Posted in: All Posts, MEMCM/SCCM, Windows 10

Bitlocker with MEMCM Integration Part 2: Deploying Bitlocker

In part 1, we went through configuring PKI and enabling HTTPS mode on your primary site. This was in preparation for Bitlocker deployment to your workstations. I’m not going to go over the Helpdesk and Self Service website configurations. There’s plenty of good resources out there regarding customization (which I will link below). This post, being part 2, assumes that you have already configured your infrastructure for HTTPS. That was the hard part. This is a relatively straight forward process of configuring rulesets for your Bitlocker deployment and actually deploying it. One thing of note, is this “deployment” is actually a configuration item with remediation attached. All of the Bitlocker settings are contained in the registry. Now on to the good stuff.

The first thing you need to do is ensure that Bitlocker management, as an Configuration Manager feature, is enabled. you can do this by going to Administration > Updates and Servicing > Features and right-clicking on Bitlocker Management and selecting Turn On. If you run into issues with not having permissions to enable the feature, make sure your user account security scope is set to “All”.

You’ll then want to navigate to Assets and Compliance > Endpoint Protection > BitLocker Management. Right-click on Bitlocker Management and select Create Bitlocker Management Control Policy.

Now, all the settings you choose herein are going to be specific to your organization. My selections are for reference only. You’ll want to name your policy and select the Bitlocker Management components to enable.

The initial setup screen will do over encryption method and cipher strength for all PC’s and then a section will be Windows 10 specific. You can hover your mouse over any of the sections for detailed descriptions of what each setting does. On this page you can set an unique organizational identifier so as to determine any outside organization or delineation within your own organization, should you have the need. You can also prevent memory overwrite on restart. If you enable this setting, your boot performance will be faster, but there is a potential for exposing the Bitlocker drive secrets this way. Something to consider when deploying Bitlocker policy.

One of the challenges with Bitlocker deployment is ensuring your devices not only have a TPM, but that they’re active and ready as well. You can script various solutions for this as well as using tools like Dell’s CCTK and HP’s BIOS Configuration Tool. However, you do have an option to encrypt devices without an active, ready TPM or no TPM at all by selecting “Allow Bitlocker without a compatible TPM (requires a password)”. As it says in the description, this will require pre-boot authentication with a password or PIN. You can also enable a PIN for an additional layer of protection and configure enhanced PIN’s.

One of my favourite features of MBAM integration with Configuration Manager is the ability to manage encryption of removable drives. You can automate the entire process to take any end user effort out of the equation. Again, the settings I have selected are for reference only. You can decide what works best for your organization.

Finally, you will configure the client management portion of the policy. This allows you to select what specific information to store and how you store it, be it encrypted or plain text. You can also configure exemption policies and contact methods for end users.

Review your summary screen and click next.

From here you can deploy your policies. However, if you are running Configuration Manager 2002 and below, you will notice that Bitlocker prompts the user to encrypt the drive. This can be problematic as users can defer the encryption indefinitely. However, there is a solution to make the drive encryption silent with no user interaction. There are two registry keys that need to be set for this.

HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement 
OSEnforcePolicyPeriod = 0
HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
UseOSEnforcePolicy=1

This can be set with a quick script, as detailed below.

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" -Name "OSEnforcePolicyPeriod" -Value "0" -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement" -Name "UseOSEnforcePolicy" -Value "1" -PropertyType DWORD -Force

Once that is deployed to your target devices, you can then deploy the Bitlocker policy. You can watch the policy execution in C:\Windows\CCM\Logs under the BitlockerManagement_GroupPolicyHandler.log and BitlockerManagementHandler.log

Below is a screenshot of the BitlockerManagementHandler log.

You can also check the status of encryption on the device with the following:

manage-bde -status

Prior to encryption, the device will show as Fully Decrypted.

You can then see, after it has taken the policy and begins encryption, that the Conversion Status will show Encryption in Progress.

And, finally, you will see the device as fully encrypted.

Hopefully this post series has provided some insight into the process of setting up and configuring Bitlocker encryption with MBAM and Configuration Manager integration. This presents a great “single pane of glass” view into your devices in the enterprise. Thanks for reading!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.