Jump to content


anyweb

Escrow BitLocker recovery password to the site during a task sequence in Configuration Manager 2203

Recommended Posts

Introduction

Microsoft released Technical Preview Configuration Manager version 2203 and it contains some cool new features, one of which is the ability to Escrow Bitlocker recovery info to your Configuration Manager database.  This is a much debated, sought after ability, and now you can test it. I have tested and verified that it works !

So what’s new about this ability ? previously to escrow BitLocker recovery password  info to your configuration manager site during a task sequence you would have used a Powershell script.

That powershell script is no longer supported (even though it actually works again with TP 2203, I’ve verified it). The Powershell script method caused a stir when Configuration Manager 2103 was released as you can read about in the below two blogs:

 

Now however, you no longer need the powershell script as the feature is a simple checkbox. So now we know what’s changed, let’s take a look.

Prerequisites

Keep in mind the following prereqs before trying this out. Either of the following options will do:

  • Create an Encryption Certificate in the site database (see here)
  • Create a Bitlocker Management policy and opt-in to plaintext key storage on the Client Management tab.

Enabling the ability

In a task sequence locate the Enable BitLocker step, you’ll see a new setting to allow you to escrow the key to your configuration manager database highlighted in the screenshot below.

escrow-keys.png

By placing a check mark in Automatically store the recovery key in:

  • The Configuration Manager Database

Like so..

the-configuration-manager-database.png

This setting will force the task sequence process to store the Bitlocker recovery info in your CM database DURING OSD(operating system deployment) before the Windows login screen. This is the security feature that many companies have been asking for !

Note: You do NOT need to install the MDOP Agent as part of the task sequence and you do NOT need to run any PowerShell script for this functionality to work.

Seeing the ability in action

After PXE booting the device, the task sequence formats the hdd…

osd-in-progress.png

And shortly after the Pre-Provision Bitlocker step takes place…

preprovision-bitlocker.png

After laying down the Operating System the task sequence reboots into Windows Setup, and after that it installs the Configuration Manager client.

At this point I’ve manually created a txt file to pause the task sequence BEFORE logging on to the desktop.

Note: You do not need this step, this is done to prove that the key is uploaded to Configuration Managers database during OSD.

manual-pause.png

and here’s the proof ! The recovery info in the right screenshot (during OSD) is now present in Configuration Managers database !

proof-1024x429.png

And as we also selected to store the key in Active Directory domain services, here it is.

key-added-to-ADDS.png

Troubleshooting

Close analysis of the SMSTS.log file reveals the following key moments in the Enable Bitlocker step,

notice pwd:AD_CM shown below…this confirms that you’ve selected both Active Directory and Configuration Manager to store the recovery info.

pwd-ad_cm.png

Note: If you did not select to upload to Configuration Manager database, but upload to Active Directory domain services, then you’d see the following, pwd:AD

only-upload-to-AD.png

Note: If you only select to upload to Configuration Manager database,then you’d see the following, pwd:ConfigMgr

pwd-configmgr.png

Next you can see it reveal that current BitLocker protection is detected as Off and that it’s setting registry keys for escrowing the key to AD and more…

protection-is-off-and-escrowing-to-ad.pn

and it adds the volume to the payload

adding-one-volume-to-payload.png

it will verify the info returned from the server, in the case below it didn’t find the key escrowed yet so waits 5 minutes before checking again

key-not-escrowed-yet-checking-again-in-5

and after some time… it detects the key is escrowed !

escrowed-equals-true.png

 

Job done !

Want more ? check out my video on the subject here

well done Microsoft and well done @frederic

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...