Jump to content


Recommended Posts

Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused.  Even in this document you mentioned 

"Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below.

Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)."

But in the video as well as the comments you said SCCM should be in HTTPS mode. 

Could you please clarify? Thanks again for your detailed documentations. 

Edited by Shaq
Typo
  • Like 1

Share this post


Link to post
Share on other sites

hi Shaq,

the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required.

but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless.

 

cheers

niall

  • Thanks 1

Share this post


Link to post
Share on other sites

Quote

...so to be clear, are you saying you upgraded to ConfigMgr 1910 and enabled the MBAM feature, and then you could see some domain joined clients storing the keys in ConfigMGr's database in the MBAM tables, but it's not working for workgroup joined computers ?

Hi @anyweb

yes, exactly.

Keys of workgroup clients are not stored in the MBAM tables.

As far as I know, MBAM does not work with workgroup clients, but now that it is integrated in SCCM or MEM, i thought it might work.

Edited by CellFreak

Share this post


Link to post
Share on other sites

Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value then simply showing a 100% working environment!    
 

We have created our own version of Anders Rodland’s “ConfigMgr Client Health” that also deal with Bitlocker issues. This runs completely silent. Logs are gathered with Splunk.

1. MDOP seems like a “user-driven” experience?  We want the entire process to run without any user interaction. If something fails, we analyse the logs with Splunk, update our “Client Health” and fix the problem without ever notifying the user.

2. Will MDOP automatically fix issues that prevents Bitlocker from functioning?

-          We already have a fully working AD environment and documented routines to recover keys etc

-          Preferable, don’t want yet another agent installed in our environment

-          Our Bitlocker compliance is at 99.5% (With yearly audits)

-          Bitlocker all machines new machines during setup.  

What are we missing out, by not using MBAM?

Share this post


Link to post
Share on other sites

Thanks for the video you posted on Youtube! I really like that you didn’t edit out your troubleshooting. Seeing you troubleshoot gives the video a higher value then simply showing a 100% working environment!    

 

thank you !

1. it can be completely silent see >

 

2. MDOP is not a self healing product, but you can use CI/CB's in ConfigMgr to achieve this (via compliance),

MDOP offers the helpdesk and self service portals, encryption of the database and traffic between client and the database.

Share this post


Link to post
Share on other sites

Hi

Thanks for your guide it was very helpful!

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only was to view the key to query the database directly as this seems a bit clunky, also when setting it up I selected 'Recovery password and Key Package' how do I download the key package or am i misunderstanding this bit? We currently use McAfee to mange our Bitlocker Encryption which works well but we are moving away from ePO so would like to use this SCCM solution.

One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt? 

Thanks in advance

Neil

Share this post


Link to post
Share on other sites

hi Neil

Thanks for your guide it was very helpful! 

you are welcome.

I have installed the BitLocker extension on 1910 and have currently deployed it to one newly built machine as a test. This was all successful however is the only was to view the key to query the database directly as this seems a bit clunky, 

i'm not really following what you are saying there but if you are asking how to review the recovery key, normally you'd use the Helpdesk feature as described in the part 2 and part 3 videos here

 

Share this post


Link to post
Share on other sites

I have tried to follow the video however I get a slightly different error. I am getting a permissions error when rung the powershell command I am a domain admin and have db_owner access to the database any ideas.

1867534079_2020-02-1015_12_21-EMEAUKWIMVPAP02(PRTGNetworkMonitoring).png.9cae2ea27593d6024a7fa90547be5ec3.png

Sorry to be a pain do you not what other access I need?

 

 

*JUST WATCHED MORE OF VIDEO AND SAW I NEED TO BE SYSADMIN*

Edited by NeilGarry91
Correction

Share this post


Link to post
Share on other sites

And to answer your last question:

One last question if currently all our machines have bit locker on and I add them to this new policy will it be able to pull the current in use recovery Keys or would I have to decrypt then re-encrypt?  

If you have a computer that is already encrypted with Bitlocker, let's say with AES 128 (or some other encryption algorithm), and you later add this computer to your Bitlocker Management collection that has a policy targeted to it, the computer will get the Bitlocker management policy and then decide whether it is compliant or not based on the settings of that policy, it will NOT re-encrypt the already encrypted drive (if for example the algorithm doesn't match your configured Bitlocker Management policy).

In addition on that already encrypted drive, regardless of whether or not it is compliant with your bitlocker management policy, the MDOP agent will rotate the existing bitlocker recovery key and store the newly rotated recovery key in the ConfigMgr database.

In the screenshot below you can see the recovery key has rotated on the already encrypted (with Bitlocker) client, and the new key is now stored in ConfigMgr's database, this computer was previously encrypted with Bitlocker using GPO settings from AD but it doesn't matter how it was encrypted with Bitlocker, the fact is it was already encrypted.

image.png

Side note #1: if you were saving the key to your on-premises Active Directory prior to using the Bitlocker Management features in ConfigMgr, then the newly rotated recovery key will also be stored in Active Directory

image.png

Side note #2: Those same keys will also be stored in the cloud (if you have Azure AD connect setup) as shown below:

Starting Windows 10 v1903 the keys are now backed up to On-Prem AD and to Azure AD on Hybrid Joined machines provided the machine has line of sight to On-Prem DCs and Internet connectivity to reach Azure AD for backing up keys. Source: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34015732-bitlocker-recovery-keys-in-a-hybrid-aad-joined-dev

image.png

What about compliance of your Bitlocker Management policy ?

if you look closely at the first screenshot, you can also see that the client is non-compliant for the 'enable bitlocker encryption' Bitlocker Management policy i created, and that is because this client computer only has AES-128 as the algorithm and the policy requires AES-256,

to resolve the compliance problem, you'd have to decrypt the drive and then re-encrypt with the correct algorithm as defined in your Bitlocker Management policy in ConfigMgr,

only after doing that would it register as compliant

cheers

niall

 

Share this post


Link to post
Share on other sites

Following off of HermanB's comment.

We didn't do MBAM and just managed the keys (tediously) in AD and enabled Bitlocker via the OSD with tasks setting registry values.  Also, not enabling full disk encryption, just used space.
All of it it working fine, but I was just thinking of having that management done by Config Mgr.  

My questions:
-do we need to enable full disk encryption during the OSD for this to work?
-do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

I see you stated that current machines protected with bitlocker will keep their keys in AD as well as their encryption levels.  
I'm more worried about new machines deployed and the OSD changes needed.

Share this post


Link to post
Share on other sites

hi, see below

  • do we need to enable full disk encryption during the OSD for this to work?

 the following docs explain that you can do this during OSD

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

  • -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

  • Like 1

Share this post


Link to post
Share on other sites

7 hours ago, anyweb said:

hi, see below

  • do we need to enable full disk encryption during the OSD for this to work?

 the following docs explain that you can do this during OSD

By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker.

  • -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online?

it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

Thanks for your quick response and all your work.  

Share this post


Link to post
Share on other sites

@anyweb, amazing post, thank you.  We are very similar to one of the posts above, currently on McAfee ePO but wanting to move to Azure AD based key escrow.  I can see (also above) where you can set up MBAM with ConfigMgr and if you have On-Prem AD escrow it will also sync to the Azure AD (if you are using AD Connect).

Is there a way to skip the On-Prem escrow and go straight to Azure AD, if the devices are Hybrid Azure AD joined?  Everything I see points to yes, but I cannot find anywhere to indicate it has been successful.  Or are we resigned to use AD Connect until we are full Azure AD Joined only?

Share this post


Link to post
Share on other sites

hi MrBigTed, thanks for the thanks :)

i'm not following exactly what you are saying, are you saying you've already setup azure ad connect and are also hybrid azure ad joined ?

Share this post


Link to post
Share on other sites

Hello,

When deploying self service portals, i got such error when running PS script.

Unable to export ConfigMgr SQL Server Identification Certificate: Unable to find tpye [X509Certificate].

But i got certificate etc.
 

Untitled.png

Edited by Eduards

Share this post


Link to post
Share on other sites

what command line did you use to install the portals ? if you specified -SqlInstanceName MSSQLSERVER then this error is expected...

if you are using the default instance then leave out that switch

Share this post


Link to post
Share on other sites

On 4/8/2020 at 9:29 AM, Eduards said:

Hello,

When deploying self service portals, i got such error when running PS script.

Unable to export ConfigMgr SQL Server Identification Certificate: Unable to find tpye [X509Certificate].

But i got certificate etc.
 

Untitled.png

I was able to fix the problem by editing the installer script. Just added a session variable to avoid the proxy.

https://social.technet.microsoft.com/Forums/en-US/1ff999c3-f8d2-4dd2-bd17-df9fc79b8ec2/1910-setting-up-mbam-issues?forum=ConfigMgrCBGeneral

 

function Get-CertificateFromSqlServer
{
    param(
        [Parameter(Mandatory=$true)]
        [string]$sqlServer
    )

    $option = New-PSSessionOption -ProxyAccessType NoProxyServer ### added fix for WinRm error

    [array]$encodedCerts = Invoke-Command -ComputerName $sqlServer -ScriptBlock { 
        Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { ($_.FriendlyName -eq "ConfigMgr SQL Server Identification Certificate") -and ($_.NotBefore -lt (Get-Date)) -and ($_.NotAfter -gt (Get-Date)) } | ForEach-Object {
            $bytes = $_.Export("cert"); 
            [Convert]::ToBase64String($bytes) 
        }
    } -SessionOption $option ### added fix for WinRm error

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...