Troubleshooting BitLocker Management in ConfigMgr - Part 1. Server side

[anyweb]

Introduction

Microsoft blogged about Bitlocker Management capabilities back in May, 2019. They detailed how that would impact and evolve on the following three platforms.

•     Cloud-based BitLocker management using Microsoft Intune
•     On-premises BitLocker management using System Center Configuration Manager
•     Microsoft BitLocker Administration and Monitoring (MBAM)

And recently they've posted an updated blog post here where they go into detail about how BitLocker Management in Microsoft Endpoint Manager has evolved (both in Intune and ConfigMgr). This purpose of this mini series is to help you troubleshoot problems related to the installation, configuration and usage of the new BitLocker Management capabilities in ConfigMgr and will be broken down into the following 3 parts.

• Troubleshooting BitLocker Management in ConfigMgr - Part 1. Server side (this part)
• Troubleshooting BitLocker Management in ConfigMgr - Part 2. Client side
• Troubleshooting BitLocker Management in ConfigMgr - Part 3. Common issues

But first let's take a quick trip down memory lane. Microsoft initially released Bitlocker Management capabilities in the 1905 version (Technical Preview) of Configuration Manager, and expanded upon the abilities up to the release of the BitLocker Management feature contained within Configuration Manager version 1910 (Current Branch).

After 1910 was released they have continued to improve and add new features as you can see by checking out any of the newer Technical Preview releases from Technical Preview version 2002 on wards where many GPO settings were added to the Bitlocker management UI. In addition new capabilities came in TP2005 (set BitLocker Encryption type during the Enable BitLocker and Pre-Provision BitLocker steps in an OSD task sequence that later made their way into Configuration Manager Current Branch version 2006, so it pays to look at the technical preview releases every month.

Note: The screenshot below is taken from Technical Preview version 2008

I have created many blog posts and videos on the subject, so if you are interested then please take a look at the videos linked below.

Installation and troubleshooting on the server

When you use the BitLocker Management feature in ConfigMgr 1910 or later you can create BitLocker Management policy and deploy that to your clients, they will get the policy and process it, and the MDOP client agent will get installed (if not already installed) and then it will take action based on the settings it finds in the registry and based on the policy settings and the client settings compliance will be set. But, it's important to understand the flow of how it all works together and to do that you need to understand that things will change based on whether you've created BitLocker Management policy or not.

In this post I assume you've met the prereqs and enabled the BitLocker Management feature as shown here.

 

Before creating policy

First of all, let's look at a ConfigMgr 2002 Current Branch server where no BitLocker Policy has yet been created. You can think of this as a server that has been recently upgraded from 1910 or one where no one has configured anything related to Bitlocker Management yet. In this blog post the primary server in my lab is not using co-Management but if it was, you'd need to ensure that the Endpoint Protection workload was managed by ConfigMgr if you want ConfigMgr to manage BitLocker Management.

The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy. The device gets Windows encryption policy from Intune.

When you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption .

In the console, expand Endpoint Protection in Assets and Compliance and you'll see BitLocker Management. Select it, there will be no items found as no policy has yet been created.

In addition, if you open Internet Information Services (IIS) Manager, you will not see any MBAM related applications in there.

and there will be no MBAM related logs in Windows Event Viewer

After creating policy

When you create your first BitLocker Management policy you'll see MBAM related activity revealed in the mpcontrol.log on the ConfigMgr server. This is your first step to look in case of problems on your server.

So let's create our first BitLocker Management policy.

On the setup window, don't select the first option, it's only applicable to old operating systems such as Windows 7 and that's not supported any more. Instead, use the drop down underneath that for Windows 10.

Configure your Operating System drive settings.

And decide what Encryption enforcement you require. Setting it to zero will mean that the MDOP agent will not notify the end user and instead, will begin encryption silently (as long as everything is configured correctly and the client is not already encrypted).

Don't forget to enable Client Management otherwise the registry keys necessary for the recovery service will never get populated on the client and as a result, BitLocker Management will not work.

 

After creating policy

After you've created the policy, open mpcontrol.log and look for a line which reads Verify that MBAM Recovery and Hardware service is installed.

shortly after that it starts installing the MBAM Recovery Service

And you should confirm that the PowerShell script (mbamrecoveryserviceinstaller.ps1) used to install the MBAM Recovery Service successfully completed.

To see what a failed MBAM Recovery service installation looks like take a look at the mpcontrol.log below from an older lab. This is just for comparison purposes, notice how it states MBAM recovery service installation failed.

After the script has run successfully, you can refresh Internet Information Services (IIS) Manager, and you should see the SMS_MP_MBAM application is now listed.

In addition, in Event Viewer, you will now see MBAM specific logging areas added. These will populate with info if there are problems detected on your MBAM Recovery Service.

 

Installation of the web portals

The BitLocker Management web portals (helpdesk and self service) may or may not be installed on the same site server as the MBAM Recovery Service, in my lab, they will be installed on the same server (ConfigMgr Primary site). To install the portals you need to run a PowerShell script included with ConfigMgr version 1910 or later, it's in the bin\x64 folder of the installation source. Below is the command line I used to install the portals on my Primary.

After pressing enter, it start's copying files, settings acl's and so forth.

However mine bombed out with some red errors which hinted towards the problem being SSRS reporting related. This could be trued if you either have not installed or configured SSRS or SSRS itself has a problem.

After some troubleshooting I determined that my SSRS instance had expired (it was evaluation media), so I fixed it by doing as follows.

After resolving the SSRS issue, the web portals installed just fine. You can scroll back up to see all the text output to see if there was any problem reported.

If you'd like to compare my successful output with yours then you can download the output here.web portals setup text.txt

After you have successfully installed the web portals, you can browse to the InetPub root folder on your ConfigMgr server, and you'll see a new folder called Microsoft BitLocker Management Solution. This folder did not exist until you attempted to install the web portals.

That folder in turn contains more folders, which have config files that can be edited as described in the blogs below.

• How can you use the Self Service feature when BitLocker Management is enabled within ConfigMgr ?
• How can you use the Help Desk feature when BitLocker Management is enabled within ConfigMgr ?

What about log traces ?

If you need to enable tracing on the server, use the SvcTraceViewer.exe tool to review those traces as described here.

What about the database ?

After successfully creating BitLocker Management policy, you'll notice new tables are present in ConfigMgr's database. Below you can see them in my lab, note that they are not yet populated as it's a new installation.

Obviously if those tables are not present then you have a big problem. That's if for this part, join me in Part 2 where we'll look at the Client side troubleshooting.

Recommended reading

https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/

Until next time, adios !

cheers

niall