Using MBAM with SCCM
SCCM 1910 provides full BitLocker lifecycle management. It replaces MBAM (Microsoft BitLocker Administration and Monitoring). Configuration Manager provides these capabilities for BitLocker Drive Encryption:
- Client deployment: deploy the BitLocker client to managed Windows devices (Windows 10, Windows 8.1, or Windows 7).
- Manage encryption: define the BitLocker policy. You can choose the algorithms used to encrypt the device, force users to become compliant, and so on.
- Compliance reports: create reports on encryption status, compliance status, reasons for non-compliance, and so on.
To implement BitLocker management with SCCM, you need full administrator rights in SCCM. The BitLocker recovery service requires an HTTPS-enabled management point. BitLocker management reports require the reporting services point site system role. The self-service portal requires an IIS server.
Download Microsoft ASP.NET MVC 4.0 and install it on the SCCM server (the server on which MBAM is installed).
Configuring HTTPS support
To issue certificates, you must install a certification authority. Once the installation has completed, open the Certification Authority console, right-click Certificate Templates and select Manage.
Right-click the Workstation Authentication template and select Duplicate Template.
A new window appears. Select the General tab and change the template name. Check Publish certificate in Active Directory.
Select the Security tab and select the Domain Computers group. Give this group Read, Enroll and Autoenroll permissions.
Click OK and close the Certificate Templates console. Right-click Certificate Templates and select New Certificate Template to Issue.
Select the SCCM Client Certificate template and click OK. The template has been added.
Configure Group Policy for AutoEnrollment
On your domain controller, create a policy and open Certificate Services Client – Auto-Enrollment under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies.
Set Configuration Model to Enabled and check the two options. Click OK and close the Group Policy console.
On the SCCM server, run the gpupdate /force command. A new certificate is issued.
In the Certificates console, select Trusted Root Certification Authorities, then Certificates.
Right-click the root CA certificate and select All Tasks / Export. A new window appears; use the Browse button to select the path for the export.
Click Next, then Finish.
SCCM Web Certificate
A web certificate is used to identify and authenticate every HTTPS connection to the SCCM management point. On the certification authority, duplicate the Web Server template. Change the template name and publish the certificate in Active Directory.
Select the Security tab and add the security group containing the SCCM server (I have created one group with all of my MP and SUP servers).
Click OK, then right-click Certificate Templates and select New Certificate Template to Issue. Select the SCCM Web Server template and click OK. The template has been added.
Restart the SCCM server. Once it has restarted, open an MMC console and add the Certificates snap-in. Request a new certificate and choose the Web Server template. Click on More information is required to enroll.
Under Subject name, select Common name and enter the FQDN of the SCCM server. Click Add to validate. Repeat the same operation with the NetBIOS name.
Under Alternative name, select DNS and enter the FQDN of the SCCM server. Click Add to validate. Repeat the same operation with the NetBIOS name.
Click OK, then Enroll. The certificate is issued. On the SCCM server, open the IIS console, right-click Default Web Site and select Edit Bindings.
Select https and click Edit.
Select the certificate and click OK.
Configure SCCM to use HTTPS
In the SCCM console, open the Administration workspace and go to Site Configuration / Sites. Right-click the site and select Properties.
A new window appears. Select the Communication Security tab and check HTTPS or HTTP. Check Use PKI client certificate and click Set to select the root CA certificate.
Click the button to add a new certificate and select the desired certificate. Click OK to validate the change.
HTTPS is now configured for SCCM clients.
From the SCCM console, open the Administration workspace. Expand Site Configuration / Servers and Site System Roles and select the Management Point role.
Right-click Management Point and click Properties. In the new window, check HTTPS. Click OK; HTTPS is now configured on the management point.
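Once the management point is bound to the web server certificate, it is worth checking what the MP actually presents on port 443 rather than trusting the IIS dialog. The following PowerShell is an added example, not code from the original post: it opens a TLS connection to the MP, lets .NET validate the chain against the trusted roots (so the exported root CA must be installed on the machine running it), and confirms that the FQDN and NetBIOS names entered during enrollment are present as DNS SANs. The hostname and port are assumptions; the SAN parsing assumes an English-locale rendering of the extension.

```powershell
# Added example, not part of the original article: verify the certificate the MP serves over HTTPS.
# Assumptions: MP listens on 443; this machine trusts the exported root CA; English locale for SAN text.
function Test-MpHttpsCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # e.g. 'sccm01.corp.example' (constructed value)
        [int]$Port = 443
    )
    $netbios = $Fqdn.Split('.')[0]
    $tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, $Port)
    try {
        # No custom validation callback: a chain that does not end at a trusted root throws here.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17) renders as one "DNS Name=host" per line.
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $dnsNames = @()
        if ($sanExt) {
            $dnsNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\r\n,]+)') |
                ForEach-Object { $_.Groups[1].Value.Trim() })
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            SanDnsNames   = $dnsNames
            HasFqdnSan    = ($dnsNames -contains $Fqdn)      # required for FQDN client connections
            HasNetbiosSan = ($dnsNames -contains $netbios)   # the second name enrolled above
            ChainTrusted  = $true                            # only reached if AuthenticateAsClient passed
            ExpiresSoon   = ($cert.NotAfter -lt (Get-Date).AddDays(30))
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (constructed hostname):
Test-MpHttpsCertificate -Fqdn 'sccm01.corp.example' | Format-List
```

A failure inside AuthenticateAsClient, rather than a False in HasFqdnSan, points at the chain (root CA not deployed to the client or wrong template issued) rather than at the names in the request.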
Configure BitLocker Management
From the SCCM console, open Administration and expand Updates and Servicing. Select Features, then BitLocker Management. On the ribbon, click Turn On. Open the Assets and Compliance workspace, expand the Endpoint Protection node and click BitLocker Management.
In the ribbon, click Create BitLocker Management Control Policy. A wizard appears; enter a name and enable the BitLocker management components you want:
- Client Management: manages the backup of BitLocker Drive Encryption recovery information.
- Operating System Drive: manages whether the operating system drive is encrypted.
Configure the policy as you want.
Enable BitLocker Management Services and select BitLocker recovery information. Configure the client status checking frequency; the default is 90.
Configure the OS Drive Management settings and click Next.
The policy is now created. Deploy it to a device collection.
You can use the client logs to troubleshoot BitLocker management on the computer. The logs are in %WINDIR%\CCM\Logs.
You can also use Event Viewer on the Windows 10 computer.
Configure BitLocker on a Windows 10 computer
After the BitLocker policy is retrieved, the wizard appears on the Windows 10 workstation. Click Start.
Enter a PIN and click Create PIN.
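To confirm on the workstation that the policy did what the wizard suggests (drive protected, TPM+PIN protector present, recovery password escrowable) and to read the logs mentioned above from one place, the following PowerShell is an added example, not code from the original post. It assumes the BitLocker PowerShell module is present, and that the event log Microsoft-Windows-MBAM/Operational and the file BitlockerManagementHandler.log are the ones written by the Configuration Manager BitLocker agent; neither name appears in the article. The expected encryption method is a constructed value to match against your own policy.

```powershell
# Added example, not part of the original article: summarize the OS drive's BitLocker state on a
# managed client and surface the agent's event log and CCM log.
# Assumptions: BitLocker module available; log names below are the MBAM agent's (not from the article).
function Get-OsDriveBitLockerState {
    param([string]$ExpectedMethod = 'XtsAes256')   # constructed policy value; set to your policy's algorithm

    $vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # The recovery screen shows the protector ID; the helpdesk portal asks for its first eight characters.
    $keyIdPrefix = if ($recovery.Count -gt 0) {
        $recovery[0].KeyProtectorId.Trim('{}').Substring(0, 8)
    } else { $null }

    [pscustomobject]@{
        Drive               = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        EncryptionMethod    = $vol.EncryptionMethod
        MethodMatchesPolicy = ($vol.EncryptionMethod -eq $ExpectedMethod)
        HasTpmPin           = ($types -contains 'TpmPin')   # the PIN the wizard had the user create
        HasRecoveryPassword = ($recovery.Count -gt 0)       # required for the portal recovery flow
        RecoveryKeyIdPrefix = $keyIdPrefix
    }
}

function Get-BitLockerAgentActivity {
    param([int]$Newest = 10)
    # Same data as the Event Viewer view, as a query (assumed log name).
    Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
    # Tail of the policy handler log under %WINDIR%\CCM\Logs (assumed file name).
    $log = Join-Path $env:WINDIR 'CCM\Logs\BitlockerManagementHandler.log'
    if (Test-Path $log) { Get-Content $log -Tail $Newest }
}

Get-OsDriveBitLockerState | Format-List
Get-BitLockerAgentActivity
```

A device with ProtectionOn false but VolumeStatus EncryptionInProgress is still converting and not yet non-compliant; a device with HasRecoveryPassword false cannot be recovered through the portal at all.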
Configure the BitLocker portal
Go to the SCCMInstallFolder\cd.latest\SMSSETUP\BIN\X64 folder and copy the two files to a local folder.
Create three Active Directory groups: one for HelpdeskUsers, one for HelpdeskAdmin and one for MbamReportUser.
Open a PowerShell prompt and run the following command. If SQL Server Standard is used, do not use -SqlInstanceName. When I used this parameter, the command finished with the error: Provider: SQL Network Interfaces, error 25 – Connection string is not valid. Use the FQDN of the server in the following command.
.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both
The Self Service portal is now available.
Personalize the Self Service portal
From the Internet Information Services console, expand Sites and Default Web Site. Select SelfService and double-click Application Settings.
Select CompanyName and click Edit.
Modify the properties as you want.
Retrieve the recovery key
Restart the computer in recovery mode by pressing Esc.
The recovery key ID appears. Copy its first eight characters.
Open the Self Service portal (https://ServerName/HelpDesk) and click Drive Recovery.
Enter the Active Directory domain name in the User Domain field and the username in the User ID field. Enter the first eight characters in the Key Id field. Select the reason and click Submit.
The recovery key appears; you can copy it, save the recovery key, or save the package.