to see MBAM in action, both on the client and server side. Great job from Microsoft!

 

Recommended reading

https://docs.microsoft.com/en-us/sccm/core/get-started/2019/technical-preview-1905#bkmk_bitlocker

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-expands-BitLocker-management-capabilities-for-the/ba-p/544329

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises

Related reading

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/index



Fantastic write-up! When do you sleep, honestly? It's very encouraging to see on-prem SCCM and cloud continue to develop further and further, especially when your livelihood depends on it!

Share on other sites

Does using this feature require a Microsoft EA, as MBAM did?

Also, are the recovery keys still backed up into AD as well as the SCCM DB?


I'm checking with Microsoft; in my lab at least there were no BitLocker keys in AD, but perhaps we need to configure something in order for this to happen. Let's see if I get a reply...

 

The replies I got simply reminded us that this feature in SCCM is still in preview, i.e. work in progress. Also, storing the keys in AD is not MBAM specific but is done via GPOs. Watch this space to learn more about when the feature goes public in the Current Branch releases.


Hey Niall, are you able to encrypt on machines with TPM 1.2 chips in Secure Boot mode with your TP-managed MBAM? Having issues on my end with it. Setting the TPM validation profile to leave out the Secure Boot stuff manually via group policy hasn't worked. This will be a problem in production if it's not possible. The BitLocker-API log states "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event." I'll keep hunting on this end!

1 hour ago, huggans.sean said:

Hey Niall, are you able to encrypt on machines with TPM 1.2 chips in Secure Boot mode with your TP-managed MBAM? Having issues on my end with it. Setting the TPM validation profile to leave out the Secure Boot stuff manually via group policy hasn't worked. This will be a problem in production if it's not possible. The BitLocker-API log states "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event." I'll keep hunting on this end!

Never mind. I was using an old 8460w to test; it was in UEFI mode, which those models have a half implementation of (no Secure Boot) due to flash chip size limitations. All is well testing with a newer model!


Good to hear it!


Hello,

Thank you for sharing this valuable blog.

Could you please help?

I have deployed the MBAM policy as mentioned in your blog. The policy reached the client computer, but BitLocker encryption is not starting.

In Event Viewer the error is: detected os volume encryption policies conflict, check Bitlocker MBAM policies related to OS drive protector

and in BitlockerManagementHandler.log: Bitlocker Management policy is compliant

MBAM.PNG


Are you trying this in SCCM Technical Preview version 1905, 1906 or 1907? And did you look at my video? Are you trying this on a real client or a virtual client?


Thank you for the reply.

I am using Technical Preview 1907. I have seen your video also.

I am trying on a real machine as well as a virtual machine; the behavior is the same on both.

In Event Viewer, Information tab, the message

"The MBAM policies were applied successfully.Volume ID:\\?\Volume{}\"

has been displayed, but I am unable to start encryption.


OK, so on the real computer, I assume you are not RDP'ing to it during testing? And secondly, what settings did you pick? What type of computer is it?


Hello,

For your update:

Now the MBAM drive encryption message box appeared. I have started encryption, and the recovery key is stored in the database also.

Observation: after the MBAM policy is applied on the system, it is taking too much time to display the MBAM drive encryption message box, approx. 60 minutes.


And what have you configured your client policy to refresh at? The default is 60 minutes for ConfigMgr client policy, and 90 minutes for the MBAM policy checks.

Triggering machine policy manually will check immediately.


Configured client policy as 90 minutes (default).

1) Triggered machine policy.

2) Policy applied on the system immediately ==> MDOP MBAM Client installed, but encryption start is taking a long time.

For laptop encryption, must the charger be connected?


Don't confuse the ConfigMgr client policy (default 60 minutes) with the MBAM client check policy (default 90 minutes). Full disk encryption always takes time, that's the way it is; the only 'fast' encryption is something called used space only, which you can do with OSD task sequences with a Pre-Provision BitLocker step during operating system deployment. And for laptops, yes, connect power so it doesn't power off during encryption.

On 8/5/2019 at 6:46 AM, Mohsin Husen said:

Hello,

For your update:

Now the MBAM drive encryption message box appeared. I have started encryption, and the recovery key is stored in the database also.

Observation: after the MBAM policy is applied on the system, it is taking too much time to display the MBAM drive encryption message box, approx. 60 minutes.

You can also add a DWORD reg value in HKLM\SOFTWARE\Microsoft\MBAM called "NoStartUpDelay" and set it to 1 in the registry to disable the random delay to display the wizard.  You can just restart the BitLocker Management Service after making this change - the wizard will show in around a minute with this key set.  Remember the wizard will never show up through straight RDP (Remote Desktop) - it WILL show up via SCCM remote control though!  I would test and test again before making this setting part of your standard MBAM config.

MBAMNoStartupDelay.PNG

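The registry tweak in the comment above, applied and reverted from one function, as an added example that is not part of the comment, the original post or Microsoft's documentation. It assumes the agent service is named MBAMAgent (the comment only calls it the BitLocker Management Service), needs to run elevated, and returns the effective value so you can confirm what is set before and after.

```powershell
# Added example (not from the comment or the original post): set or remove the
# NoStartUpDelay DWORD under HKLM\SOFTWARE\Microsoft\MBAM and restart the agent.
function Set-MbamNoStartupDelay {
    [CmdletBinding()]
    param(
        [switch]$Remove,                       # revert to the default random delay
        [string]$ServiceName = 'MBAMAgent'     # assumed name of the BitLocker Management Client Service
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\MBAM'
    $valueName = 'NoStartUpDelay'

    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    if ($Remove) {
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    }
    else {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Restarting the agent makes it re-read the key; the wizard then shows in about a minute
    # (on a console or SCCM remote control session, never over RDP, per the comment).
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        Restart-Service -Name $ServiceName
    }
    else {
        Write-Warning "Service '$ServiceName' not found; the agent may use a different service name."
    }

    # Return the effective value ($null when removed) so the caller can verify the change.
    (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

# Lab use: Set-MbamNoStartupDelay        (returns 1)
# Revert:  Set-MbamNoStartupDelay -Remove (returns nothing)
```

Keeping the revert in the same function makes it easy to use the setting only on test devices, which is what the comment recommends.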

Hello, 

We currently use Sophos to manage BitLocker encryption. Is anyone familiar with making the transition from Sophos to MBAM? I need to figure out a way to export the keys and store them within SCCM. 

Thanks



First things first: the BitLocker capability I blogged about above is not yet released; it's still in technical preview as of today's date, however it's coming soon. Secondly, you state you want to export the keys; what keys exactly? Are you referring to Sophos disk encryption?

