How to use SCCM Task Sequence to enable, configure and monitor Bitlocker
MBAM is out of support soon (09/07/2019) and right now they are two options to manage Bitlocker with Azure on cloud or on prem with SCCM, AD and PowerShell.
In this article I will cover the second scenario, pre Provision Bitlocker with SCCM, store the recovery key in AD, Bitlocker Group Policy for more settings, PowerShell for status and reports, SCCM for Reports.
Microsoft links with details for each step
More details about Task Sequnce pre-provision Bitlocker:
More details about Task Sequnce enable Bitlocker:
More details about manage Bitlocker with Group Policy Object:
More details about manage Bitlocker with PowerShell:
First let’s review the disk partition, ned’s to be done in UEFI schema
Add a step in Task Sequence for Pre-provision BitLocker right after disk partition.
At the end of you TS add Enable Bitlocker step. In my example I have used to store the key only in TPM chipset. Also very important is to store the key in Active Directory Domain Services. A big disadvantage of store the key in AD is that each time the encryption key it will be renewed it will be store in AD without to remove the old one. I will end with a lot of keys for each computer, you can still sort to see which is the newest to be used for unblock the computer. I have also chose to encrypt only the used space to be more faster.
After computer is joined in domain you can check the logs and AD to ensure that everything is ok and the key is stored in ad.
A very easy way to test the recovery key is to change the BIOS, disable Secure boot for example, it will triggered immediately the recovery mode and you can test the Bitlocker key
1. with PowerShell command check the status , manage-bde -status
PS C:\WINDOWS\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
Size: 471.56 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
2. Check the logs on client going to Event Viewer à Applications and Services à Microsoft à Windows à BitLocker-API à Management
3. Check the key in AD, you have two option, in computer object properties or right click on domain tree and from the menu select find BitLocker Key
4. Reports, you can still use SCCM with MBAM integration for reports or you can use PowerShell commands
A few examples of reports using MBAM integration. You don’t need MBAM server just MBAM integration with .mof file modified see the Microsoft link https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology
This are two examples of reporting using PowerShell scripts from Microsoft
Was easy no, happy SSCM-ing :)