Using MBAM with SCCM

Starting with version 1910, SCCM (Configuration Manager) provides full BitLocker lifecycle management and replaces MBAM (Microsoft BitLocker Administration and Monitoring). Configuration Manager provides these capabilities for BitLocker Drive Encryption:

  • Client deployment: deploy the BitLocker client to managed Windows devices (Windows 10, Windows 8.1 or Windows 7).
  • Manage encryption: define the BitLocker policy, for example which algorithm encrypts the device and whether users are forced to become compliant.
  • Compliance reports: report on encryption status, compliance status, reasons for non-compliance, and so on.

Prerequisites

To implement BitLocker management with SCCM you need the Full Administrator role in SCCM. The BitLocker recovery service requires an HTTPS-enabled management point. The BitLocker management reports require the reporting services point site system role. The self-service and helpdesk portals are hosted on IIS.

Download Microsoft ASP.NET MVC 4.0 from Microsoft and install it on the server that will host the MBAM portals (here the SCCM server).

Configuring HTTPS support

To issue certificates you need a certification authority (Active Directory Certificate Services). Once it is installed, open the Certification Authority console, right-click Certificate Templates and select Manage.

Using MBAM with SCCM - Manage Template certificate

Right-click the Workstation Authentication template and select Duplicate Template.

Using MBAM with SCCM - Manage Template certificate - Duplicate Template

A new window appears. On the General tab, change the template display name and check Publish certificate in Active Directory.

Using MBAM with SCCM - Manage Template certificate - Name of Template

On the Security tab, select the Domain Computers group and grant it the Read, Enroll and Autoenroll permissions.

Using MBAM with SCCM - Manage Template certificate - Configure security

Click OK and close the Certificate Templates console. Back in the Certification Authority console, right-click Certificate Templates and select New / Certificate Template to Issue.

Using MBAM with SCCM - Manage Template certificate - Add template

Select the SCCM Client Certificate template and click OK. The template is now added.

Using MBAM with SCCM - Manage Template certificate - Add template

Configure Group Policy for AutoEnrollment

On a domain controller, create a GPO (linked so that it applies to the SCCM server and to the clients) and open Certificate Services Client – Auto-Enrollment under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies.

Using MBAM with SCCM - Manage Template certificate -Configure Auto-Enrollment

Set Configuration Model to Enabled and check both options (Renew expired certificates, update pending certificates, and remove revoked certificates; Update certificates that use certificate templates). Click OK and close the Group Policy Management Editor.

Using MBAM with SCCM - Manage Template certificate - Configure Auto-Enrollment

On the SCCM server, run gpupdate /force. A new certificate issued from the template now appears in the computer's Personal store.

Using MBAM with SCCM - Manage Template certificate - Configure Auto-Enrollment

In the Certificates snap-in, expand Trusted Root Certification Authorities, then Certificates.

Using MBAM with SCCM - Select Root CA Certificate

Right-click the root CA certificate and select All Tasks / Export. In the export wizard, use the Browse button to choose the destination path for the exported file.

Using MBAM with SCCM - export Root CA Certificate

Click Next, then Finish.
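The auto-enrollment and export steps above can also be checked and scripted from an elevated PowerShell prompt on the SCCM server. This is an added example and not part of the original post; the template display name 'SCCM Client Certificate' and the export path C:\Temp\RootCA.cer are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post). Assumed values: the duplicated template's
# display name and the export path of the root CA certificate.
$templateName   = 'SCCM Client Certificate'
$exportPath     = 'C:\Temp\RootCA.cer'
$clientAuthEku  = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$templateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

# 1. Trigger auto-enrollment now instead of waiting for the next Group Policy refresh
certutil -pulse | Out-Null

# 2. Locate the auto-enrolled machine certificate: private key present, Client Authentication EKU,
#    and issued from our template. The template extension text contains the template name when the
#    OID can be resolved from AD; if it cannot, match the template OID shown in the template properties.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq $templateExtOid } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($templateName)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $clientCert) {
    throw "No certificate from template '$templateName' found; check the GPO scope and the template permissions"
}
"Client certificate: $($clientCert.Subject) ($($clientCert.Thumbprint)), expires $($clientCert.NotAfter)"

# 3. Build the chain to find the root that signed it and confirm that root is in Trusted Root CAs
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($clientCert)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootCert.Thumbprint)) {
    throw "Root $($rootCert.Subject) is not in Trusted Root Certification Authorities"
}

# 4. Export that root as DER (.cer); this is the file added to the site's trusted root list later
$null = New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force
Export-Certificate -Cert $rootCert -FilePath $exportPath -Type CERT | Out-Null
"Root CA exported: $($rootCert.Subject) -> $exportPath"
```

Exporting the root found by walking the client certificate's chain, rather than picking a certificate by name in the Root store, guarantees that the file you import into SCCM is the one that actually signs the client certificates.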

SCCM Web Certificate

A web server certificate identifies the SCCM management point and secures all HTTPS connections to it. On the certification authority, duplicate the Web Server template. Change the template name and check Publish certificate in Active Directory.

Using MBAM with SCCM - Manage Template certificate - Create Template

On the Security tab, add the security group containing the SCCM server (I created one group containing all of my management point and software update point servers) and give it the Read and Enroll permissions.

Using MBAM with SCCM - Manage Template certificate - Configure Security

Click OK, then right-click Certificate Templates and select New / Certificate Template to Issue. Select the SCCM Web Server template and click OK. The template is now added.

Using MBAM with SCCM - Manage Template certificate - Add template

Restart the SCCM server so that it picks up its new group membership. Once it is back up, open an MMC console and add the Certificates snap-in for the computer account. Request a new certificate, choose the SCCM Web Server template and click More information is required to enroll for this certificate.

Using MBAM with SCCM - Manage Template certificate - Configure Security

On the Subject tab, under Subject name, select Common name, enter the FQDN of the SCCM server and click Add. Repeat the operation with the NetBIOS name.

Using MBAM with SCCM - Manage Template certificate - Name of Server

Under Alternative name, select DNS, enter the FQDN of the SCCM server and click Add. Repeat the operation with the NetBIOS name.

Using MBAM with SCCM - Manage Template certificate - Name of Server

Click OK, then Enroll. The certificate is issued. On the SCCM server, open the IIS Manager console, right-click Default Web Site and select Edit Bindings.

Using MBAM with SCCM - Manage Template certificate - Name of Server

Select the https binding and click Edit.

Configure bindings

Select the new certificate and click OK.

Select certificate
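The enrollment and binding steps above can be done from PowerShell on the SCCM server, which also lets you check the names and key usage in the certificate before IIS starts presenting it. This is an added example and not the original post's commands; it assumes the duplicated template's internal name is SCCMWebServer (Get-Certificate takes the template name, not the display name) and that the HTTPS binding goes on Default Web Site, port 443.

```powershell
# Added example (not from the original post). Assumed: template name 'SCCMWebServer'
# and an HTTPS binding on 'Default Web Site' port 443.
$template      = 'SCCMWebServer'
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$netbios       = $env:COMPUTERNAME
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

# 1. Enroll: CN = FQDN, SAN = FQDN + NetBIOS name (the same values the wizard steps set by hand)
$result = Get-Certificate -Template $template -SubjectName "CN=$fqdn" -DnsName $fqdn, $netbios `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# 2. Validate before binding: both names present in the SAN, Server Authentication EKU, private key
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }).Format($false)
foreach ($name in @($fqdn, $netbios)) {
    if ($san -notmatch ('(?i)DNS Name=' + [regex]::Escape($name) + '(,|$)')) {
        throw "SAN is missing $name (SAN: $san)"
    }
}
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthEku) {
    throw 'Certificate lacks the Server Authentication EKU'
}
if (-not $cert.HasPrivateKey) { throw 'Private key is missing; IIS cannot use this certificate' }

# 3. Bind it: create the HTTPS binding if it does not exist, then attach the certificate
Import-Module WebAdministration
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# 4. Show which certificate IIS now presents on 443
Get-Item IIS:\SslBindings\0.0.0.0!443 | Select-Object IPAddress, Port, Thumbprint
```

The SAN check matters because clients connect to the management point by FQDN: a certificate whose only name is the NetBIOS name will enroll without error and still fail TLS validation on every client.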

Configure SCCM to use HTTPS

In the SCCM console, open the Administration workspace and expand Site Configuration / Sites. Right-click the site and select Properties.

Configure sccm

In the site properties, select the Communication Security tab and select HTTPS or HTTP. Check Use PKI client certificate (client authentication capability) when available, then click Set next to Trusted Root Certification Authorities to add the root CA certificate.

Configure https

Click the add button, select the root CA certificate exported earlier and click OK to validate the change.

Select root ca

SCCM has been configured

Client communication for the site is now configured for HTTPS.

HTTPS has been configured

In the Administration workspace, expand Site Configuration / Servers and Site System Roles, select the site server and then the Management point role.

Configure Management Point

Right-click Management point and click Properties. In the new window, select HTTPS under Client connections and click OK. The management point now uses HTTPS.

Configure Management Point
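Before deploying any BitLocker policy it is worth confirming that the management point really answers over HTTPS with the new certificate, since recovery keys are escrowed through it. The check below is an added example and not from the original post; it assumes the management point FQDN sccm01.corp.contoso.com and the root CA file exported earlier at C:\Temp\RootCA.cer. MPLIST is one of the management point's built-in web service endpoints.

```powershell
# Added example (not from the original post). Assumed: MP FQDN and path of the exported root CA.
$mp       = 'sccm01.corp.contoso.com'
$rootPath = 'C:\Temp\RootCA.cer'
$root     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)

# 1. Open a TLS session to the MP and capture the certificate it presents.
#    The callback accepts anything so that the inspection below is done by us, not by .NET.
$tcp = New-Object System.Net.Sockets.TcpClient($mp, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($mp)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 2. Does the certificate name the MP, and does it chain to our exported root?
$san = ($serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch ('(?i)DNS Name=' + [regex]::Escape($mp) + '(,|$)')) {
    throw "MP certificate does not contain $mp (SAN: $san)"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode     = 'NoCheck'                          # trust path only
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'  # we compare the root ourselves
if (-not $chain.Build($serverCert)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$presentedRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($presentedRoot.Thumbprint -ne $root.Thumbprint) {
    throw "MP chains to $($presentedRoot.Subject), not to the root in $rootPath"
}
"TLS OK: $($serverCert.Subject) issued by $($serverCert.Issuer), chains to $($root.Subject)"

# 3. Ask the MP for its list over HTTPS, presenting the auto-enrolled client certificate
#    (the newest machine certificate with the Client Authentication EKU)
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$r = Invoke-WebRequest -Uri "https://$mp/SMS_MP/.sms_aut?MPLIST" -Certificate $clientCert -UseBasicParsing
"MPLIST: HTTP $($r.StatusCode)"
$r.Content
```

If step 2 fails with an unknown-name error the binding picked up a certificate without the FQDN in its SAN; if step 3 returns a 403, the management point is rejecting the client certificate, which is the same failure clients will report.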

Configure BitLocker Management

In the SCCM console, open the Assets and Compliance workspace, expand Endpoint Protection and click BitLocker Management.

Create BitLocker policy

In the ribbon, click Create BitLocker Management Control Policy. A wizard appears: enter a name and enable the BitLocker management components you want.

  • Client Management: manages the backup of BitLocker Drive Encryption recovery information to the site.
  • Operating System Drive: manages whether, and how, the operating system drive is encrypted.

Select components and enter the name you want

Configure Policy as you want

Configure BitLocker Policy as you want

Enable BitLocker Management Services, select which recovery information to back up (recovery password and key package, or recovery password only), and configure the client checking status frequency. The default is 90 minutes.

Configure Client information

Configure the OS drive management settings and click Next.

Configure OS drive information

The policy is created. Deploy it to a device collection.

Deploy BitLocker policy

Use the client log to troubleshoot BitLocker management on a computer. It is located in %WINDIR%\CCM\Logs:

  • BitlockerManagementHandler.log

Log on computer

You can also use Event Viewer on the Windows 10 computer.

Event log
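To read the log without CMTrace, here is a small parser for the CMTrace line format used by every log in %WINDIR%\CCM\Logs, run over a few constructed sample lines. This is an added example and not from the original post; the sample messages are made up for illustration and are not real entries from BitlockerManagementHandler.log.

```powershell
# Added example (not from the original post): parse CMTrace-format log lines such as those in
# %WINDIR%\CCM\Logs\BitlockerManagementHandler.log and surface warnings and errors.
function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Line)
    begin {
        # One entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ... type="N" ...>
        # type 1 = informational, 2 = warning, 3 = error
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"[^>]*type="(?<type>\d)"'
        $levels  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if (-not $m.Success) { continue }          # not a CMTrace entry (e.g. a wrapped continuation)
            # The time field carries a UTC offset suffix (+000 / -300); strip it before parsing
            $timeText  = $m.Groups['time'].Value -replace '[+-]\d+$', ''
            $timestamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $timeText",
                             'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Timestamp = $timestamp
                Level     = $levels[$m.Groups['type'].Value]
                Component = $m.Groups['component'].Value
                Message   = $m.Groups['msg'].Value
            }
        }
    }
}

# Constructed sample lines (not real log content), in the CMTrace layout
$sample = @(
    '<![LOG[BitLocker management policy received, 1 OS drive setting(s)]LOG]!><time="09:15:02.117+000" date="03-12-2020" component="BitlockerManagementHandler" context="" type="1" thread="4120" file="bitlockermanagementhandler.cpp:210">',
    '<![LOG[TPM is not ready, cannot create TPM+PIN protector]LOG]!><time="09:15:03.402+000" date="03-12-2020" component="BitlockerManagementHandler" context="" type="3" thread="4120" file="bitlockermanagementhandler.cpp:388">',
    '<![LOG[Escrow of recovery key deferred, management point not reachable over HTTPS]LOG]!><time="09:15:03.511+000" date="03-12-2020" component="BitlockerManagementHandler" context="" type="2" thread="4120" file="bitlockermanagementhandler.cpp:455">'
)

$entries = $sample | ConvertFrom-CMTraceLog
$entries | Where-Object Level -ne 'Info' | Format-Table Timestamp, Level, Message -AutoSize

# Against the live log on a client:
# Get-Content "$env:WINDIR\CCM\Logs\BitlockerManagementHandler.log" | ConvertFrom-CMTraceLog |
#     Where-Object Level -eq 'Error' | Sort-Object Timestamp | Select-Object -Last 20
```

Filtering on the type attribute is more reliable than grepping for the word "error", because the handler logs the policy it received at informational level and the message text varies between client versions.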

Configure BitLocker on Windows 10 computer

Once the client has received the BitLocker policy, the BitLocker wizard is displayed on the Windows 10 workstation. Click Start.

Start Bitlocker

Enter a PIN and click Create PIN.

Create PIN

Encryption starts.

Encryption started
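On the client, the state the wizard leaves behind can be verified against what the policy asked for. The check below is an added example and not from the original post; it assumes a policy requiring XTS-AES 256 on the OS drive with a TPM+PIN protector and a recovery password, and must be run as administrator. It also prints the recovery key ID, which is the value later shown on the recovery screen.

```powershell
# Added example (not from the original post). Assumed policy: XTS-AES 256, TPM+PIN, recovery password.
$expectedMethod = 'XtsAes256'
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings = @()

# Encryption state and method
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += 'Protection is Off (protectors suspended or not yet applied)'
}
if ($vol.EncryptionMethod -ne $expectedMethod) {
    $findings += "Encryption method is $($vol.EncryptionMethod); policy wants $expectedMethod"
}

# Key protectors: the PIN wizard creates TpmPin, the policy's recovery backup needs RecoveryPassword
$tpmPin   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $tpmPin)   { $findings += 'No TPM+PIN protector: the PIN wizard did not complete' }
if (-not $recovery) { $findings += 'No recovery password protector: nothing can be escrowed to the site' }
if (-not (Get-Tpm).TpmReady) { $findings += 'TPM is not ready, so a TPM+PIN protector cannot be used' }

# The recovery screen shows the RecoveryPassword protector's ID; the helpdesk portal looks it up
# by the first eight characters of that ID.
foreach ($p in $recovery) {
    $id = $p.KeyProtectorId.Trim('{}')
    "Recovery key ID $id (portal Key ID: $($id.Substring(0, 8)))"
}

if ($findings) {
    $findings | ForEach-Object { "NOT COMPLIANT: $_" }
} else {
    "$($vol.MountPoint) compliant: $($vol.EncryptionMethod), TPM+PIN, recovery password present"
}
```

A volume can report FullyEncrypted with ProtectionStatus Off (for example after manage-bde -protectors -disable), which the site's compliance report treats as non-compliant, so both properties are checked.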

Configure BitLocker portal

Go to the SCCMInstallFolder\cd.latest\SMSSETUP\BIN\X64 folder and copy the following two files to a local folder on the server that will host the portals:

  • MBAMWebSite.cab
  • MBAMWebSiteInstaller.ps1

Script for install folder

Create the Active Directory security groups that will be granted access to the portals (helpdesk users, helpdesk administrators and report users).

Open an elevated PowerShell prompt in that folder and run: .\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both (SqlDatabaseName is the site database; SiteInstall Both installs the self-service and helpdesk portals).

Install MBAM Portal

The portals are now available.

Portal Self Service

Portal HelpDesk

Personalize the SelfService portal

In the Internet Information Services (IIS) Manager console, expand Sites / Default Web Site, select SelfService and double-click Application Settings.

IIS Console

Select CompanyName and click Edit.

IIS Console

Modify the value as you want.

Modification has been applied
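Putting the portal installation and personalisation steps together, here is the same procedure run from an elevated PowerShell session on the server that hosts the portals. This is an added example and not the original post's own commands: the group names, OU, SQL server, site database name (CM_P01), Reporting Services URL and company name are assumptions to replace with your own values, and the installer's parameter names are the ones shown in the command above.

```powershell
# Added example (not from the original post). All names below are assumptions.
Import-Module ActiveDirectory
Import-Module WebAdministration

$domain = 'CORP'
$ou     = 'OU=Groups,DC=corp,DC=contoso,DC=com'
$groups = @{
    HelpdeskUsers  = 'MBAM Helpdesk Users'    # must fill in user domain and ID on Drive Recovery
    HelpdeskAdmins = 'MBAM Helpdesk Admins'   # may recover by key ID alone
    ReportUsers    = 'MBAM Report Users'
}

# 1. Create the security groups the installer expects (skips any that already exist)
foreach ($name in $groups.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou | Out-Null
    }
}

# 2. Run the installer copied from cd.latest\SMSSETUP\BIN\X64, with the same parameters as the post's command
$installer = @{
    SqlServerName            = 'SQL01.corp.contoso.com'
    SqlInstanceName          = 'MSSQLSERVER'
    SqlDatabaseName          = 'CM_P01'                                   # the site database
    ReportWebServiceUrl      = 'https://SQL01.corp.contoso.com/ReportServer'
    HelpdeskUsersGroupName   = "$domain\$($groups.HelpdeskUsers)"
    HelpdeskAdminsGroupName  = "$domain\$($groups.HelpdeskAdmins)"
    MbamReportUsersGroupName = "$domain\$($groups.ReportUsers)"
    SiteInstall              = 'Both'                                     # SelfService and HelpDesk
}
.\MBAMWebSiteInstaller.ps1 @installer

# 3. Personalise the self-service portal: the same CompanyName setting edited in
#    IIS Manager > Default Web Site > SelfService > Application Settings
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\SelfService' `
    -Filter "appSettings/add[@key='CompanyName']" -Name value -Value 'Contoso'

# 4. Confirm both applications answer over HTTPS with Windows authentication
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($app in 'SelfService', 'HelpDesk') {
    $r = Invoke-WebRequest -Uri "https://$fqdn/$app/" -UseDefaultCredentials -UseBasicParsing
    "$app : HTTP $($r.StatusCode)"
}
```

Keep the helpdesk administrators group small: members can retrieve any escrowed recovery key without naming the user it belongs to, which is equivalent to being able to unlock any managed disk.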

Retrieve the recovery key

Restart the computer and press Esc at the BitLocker PIN prompt to enter recovery mode.

Recovery mode

The recovery key ID appears. Note the first eight characters.

Recovery mode

Open the HelpDesk portal (https://ServerName/HelpDesk) and click Drive Recovery.

Access to selfservice portal

Enter the Active Directory domain name in the User Domain field and the user name in the User ID field. Enter the first eight characters of the key ID in the Key ID field, select a Reason and click Submit.

Access to selfservice portal

The recovery key appears; you can copy it, save the recovery key, or save the key package.

Recovery key
