How to manage MBAM (bitlocker) with SCCM, best practices

MBAM is a good option for managing BitLocker and computer disk encryption in general. I have lately been involved in many Windows 10 migration projects and I have seen many companies moving to MBAM; the main reason is that it is the easiest and most stable way to manage encryption at the fast pace of Windows 10 releases. Unfortunately, MBAM is close to end of support (June 2019). Even so, we still continue to use MBAM in many projects.

In this article I will give you the best practices for working with MBAM and SCCM. Whenever I design an MBAM deployment, I use the MBAM SCCM integration if SCCM is already in use. This is by far the easiest way to manage the computer fleet with just one product, the mighty SCCM 😊.

I will not cover the MBAM installation here; if you need a guide, go to Microsoft's official MBAM with SCCM integration topology page: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology

A very important prerequisite is to modify the .mof configuration and add the new classes for the hardware inventory scan: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology

Once you have finished installing the MBAM server and the MBAM integration on the SCCM server (it creates out-of-the-box reports, the BitLocker compliance baseline, the MBAM-ready computers collection, etc.), you need to create the GPO to manage MBAM. Please note that you need to import the MBAM ADMX templates to cover the MBAM settings; don't use the default BitLocker settings from GPO. More about MBAM GPO here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements

Now that the MBAM environment is ready, deploy the MBAM client (MDOP MBAM) through an SCCM task sequence.

After the MBAM client step in the task sequence, add a registry key that forces the MBAM client to start encryption as soon as possible instead of waiting up to 90 minutes.

Script (save it as a .bat file, create a package in SCCM and invoke the .bat file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]
"NoStartupDelay"=dword:00000001

For testing only:

On the new computer, force Group Policy to be applied so the MBAM settings are picked up (gpupdate /force), then go to Services and restart the BitLocker Management Client Service. This forces the MBAM agent to contact the MBAM server, check the compliance settings, report, and start encryption.

For more information, check the logs in Event Viewer --> Applications and Services Logs --> Microsoft --> Windows --> MBAM


After encryption has finished, go to Control Panel --> System and Security, open the Configuration Manager agent properties and run a Hardware Scan (the Hardware Inventory Cycle action). The hardware scan captures the MBAM (BitLocker) status and stores it in the SCCM database.
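The test steps above (registry key, gpupdate, service restart, MBAM event log, hardware inventory) as one PowerShell script. This is an added example, not code from the original post or from the MBAM/SCCM products; it assumes the MBAM client service is named MBAMAgent (display name "BitLocker Management Client Service") and that the client writes to the Microsoft-Windows-MBAM/Admin and /Operational event logs. Run it elevated on a test machine, not in the task sequence.

```powershell
# Added example (not from the original post): PowerShell equivalent of the manual
# test steps on a single machine where the MBAM client is already installed.
# Assumptions: service name 'MBAMAgent' (display name "BitLocker Management Client
# Service") and the Microsoft-Windows-MBAM/Admin and /Operational event logs.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [int]$WaitSeconds = 120   # how long to give the agent before reading its log
)

# 1. Same change as the .reg file above: skip the startup delay (default up to 90 min).
$mbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'
if (-not (Test-Path $mbamKey)) { New-Item -Path $mbamKey -Force | Out-Null }
New-ItemProperty -Path $mbamKey -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Pull the MBAM GPO settings now instead of waiting for the next policy refresh.
gpupdate /force | Out-Null

# 3. Restart the MBAM agent so it re-reads policy and contacts the MBAM server.
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if (-not $svc) {
    $svc = Get-Service -DisplayName 'BitLocker Management Client Service' -ErrorAction Stop
}
Restart-Service -InputObject $svc -Force
$since = Get-Date

# 4. Give the agent time to report and start encryption, then show what it logged
#    (the same entries you would read under Event Viewer --> ... --> MBAM).
Start-Sleep -Seconds $WaitSeconds
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue
$events | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
'{0} {1}, {2:N1}% encrypted, protection {3}' -f $os.MountPoint, $os.VolumeStatus,
    $os.EncryptionPercentage, $os.ProtectionStatus

# 5. Only a hardware inventory taken after the volume is fully encrypted reports the
#    final state to the SCCM database, so trigger it then, not before.
if ($os.VolumeStatus -eq 'FullyEncrypted') {
    $hwInventory = '{00000000-0000-0000-0000-000000000001}'   # SCCM client Hardware Inventory Cycle
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = $hwInventory } | Out-Null
    'Hardware inventory triggered; check the MBAM reports in the SCCM console once it is processed.'
} else {
    'Encryption still in progress; run the Hardware Inventory Cycle again after it reaches FullyEncrypted.'
}
```

The script stops short of the SCCM report itself: the MBAM state only becomes visible there after the inventory has been received and processed by the site server, which is why the inventory is triggered last and only once the volume reports FullyEncrypted.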


Quick BitLocker status with PowerShell

PS C:\WINDOWS\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 471.56 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password
        TPM 
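A scriptable version of the same check, returning one object per volume so it can be run through Invoke-Command or exported to CSV across a fleet. This is an added example, not code from the original post; the expected values (XTS-AES 256 and TPM plus numerical password protectors) are assumptions that should match your MBAM GPO, and manage-bde's "Numerical Password" appears as the RecoveryPassword key protector type in the BitLocker PowerShell module.

```powershell
# Added example (not from the original post): PowerShell equivalent of reading
# manage-bde -status by hand. Assumption: the expected method and protectors
# below match the MBAM GPO ("Numerical Password" = KeyProtectorType RecoveryPassword).
function Test-BitLockerPolicy {
    [CmdletBinding()]
    param(
        [string[]]$MountPoint = @($env:SystemDrive),
        [string]$ExpectedMethod = 'XtsAes256',
        [string[]]$RequiredProtectors = @('Tpm', 'RecoveryPassword')
    )
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $missing    = @($RequiredProtectors | Where-Object { $protectors -notcontains $_ })

        # Each check mirrors one line of the manage-bde output above.
        $checks = [ordered]@{
            FullyEncrypted     = ($vol.VolumeStatus -eq 'FullyEncrypted')      # Conversion Status
            ProtectionOn       = ($vol.ProtectionStatus -eq 'On')               # Protection Status
            ExpectedMethod     = ([string]$vol.EncryptionMethod -eq $ExpectedMethod)  # Encryption Method
            RequiredProtectors = ($missing.Count -eq 0)                          # Key Protectors
        }
        $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Name)

        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            MountPoint        = $vol.MountPoint
            VolumeStatus      = [string]$vol.VolumeStatus
            EncryptionPercent = $vol.EncryptionPercentage
            EncryptionMethod  = [string]$vol.EncryptionMethod
            ProtectionStatus  = [string]$vol.ProtectionStatus
            KeyProtectors     = ($protectors -join ', ')
            MissingProtectors = ($missing -join ', ')
            Compliant         = ($failed.Count -eq 0)
            FailedChecks      = ($failed -join ', ')
        }
    }
}

# Usage on the local OS volume, matching the manage-bde output above:
Test-BitLockerPolicy | Format-List
# All BitLocker-capable volumes on the machine:
# Test-BitLockerPolicy -MountPoint (Get-BitLockerVolume).MountPoint | Format-Table -AutoSize
```

A machine that shows Compliant = True here still has to be reported as compliant by SCCM, which needs the hardware inventory (with the extra MBAM .mof classes from the prerequisites) to have run after encryption finished; this local check is useful precisely when the SCCM report and the machine disagree.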

Now you can see the status in the SCCM report for this computer: Monitoring --> Overview --> Reporting --> Reports --> MBAM --> en-US


That was easy, wasn't it? Happy SCCM-ing :)