Starting with Microsoft Endpoint Manager Configuration Manager 1910, Microsoft has integrated their MBAM (Microsoft BitLocker Administration and Monitoring) product from the MDOP (Microsoft Desktop Optimization Pack) suite into MEMCM. This is a huge step forward toward a single pane of glass for endpoint management. The components of the integration include a management portal, reporting capabilities, and policies for MBAM and encryption methods, which we will explore in a later post.
One of the biggest challenges in deploying MBAM with MEMCM integration is the PKI (Public Key Infrastructure) requirement. The management point and the clients need certificates, and the site has to be converted to HTTPS communication. This post details the certificate creation and deployment process to prepare the infrastructure for the MBAM deployment. For the purposes of this post (and to keep things simple), I have DC01 (a Windows Server 2019 domain controller that also runs the Certification Authority) and CM01 (a Windows Server 2019 MEMCM primary site server holding the MP, DP and reporting services point roles).
Microsoft provides information on planning and deploying BitLocker/MBAM, as well as standing up PKI for HTTPS, here:
You must be an administrator in Configuration Manager. You must also have rights on your Certification Authority to create certificate templates and issue certificates, and be able to create and edit Group Policy.
To start off, you will need to open your Certification Authority console, right click Certificate Templates and select Manage.
Right-click on the Workstation Authentication template and select Duplicate Template.
Click on the General tab and change the template display name to “SCCM Client Certificate”. The Workstation Authentication template already carries the Client Authentication EKU that Configuration Manager requires on client certificates, so no other tab needs changing.
Click on the Security tab and select Domain Computers. Make sure Read is allowed, then select Enroll and Autoenroll.
Back at the Certification Authority console, right click Certificate Templates and select New > Certificate Template to Issue.
Select the SCCM Client Certificate.
You will now see the SCCM Client Certificate listed in the Certificate Templates.
You will now want to open your Group Policy Management console and create a new Group Policy Object linked to the OU(s) containing your clients and your Configuration Manager servers. Edit it and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment.
Right-click Certificate Services Client – Auto-Enrollment and select Properties. Set Configuration Model to Enabled, and tick both “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”. Without the second option, machines will not pick up the SCCM Client Certificate template.
Looking in the Certificates console (Local Computer) on your CA server, you will see your root CA certificate in the Trusted Root Certification Authorities store. Export this certificate, DER-encoded (.cer), for later use; it gets imported into the site properties further down.
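As an added example (this is not from the original post and is not Microsoft's code), the PowerShell below does from a prompt what the screenshots above describe in the console: it kicks autoenrollment instead of waiting for the scheduled cycle, confirms a certificate from the SCCM Client Certificate template landed in the Local Computer Personal store with the Client Authentication EKU and a private key, and exports the root CA certificate DER-encoded. The template display name, the root CA subject (contoso-DC01-CA) and the export path are assumptions for this lab; change them to match yours. Run it elevated on a domain-joined machine in scope of the GPO.

```powershell
# Added example, not part of the original post. Assumed lab values below.
$templateDisplayName = 'SCCM Client Certificate'     # display name given to the duplicated template
$rootCaSubjectMatch  = '*CN=contoso-DC01-CA*'         # assumption: your root CA's subject
$exportPath          = 'C:\Temp\RootCA.cer'           # DER-encoded export for the site properties

# Refresh computer policy and poke the autoenrollment task rather than waiting for the
# default 8-hour cycle. certutil -pulse needs an elevated prompt for the machine context.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# The "Certificate Template Information" extension records which template issued a cert.
# Strip whitespace so the match works whether Format() shows the display name or the
# template name (display name without spaces).
$wanted = $templateDisplayName -replace '\s', ''
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tmpl = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
    $tmpl -and (($tmpl.Format($false) -replace '\s', '') -like "Template=$wanted*")
} | Select-Object -First 1

if (-not $clientCert) {
    throw "No certificate from template '$templateDisplayName' found; check GPO scope and the template's Domain Computers ACL"
}

# Configuration Manager needs the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and a private key
$hasClientAuth = $clientCert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
"Subject     : $($clientCert.Subject)"
"Issuer      : $($clientCert.Issuer)"
"Expires     : $($clientCert.NotAfter)"
"Client Auth : $hasClientAuth   Private key: $($clientCert.HasPrivateKey)"
if (-not ($hasClientAuth -and $clientCert.HasPrivateKey)) {
    throw 'Certificate is unusable for ConfigMgr client authentication (EKU or private key missing)'
}

# Export the root CA certificate from the Trusted Root store. -Type CERT is DER encoding,
# which is what the site's Trusted Root Certification Authorities dialog expects.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $rootCaSubjectMatch } |
          Select-Object -First 1
if (-not $rootCa) { throw "Root CA matching '$rootCaSubjectMatch' not found in the Trusted Root store" }
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
$rootCa | Export-Certificate -FilePath $exportPath -Type CERT | Out-Null
"Root CA exported to $exportPath (thumbprint $($rootCa.Thumbprint))"
```

If the script throws at the first check, the usual culprits are the GPO not yet applied to the machine's OU, or the template missing Enroll/Autoenroll for Domain Computers; the Application event log (source CertificateServicesClient-AutoEnrollment) tells you which.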
Now go back into your Certification Authority console, right-click Certificate Templates, select Manage, and create a duplicate of the Web Server template, as we did with the SCCM Client Certificate. Again, click on the General tab and change the Template Display Name to “SCCM Web Server”.
Then click on the Security tab and add either your Configuration Manager server's computer account or a security group containing your Configuration Manager site system servers, and allow it Read and Enroll. Autoenroll is harmless but not needed here, since this certificate is requested manually in the next steps.
In the Certification Authority console, again right click Certificate Templates and select New > Certificate Template to Issue.
Select SCCM Web Server.
Now, on your Configuration Manager server, open the Local Computer certificate store (certlm.msc, or an MMC with the Certificates snap-in targeted at the Computer account; certmgr.msc opens the current user's store, which is the wrong place for an IIS certificate). Right click on the Personal container, select All Tasks > Request New Certificate…
Click the blue link for More information required.
Select Common Name under Subject Name. Enter the NetBIOS name of your Configuration Manager server (CM01 in this lab) and click Add, then enter its FQDN and click Add. Under Alternative Name, select DNS and enter the FQDN of the Configuration Manager server and click Add. The FQDN in the Subject Alternative Name is the value clients validate when they connect to the management point, so it must match exactly. Then click Apply and OK.
Then select the SCCM Web Server certificate and click Enroll.
Open IIS Manager on the Configuration Manager server. Expand the server name and Sites. Right click on the Default Web Site and select Edit Bindings…
Add (or edit) the https binding on port 443 and select the SCCM Web Server certificate that your Certification Authority just issued.
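For anyone who would rather script the request and the binding than click through the wizard, here is an added example (my own, not from Microsoft's documentation) that does the same thing with the PKI and WebAdministration modules, run elevated on the Configuration Manager server. It assumes the template name is SCCMWebServer (the default template name when the display name is “SCCM Web Server”, since the name drops the spaces) and that the machine's DNS name is its FQDN; adjust if your template or naming differs.

```powershell
# Added example, not part of the original post. Run elevated on the site system (CM01).
Import-Module PKI
Import-Module WebAdministration

$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. cm01.contoso.local
$netbios  = $env:COMPUTERNAME                                             # e.g. CM01
$template = 'SCCMWebServer'   # template *name* (display name without spaces), assumption

# Subject is the server's FQDN; the SAN carries the FQDN and the short name. Clients check
# the MP's FQDN against the SAN, so that entry is the one that matters.
$req = Get-Certificate -Template $template `
                       -SubjectName "CN=$fqdn" `
                       -DnsName $fqdn, $netbios `
                       -CertStoreLocation Cert:\LocalMachine\My

if ($req.Status -ne 'Issued') {
    throw "Request status is '$($req.Status)'; check the template's Enroll permission for $netbios"
}
$cert = $req.Certificate
"Issued: $($cert.Subject) by $($cert.Issuer), thumbprint $($cert.Thumbprint)"

# The Web Server template grants Server Authentication (1.3.6.1.5.5.7.3.1); catch a wrong duplicate early
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU; was the wrong template duplicated?'
}

# Create the https binding on 443 if it does not exist yet, then attach the certificate to it
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' | Out-Null
}
$binding = Get-WebBinding -Name $site -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show what HTTP.sys now has on 443 (certificate hash should equal $cert.Thumbprint)
netsh http show sslcert ipport=0.0.0.0:443
```

Get-Certificate talks to the enterprise CA over LDAP/DCOM, so it has the same prerequisite as the wizard: the computer account (or its group) must hold Enroll on the template, and the template must already be published under Certificate Templates on the CA.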
Now we need to enable HTTPS communication on the Configuration Manager site. Navigate to the Administration node > Site Configuration > Sites. Right click on your primary site and select Properties.
Click on the Communication Security tab and select HTTPS or HTTP. Choosing HTTPS only at this point would cut off any client that has not yet received its certificate, so leave the mixed mode on until every client shows a PKI certificate. Down toward the bottom, under Trusted Root Certification Authorities, click Set…
Click the New button and import the root CA certificate that was exported earlier in this guide. This is how clients and site systems learn which CA to trust for the certificates they present to each other.
Still under the Site Configuration node, click on Servers and Site System Roles. Select the server(s) with your Management Point role installed. Right click on Management Point in the bottom window and select Properties. Select HTTPS under Client Connections.
Once this is configured, your site should be running in HTTPS mode. A quick check is to browse to https://<MP FQDN>/sms_mp/.sms_aut?mplist from a client: the page should load without a certificate warning and return the MP list as XML, and the Configuration Manager control panel applet on the client should show a PKI client certificate on its General tab. In the next post, we will go through the configuration of the MBAM client settings and the actual deployment of the policy.
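To make that “should be running in HTTPS mode” concrete, here is an added verification script (my own, not part of Microsoft's guidance) to run from a client or from the site server. It performs a real TLS handshake against the management point using the machine's trust store, so it fails the same way a ConfigMgr client would if the root CA is not trusted or the SAN does not carry the MP's FQDN, then fetches the MP list over HTTPS. The MP name cm01.contoso.local is an assumed lab value.

```powershell
# Added example, not part of the original post. Assumed MP FQDN below.
$mp = 'cm01.contoso.local'

# 1. TLS handshake. AuthenticateAsClient validates the chain against the local Trusted Root
#    store and checks the name, throwing AuthenticationException on either failure.
$tcp = New-Object System.Net.Sockets.TcpClient($mp, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($mp)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $sanNames   = @($serverCert.DnsNameList.Unicode)
    "Protocol : $($ssl.SslProtocol)"
    "Subject  : $($serverCert.Subject)"
    "Issuer   : $($serverCert.Issuer)"
    "SAN DNS  : $($sanNames -join ', ')"
    "Expires  : $($serverCert.NotAfter)"
    if ($sanNames -notcontains $mp) {
        Write-Warning "MP FQDN $mp is not in the certificate SAN; clients will reject this MP"
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    Write-Error "TLS validation failed for $mp : $($_.Exception.Message) (root CA not trusted, or SAN mismatch?)"
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# 2. The MP list endpoint is the classic "is the MP alive" check. Over HTTPS it also proves IIS
#    is serving the ConfigMgr virtual directories on the new binding; Invoke-WebRequest performs
#    its own certificate validation, so an untrusted root shows up here too.
$resp = Invoke-WebRequest -Uri "https://$mp/sms_mp/.sms_aut?mplist" -UseBasicParsing
"HTTP $($resp.StatusCode) from https://$mp/sms_mp/.sms_aut?mplist"
[xml]$mplist = $resp.Content
"Management points returned: $(@($mplist.MPList.MP).Count)"
$mplist.MPList.MP | Format-List *
```

If step 1 throws but the certificate chain looks right in the console, compare the name you are connecting with against the SAN printed in the output: a short name or an alias that is not in the SAN fails validation even though the certificate itself is fine.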
And for any of those curious, SCCM Skin is the name of my oldddd systems management blog that didn’t go very far. I kept the name, but ditched the blog. 🙂