Uncategorized

Managing BitLocker with Configuration Manager: Administration

April 28, 2020

This guide is broken into five parts:

  1. Preparation Part 1 – Get your Certificate
  2. Preparation Part 2 – Configure IIS and SQL
  3. Deployment
  4. Administration
  5. Reporting

Setting up BitLocker Portals:

Once again, I am going to do abbreviated directions of the installs as you can read the full documentation for yourself.

Before we install the actual portals, we need to have three AD groups for the different access levels. These groups can be groups you already have for other functions or you can create fresh groups and populate appropriately.

  1. Help Desk Users – members have access to the Manage TPM and Drive Recovery areas of the administration and monitoring website. When using these options, this role needs to fill in all fields, including the user’s domain and account name
  2. Help Desk Admins – members have access to all recovery areas of the administration and monitoring website. When helping users recover their drives, this role only has to enter the recovery key.
  3. Report Users – members have read-only access to the Reports area of the administration and monitoring website

Verify you meet the Prerequisites for the portals. I overlooked the requirement for Microsoft ASP.NET MVC 4.0 on the IIS server, so I now find myself wanting to call that one out specifically.

Now you need to copy the files MBAMWebSite.cab and MBAMWebSiteInstaller.ps1 from your ConfigMgr server install directory under SMSSETUP\BIN\X64 to a location on the server you are installing the portal(s) on. You can install the portals on different servers.

In my case, the command line for the install was:

.\MBAMWebSiteInstaller.ps1 -SqlServerName CM1.corp.cmpfe.local -SqlDatabaseName CM_PFE -ReportWebServiceUrl https://CM1.corp.cmpfe.local/ReportServer -HelpdeskUsersGroupName "corp\BitLockerUsers" -HelpdeskAdminsGroupName "corp\BitLockerAdmins" -MbamReportUsersGroupName "corp\BitLockerReportViewers" -SiteInstall Both

Open a PowerShell window and navigate to the directory you saved the files above in. Run your command and you will see the install progress.

Once Install completes, it is time to customize your self-service portal.

1. Open IIS Management console
2. Expand Sites, expand Default Web Site, and select the SelfService node. In the details pane, ASP.NET group, open Application Settings.

3. Change the values as desired. You can get descriptions of the values as well as information on localization in the official documentation

4. Open File Explorer and browse to the install directory of the self-service portal. Default is C:\inetpub\Microsoft BitLocker Management Solution\Self Service Website
5. Edit the notice.txt file to your desired notice.

Using the BitLocker Portals:

Self-service Portal

To access the self-service portal go to https:.//<server you installed portal on>/selfservice.

Check the box to agree to the notice and then click continue.

Now you can enter your Key ID, you need at least 8 characters, then click Get Key. if you have signed into the computer at least once and are in a local session on the device, you will be rewarded with your recovery key. Considering you would not access the site if you could log in to the device to begin with, the self-service portal is of little use.

HelpDesk Portal:

To access the self-service portal go to https:.//<server you installed portal on>/helpdesk.


The HelpDesk Portal allows you to recover keys for others, how much information you need to enter to get a key depends on if you are in the users or admins groups we created earlier.

I was not able to get the audit report to load in the HelpDesk Portal, so I headed over to SSRS. Which means this is a good time to head over to the next installment on reporting.

Continue to Reporting