BitLocker Management with SCCM

We have received a lot of queries about BitLocker management (MBAM). Most companies are opting for BitLocker management for security reasons, so it is worth learning how to manage BitLocker properly. This article is written on behalf of our contributor Mr. Parag Morye. So let's look at some interesting information about BitLocker integration and management with SCCM/MEMCM.


1 Overview
2 Prerequisites
3 How to Create BitLocker Management Policy
3.1 Enable BitLocker Management Feature
3.2 Create BitLocker Management Policy
3.3 Deploy BitLocker Management Policy
4 How Encryption Works
5 Monitoring
5.1 Deployment Status
5.2 Event Logs
5.3 Registry Keys
6 Create Helpdesk & Self-Service Portal
6.1 IIS Customization
7 How to Get Recovery Key
7.1 Using Helpdesk Portal
7.2 Using Self-Service Portal
7.3 Using SQL Table

1. Overview

Starting in version 1910, Configuration Manager integrates management of BitLocker Drive Encryption (BDE) for on-premises Windows clients that are joined to Active Directory. It provides full BitLocker lifecycle management (policy, enforcement, recovery-key escrow, compliance reporting and recovery portals) that can replace Microsoft BitLocker Administration and Monitoring (MBAM).

2. Prerequisites

  1. SCCM CB 1910 or a later version.
  2. Microsoft ASP.NET MVC 4 (needed for the portals in section 6).
  3. Create the following AD groups for portal access (the names are examples):
    • AG-CM-BitLocker-Helpdesk-Admins – A domain user group whose members have access to all recovery areas of the administration and monitoring website.
    • AG-CM-BitLocker-Helpdesk-Users – A domain user group whose members have access only to the Manage TPM and Drive Recovery areas of the administration and monitoring website.
    • AG-CM-BitLocker-Reporting-Users – A domain user group whose members have read-only access to the Reports area of the administration and monitoring website.
  4. All remote console (RDP) connections must be closed before BitLocker Drive Encryption begins.
  5. Remove any existing BitLocker GPOs that target the same machines. Both a GPO and the Configuration Manager policy write to HKLM\Software\Policies\Microsoft\FVE, so conflicting settings produce compliance failures rather than a merged policy.
  6. Clients must reach the management point over HTTPS for recovery-key escrow in version 1910 (later versions also accept Enhanced HTTP). Without this the encryption policy still applies, but no recovery keys are escrowed to the site.

3. How to Create BitLocker Management Policy

3.1      Enable BitLocker Management Feature

Before we start working on BitLocker, we need to make sure BitLocker Management feature is enabled in SCCM.

Go to Administration -> Overview -> Update & Servicing -> Features.

Select the BitLocker Management feature and click Turn on.

Click Yes.

Make sure the BitLocker Management feature shows as ON.


3.2 Create BitLocker Management Policy

Follow the below steps to create basic BitLocker Management Policy.

Go to Asset and Compliance -> Overview ->Endpoint Protection -> BitLocker Management tab.

Click on Create BitLocker Management Control Policy.

Specify the following information:

Name – BitLocker Encryption Policy

Description – This policy will be used to define BitLocker Management Encryption settings.

Enable the following BitLocker Management components:

  • Operating System
  • Client Management

Click Next.

On the Specify setup information page, specify the following settings.

  • Drive encryption method and cipher strength (Windows 10) – Enabled
    • Operating System Drives – XTS-AES 256 bit
    • Fixed data drives – XTS-AES 128-bit (default)
    • Removable data drives – XTS-AES 128-bit (default)

Click Next.

On the Operating System Drive page, specify the following settings:

  • Operating System Drive Encryption Settings – Enabled
    • Allow BitLocker without a compatible TPM (requires a password) – Allow
    • Select protector for operating system drive – TPM only
    • Configure minimum PIN length for startup – 4
  • Encryption policy enforcement settings – Enabled
  • Noncompliance grace period (days) – 0

The grace period is optional; with 0 the client starts enforcing encryption at the next policy evaluation instead of giving users a window to postpone. Note that with TPM only there is no pre-boot authentication: the drive unlocks automatically at boot and protection rests entirely on the TPM's integrity measurements, and the minimum PIN length setting has no effect. If you need pre-boot authentication, choose TPM and PIN here, at which point the minimum PIN length applies.

Click Next.

On the Client Management page, specify the following settings:

  • BitLocker Management Services – Enabled
    • Select BitLocker recovery information to store – Recovery password and key packages
    • Allow recovery information to be stored in plain text – Check it.
    • Client checking status frequency (minutes) – 90

Checking the plain text option is required when no BitLocker management encryption certificate has been configured; without it the client does not escrow recovery information. The consequence is that recovery passwords are stored unencrypted in the site database, so anyone with read access to that database effectively holds every recovery key. Restrict database access accordingly, or configure the encryption certificate and leave this option unchecked.

Click Next.

Verify settings on summary page and click Next.

Policy will be successfully created. Click Close.

Once the policy is created, it appears in the BitLocker Management node as shown below.

3.3 Deploy BitLocker Management Policy

Before you deploy BitLocker policy, make sure you have collection created with list of machines to which BitLocker policy will be deployed.

Once collection is created, go to Asset and Compliance -> Overview -> Endpoint Protection -> BitLocker Management.

Right click on BitLocker Encryption Policy and select Deploy.

Click on Browse -> Select desired collection -> Click Ok. You can change compliance evaluation schedule if required.


Once the BitLocker policy is deployed, it appears as shown below.

4. How Encryption Works

Once the BitLocker policy is deployed to a machine, it appears on the Configurations tab of the Configuration Manager applet in Control Panel.

The MDOP MBAM client is installed when the BitLocker policy is evaluated. You can verify this in C:\Windows\CCM\Logs\BITLOCKERClientMSI.log and under Programs and Features in Control Panel, as shown below.

Encryption then starts on the client according to the policy settings. Check C:\Windows\CCM\Logs\BitLockerManagementHandler.log for details.

Run the below command from an elevated prompt to see the encryption status.

Manage-bde -status

Encryption starts once the policy is triggered on the machine.

Note – BitLocker drive encryption will not start while an RDP connection is active.

Once encryption is complete, you can verify it using the same command.

Open the Configuration Manager applet and check the status of the deployed BitLocker policy. It should show Compliant.

Open Control Panel -> All Control Panel Items -> BitLocker Drive Encryption and make sure BitLocker ON for OS drive.
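The checks above (manage-bde -status, the applet's compliance state, the Control Panel view) are spread across three tools. The following script, an added example and not code from the original article, collects them into one verdict for the OS drive: is the volume fully encrypted and protected, does the cipher match the XTS-AES 256 the policy in section 3 asked for, are both a TPM protector and a recovery password present (without a recovery password there is nothing for the site to escrow), and is an RDP session currently blocking encryption. The expected values in $Expected are assumptions taken from this article's policy; adjust them to yours. Run it elevated on a client.

```powershell
# Added example (not from the original article): verify that the OS drive
# ended up in the state the policy in section 3 asked for. Run elevated.
# Assumptions (not on the page): the policy expects XTS-AES 256 on the OS
# drive plus a TPM protector and a recovery password. Adjust $Expected.
$Expected = @{
    OsDrive          = $env:SystemDrive    # normally "C:"
    EncryptionMethod = 'XtsAes256'         # Get-BitLockerVolume's name for XTS-AES 256
    Protectors       = @('Tpm', 'RecoveryPassword')
}

function Test-BitLockerCompliance {
    param([hashtable]$Policy = $Expected)

    $vol = Get-BitLockerVolume -MountPoint $Policy.OsDrive
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Fully encrypted and protected, not merely "encryption in progress"
    #    or encrypted with protectors suspended.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("ProtectionStatus is $($vol.ProtectionStatus): protectors suspended or absent")
    }

    # 2. Cipher. A drive encrypted before the policy arrived keeps its old
    #    method; the policy does not re-encrypt it, so this is worth checking.
    if ($vol.EncryptionMethod -ne $Policy.EncryptionMethod) {
        $findings.Add("EncryptionMethod is $($vol.EncryptionMethod), policy wants $($Policy.EncryptionMethod)")
    }

    # 3. Protectors. TPM for unattended boot, RecoveryPassword so the site
    #    has something to escrow.
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    foreach ($p in $Policy.Protectors) {
        if ($types -notcontains $p) { $findings.Add("missing key protector: $p") }
    }

    # 4. The article notes encryption does not start while an RDP session is
    #    active. LogonType 10 = RemoteInteractive.
    $rdp = @(Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -eq 10 })
    if ($rdp.Count -gt 0) { $findings.Add("active RemoteInteractive (RDP) logon session(s): $($rdp.Count)") }

    # The value section 7 tells you to copy: first 8 characters of the
    # recovery password protector's ID.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $idPrefix = if ($recovery.Count -gt 0) { $recovery[0].KeyProtectorId.Trim('{}').Substring(0, 8) } else { $null }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
        RecoveryIdPrefix = $idPrefix
    }
}

Test-BitLockerCompliance | Format-List
```

A machine that reports Compliant in the applet but fails check 2 here is the usual sign of a drive that was encrypted by hand or by an earlier GPO with a weaker cipher; the policy accepts it as encrypted, so the cipher mismatch is only visible client-side.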

5. Monitoring

5.1 Deployment Status

You can check the BitLocker policy deployment status using Monitoring -> Deployments status as below.

5.2 Event Logs

There are two event logs for BitLocker management: Admin and Operational.

You can find them in Event Viewer under Applications and Services Logs -> Microsoft -> Windows -> MBAM. Routine BitLocker operations (policy application, key escrow, encryption progress) are written to MBAM-Operational; failures are written to MBAM-Admin, so that is the log to check first when a client stays non-compliant.

5.3 Registry Keys

The registry keys related to BitLocker policy are HKLM\Software\Policies\Microsoft\FVE (the BitLocker settings themselves, the same location a GPO would write to) and HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement (the client management settings, such as the recovery service endpoint and check-in frequency).
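To make sections 5.2 and 5.3 actionable in one place, the following script, an added example and not code from the original article, compares the values under HKLM\Software\Policies\Microsoft\FVE with the values the policy in section 3 should have written, dumps the MDOPBitLockerManagement key, and lists the last 24 hours of MBAM Admin and Operational events. The baseline in $ExpectedFve is an assumption derived from this article's policy (the value meanings are standard BitLocker policy registry values; which exact UseTPM value your "TPM only" choice writes is best confirmed on a first run and then fixed as the baseline). Run it elevated on a client.

```powershell
# Added example (not from the original article): policy drift and event
# monitoring for a BitLocker-managed client. Run elevated.
# Assumption (not on the page): $ExpectedFve mirrors the section 3 policy.
# Value meanings: EncryptionMethodWithXts* 6 = XTS-AES 128, 7 = XTS-AES 256;
# UseTPM 0 = not allowed, 1 = required, 2 = allowed; EnableBDEWithNoTPM 1 =
# BitLocker allowed without a compatible TPM. Confirm UseTPM on a first run.
$ExpectedFve = @{
    EncryptionMethodWithXtsOs  = 7
    EncryptionMethodWithXtsFdv = 6
    EncryptionMethodWithXtsRdv = 6
    UseAdvancedStartup         = 1
    EnableBDEWithNoTPM         = 1
    UseTPM                     = 1
    MinimumPIN                 = 4
}

function Get-BitLockerPolicyDrift {
    param([hashtable]$Expected = $ExpectedFve)
    $fve = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = if ($fve) { $fve.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $Expected[$name])   # $null never matches: missing value is drift
        }
    }
}

function Get-MbamClientSettings {
    # Client management settings written by the CM policy (recovery service
    # endpoint, check-in frequency, ...). Dumped as-is rather than interpreted.
    Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement' -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS*
}

function Get-MbamEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Admin holds failures; Operational holds the normal escrow/encryption flow.
    foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line only
    }
}

"== Policy drift (HKLM\Software\Policies\Microsoft\FVE) =="
Get-BitLockerPolicyDrift | Format-Table -AutoSize
"== MDOPBitLockerManagement =="
Get-MbamClientSettings | Format-List
"== MBAM events, last 24h =="
Get-MbamEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

A Match of False with Actual empty usually means the policy has not reached the client yet (check the Configurations tab and BitLockerManagementHandler.log); a False with a different value present points at a conflicting GPO, which is why the prerequisites ask for those to be removed.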

6. Create Helpdesk & Self-Service Portal

Download Microsoft ASP.NET MVC 4 from below link.

Double click on AspNetMVC4Setup.exe

Click on I agree to the license terms and conditions and then click Install.

Click Close.

Copy the BitLockerWebSite and BitLockerWebSiteInstaller files from the SMS_Sitecode\cd.latest\SMSSETUP\BIN\x64 folder on the site server to the machine on which you are going to install the management portals.

Note – Before you execute below PowerShell Command, make sure IIS role is installed and default web site is created.

Open the PowerShell as administrator and run the below command.

.\MBAMWebSiteInstaller.ps1 -SqlServerName <ServerName> -SqlInstanceName <InstanceName> -SqlDatabaseName <DatabaseName> -ReportWebServiceUrl <ReportWebServiceUrl> -HelpdeskUsersGroupName <DomainUserGroup> -HelpdeskAdminsGroupName <DomainUserGroup> -MbamReportUsersGroupName <DomainUserGroup> -SiteInstall Both

Use the names of the AD groups created in the prerequisites for the three group parameters. Install the portals on a site that has an HTTPS binding: recovery keys are returned through these pages, and Windows authentication is what enforces the group membership checks.

Installation is in progress.

BitLocker portals will be successfully installed.

Open IIS and verify the HelpDesk & SelfService websites under Default Web Site.

Browse HelpDesk portal from IIS.

Browse SelfService portal from IIS.

6.1 IIS Customization

Open IIS and go to Default Web Site ->SelfService -> Application Settings.

Double-click the CompanyName setting and provide a value (for example, IT Company).
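The installer in section 6 and the Application Settings change in 6.1 are both done through the GUI; the following script, an added example and not code from the original article or from the installer, verifies the resulting configuration and applies the CompanyName change from the console. It assumes the two applications are named HelpDesk and SelfService under Default Web Site (the names the article shows) and that the server has the WebAdministration module. It checks for an HTTPS binding on the site, that Windows authentication is enabled and anonymous authentication disabled on both applications (the portals authorise by the caller's AD group membership, which an anonymous request has none of), and then sets CompanyName. Run it elevated on the web server.

```powershell
# Added example (not from the original article): verify the portal
# applications the installer created and set the Self-Service CompanyName.
# Assumptions (not on the page): apps are "HelpDesk" and "SelfService" under
# "Default Web Site"; WebAdministration module is available. Run elevated.
Import-Module WebAdministration

$Site = 'Default Web Site'
$Apps = 'HelpDesk', 'SelfService'

function Test-PortalHardening {
    param([string]$SiteName = $Site, [string[]]$AppNames = $Apps)

    # Recovery keys are returned through these pages, so require an HTTPS binding.
    $https = @(Get-WebBinding -Name $SiteName -Protocol https)
    [pscustomobject]@{ Check = 'HTTPS binding on site'; Ok = ($https.Count -gt 0); Detail = (($https | ForEach-Object { $_.bindingInformation }) -join ', ') }

    foreach ($app in $AppNames) {
        $path = "IIS:\Sites\$SiteName\$app"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Check = "$app exists"; Ok = $false; Detail = 'application not found' }
            continue
        }
        # Group-based access in the portals relies on the caller's Windows
        # identity: Windows auth must be on, anonymous must be off.
        $win  = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled
        $anon = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
        [pscustomobject]@{ Check = "$app Windows auth";   Ok = [bool]$win.Value;        Detail = "enabled=$($win.Value)" }
        [pscustomobject]@{ Check = "$app anonymous auth"; Ok = (-not [bool]$anon.Value); Detail = "enabled=$($anon.Value)" }
    }
}

function Set-SelfServiceCompanyName {
    param([string]$CompanyName, [string]$SiteName = $Site, [string]$AppName = 'SelfService')
    $path = "IIS:\Sites\$SiteName\$AppName"
    # Same appSettings entry the article edits via IIS > SelfService > Application Settings.
    Set-WebConfigurationProperty -PSPath $path -Filter "/appSettings/add[@key='CompanyName']" -Name value -Value $CompanyName
    # Read it back so the caller sees what IIS now holds.
    (Get-WebConfigurationProperty -PSPath $path -Filter "/appSettings/add[@key='CompanyName']" -Name value).Value
}

Test-PortalHardening | Format-Table -AutoSize
Set-SelfServiceCompanyName -CompanyName 'IT Company'
```

Any row with Ok = False should be fixed before the portal URL is handed to the helpdesk; an HTTP-only binding in particular means recovery passwords cross the network in the clear.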

7. How to Get Recovery Key

Run the below command from an elevated prompt and copy the first eight characters of the recovery key ID (the ID shown under the Numerical Password protector).

Manage-bde -protectors -get c:

There are three methods to get the recovery key:

7.1 Using Helpdesk Portal

Browse to the helpdesk portal and open Drive Recovery:

  • Enter first eight characters of recovery key id shown above
  • Select appropriate reason
  • Hit Submit

You will be able to see the drive recovery key as shown below.

7.2 Using Self-Service Portal

Browse to the self-service portal.

Select the check mark for I have read and understand the above notice and click Continue.

Enter the first eight characters of the recovery key ID with an appropriate reason and click Get Key.

You will be able to see the recovery key as shown below.

7.3 Using SQL Table

Default SQL tables are created in the site database for BitLocker management. The highlighted tables and the information they hold are shown below for reference.

You need to write a custom SQL query against these tables to retrieve a recovery key. Keep in mind that, unlike the two portals, a direct database read is not subject to the portal's group-based access control and does not appear in the recovery audit report, so limit this path to break-glass use and audit logins to the site database.
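As an added example for this section and for the recovery ID prefix collected in section 7 (not code from the original article), the script below runs such a lookup from PowerShell. The table and column names (RecoveryAndHardwareCore.Keys, Volumes, Machines_Volumes and Machines, with the columns used in the query) are assumptions based on the MBAM-derived schema and must be checked against your own site database before use, as must the assumed server and database names. The prefix is validated as eight hex characters and passed as a bound SQL parameter rather than concatenated into the query text. If a BitLocker management encryption certificate is configured, the RecoveryKey column holds ciphertext and this query returns that ciphertext, not the password.

```powershell
# Added example (not from the original article): look up an escrowed recovery
# password by the 8-character prefix copied from "manage-bde -protectors -get c:".
# Assumptions (not on the page): integrated Windows auth to the site DB; the
# MBAM-derived tables/columns named in the query. Verify them first. If an
# encryption certificate is in use, RecoveryKey is stored encrypted.
param(
    [Parameter(Mandatory)][string]$RecoveryIdPrefix,   # e.g. 'A1B2C3D4'
    [string]$SqlServer = 'CMSQL01',                     # assumed host name
    [string]$Database  = 'CM_PS1'                       # assumed site database
)

function Get-EscrowedRecoveryKey {
    param([string]$Prefix, [string]$Server, [string]$Db)

    # Validate before it reaches SQL: exactly 8 hex characters.
    if ($Prefix -notmatch '^[0-9A-Fa-f]{8}$') {
        throw "Recovery ID prefix must be exactly 8 hex characters, got '$Prefix'"
    }

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Db;Integrated Security=True;Encrypt=True;TrustServerCertificate=False")
    $cmd = $conn.CreateCommand()
    # Parameterised: the prefix is bound, never concatenated into the text.
    $cmd.CommandText = @"
SELECT m.Name          AS MachineName,
       v.VolumeId      AS VolumeId,
       k.RecoveryKeyId AS RecoveryKeyId,
       k.RecoveryKey   AS RecoveryKey,
       k.LastUpdateTime
FROM   RecoveryAndHardwareCore.Keys             AS k
JOIN   RecoveryAndHardwareCore.Volumes          AS v  ON v.Id = k.VolumeId
JOIN   RecoveryAndHardwareCore.Machines_Volumes AS mv ON mv.VolumeId = v.Id
JOIN   RecoveryAndHardwareCore.Machines         AS m  ON m.Id = mv.MachineId
WHERE  LEFT(CONVERT(nvarchar(36), k.RecoveryKeyId), 8) = @Prefix
"@
    [void]$cmd.Parameters.AddWithValue('@Prefix', $Prefix.ToUpper())

    $table = New-Object System.Data.DataTable
    $conn.Open()
    try     { $table.Load($cmd.ExecuteReader()) }
    finally { $conn.Close() }

    # The prefix is only 32 bits of the GUID; a collision is unlikely but
    # possible, so return every match and let the operator confirm the machine.
    $table | Select-Object MachineName, VolumeId, RecoveryKeyId, RecoveryKey, LastUpdateTime
}

Get-EscrowedRecoveryKey -Prefix $RecoveryIdPrefix -Server $SqlServer -Db $Database | Format-List
```

Because this bypasses the portals, nothing records who retrieved which key; if you keep this script at all, pair it with SQL Server audit on the login that runs it and prefer the helpdesk portal for day-to-day recovery.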
