Monitoring Microsoft’s BitLocker Compliance Data in System Center

MBAM is the best way to implement BitLocker in an enterprise; however, SCCM is needed to drive the surrounding process, such as decrypting a disk encrypted with McAfee or Symantec, updating the BIOS, enabling the TPM, and installing the MBAM agent.

MBAM Stand-alone Givens:

  • MBAM allows BitLocker settings to be controlled and enforced by Group Policy
  • TPM and BitLocker recovery passwords are stored in the SQL database
  • BitLocker compliance is monitored in MBAM and audit reports are available
  • MBAM provides a web portal and role-based security for end users and helpdesk staff to recover keys
  • Laptops can require a PIN at boot
  • Clients send compliance and recovery data to the MBAM Administration and Monitoring server.

ConfigMgr Integrated MBAM Givens:

  • ConfigMgr Current Branch build 1711
  • Clients send recovery data to MBAM and compliance data to SCCM.
  • Inactive or deleted SCCM clients drop out of the compliance data, which is unacceptable for legal compliance.
  • SCCM keeps only a shallow hardware inventory history, which is also unacceptable for legally required compliance data.

Assumption:

The best method is to have MBAM monitor and control BitLocker while SCCM passively collects inventory data.

Process:

Extend ConfigMgr Hardware inventory

Add the classes to configuration.mof following the instructions provided by Microsoft

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/edit-the-configurationmof-file

The step we skipped was “installing MBAM with ConfigMgr”, so we do not have the BitLocker Enterprise Compliance Dashboard or the MBAM reports in SCCM. Our use of ConfigMgr with MBAM isn’t focused on reports, however, so that step is hardly worthwhile; we just want to create collections and deploy task sequences, and we now have that ability.

Here are the hardware inventory classes for BitLocker & TPM
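The inventory classes above are views over WMI data that every Windows client already exposes. The following script is an added example, not code from the original post or from MBAM: it reads the TPM state from Win32_Tpm and the per-volume encryption state from Win32_EncryptableVolume, then evaluates the same compliance question the inventory data is used to answer, so a single machine can be checked in an elevated session before its next inventory cycle. The function names and the compliance rule (every OS and fixed data volume fully encrypted with protection on, and a usable TPM) are this example's own choices.

```powershell
# Added example, not from the original post: read the TPM and volume state the MBAM
# hardware-inventory classes are built from and evaluate it locally.
# Run in an elevated PowerShell session on the client.

function Get-TpmState {
    # Win32_Tpm lives in root\cimv2\Security\MicrosoftTpm; no instance means no TPM is exposed
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        Activated = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        Owned     = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
    }
}

function Get-VolumeEncryptionState {
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in (Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume)) {
        $prot = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
        $conv = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
        $meth = Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod
        # KeyProtectorType 0 asks for every protector on the volume
        $kp   = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                                 -Arguments @{ KeyProtectorType = [uint32]0 }
        [pscustomobject]@{
            DriveLetter          = $vol.DriveLetter
            VolumeType           = $vol.VolumeType          # 0 = OS, 1 = fixed data, 2 = removable
            ProtectionStatus     = $prot.ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
            ConversionStatus     = $conv.ConversionStatus   # 0 = decrypted, 1 = encrypted, 2 = encrypting, 3 = decrypting, 4/5 = paused
            EncryptionPercentage = $conv.EncryptionPercentage
            EncryptionMethod     = $meth.EncryptionMethod   # 0 = none, 3 = AES-128, 4 = AES-256, 6/7 = XTS-AES-128/256
            KeyProtectorCount    = @($kp.VolumeKeyProtectorID).Count
        }
    }
}

function Test-BitLockerCompliance {
    # Example rule: the TPM must be usable, and every OS and fixed data volume must be
    # fully encrypted with protection on and at least one key protector present.
    $tpm     = Get-TpmState
    $vols    = @(Get-VolumeEncryptionState)
    $reasons = New-Object 'System.Collections.Generic.List[string]'
    if (-not ($tpm.Present -and $tpm.Enabled -and $tpm.Activated)) {
        $reasons.Add('TPM not present, enabled and activated')
    }
    foreach ($v in ($vols | Where-Object { $_.VolumeType -in 0, 1 })) {
        if ($v.ProtectionStatus -ne 1)  { $reasons.Add("$($v.DriveLetter) protection is off") }
        if ($v.ConversionStatus -ne 1)  { $reasons.Add("$($v.DriveLetter) is not fully encrypted") }
        if ($v.KeyProtectorCount -eq 0) { $reasons.Add("$($v.DriveLetter) has no key protectors") }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($reasons.Count -eq 0)
        Reasons      = $reasons.ToArray()
        Tpm          = $tpm
        Volumes      = $vols
    }
}

Test-BitLockerCompliance | Format-List
```

Running this on a machine that has just had a third-party encryption product removed is a quick way to confirm that the volumes really report as fully decrypted (ConversionStatus 0) and that the TPM is enabled and activated before the MBAM agent is installed; the Reasons list is what a collection membership query would later be built on.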

Installing a client

On my laptop I had to remove the existing disk encryption then clear the TPM using tpm.msc.

Next I rebooted the laptop and during the reboot I had to click F12 to confirm that I wanted to modify the TPM.

Then I moved my laptop AD account to the correct OU for the BitLocker GPO to apply the encryption policy. Once the policy was applied, I could then install the MBAM agent to start the BitLocker process.

The MBAM administrator provided the MbamClientSetup.exe and MBAM2.5_Client_x64_KB4014009.msp. From the EXE I extracted MbamClientSetup-2.5.1100.0.msi. Then I created an SCCM Task Sequence to run the MSI then the MSP and I ran the task sequence on my computer. It installed the MBAM agent as expected but nothing seemed to happen for about an hour.

About an hour later I found this waiting for me to create a PIN. Once I did, the encryption began.

To enable the TPM on models where it is disabled see this document: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker
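The agent install described above (run the MSI, then the MSP) can be done in one task sequence step that also enforces the ordering the post relies on. The script below is an added example, not the post's own task sequence: it refuses to run until the MBAM Group Policy has applied, installs the MSI and then the MSP with verbose logs, checks msiexec's exit codes, verifies that the agent service is running, and hands the result back to the task sequence. The file names are the ones listed in the post; the policy registry key (HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement) and the service name (MBAMAgent) are assumptions about the MBAM 2.5 client, not values taken from the post.

```powershell
# Added example, not the post's own task sequence: install the MBAM 2.5 client MSI,
# apply the hotfix MSP, and verify the agent before the step reports success.
# Assumes the MSI and MSP sit next to this script in the package directory.
param(
    [string]$Msi    = 'MbamClientSetup-2.5.1100.0.msi',
    [string]$Msp    = 'MBAM2.5_Client_x64_KB4014009.msp',
    [string]$LogDir = "$env:SystemRoot\Temp"
)

function Invoke-Msiexec {
    param([string[]]$ArgumentList, [string]$Log)
    $msiArgs = $ArgumentList + @('/qn', '/norestart', "/l*v `"$Log`"")
    $p = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                       -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success with a reboot pending; anything else fails the step
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec $($ArgumentList -join ' ') returned $($p.ExitCode); see $Log"
    }
    return $p.ExitCode
}

# The post's precondition: the MBAM GPO must have applied before the agent is installed,
# otherwise the agent has no recovery or status endpoints to report to. Assumed key name.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
if (-not (Test-Path $policyKey)) {
    throw "MBAM policy not applied ($policyKey missing): move the computer to the correct OU and refresh Group Policy first"
}

$codes  = @()
$codes += Invoke-Msiexec -ArgumentList @('/i', "`"$PSScriptRoot\$Msi`"") -Log "$LogDir\MbamClient_msi.log"
$codes += Invoke-Msiexec -ArgumentList @('/p', "`"$PSScriptRoot\$Msp`"") -Log "$LogDir\MbamClient_msp.log"

# Assumed service name for the MBAM 2.5 client service
$svc = Get-Service -Name MBAMAgent -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name MBAMAgent; $svc.Refresh() }
if ($svc.Status -ne 'Running') { throw 'MBAMAgent service is installed but not running' }

# Return the real result: 3010 tells the task sequence a reboot is still needed
if ($codes -contains 3010) { exit 3010 } else { exit 0 }
```

If a pending reboot should not fail the sequence, make sure 3010 is among the step's accepted success codes. The hour-long wait the post describes is expected even when the install succeeds: the agent does nothing until its next policy check, so a successful exit here means the agent is installed and running, not that encryption has started.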