Bitlocker Management using SCCM and MBAM
Purpose of this Document
Please note that discussions are ongoing regarding if/how device encryption will be handled in a more centralized fashion at UF. Neither this document, nor any of the examples that it references are intended to be taken as policy. The intent of this document is to provide a basic introduction for units on how to begin managing Bitlocker encryption on their own machines using SCCM and MBAM. Should a decision be made in the future to centralize encryption management, the implications of this decision will be reflected in this document.
MBAM Endpoint Requirements
- Endpoint must be on the UFAD domain. MBAM relies on use of group policy to manage Bitlocker on Windows endpoints.
- Off-campus machines must be on VPN. As endpoints must be on domain for MBAM to function, it follows that they will need to be on the UF VPN when off-campus.
MBAM Client Install
The MBAM client installer can be found at: \\ad.ufl.edu\ufad\SCCM\UF2-MBAM-Client
UFIT has provided an example client install GPO that will install the proper client based on CPU architecture (32/64 bit):
- UFIT-UFEM-MBAM-ClientInstall-EXAMPLE
Please make a copy of this GPO for your unit’s use. Do not link directly. This GPO is provided only as a guide and could change without notice.
Group Policy Objects
MBAM Bitlocker management and reporting is based on GPOs. Even if an endpoint has the MBAM client installed, there will be no escrowing of keys, encryption enforcement, or reporting unless the endpoint has MBAM settings applied via GPOs.
Administrative Templates
MBAM introduces a new set of administrative templates. Within the Group Policy Management tool, you can find these new templates under:
Computer configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
The policy settings in these templates are broken up into four sections:
- Client Management - Configure MBAM Services
- Operating System Drive - Operating system drive encryption settings
- Removable Drive - Control use of BitLocker on removable drives
- Fixed Drive - Control use of BitLocker on fixed drives
You can find detailed descriptions of each setting in these groups on Microsoft’s Docs Site.
Important: Do not change the Group Policy settings in the BitLocker Drive Encryption node, or MBAM will not work correctly. When you configure the Group Policy settings in the MDOP MBAM (BitLocker Management) node, MBAM automatically configures the BitLocker Drive Encryption settings for you.
GPO Examples
UFIT has provided the following example GPOs to illustrate MBAM client setup basics:
- UFIT-UFEM-MBAM-BaselineClientConfig-EXAMPLE
  - Contains the bare minimum
  - Ensures that the client can communicate with the status and recovery services of the UF MBAM server
  - Needed for key escrow and recovery
- UFIT-UFEM-MBAM-OsDriveSettings-EXAMPLE
  - Contains a basic configuration for the OS drive of an endpoint
  - Although the “Settings” tab will show settings from “Computer configuration > Policies > Windows Components > BitLocker Drive Encryption”, these legacy settings are not set by hand. They are automatically configured by MBAM. Only the settings in the “Computer configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)” section are manually set in the GPO.
  - Configures the grace period for policy enforcement
  - Configures whether or not TPM and PIN are required
Deploying Compliance Baselines
Once GPOs have been deployed to endpoints, we can then deploy the configuration baselines in SCCM that will monitor the endpoints for compliance with the settings set forth by the GPOs. In the SCCM console, navigate to “Assets and Compliance > Compliance Settings > Configuration Baselines”. You should see the following two Configuration Baselines (BIs):
- Bitlocker Protection – Built-in MBAM BI from Microsoft. Microsoft does not recommend or support modification of this BI or its constituent Configuration Items (CIs)
- UFIT – Bitlocker Conversion Status – UFIT-provided BI. Utilizes the output of manage-bde.exe to determine if Whole Disk Encryption (WDE) is being used.
If you would like to get reporting on WDE, you will need to deploy both BIs, otherwise, you can just deploy the “Bitlocker Protection” BI to get MBAM GPO compliance reporting.
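To illustrate the approach the conversion-status BI takes, here is an added PowerShell example (not the UFIT-provided configuration item) that parses the text printed by manage-bde.exe -status and decides whether the volume is fully encrypted rather than used-space-only encrypted. The field names it reads are the ones manage-bde prints; the sample output is constructed so the parser can run offline.

```powershell
# Added example, not the UFIT CI script: classify a volume's encryption state
# from the text that "manage-bde -status <drive>" prints.
function Get-BitLockerConversionStatus {
    param(
        [string]$Drive = 'C:',
        # Pass captured output to run offline; when omitted, the function
        # calls manage-bde itself (requires an elevated prompt).
        [string[]]$StatusText
    )
    if (-not $StatusText) { $StatusText = & manage-bde.exe -status $Drive 2>&1 }

    # Each property appears as "    Name:    Value" on its own line.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z ]+?):\s+(.+?)\s*$') {
            $fields[$Matches[1].Trim()] = $Matches[2]
        }
    }

    $conversion = $fields['Conversion Status']
    $percent = if ($fields['Percentage Encrypted']) {
        [double]($fields['Percentage Encrypted'] -replace '[^\d.]', '')
    } else { 0 }

    [pscustomobject]@{
        Drive              = $Drive
        ConversionStatus   = $conversion
        PercentEncrypted   = $percent
        ProtectionOn       = ($fields['Protection Status'] -eq 'Protection On')
        # Whole-disk encryption: the entire volume is encrypted (not just used
        # space) and no conversion is still running or paused.
        WholeDiskEncrypted = ($conversion -eq 'Fully Encrypted' -and $percent -eq 100)
    }
}

# Constructed sample in the layout manage-bde uses: used-space-only, so not WDE.
$sample = @'
Volume C: [OS]
[OS Volume]

    Size:                 475.69 GB
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
'@ -split "`r?`n"

$result = Get-BitLockerConversionStatus -StatusText $sample
# A CI discovery script emits one value for SCCM to compare against its rule.
if ($result.WholeDiskEncrypted) { 'Compliant' } else { 'NonCompliant' }
```

Run against the constructed sample the script emits NonCompliant, because “Used Space Only Encrypted” leaves free space unencrypted even at 100% progress; a volume reporting “Fully Encrypted” at 100% yields Compliant.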
To deploy a BI, right-click on it and select “Deploy”. There are a number of options in the “Deploy Configuration Baselines” window that pops up. At minimum, you will need to select a device collection to deploy to. You can also adjust the evaluation schedule (the default is every 7 days). Once you are satisfied with the options, click OK to deploy the baseline to your collection.
Compliance Reporting
Once your BIs have run their first cycle of evaluations, you can call up reports on the resulting compliance info. First navigate to “Monitoring > Reporting > Reports” in the SCCM console. We are interested in the following two subfolders:
- MBAM – Contains the built-in MBAM compliance reports from Microsoft
- UF – Contains UFIT-modified versions of the MS MBAM compliance reports
The UFIT-modified versions located in the UF folder take the built-in MS MBAM compliance reports and add in reporting on WDE (based on data from the “UFIT – Bitlocker Conversion Status” BI):
- UFIT - MBAM - BitLocker Enterprise Compliance Details
- UFIT - MBAM - BitLocker Computer Compliance
The “UFIT - MBAM - BitLocker Enterprise Compliance Details” report has only one input: the name of the device collection that you want to run the report against.
To get details on a particular machine, you can manually enter the name of a specific endpoint in the “UFIT - MBAM - BitLocker Computer Compliance” report. Alternatively, you can click on the name of an endpoint in the output of the “UFIT - MBAM - BitLocker Enterprise Compliance Details” report to go directly to the details for that endpoint.
Key Recovery
MBAM provides a self-service portal that users can use to get a BitLocker recovery key for their system should they get locked out. The self-service portal can be found at:
https://ufit-cm-p-08.ad.ufl.edu/SelfService/Recovery/Index
As mentioned in the Microsoft documentation: “An end user must have physically logged on to the computer (not remotely) at least one time successfully to be able to recover their key using the Self-Service Portal.”
After logging in to the portal with the same domain account used to log in to the device, the user will need to perform the following steps to regain access:
- In the Recovery KeyId field, enter at least the first eight digits of the 32-digit BitLocker Key ID that is displayed on the BitLocker recovery screen of your computer. If the first eight digits match multiple keys, a message displays that requires you to enter all 32 digits of the recovery key ID.
- In the Reason field, select a reason for your request for the recovery key.
- Click Get Key. Your BitLocker recovery key is displayed in the Your BitLocker Recovery Key field.
- Enter the 48-digit code into the BitLocker recovery screen on your computer to regain access to the computer.