Introduction
Microsoft recently released Configuration Manager Technical Preview version 1909, which contained updates to the integrated MBAM functionality within Configuration Manager, namely Self Service and Help Desk abilities, and I blogged about that here. In this blog post we’ll look at the Self Service feature for end users.
Self Service
What is the Self Service feature? Put simply, it allows the end user (who has the BitLocker Recovery prompt) to solve the problem by themselves without having to involve anyone else to support them.
To use the Self Service feature, let’s first take a look at an MBAM managed Windows 10 computer. If we open Control Panel and look at the Configuration Manager agent, we can see that a Configuration Item for MBAM is installed and that this computer is compliant.
And if we check the BitLocker settings, we can see it is encrypted as per the MBAM policy. We can even query the Recovery key as shown below with:
manage-bde -protectors -get c:
BitLocker Recovery
But what if this computer had an issue, such as a change to the BIOS settings causing a BitLocker Recovery prompt at boot up? Well, because this computer is managed by MBAM and the key is stored in ConfigMgr’s database, this is no problem.
So let’s see how that plays out.
As you can see from the screen above, the Windows 10 computer is prompting the end user for a BitLocker Recovery key as something (BIOS change, etc.) has prompted it to do so.
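The end user has two choices here: call their internal help desk or solve it themselves using Self Service.
So how does MBAM Self Service work?
The user can use another Windows device (or phone) to access the Self Service URL located at their site; in my lab that is https://cm01.windowsnoob.lab.local/SelfService
After logging in with their company credentials, they’ll be prompted with a notice which they need to read and accept.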
Customizing the Self Service Portal
Notice how the page and notice text are customized for the organization. To make those changes, simply locate the Notice.txt file in your MBAM Self Service installation folder. In this technical preview release it's located here:
C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website
Then edit Notice.txt as Administrator (you may have to open the file via an administrative command prompt to save the changes).
I added the following text:
Welcome to the windowsnoob Microsoft BitLocker Management Solution !
By using this web site you agree that all your actions are logged, do not use this service for gaining access to computers encrypted file system without proper authorization.
Save the file and then open Internet Information Services (IIS), and expand the Self Service app. Click on Application Settings.
In Application Settings, change CompanyName from Contoso IT to your company name.
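The same two changes scripted with the WebAdministration module, as an added example that is not part of the original post. The folder, file name, notice text and CompanyName key come from the steps above; the IIS path `IIS:\Sites\Default Web Site\SelfService` is an assumption, so confirm the real site and application names in IIS Manager first.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Folder as given in the post; the IIS path is an ASSUMPTION, adjust it to your site.
$siteFolder = 'C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website'
$iisPath    = 'IIS:\Sites\Default Web Site\SelfService'
$company    = 'windowsnoob'
$notice     = @'
Welcome to the windowsnoob Microsoft BitLocker Management Solution !
By using this web site you agree that all your actions are logged, do not use this service for gaining access to computers encrypted file system without proper authorization.
'@

$noticeFile = Join-Path $siteFolder 'Notice.txt'

# Keep a timestamped copy so the shipped notice can be restored later.
Copy-Item -Path $noticeFile -Destination "$noticeFile.$(Get-Date -Format yyyyMMddHHmmss).bak"
Set-Content -Path $noticeFile -Value $notice

# CompanyName is the entry shown under Application Settings in IIS Manager.
$filter = "appSettings/add[@key='CompanyName']"
Set-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name 'value' -Value $company

# Read both settings back to confirm what the portal will now display.
(Get-WebConfigurationProperty -PSPath $iisPath -Filter $filter -Name 'value').Value
Get-Content -Path $noticeFile
```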
The Self Service experience
Once the user accepts the notice they can click on Continue. They are then presented with recovery options.
Here (1), the user can enter the first 8 characters of the Recovery Key ID displayed on their boot-up screen and select a reason from one of three options:
BIOS/TPM changed
OS Files modified
Lost PIN-Passphrase
Then click on Get Key. The Recovery Key is displayed in (2).
That’s all you need; there is a third, optional option to change your BitLocker credentials via Control Panel after unlocking the device.
Once the key is entered, the user can boot their computer and all is fine. Job done!
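An added example (not from the original post) tying together the `manage-bde -protectors -get c:` query shown earlier and the 8-character Recovery Key ID prefix the portal asks for. It parses a constructed sample of English-language output, reports the prefix to compare against the boot screen, and format-checks the recovery password, whose six-digit groups are each a multiple of 11.

```powershell
# Constructed sample of English `manage-bde -protectors -get c:` output.
# Every ID and digit below is made up for this example.
$sample = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {0F0E0D0C-1111-2222-3333-0A0B0C0D0E0F}
      PCR Validation Profile:
        7, 11

    Numerical Password:
      ID: {A1B2C3D4-1111-2222-3333-444455556666}
      Password:
        000011-000022-000033-000044-000055-000066-000077-000088
'@

function Test-RecoveryPassword {
    # Format check only: 8 groups of 6 digits, each a multiple of 11
    # whose quotient fits in 16 bits. Catches most transcription typos.
    param([string]$Password)
    $groups = $Password -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

function Get-RecoveryKeyInfo {
    # Returns the Key ID and its 8-character prefix, never the password itself.
    param([string]$ManageBdeText)
    $pattern = 'Numerical Password:\s+ID:\s+\{(?<id>[0-9A-Fa-f-]{36})\}' +
               '\s+Password:\s+(?<pw>[\d-]+)'
    foreach ($m in [regex]::Matches($ManageBdeText, $pattern)) {
        $id = $m.Groups['id'].Value
        [pscustomobject]@{
            KeyId            = $id
            KeyIdPrefix      = $id.Substring(0, 8)
            PasswordFormatOk = Test-RecoveryPassword $m.Groups['pw'].Value
        }
    }
}

Get-RecoveryKeyInfo -ManageBdeText $sample
```

On a managed machine, run it from an elevated prompt as `Get-RecoveryKeyInfo (manage-bde -protectors -get c: | Out-String)`; because the function leaves the password out of its output, the result is safe to paste into a help desk ticket.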
For the ConfigMgr admins out there who like to do things using SQL, you can also get that recovery key directly using queries within the ConfigMgr database, as I show here.
In the next blog post I’ll show you how the Help Desk functionality works.
until next time,
cheers
niall