BitLocker Management with MECM
In this post, let's look at BitLocker configuration with MECM. Microsoft introduced integrated BitLocker management functionality into ConfigMgr with version 1910.
A disk encrypted by BitLocker needs a key to unlock it before it can be read. The key can be entered manually to gain access to the disk, but it is usually 48 characters long, so typing it every time the device boots is not convenient. To get automatic key retrieval and automatic unlocking of BitLocker-protected disks, key protectors are used to store the key securely. The protector automatically presents the key to Windows at boot time and unlocks the disk.
The two most common types of protectors are a TPM and a startup key device.
TPM:- A security chip on the motherboard of the device that securely stores the BitLocker key. The key is saved to the TPM chip when BitLocker is first enabled, or whenever BitLocker is suspended and then re-enabled.
Startup Key:- A key stored on a removable USB flash drive. The USB flash drive has to be plugged into the device in order for the device to boot and for the disk to be unlocked automatically.
BitLocker Configuration Steps:-
By default, BitLocker management is not enabled in ConfigMgr. This allows the continued use of standalone MBAM integrated with ConfigMgr when needed. Once BitLocker management is enabled, integration with standalone MBAM is no longer possible.
Enabling BitLocker Management:-
Enabling BitLocker management is a one-time action done through the Updates and Servicing node of the ConfigMgr console.
Open the ConfigMgr console and go to Administration --> Overview --> Updates and Servicing --> Features.
Look for the BitLocker Management feature and make sure it is turned on.
In the ConfigMgr console, navigate to Assets and Compliance --> Overview --> Endpoint Protection.
Click Create BitLocker Management Control Policy. This opens the Create BitLocker Management Control Policy wizard.
In the Name field, give the BitLocker management policy a name.
Under BitLocker Management Components, select the components you want to create policy for.
Click Next.
The Setup page of the wizard has two Drive encryption method and cipher strength settings. In the top one, open the drop-down menu and select Enabled. This setting enables the BitLocker policy on the operating system drive for pre-Windows 10 devices.
For Select encryption method, leave the default of AES 128-bit (default).
Under the second Drive encryption method and cipher strength setting, open the drop-down menu and select Enabled. This setting enables the BitLocker policy on Windows 10 machines.
For Operating System Drive, select the encryption type and strength for the OS drive. Leave it at the default (XTS-AES 128-bit).
For Fixed Data Drive, select the encryption type and strength for fixed data drives. Leave it at the default (XTS-AES 128-bit).
For Removable Data Drive, select the encryption type and strength for removable data drives. Leave it at the default (AES-CBC 128-bit).
Click Next.
The Operating System Drive page is where you specify whether BitLocker will be enabled.
This page is also where you specify which protectors will be used, such as TPM, or TPM and PIN.
Under Operating system drive encryption settings, select Enabled.
For the protector, select both TPM and PIN.
If you scroll down, you can see the additional setting Reset platform validation after BitLocker recovery. This setting enables rotating recovery keys: a new recovery key is generated after a recovery key has been used as part of BitLocker recovery.
Under Encryption policy enforcement settings, select Enabled. BitLocker encryption is then automatically enabled on the OS drive after the specified grace period.
The Fixed Data Drive page holds the BitLocker policies for Windows 10 devices. These settings apply only to Windows 10 machines.
Scroll down to the Encryption policy enforcement settings and select Enabled. This setting automatically enables BitLocker encryption on fixed data drives on Windows 10 devices.
On the Removable Data Drive page, select Enabled. This setting causes Windows 10 clients to enable BitLocker on removable data drives.
On the Client Management page, specify whether you want clients to report their BitLocker recovery information to ConfigMgr. If enabled, ConfigMgr stores the BitLocker recovery information for clients in the site database.
By default, BitLocker management does not encrypt the BitLocker recovery keys in the ConfigMgr database.
Check the option Allow recovery information to be stored in plain text. By checking this option, you acknowledge that the BitLocker recovery information stored in the ConfigMgr database is not encrypted.
Click Next --> Summary --> Close.
Deploying BitLocker policy:-
Right-click the MECM BitLocker policy and select Deploy.
In the BitLocker management policy window, click Browse and select a device collection.
The MBAM client runs hidden and needs no user interaction. In other words, the MBAM client does not need any separate deployment or manual installation. Once the policy is deployed and a device receives it, the ConfigMgr client automatically installs the MBAM client by invoking MBAMClient.msi, located in C:\Windows\CCM.
The following methods can be used to confirm that the MBAM client has been installed and is running:
Open services.msc and check for the service named BitLocker Management Client Service (MBAM Agent).
Open Task Manager and check whether MBAMAgent.exe is running.
Check the C:\Program Files\Microsoft\MDOP\MBAM directory to see whether the MBAM client has been installed.
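As an added example (not code from the original post or from the MBAM product), the following PowerShell function performs the three checks above in one go and also confirms that the MBAMClient.msi the ConfigMgr client invokes is present. It assumes the service display name, the MBAMAgent.exe process name and the install path exactly as named above; run it in an elevated PowerShell prompt on a device that has received the policy.

```powershell
# Added example: verify the MBAM client that MECM installs with the BitLocker policy.
# Assumptions (from the post): service display name "BitLocker Management Client Service",
# process MBAMAgent.exe, install directory %ProgramFiles%\Microsoft\MDOP\MBAM,
# and MBAMClient.msi under %SystemRoot%\CCM.

function Test-MbamClientInstalled {
    # Service: matched on the display name given in the post (first match only)
    $service = Get-Service |
        Where-Object { $_.DisplayName -like 'BitLocker Management Client Service*' } |
        Select-Object -First 1

    # Process: Get-Process takes the image name without the .exe extension
    $process = Get-Process -Name 'MBAMAgent' -ErrorAction SilentlyContinue

    # Install directory created by MBAMClient.msi
    $installDir = Join-Path $env:ProgramFiles 'Microsoft\MDOP\MBAM'

    # The MSI the ConfigMgr client invokes when the BitLocker policy arrives
    $msiPath = Join-Path $env:SystemRoot 'CCM\MBAMClient.msi'

    $serviceRunning = ($null -ne $service) -and ($service.Status -eq 'Running')

    [pscustomobject]@{
        ServiceFound     = ($null -ne $service)
        ServiceStatus    = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        ProcessRunning   = ($null -ne $process)
        InstallDirExists = (Test-Path $installDir)
        MsiPresent       = (Test-Path $msiPath)
        # Healthy = the three indicators the post lists all hold at once
        Healthy          = $serviceRunning -and ($null -ne $process) -and (Test-Path $installDir)
    }
}

Test-MbamClientInstalled | Format-List
```

If Healthy is False but MsiPresent is True, the policy has reached the device and the install has not completed yet; if MsiPresent is also False, the device has not yet downloaded the BitLocker management policy, which the next section's Machine Policy Retrieval & Evaluation Cycle addresses.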
BitLocker Encryption On A Device:-
Once the BitLocker policy is deployed to client devices, make sure that the client is set to PKI.
In the Actions tab, click Machine Policy Retrieval & Evaluation Cycle and click Run Now.
Wait a few minutes, click Refresh, and the policy will show up.
Click Evaluate.
After some time, the Microsoft BitLocker Administration and Monitoring wizard should appear; click Start.
To check the BitLocker encryption status, open a command prompt as administrator and run manage-bde -status. Once encryption is complete, the device is reported as compliant.
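As an added example (not from the original post), here is a PowerShell compliance check that goes a step beyond manage-bde -status: it reads the OS volume with the built-in BitLocker module's Get-BitLockerVolume cmdlet and compares it against the policy chosen earlier in this post (OS drive XTS-AES 128-bit, TPM and PIN protector, recovery information escrowed). The expected values in $expected are assumptions drawn from that policy; change them if your policy differs. Run it elevated on the encrypted client.

```powershell
# Added example: check the OS drive against the BitLocker policy described in this post.
# Assumptions: OS drive cipher XtsAes128 (XTS-AES 128-bit), protector TPM + PIN (TpmPin),
# and a RecoveryPassword protector present so the key can be escrowed to ConfigMgr.
$expected = @{
    EncryptionMethod   = 'XtsAes128'
    RequiredProtectors = @('TpmPin', 'RecoveryPassword')
}

function Test-OsDriveBitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. 'C:'

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # KeyProtectorType is an enum (Tpm, TpmPin, RecoveryPassword, ...); compare as strings
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $findings = @()
    # VolumeStatus: FullyEncrypted / EncryptionInProgress / FullyDecrypted / ...
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "volume is $($vol.VolumeStatus), not FullyEncrypted"
    }
    # ProtectionStatus Off means BitLocker is suspended or has no protectors, even if encrypted
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "protection is $($vol.ProtectionStatus) (suspended or no protectors)"
    }
    if ($vol.EncryptionMethod -ne $expected.EncryptionMethod) {
        $findings += "cipher is $($vol.EncryptionMethod), policy expects $($expected.EncryptionMethod)"
    }
    foreach ($required in $expected.RequiredProtectors) {
        if ($protectorTypes -notcontains $required) {
            $findings += "missing key protector: $required"
        }
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus.ToString()
        ProtectionStatus = $vol.ProtectionStatus.ToString()
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        Protectors       = ($protectorTypes -join ', ')
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-OsDriveBitLockerCompliance | Format-List
```

The ProtectionStatus check is the one manage-bde -status output is most often misread on: a drive can show 100% encrypted while protection is Off (for example after a suspend for firmware servicing), in which case the clear key sits on disk and the device should not be treated as compliant until protection is resumed.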