How to manage MBAM (bitlocker) with SCCM, best practices
MBAM was a good option to manage bitlocker and computer disk encryption in general. I have been lately in many Windows 10 migrations projects and I’ve seen many companies moving to MBAM, the main reason was that this is the most easy and stable encryption method to support the fast pace windows 10 releases. Unfortunate MBAM is close to end of support in June 2019. But even so we still continue to use MBAM in many projects.
In this article I will give you the best practices to work with MBAM and SCCM. Actually where I go to design MBAM I always use the MBAM sccm integration if SCCM is already in use. This is from far the easiest way to manage the computer fleet with just one product, the mighty SCCM 😊.
I will not cover MBAM installation here , if you need a guide just go to Microsoft official MBAM with SCCM topology link https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology
Very important in prerequisites is to modify .mof configuration and add new classes for HW scan https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology
Once you finished to install MBAM server and on SCCM server the MBAM integration (it will create out of box reports, bitlocker compliance, MBAM ready computer collection, etc) you need to create the GPO to manage MBAM, please note you need to import MBAM ADMX GPO to cover MBAM settings, don’t use default Bitlocker settings from GPO. More about MBAM GPO here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements
Now, you have MBAM environment ready, deploy MBAM client (MDOP MBAM) trough SCCM Task Sequence.
After MBAM client in task sequence add a reg key to force MBAM client to encrypt fastest possible and not waiting 90 min.
Script, save as bat file, create a package in sccm and invoke the .bat file:
Windows Registry Editor Version 5.00
For test only:
On the new computer force group policy to be applied, to take MBAM settings gpupdate /force than go to services and restart bitlocker Management services. This it will force MBAM agent to contact MBAM server, check the compliance settings, report and start encryption.
For more information check the logs, Event Viewer --> Applictions and Services Logs --> Microsoft --> Windows --> MBAM
After encryption is finished go to control panel, system and security, open Configuration manager agent properties and run Hardware Scan. The hardware scan it will capture the MBAM (bitlocker) status and store in SCCM DB.
Quick BitLocker status with PowerShell
PS C:\WINDOWS\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
Size: 471.56 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Now you can see the status in sccm report for this computer :Monitoring --> Overview --> Reporting -->Reports --> MBAM -->en-US
Was easy, no, happy SCCM-ing :)