
Hi

Thanks for your guide it was very helpful!

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful. However, is the only way to view the key to query the database directly? This seems a bit clunky. Also, when setting it up I selected 'Recovery password and Key Package'; how do I download the key package, or am I misunderstanding this bit? We currently use McAfee to manage our BitLocker encryption, which works well, but we are moving away from ePO so would like to use this SCCM solution.

One last question: if currently all our machines have BitLocker on and I add them to this new policy, will it be able to pull the current in-use recovery keys, or would I have to decrypt then re-encrypt?

Thanks in advance

Neil


Hi Neil

"Thanks for your guide it was very helpful!"

You are welcome.

"I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful. However, is the only way to view the key to query the database directly? This seems a bit clunky."

I'm not really following what you are saying there, but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here


I have tried to follow the video; however, I get a slightly different error. I am getting a permissions error when running the PowerShell command. I am a domain admin and have db_owner access to the database. Any ideas?

Sorry to be a pain, do you know what other access I need?

*JUST WATCHED MORE OF THE VIDEO AND SAW I NEED TO BE SYSADMIN*

Edited by NeilGarry91
Correction


And to answer your last question:

"One last question: if currently all our machines have BitLocker on and I add them to this new policy, will it be able to pull the current in-use recovery keys, or would I have to decrypt then re-encrypt?"

If you have a computer that is already encrypted with BitLocker, let's say with AES-128 (or some other encryption algorithm), and you later add this computer to your BitLocker Management collection that has a policy targeted to it, the computer will get the BitLocker management policy and then decide whether it is compliant or not based on the settings of that policy. It will NOT re-encrypt the already encrypted drive (if, for example, the algorithm doesn't match your configured BitLocker Management policy).

In addition, on that already encrypted drive, regardless of whether or not it is compliant with your BitLocker management policy, the MDOP agent will rotate the existing BitLocker recovery key and store the newly rotated recovery key in the ConfigMgr database.

In the screenshot below you can see the recovery key has rotated on the already encrypted (with BitLocker) client, and the new key is now stored in ConfigMgr's database. This computer was previously encrypted with BitLocker using GPO settings from AD, but it doesn't matter how it was encrypted with BitLocker; the fact is it was already encrypted.

[screenshot: rotated recovery key stored in the ConfigMgr database]

Side note #1: if you were saving the key to your on-premises Active Directory prior to using the BitLocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory.

[screenshot: rotated recovery key stored in Active Directory]

Side note #2: those same keys will also be stored in the cloud (if you have Azure AD Connect set up), as shown below:

Starting with Windows 10 v1903, the keys are now backed up to on-prem AD and to Azure AD on Hybrid Joined machines, provided the machine has line of sight to on-prem DCs and Internet connectivity to reach Azure AD for backing up keys. Source: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

[screenshot: recovery key stored in Azure AD]

What about compliance with your BitLocker Management policy?

If you look closely at the first screenshot, you can also see that the client is non-compliant with the 'enable bitlocker encryption' BitLocker Management policy I created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256. To resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your BitLocker Management policy in ConfigMgr; only after doing that would it register as compliant.

Cheers

Niall

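As an added example (my code, not from Niall's reply or the ConfigMgr product), here is a PowerShell audit that evaluates local volumes the way the policy described above does: a volume is compliant only if it is fully encrypted and uses the required algorithm, and an AES-128 volume under an AES-256 policy is reported as needing decrypt-then-re-encrypt. It assumes the built-in BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) and an elevated session; $RequiredMethods and the -EscrowToAD switch are constructed for this example, and recovery passwords are never written out, only protector IDs.

```powershell
# Added example, not from the thread. Audits local BitLocker volumes against a
# policy that requires AES-256 and reports the same remediation the thread describes.
# Assumes: built-in BitLocker module, elevated session. -EscrowToAD is optional and
# escrows each recovery-password protector to the AD computer object by protector ID.
param(
    [string[]]$RequiredMethods = @('XtsAes256', 'Aes256'),   # constructed policy value
    [switch]$EscrowToAD
)

function Get-BitLockerPolicyReport {
    param([string[]]$Required, [switch]$Escrow)

    foreach ($vol in Get-BitLockerVolume) {
        $encrypted = $vol.VolumeStatus -eq 'FullyEncrypted'
        $methodOk  = $Required -contains [string]$vol.EncryptionMethod
        $recovery  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($Escrow) {
            foreach ($kp in $recovery) {
                # The cmdlet reads the password from the volume itself; only the ID is passed here.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        # An already-encrypted AES-128 volume is NOT re-encrypted by the policy; the only
        # route to compliance is decrypt, then re-encrypt with the required method.
        $fix = if (-not $encrypted) { 'Volume is not fully encrypted' }
               elseif (-not $methodOk) { 'Decrypt, then re-encrypt with a required method' }
               else { 'None' }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeStatus         = [string]$vol.VolumeStatus
            EncryptionMethod     = [string]$vol.EncryptionMethod
            ProtectionOn         = ($vol.ProtectionStatus -eq 'On')
            RecoveryProtectorIds = (($recovery | ForEach-Object KeyProtectorId) -join ',')
            PolicyCompliant      = ($encrypted -and $methodOk)
            Remediation          = $fix
        }
    }
}

Get-BitLockerPolicyReport -Required $RequiredMethods -Escrow:$EscrowToAD | Format-Table -AutoSize
```

The RecoveryProtectorIds column lets a helpdesk match what the client holds against what ConfigMgr or AD has escrowed, without the password ever leaving the machine.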

Following on from HermanB's comment.

We didn't do MBAM and just managed the keys (tediously) in AD and enabled BitLocker via the OSD with tasks setting registry values. Also, we are not enabling full disk encryption, just used-space encryption.
All of it is working fine, but I was just thinking of having that management done by Config Mgr.

My questions:
- Do we need to enable full disk encryption during the OSD for this to work?
- Do we still need to set BitLocker encryption levels in the OSD and GPOs, or just use the new BitLocker deployment policy after the machine is online?

I see you stated that current machines protected with BitLocker will keep their keys in AD as well as their encryption levels.
I'm more worried about new machines deployed and the OSD changes needed.


Hi, see below.

  • Do we need to enable full disk encryption during the OSD for this to work?

The following docs explain that you can do this during OSD:

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

  • Do we still need to set BitLocker encryption levels in the OSD and GPOs, or just use the new BitLocker deployment policy after the machine is online?

It's up to you which way works better: do you want to control BitLocker (keys) during OSD or after? That's entirely up to you. The easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.


Thanks for your quick response and all your work.  


@anyweb, amazing post, thank you. We are very similar to one of the posts above: currently on McAfee ePO but wanting to move to Azure AD-based key escrow. I can see (also above) where you can set up MBAM with ConfigMgr, and if you have on-prem AD escrow it will also sync to Azure AD (if you are using AD Connect).

Is there a way to skip the on-prem escrow and go straight to Azure AD if the devices are Hybrid Azure AD joined? Everything I see points to yes, but I cannot find anywhere to indicate it has been successful. Or are we resigned to using AD Connect until we are fully Azure AD joined?
