Managing BitLocker with Configuration Manager: Deployment

April 28, 2020

This guide is broken into five parts:

  1. Preparation Part 1 – Get your Certificate
  2. Preparation Part 2 – Configure IIS and SQL
  3. Deployment
  4. Administration
  5. Reporting


Updated 2/8/2021 to include error if you have not encrypted the SQL tables (or optionally the entire DB) and do not select allowing plain text storage.

Create a policy

NOTE: I will step through the basic steps from the official documentation, but I am going to skip most of setting descriptions as you can easily reference the original as my intent is not to duplicate the work of the docs team.

1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Endpoint Protection, and select the BitLocker Management node.
2. In the ribbon, select Create BitLocker Management Control Policy.

3. On the General page, specify a name and optional description. Select the components to enable on clients with this policy

4. On the Setup page, configure the settings for BitLocker Drive Encryption.

Opinion: Although the default cipher is XTS-AES 128, I always change it to XTS-AES 256. While there are benchmarks showing there is a very slight speed penalty (I don’t think you would notice it without benchmarking software), I am willing to make that trade for stronger encryption.

5. On the Operating System Drive page, specify settings

Opinion: I tend to follow the Security Technical Implementation Guides (STIGs) from the Department of Defense. There are a few settings for BitLocker on Windows 10.

SV-77827r4_rule: Full disk encryption via BitLocker is required on all disks
SV-104689r1_rule: TPM & PIN required (network unlock is allowed)
SV-104691r1_rule: BitLocker PIN must me 6+ characters

6. On the Fixed Drive page, specify settings

7. On the Removable Drive page, specify settings.

8. On the Client Management page, specify settings.

NOTE: If you opted not to encrypt SQL you must specifically choose to allow key storage in plain text. In the screenshot above, you can see the option is grayed out as the SQL tables are encrypted. If you skipped this the check box is available and attempting to get past this page without checking the box will result in an error.

9. Complete the wizard

Deploy a policy

1. Choose an existing policy in the BitLocker Management node. In the ribbon, select Deploy.

2. Select a device collection as the target of the deployment.
3. If you want the device to potentially encrypt or decrypt its drives at any time, select the option to Allow remediation outside the maintenance window. If the collection has any maintenance windows, it still remediates this BitLocker policy
4. Configure a Simple or Custom schedule. By default, the client evaluates its compliance with this policy every 12 hours.
5.Select OK to deploy the policy

Once the clients receive the policy, you will notice they have a new baseline on the Configurations tab of the ConfigMgr Control Panel Applet (or the Configurations tab of the Windows Admin Center Configuration Manager extension)

Shortly thereafter the MBAM client (it may be from ConfigMgr, but it is still branded MBAM) will be installed in C:\Program Files\Microsoft\MDOP MBAM.

The MBAM client runs its cycle every 90 minutes by default, although that can be changed (see step 8 above).

NOTE: You can check the timing of the MDOP cycle in event viewer under Applicaitons and Services Logs > Microsoft > Windows > MBAM > Operational.

The UI to encrypt will open when MDOP runs its check and a user is logged in to the console session.

Note: If you are deploying to VM’s, the disks must be fixed size. Since this encrypts the full disk (vs used space), that full disk must be available. In addition, you must me running Windows 10 1809 or later to use full disk encryption on Hyper-V.

Note: The UI to encrypt would not pop up when connected via RDP or Hyper-V “enhanced session”, I had to be logged in to the console.

Continue to Administration