MSEndpointMgr

Step by Step: Microsoft BitLocker Administration and Monitoring – Part 3

In parts 1 & 2 of this series of posts on installing and configuring Microsoft Bitlocker Administration and Monitoring (MBAM) we ran through the installation, validation and customisation options available. In this the third part, we will look at how client GPO policies are configured and how to push out the MBAM Client Agent via Systems Center Configuration Manager (ConfigMgr)

Part 1: Installation of MBAM components
Part 2: Validating IIS sites and customisation
Part 3: Configuration of GPO policies and client agent deployment
Part 4: Validation of key storage and recovery tests

Group Policy Configuration

All settings for MBAM client deployments are configured through Group Policy. The first thing you will need to do is to update your policy central store with the MBAM ADMX group policy files which can be downloaded from Microsoft – https://www.microsoft.com/en-us/download/details.aspx?id=55531

Now let us step through creating a new GPO for the Windows clients

  • Open Group Policy Management Editor or the Advanced Group Policy Management console (depending on your environment)
  • Create a new Group Policy object and name it according to your naming convention
  • Open the newly created GPO and expand to Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management);

Configuring the GPO is going to depend on your requirements, whether or not you are going to apply BitLocker to encrypt removable drives and so on. For this example I am going to require the following settings;

  • All fixed disks are encrypted
  • AES XTS 256 bit encryption is required
  • TPM only authentication is used
  • The use of passwords (non-TPM) is blocked
  • The BitLocker recovery page provides Helpdesk contact information

Below are all of the settings contained within my demo example;

GPO Path – MDOP MBAM (BitLocker Management)

SettingValues
Choose drive encryption method and cipher strength.
(Windows 10 [Version 1511] and later)
Enabled
Select the encryption method for operating system drives: XTS-AES 256-bit
Select the encryption method for fixed data drives: XTS-AES 256-bit
Select the encryption method for removable data drives: XTS-AES 256-bit
Choose drive encryption method and cipher strength.Select the encryption method: AES 256-bit

GPO Path – MDOP MBAM (BitLocker Management)/BitLocker Drive Encryption/Client Management

Configure MBAM servicesMBAM Recovery service endpoint: https://YOURSERVER/MBAMRecoveryAndHardwareService/CoreService.svc
Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://YOURSERVER/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720

GPO Path – MDOP MBAM (BitLocker Management)/BitLocker Drive Encryption/Fixed Drives

Choose how BitLocker-protected fixed drives can be recoveredEnabled
Allow data recovery agent Enabled
Omit recovery options from the BitLocker setup wizard Enabled
Save BitLocker recovery information to AD DS for fixed data drives Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives Disabled

GPO Path – MDOP MBAM (BitLocker Management)/Fixed Drive

Choose how BitLocker-protected fixed drives can be recoveredEnabled
Allow data recovery agent Enabled
Omit recovery options from the BitLocker setup wizard Enabled
Save BitLocker recovery information to AD DS for fixed data drives Enabled
Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives Disabled
Configure use of passwords for fixed data drivesDisabled
Encryption Policy Enforcement SettingsEnabled
Configure the number of noncompliance grace period days for fixed drives. This grace period begins only after the operating system drive compliance is detected: 0
Fixed data drive encryption settingsEnabled
This policy setting allows you to manage whether the fixed data drive must be encrypted or not.
Configure Auto-Unlock for fixed data drive: Allow Auto-Unlock

GPO Path – MDOP MBAM (BitLocker Management)/Operating System Drive

Choose how BitLocker-protected operating system drives can be recoveredEnabled
Allow data recovery agent: Enabled
When using ‘BitLocker Management Solution’, the “Save BitLocker recovery information to AD DS for operating system drive” option should be unchecked
Omit recovery options from the BitLocker setup wizard: Disabled
Save BitLocker recovery information to AD DS for operating system drives: Enabled
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled
Configure pre-boot recovery message and URLEnabled
Select an option for the pre-boot recovery message: Use custom recovery message
Custom recovery message option: SCConfigMgr Lab Disk Encryption – Contact the IT Helpdesk on +x xxx xxxx
Custom recovery URL option:

At this point you should now have a functional GPO for deployment, simple link this to the computers you wish to receive the policy.

MBAM Client Agent Deployment

Here I am going to focus on deployment of the MBAM client via Configuration Manager in the form of an application. For a successful installation both the base client installation and the July 2018 hotfix will be required, without the hotfix you would receive compliance issues when using the AES-XTS cipher specified in the GPO created earlier.

The EXE provided can be pushed out using the following: MBAMClientSetup.exe /acceptEula=Yes

For this example however I am going to extract the MSI contained within the MBAMClientSetup.exe using the following command: MBAMClientSetup.exe /extract <path to extract MSI> /acceptEula=Yes

Now that the MSI is available I am going to bundle this along with the hotfix and deploy to clients using the following process;

  • Copy both the MSI and MSP into a source directory
  • Launch the ConfigMgr Administration Console
  • Click on Software Library and expand the Application Management\Applications node
  • Right click on the Applications node and click on Create Application
  • Select the type as “Windows Installer (*.msi file)” then click on Browse to locate the installer;

  • Click on the next button and you should arrive at the following screen;

  • Now fill in any additional package information you wish;

  • Click on Next and you will be presented with a summary screen;

  • Click on Next to and you should then get a package created completion screen;

The next step is to bundle the MSP and include detection logic for the installation

  • Right click on the MBAM MDOP application you just created and click on Properties
  • Click on the Deployment Types tab and you should have a screen similar to the below;

  • Click on the “Add” button
  • Select “Manually specify the deployment type information“:

  • Provide a name for the hotfix, in this example I’ll use “MBAM Hotfix KB4340040”, click Next
  • Enter the following content information;

    Installation Program : msiexec.exe /p MBAM2.5_Client_x64_KB4340040.msp /quiet /norestart
    Uninstall Program : msiexec.exe /X {AEC5BCA3-A2C5-46D7-9873-7698E6D3CAA4}

  • Click Next and Add Clause on the Detection Method tab
  • Enter the following details;


    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AEC5BCA3-A2C5-46D7-9873-7698E6D3CAA4}
    Value: DisplayVersion
    Value: 2.5.1143.0

  • On the User Experience tab use the following settings;

  • Add a new dependency, selecting the MSI file previously added;

  • Complete the Deployment Wizard
  • Edit the Application and change the order of the Deployment Types so that the HotFix is first in the list;

  • Click OK and deploy your application;

Next Step

In the next part of the series we will look at validating key storage, recovery and troubleshooting.

Continue to Part 4

(38340)

Maurice Daly

Maurice has been working in the IT industry for the past 20 years and currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.

Add comment

Sponsors