Jump to content


anyweb

How can you use the Self Service feature when MBAM is integrated within SCCM?

Recommended Posts

Introduction

Microsoft recently released Configuration Manager Technical Preview version 1909 which contained updates to the integrated MBAM functionality within Configuration Manager and I blogged about that here, namely Self Service and Help Desk abilities. In this blog post we’ll look at the Self Service feature for end users.

Self Service

What is the Self Service feature ?  well to put it quite simply, it allows the end user (that has the BitLocker Recovery prompt) to solve the problem by them selves without having to involve anyone else to support them.

To use the Self Service feature, let’s first take a look at an MBAM managed Windows 10 computer. If we open control panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant.

ci.png

And if we check the BitLocker settings, we can see it it encrypted as per the MBAM policy. And we can even query the Recovery key as shown below with

manage-bde -protectors -get c:

encrypted.png

BitLocker Recovery

But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up. Well, because this computer is managed by MBAM and the key is stored in ConfigMgrs’ database, this is no problem.

So let’s see how that plays out.

bitlocker-recovery.png

As you can see from the screen above, the Windows 10 computer is prompting the end user for a BitLocker Recovery key as something  (bios change etc) has prompted it to do so.

The end user has two choices here, call their internal help desk or solve it themselves using self service.

So how does MBAM Self Service work

The user can use another Windows device (or phone) to access the self service URL located at their site, in my lab that is https://cm01.windowsnoob.lab.local/SelfService

After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.

 

self-service.png

 

Customizing the Self Service Portal

Notice how the page and notice text are customized for the organization. To make those changes simply locate the Notice.txt file in your MBAM self service installation folder, in this technical preview release it's located here.

C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website

image.png

and edit the notice.txt as Administrator (you may have to open the file via an administrative command prompt to save the changes).

image.png

I added the following text:
 

Welcome to the windowsnoob Microsoft BitLocker Management Solution !

By using this web site you agree that all your actions are logged, do not use this service for gaining access to computers encrypted file system without proper authorization.

Save the file and then open Internet Information Services (IIS), and expand the Self Service app. Click on Application Settings.

image.png

In Applications Settings, modify CompanyName from Contoso IT to your company name.

image.png

The Self Service experience

Once the user accepts the notice they can click on Continue. They are then presented with recovery options.

get-a-bitlocker-recovery-key.png

Here (1), the user can insert the first 8 characters of their Recovery Key ID displayed on their boot up screen and select a reason from one of three options:

  • BIOS/TPM changed
  • OS Files modified
  • Lost PIN-Passphrase

And then click on Get Key. The Recovery Key is displayed in (2).

 

recovery-key-displayed.png

That’s all you need, there is a third optional option to change your BitLocker credentials via control panel after unlocking the device.

Once entered, the user can boot their computer and all is fine. Job done !

computer-booted.png

For the ConfigMgr Admins out there that like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database as I show here.

admin-view-2.png

Related reading

In the next blog post I’ll show you how the Help Desk functionality works.

until next time,

cheers

niall

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.