On-premises BitLocker management using System Center Configuration Manager

[Shaq]

Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused.  Even in this document you mentioned 

"Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below.

Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)."

But in the video as well as the comments you said SCCM should be in HTTPS mode. 

Could you please clarify? Thanks again for your detailed documentations. 

Edited January 15, 2020 by Shaq
Typo

[anyweb]

hi Shaq,

the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required.

but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless.

 

cheers

niall

[CellFreak]

Quote

...so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMGr's database in the MBAM tables, but it's not working for workgroup joined computers ?

Hi @anyweb

yes, exactly.

Keys of workgroup clients are not stored in the MBAM tables.

As far as I know, MBAM does not work with workgroup clients, but now that it is integrated in SCCM or MEM, i thought it might work.

Edited January 18, 2020 by CellFreak

[HermanB]

Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value then simply showing a 100% working environment!    
 

We have created our own version of Anders Rodland’s “ConfigMgr Client Health” that also deal with Bitlocker issues. This runs completely silent. Logs are gathered with Splunk.

1. MDOP seems like a “user-driven” experience?  We want the entire process to run without any user interaction. If something fails, we analyse the logs with Splunk, update our “Client Health” and fix the problem without ever notifying the user.

2. Will MDOP automatically fix issues that prevents Bitlocker from functioning?

-          We already have a fully working AD environment and documented routines to recover keys etc

-          Preferable, don’t want yet another agent installed in our environment

-          Our Bitlocker compliance is at 99.5% (With yearly audits)

-          Bitlocker all machines new machines during setup.  

What are we missing out, by not using MBAM?

[anyweb]

Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value then simply showing a 100% working environment!    

 

thank you !

1. it can be completely silent see >

 

2. MDOP is not a self healing product, but you can use CI/CB's in ConfigMgr to achieve this (via compliance),

MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.

[NeilGarry91]

Hi

Thanks for your guide it was very helpful!

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only was to view the key to query the database directly as this seems a bit clunky, also when setting it up I selected 'Recovery password and Key Package' how do I download the key package or am i misunderstanding this bit? We currently use McAfee to mange our Bitlocker Encryption which works well but we are moving away from ePO so would like to use this SCCM solution.

One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt? 

Thanks in advance

Neil

[anyweb]

hi Neil

Thanks for your guide it was very helpful! 

you are welcome.

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only was to view the key to query the database directly as this seems a bit clunky, 

i'm not really following what you are saying there but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here

 

[NeilGarry91]

Thanks for the quick reply I had missed that.

 

I will take a look now

[NeilGarry91]

I have tried to follow the video however I get a slightly different error. I am getting a permissions error when rung the powershell command I am a domain admin and have db_owner access to the database any ideas.

Sorry to be a pain do you not what other access I need?

 

 

*JUST WATCHED MORE OF VIDEO AND SAW I NEED TO BE SYSADMIN*

Edited February 10, 2020 by NeilGarry91
Correction

[anyweb]

And to answer your last question:

One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt?  

If you have a computer that is already encrypted with Bitlocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your Bitlocker Management collection that has a policy targeted to it, the computer will get the Bitlocker management policy and then decide whether it is compliant or not based on the settings of that policy, it will NOT re-encrypt the already encrypted drive (if for example the algorithm doesn't match your configured Bitlocker Management policy).

In addition on that already encrypted drive, regardless of whether or not it is compliant with your bitlocker management policy, the MDOP agent will rotate the existing bitlocker recovery key and store the newly rotated recovery key in the ConfigMgr database.

In the screenshot below you can see the recovery key has rotated on the already encrypted (with Bitlocker) client, and the new key is now stored in ConfigMgr's database, this computer was previously encrypted with Bitlocker using GPO settings from AD but it doesn't matter how it was encrypted with Bitlocker, the fact is it was already encrypted.

Side note #1: if you were saving the key to your on-premises Active Directory prior to using the Bitlocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory

Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD connect setup) as shown below:

Starting Windows 10 v1903 the keys are now backed up to On-Prem AD and to Azure AD on Hybrid Joined machines provided the machine has line of sight to On-Prem DCs and Internet connectivity to reach Azure AD for backing up keys. Source: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

What about compliance of your Bitlocker Management policy ?

if you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' Bitlocker Management policy i created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256,

to resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your Bitlocker Management policy in ConfigMgr,

only after doing that would it register as compliant

cheers

niall

 

[NeilGarry91]

 

That's Excellent thanks

[policeman5151]

Following off of HermanB's comment.

We didn't do MBAM and just managed the keys (tediously) in AD and enabled Bitlocker via the OSD with tasks setting registry values.  Also, not enabling full disk encryption, just used space.
All of it it working fine, but I was just thinking of having that management done by Config Mgr.  

My questions:
-do we need to enable full disk encryption during the OSD for this to work?
-do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

I see you stated that current machines protected with bitlocker will keep their keys in AD as well as their encryption levels.  
I'm more worried about new machines deployed and the OSD changes needed.

[anyweb]

hi, see below

• do we need to enable full disk encryption during the OSD for this to work?

 the following docs explain that you can do this during OSD

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

• -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

[policeman5151]

7 hours ago, anyweb said:

hi, see below

• do we need to enable full disk encryption during the OSD for this to work?

 the following docs explain that you can do this during OSD

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

• -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

Thanks for your quick response and all your work.  

[MrBigTed]

@anyweb, amazing post, thank you.  We are very similar to one of the posts above, currently on McAfee ePO but wanting to move to Azure AD based key escrow.  I can see (also above) where you can set up MBAM with ConfigMgr and if you have On-Prem AD escrow it will also sync to the Azure AD (if you are using AD Connect).

Is there a way to skip the On-Prem escrow and go straight to Azure AD, if the devices are Hybrid Azure AD joined?  Everything I see points to yes, but I cannot find anywhere to indicate it has been successful.  Or are we resigned to use AD Connect until we are full Azure AD Joined only?

[anyweb]

hi MrBigTed, thanks for the thanks

i'm not following exactly what you are saying, are you saying you've already setup azure ad connect and are also hybrid azure ad joined ?

[Eduards]

Hello,

When deploying self service portals, i got such error when running PS script.

Unable to export ConfigMgr SQL Server Identification Certificate: Unable to find tpye [X509Certificate].

But i got certificate etc.
 

Edited April 8, 2020 by Eduards

[anyweb]

what command line did you use to install the portals ? if you specified -SqlInstanceName MSSQLSERVER then this error is expected...

if you are using the default instance then leave out that switch

[Eduards]

I don't use -SQlInstanceName switch at all.

I open PS as admin that go to the root folder of the script and execute this:


In SQL i have Bitlockermanagement_CERT and also i have ConfigMgr cert.

[anyweb]

and did you follow the microsoft docs when creating the bitlockermanagement_cert ?

[Eduards]

Yes i created it using this information. 

https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data

[anyweb]

well the only thing i could suggest is to do a teamviewer session so I can see the errors live...

[Eduards]

Okey.
We could do that on thursday probably.

What is your e-mail?

[anyweb]

try niall@windowsnoob.com

[Peter33]

On 4/8/2020 at 9:29 AM, Eduards said:

Hello,

When deploying self service portals, i got such error when running PS script.

Unable to export ConfigMgr SQL Server Identification Certificate: Unable to find tpye [X509Certificate].

But i got certificate etc.
 

I was able to fix the problem by editing the installer script. Just added a session variable to avoid the proxy.

https://social.technet.microsoft.com/Forums/en-US/1ff999c3-f8d2-4dd2-bd17-df9fc79b8ec2/1910-setting-up-mbam-issues?forum=ConfigMgrCBGeneral

 

function Get-CertificateFromSqlServer
{
    param(
        [Parameter(Mandatory=$true)]
        [string]$sqlServer
    )

    $option = New-PSSessionOption -ProxyAccessType NoProxyServer ### added fix for WinRm error

    [array]$encodedCerts = Invoke-Command -ComputerName $sqlServer -ScriptBlock { 
        Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { ($_.FriendlyName -eq "ConfigMgr SQL Server Identification Certificate") -and ($_.NotBefore -lt (Get-Date)) -and ($_.NotAfter -gt (Get-Date)) } | ForEach-Object {
            $bytes = $_.Export("cert"); 
            [Convert]::ToBase64String($bytes) 
        }
    } -SessionOption $option ### added fix for WinRm error