Overblog Tous les blogs Top blogs Technologie & Science Tous les blogs Technologie & Science
Editer l'article Suivre ce blog Administration + Créer mon blog
MENU

[Bitlocker] SCCM MBAM

Publié le par damcuvelier

Prerequisites:

1. Administrator rights on SCCM and SQL
2. Configuration Manager build 1910 installed or more
3. Microsoft ASP.NET MVC 4.0
4. Certificate Authority PKI*
5. SQL reporting services
6. Three security groups:
    o BitLocker Helpdesk Admins
    o BitLocker Reporting Users
    o BitLocker Admin Users
7. MBAM Deployment Script

1-Upgrading SCCM

Check if you SCCM version equals or more 1910, if not update it and enable Bitlocker Management.

After update, check your version

Check also if Bitlocker Management features status is on status.

 

2-Create Certificate

On the Certification Authority, duplicate Web Server template. Change the name of the template and publish certificate in Active Directory.

 

 

3- Enable HTTPS on IIS

Open MMC console and add Certificates snap-in. Request a new certificate and choose Web Server Template. Click on More information is required to enroll.

On Subject Name select Common Name and enter the FQDN Name of the SCCM server. Click on Add for validate operation. Repeat the same operation with DNS.

 

Click on OK and Enroll. The certificate has been issued. On the SCCM Server, open IIS console and right click on Default web site and select Edit Bindings.

Now attach your certificate on IIS, open your IIS and select Edit Bindings then select your new certificate on https section.

 

4-Enabling HTTPS on SCCM

In Configuration Manager current branch version 1910, to integrate the BitLocker recovery service you had to HTTPS-enable a management point. The HTTPS connection is necessary to encrypt the recovery keys across the network from the Configuration Manager client to the management point. Configuring the management point and all clients for HTTPS can be challenging for many customers.

 

Starting in version 2002, the HTTPS requirement is for the IIS website that hosts the recovery service, not the entire management point role. This change relaxes the certificate requirements, and still encrypts the recovery keys in transit.

On the SCCM console, go to Administration tab and click on Site Configuration / Sites configuration. Open properties. And go to Communication Security.

Check HTTPS ONLY if your version is 1910.

You can Check HTTPS or HTTP if your version equals 2002 or more. Check Use PKI client Certificate.

Click Set, a new windows appear, click button and Import your Certificate Root.

Go to management point, and check HTTPS on new Windows.

Open Distribution point, and check HTTPS, then select browse and add the certificate web server created already. USE THE Same certificate for your IIS server, do not use the auto-sign certificate the communication will be aborted between client and agent.

 

Go after to your client, refresh in Action tab, and check if HTTPS has been configured.

 

5- Configure Bitlocker Management Policy

 

Open Assets  and  Compliance tab.  Expand Endpoint  Protection node  and  click on BitLocker  Management.  Right  click  and  chose  Create  Bitlocker  Management Control Policy.

 

Enter Name for policy. Check Enable: client management and Operating System Drive.

 

Enable drive encrypting, and chose your method encrypting.

 

Enable Configure service, and select Recovery password and key package.

By default the policy refreshes every 90 min. In our case or in your lab test, you can change the value to 5 minutes.

 

Enable Bitlocker on Operating System Drive.

You can choose if you want to allow Bitlocker on computer without TPM. Click next, and close.

Deploy the policy on a device collection.

6-Deploy and check client agent MDOP

A new log file will be created on %WINDIR%\CCM\Logs:

          BitlockerMangementHandler.log

 

Open BitlockerMangementHandler.log, and check installation.

 

Check if the MDOP agent is installed on the client.

NOTE: the agent MDOP is present only on client which the policy is deployed. Not all SCCM clients

 

Check the registry if the information and key will be created in:

HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement.

 

Try to connect to keyrecovery point with account have right to test if every things work well, if you can not connect, bitlocker will not be launched.

 

Open configuration manager in control panel, and check if the policy is present, you can test it.

The report show more details when there is an error

 

 

After retrieving the BitLocker policy, the wizard is displayed on the Windows 10 workstation. Click on Start.

Choose a Pin code, if you have defined a pin code on policy.

Encrypting begins.

You can find the bitlocker key in SQL server:

 

7-Create and assign groups

 

To facilitate management task for your users or IT, it is recommended to create three different groups in your AD.

 

HelpdeskUsers : A domain user group whose members have access to the Manage TPM and Drive Recovery areas of the administration and monitoring website. When using these options, this role needs to fill in all fields, including the user's domain and account name.

 

HelpdeskAdmin : A domain user group whose members have access to all recovery areas of the administration and monitoring website. When helping users recover their drives, this role only has to enter the recovery key.

 

MbamReportUser : A domain user group whose members have read-only access to the Reports area of the administration and monitoring website.

 

Don’t forget to be member of these groups.

 

 

 

8- Set up BitLocker portals

 

This process uses a PowerShell script, MBAMWebSiteInstaller.ps1, to install these components on the web server. It accepts the following parameters:

-SqlInstanceName <InstanceName>: The SQL Server instance name for the primary site database. If SQL uses the default instance, don't include this parameter.

-SqlDatabaseName <DatabaseName> (required): The name of the primary site database, for example CM_ABC.

-ReportWebServiceUrl <ReportWebServiceUrl>: The web service URL of the primary site's reporting service point. It's the Web Service URL value in Reporting Services Configuration Manager.

-IISWebSite: The website where the script installs the MBAM web applications. By default, it uses the IIS default website. Create the custom website before using this parameter.

First we need ASP MVC 4, Download the setup file from Here.

 

 

After navigate to the folder SMSSETUP\BIN\X64  on the site server and copy the following files to a local folder on the target server:

- MBAMWebSite.cab

- MBAMWebSiteInstaller.ps1

Open PowerShell as an administrator, and run the script similar to the following command line:

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlDatabaseName

<DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl>

-HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName

<DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup>

-SiteInstall Both

Note: if you don’t have sqlreporting server, you can remove these parameters. Example:

C:\Users\mehdi\Desktop\mbam\MBAMWebSiteInstaller.ps1 -SqlServerName sccm1.info.prive -SqlDatabaseName CM_MAR -ReportWebServiceUrl https://sccm1/Reportserver -HelpdeskUsersGroupName "info\Bitlocker Helpdesk Admins" -HelpdeskAdminsGroupName "info\Bitlocker Helpdesk Admins" - MbamReportUsersGroupName "info\Bitlocker Reporting Users" -SiteInstall Both

 

Run the script.

Go after into IIS Manager, we can see creating two virtual directories.

Connect to the web site:

 

 

9-Customize the self-service portal

 

We can customize self-service portal, for own organization. Add a custom notice, organization name, and other organization-specific information.

Expand Sites, expand Default Web Site, and select the SelfService node. In the details pane, ASP.NET group, open Application Settings.

Enter your company name

 

 

10-Get the recovery key

Restart computer, and press esc.

 

In helpdesk portal, enter the first 8 characters, and click submit, you can get the recovery key.

 

 

11-Use BitLocker self-service portal

After you install the BitLocker self-service portal, if BitLocker locks a user's device, they can independently get access to their computers. The self-service portal requires no assistance from help desk staff.

BitLocker can lock the device in the following situations:

- The user forgets their BitLocker password or PIN

- There's a change to the device's OS files, BIOS, or Trusted Platform Module

(TPM)

 

To request the BitLocker recovery key from the self-service portal:

1.  When BitLocker locks a device, it displays the BitLocker recovery screen during startup. Write down the 32-digit BitLocker recovery key ID.

2.  On another computer, go to the self-service portal in the web browser, for example https://webserver.contoso.com/SelfService.

3.  In the Recovery Key ID field, enter the first eight digits of the BitLocker

4.  Select Get Key. The self-service portal displays the 48-digit BitLocker recovery key.

 

12-BitLocker reports

 

The reports show BitLocker compliance for the enterprise and for individual devices. They provide tabular information and charts, and have filters that let you view data from different perspectives.

In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select the Reports node.

Chose the reports you want to view.

 

Commenter cet article