MSEndpointMgr

Step by Step: Microsoft BitLocker Administration and Monitoring – Part 2

Having installed the MBAM components in the first part of this series of posts, it is now time to validate that the IIS components are in place and to be aware of what each of them does.

Part 1: Installation of MBAM components
Part 2: Validating IIS sites and customisation
Part 3: Configuration of GPO policies and client agent deployment
Part 4: Validation of key storage and recovery tests

The Self Service Portal

The self-service portal provides end-users with a quick means of recovering their BitLocker recovery password in the event of a recovery event being triggered. Let us go ahead and validate that the component was successfully installed;

  • Launch a web browser and browse to the following URL – http://MBAMServer.YourDomain.Suffix/SelfService

  • If you can see a page similar to the one above, the SelfService page is ready to use (we will test SQL access later)

Customising The Self Service Portal

Should you want to create a branded self service portal like the above, you will need to edit the site master layout and the CSS file for the site. To do so, simply follow the below;

Site Style Sheet

  • Browse to the following location – C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Content
  • Create a backup of the Site.CSS style sheet
  • Open the Site.CSS style sheet
  • Now you can remove the gradient background by changing the following;
    body
    {
    font-family: "Segoe UI", Verdana, sans-serif;
    font-size: 14px;
    color: #333;
    background: #DFF2F9 url(images/BrowsersBkgd_repeat-x.jpg) top left repeat-x;
    margin: 0px;
    }
  • Next update the background colour with your preferred colour in hexadecimal format
  • In this example #DFF2F9 is replaced with #FFFFFF for a white background;
    body
    {
    font-family: "Segoe UI", Verdana, sans-serif;
    font-size: 14px;
    color: #333;
    background: #FFFFFF;
    margin: 0px;
    }
  • In order to give the header block a contrasting background, locate the following section of code;
    #header
    {
    display: block;
    }
  • Add a background entry with your background colour, again in hexadecimal format. You should then have a section like the below;
    #header
    {
    display: block;
    background: #454442;
    }

Adding A Custom Logo

To add an image with your organisation's logo, you will first need to create and size the logo. In the example shown below I have used a pixel height of 120 and colour matched the background;

Now to insert the logo;

  • Save the image file to the following location;
    C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Content\Images
  • Browse to the following location and create a backup of the Site.Master file;
    C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website\Views\Shared
  • Open the Site.Master in a text editor
  • Scroll down to the following section;
    <div id="header">
    <div class="content">
    <% Html.RenderPartial("UserIdentityControl"); %>
    <br/>
    <% Html.RenderPartial("UserLogoutControl"); %>
    <h1>
    <asp:Literal runat="server" Mode="Encode" Text="<%$appSettings:CompanyName %>" />
    </h1>
    </div>
    </div>
  • Add the HTML image tags and comment out the text company name as per the below;
    <div id="header">
    <div class="content">
    <% Html.RenderPartial("UserIdentityControl"); %>
    <br/>
    <% Html.RenderPartial("UserLogoutControl"); %>
    <img src="<%= Url.Content("https://lab-mbam.scconfigmgrlab.local/SelfService/Content/Images/SCConfigMgrBackgroundLarge.png") %>" alt="SCConfigrMgr Lab Environment">
    <!--
    <h1>
    <asp:Literal runat="server" Mode="Encode" Text="<%$appSettings:CompanyName %>" />
    </h1>
    -->
    </div>
    </div>

The Helpdesk Portal

Self-explanatory in its naming, the Helpdesk portal provides helpdesk staff with a means of recovering keys and managing TPM states. Let’s go ahead and validate access;

  • Launch a web browser and browse to the following URL – http://MBAMServer.YourDomain.Suffix/Helpdesk

  • If you can see a page similar to the one above, the Helpdesk page is ready to use (we will test SQL access later)

Recovery & Status Service Endpoints

In order for the MBAM client agent to escrow the recovery key and provide status/compliance messages to the MBAM database, two IIS service points are used. You can test these by running through the following;

  • Launch a web browser and browse to either or both of the following URLs –
    http://MBAMServer.YourDomain.Suffix/MBAMRecoveryAndHardwareService/CoreService.svc,
    http://MBAMServer.YourDomain.Suffix/MBAMComplianceStatusService/StatusReportingService.svc
  • You should now see a page similar to the below;
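
The browser checks for the two portals and the two service endpoints can also be run as one script. The PowerShell below is an added example, not part of the original post; it assumes the placeholder host name MBAMServer.YourDomain.Suffix used on this page and that the account running it is allowed to open each site.

```powershell
# Added example: checks the four MBAM IIS endpoints listed in this post.
# $BaseUrl is the placeholder host name used on this page; replace it with your own server.
param(
    [string]$BaseUrl = 'http://MBAMServer.YourDomain.Suffix'
)

# Relative paths taken from the validation steps in this post.
$endpoints = [ordered]@{
    'Self Service Portal' = '/SelfService'
    'Helpdesk Portal'     = '/Helpdesk'
    'Recovery Service'    = '/MBAMRecoveryAndHardwareService/CoreService.svc'
    'Status Service'      = '/MBAMComplianceStatusService/StatusReportingService.svc'
}

$results = foreach ($name in $endpoints.Keys) {
    $uri    = $BaseUrl.TrimEnd('/') + $endpoints[$name]
    $status = $null
    $detail = $null
    try {
        # -UseDefaultCredentials sends the logged-on user's Windows credentials
        # if the site asks for them, as a domain-joined browser would.
        $response = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $status = [int]$response.StatusCode
        $detail = 'OK'
    }
    catch {
        # HTTP errors (401, 403, 404, 500) carry a response; DNS or connection failures do not.
        $resp = $_.Exception.Response
        if ($resp) { $status = [int]$resp.StatusCode }
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Component = $name
        Uri       = $uri
        Status    = $status
        Healthy   = ($status -eq 200)
        Detail    = $detail
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code so the check can be used from a scheduled task or pipeline.
if ($results.Healthy -contains $false) { exit 1 }
```

A 401 or 403 against one of the portals means the site is answering but the account used for the check is not authorised for it, which is a different problem from a 404 or a connection failure.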

Next Step

In the next part of the series we will look at configuration of the MBAM group policy settings and deploying the MBAM client.

Continue to Part 3


Maurice Daly

Maurice has been working in the IT industry for the past 20 years and currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.
