coolslim54

SCCM v2103 Enhanced HTTP with BitLocker Management

"The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the Configuration Manager client to the management point. Use one of the following options:

Enable the site for enhanced HTTP. This option applies to version 2103 or later.
HTTPS-enable the IIS website on the management point that hosts the recovery service. This option applies to version 2002 or later.
Configure the management point for HTTPS. This option applies to all supported Configuration Manager versions."

https://docs.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites


Hi

I was wondering if it's possible to enable e-HTTP (tick the checkbox) via PowerShell (SCCM module?) and if this could be added to the unattended install INI file too?

Thanks

I'm not having much luck with enabling BitLocker with SCCM v2103, running in enhanced HTTP mode. I'm able to successfully create and deploy the BitLocker policy to a few test machines. The MDOP MBAM agent does show up in the Control Panel, but for some reason the machines remain non-compliant when the SCCM client runs the evaluation. Some of the MBAM registry keys appear to be present on the machines, but the MDOPBitLockerManagement sub registry key is not present. The Event Viewer\Applications and Services\Microsoft\Windows\MBAM\Admin section is giving the same warning message all the way down: Unable to connect to the MBAM Recovery and Hardware service. Error code: -2147028409.

Lastly, I've gone through the BitlockerManagementHandler.log file just about line by line and I saw nothing that indicates the machine was able to detect my enhanced HTTP management. I did come across the following error messages in the log file:

Error executing method ProtectKeyWithNumericalPassword. 0x8031005b

Error adding numerical password to OS volume

Unable to initialize volume state. Bitlocker enactment cancelled

Error escrowing keys. 0x8031005b

Am I missing something with my enhanced HTTP setup? It's a pretty straightforward process. Any help would be greatly appreciated!

Have you enabled the client management tab settings at all when you configured BitLocker Management?

Also, the 0x8031005b translates to:

"The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.

Source: Windows"

The client management settings are definitely enabled. My AD guys weren't aware of any active BitLocker GPOs in place. I ran an RSOP on the machine and did find BitLocker GPOs. I'll provide an update once they've been disabled.
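As an added diagnostic (not from any poster in this thread), here is a PowerShell triage script for an affected client that checks the points raised above: domain BitLocker GPO values left under the FVE policy key (the source of the 0x8031005b conflict), whether the MDOPBitLockerManagement sub key exists, the escrow and enactment errors in BitLockerManagementHandler.log, and the recovery-service warnings in the MBAM Admin event channel. The log path and the MBAM channel name are assumptions (the standard CCM log folder and MBAM channel), and it assumes it is run elevated on the client.

```powershell
# Added diagnostic example, not from the thread. Run elevated on an affected client.
# Assumed locations: standard CCM client log folder and the MBAM Admin channel name.
$fvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbamPolicy = Join-Path $fvePolicy 'MDOPBitLockerManagement'
$handlerLog = 'C:\Windows\CCM\Logs\BitLockerManagementHandler.log'
$mbamLog    = 'Microsoft-Windows-MBAM/Admin'

# 1. Domain GPO BitLocker settings: values directly under FVE (not the MDOP sub key)
#    come from AD Group Policy and can conflict with the ConfigMgr policy (0x8031005b).
if (Test-Path $fvePolicy) {
    $gpo   = Get-ItemProperty -Path $fvePolicy
    $names = $gpo.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    if ($names) {
        Write-Warning "Domain BitLocker GPO values present under FVE: $($names -join ', ')"
    } else {
        Write-Output 'No domain BitLocker GPO values under FVE.'
    }
} else {
    Write-Output 'No FVE policy key: no BitLocker GPO applied to this machine.'
}

# 2. ConfigMgr BitLocker management policy is written under MDOPBitLockerManagement.
if (Test-Path $mbamPolicy) {
    Write-Output 'MDOPBitLockerManagement key present: ConfigMgr policy was received.'
} else {
    Write-Warning 'MDOPBitLockerManagement key missing: client has not applied the policy.'
}

# 3. The handler-log errors quoted in the thread (last five matches).
if (Test-Path $handlerLog) {
    Select-String -Path $handlerLog -Pattern '0x8031005b|Error escrowing keys|enactment cancelled' |
        Select-Object -Last 5 | ForEach-Object { Write-Warning $_.Line }
}

# 4. MBAM Admin channel: recovery service connection failures (the -2147028409 warning).
try {
    Get-WinEvent -LogName $mbamLog -MaxEvents 20 -ErrorAction Stop |
        Where-Object { $_.Message -match 'Recovery and Hardware service' } |
        Select-Object -First 5 TimeCreated, Id, Message | Format-List
} catch {
    Write-Output "Could not read $mbamLog ($($_.Exception.Message))"
}

# 5. Current volume state, to compare against the client's compliance evaluation.
manage-bde -status C:
```

If step 1 reports values under FVE while step 2 shows the MDOP sub key, both policy sources are present and the GPO conflict is the first thing to clear, as the thread concluded.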


On 6/13/2021 at 12:56 PM, coolslim54 said:

The client management settings are definitely enabled. My AD guys weren't aware of any active BitLocker GPOs in place. I ran an RSOP on the machine and did find BitLocker GPOs. I'll provide an update once they've been disabled.

Did you manage to make it work? I'm in the same configuration as you (I'm on 2103 with enhanced HTTP) except that I have registry keys that appear correctly, but on my side the MBAM client never shows up, so clients never get notified of the encryption policy even though I set the non-compliance grace period to 0 days. Even when I try to launch MBAMclientUI.exe manually, it doesn't appear.

I get an error in the event viewer/MBAM/admin:

[screenshot of the MBAM Admin event]

Which on the Microsoft website means:

[screenshot of the error description]

But when I trigger the encryption manually with manage-bde -on c:, the client starts encrypting with the right encryption method and the recovery key appears in the database correctly.

If any of you have an idea?

Thanks in advance.

Edited by blop

I mean, do the client versions correspond to the site version? If yes, then let's figure out if the client is getting the policy or not.

Did you check on the ConfigMgr client agent to see if the BitLocker policy you configured is listed?

Yes, they match. The client version corresponds to the 2103 SCCM version. I see it appearing in the Configurations tab on the CCM client. It appears as non-compliant until I trigger the encryption manually. I tried to reboot several times but MBAMclientUI.exe never appears.

I tried to do a cmd ->

bdehdcfg -driveinfo

and it tells me that everything is OK. When I do a Get-Tpm with PowerShell, everything is True and seems fine, and even when I launch tpm.msc everything is good.

I also tried to reset the TPM just in case, still no luck.


OK, if the MBAM client is not getting installed then there's something wrong with your policy settings. Are you sure you've configured Client Management and set it to Enabled?

[screenshot of the Client Management policy setting]

In fact the MBAM client is installed, but it doesn't show the wizard asking the user to encrypt their device, nor does it force them to. The only way to encrypt the device is to open a cmd with administrator rights and type manage-bde -on c: or do it through the Control Panel.

Thanks.


Hello,

On the first tab:

[screenshot of the first policy tab]

Nothing else is configured under it.

Second tab:

[screenshot of the second policy tab]

Third tab:

[screenshot of the third policy tab]

Nothing else is configured on the two last tabs.

I tried to do exactly the same configuration on a lab with https on the management point and it works as intended. I'm starting to believe that it does not play well with http enhanced.

Thanks!

Edited by blop


Good info. Can you show me your Configurations tab in the ConfigMgr client agent?

And what does it report when you evaluate the compliance of that configuration?

Hi,

Well, guess what, it finally appeared after 5 days. I did not change anything since, and this morning this appeared on the computer:

[screenshot of the MBAM client encryption prompt]

Thanks to both of you for your answers and help!

Have a nice day!
