BitLocker Integration - ConfigMgr current branch

Captions
hi my name is Steve rahi I am a premier field engineer focused on management technologies today's discussion will be detailing the bitlocker integration that has been introduced into Microsoft endpoint manager config manager this was something that was first introduced in 1910 of this release and will detail the requirements a little bit later but wanted to call that out up front in terms of our agenda what is BitLocker management and what is specifically BitLocker and config manager integration why BitLocker management matters and again why BitLocker and config manager integration then will actually walk through that integration we'll talk about the requirements we'll see how it works we'll talk about configuring actually see it in action and then we'll end up with some troubleshooting tips and tricks ok so what is BitLocker management well specifically and notice I didn't ask the question what is BitLocker and BitLocker is disk encryption all right so that's that's kind of there but what is a BitLocker management well in order to encrypt the disks in order to do this well at scale there needs to be some way to be able to manage this in in a broad way so managing at enterprise scale so BitLocker management designed for the enterprise right again management at scale that Locker management will introduce things like helpdesk capabilities being able to enable the helpdesk to support BitLocker key management key retrieval things of that nature offering the user some self-service capabilities letting them go out and recover their own key if if needed reducing the requirement even though we do have the help desk they're reducing the requirement for calls to the help desk right BitLocker management will by a necessity manage key escrow key storage in case something is needed for recovery right key he asked your key management kind of go hand in hand the traditional way historically that this has been handled is through M BAM right and so that is a technology that is 
targeted for deprecation it still got at least as of this recording it still got a good runway on it but wanting to have an alternative for that and so config manager and BitLocker management integration is it is alive now and and you can start to think about how you might want to do that especially if you have a an extensive and then deployment already so again what is BitLocker an config manager management integrated right so specifically the idea here is that the capabilities of em BAM are now integrated into config manager I'll show you how how that's represented in 1910 being able to reduce your infrastructure so no need to have config manager infrastructure and a separate in man infrastructure you can leverage the config manager infrastructure you have for being able to to handle your BitLocker management needs being able to have the config manage of database instead of having to maintain one again for for EM BAM right all of its kind of in the config manager database the portals the help desk and the self-service portal that are popular with em BAM are in fact retained and key encryption is supported so you can absolutely store your keys in the config manager database and to do that with plaintext that's an option the other way is to enable support for encryption in the config manager database and I'll show you that as well so why BitLocker management right well kind of talk about a little bit automation right and this is again BitLocker management just kind of in generic terms your automation being able to automate the process of encrypting volumes on client computers across the enterprise security being able to allow security offers to quickly identify and determine the compliance state of individual computers or even the total enterprise itself in terms of disk encryption the same security operatives being able to easily audit access to recovery key information but the help desk being able to reduce the workload on the help and to still be able to assist 
with BitLocker pin and recovery key requests that users might make right this empowers the users to do a lot of self-service stuff themselves right so why then integrate this into config manager again some of the same things automation we already have config manager in the environment that is built for automation so by integrating in BAM into config manager it kind of affords the best and most robust management solution that there is existing infrastructure many cases config managers already deployed and so plugging into that infrastructure for BitLocker management makes a whole lot a whole lot of sense reporting all right being able to leverage config manager reports and retain some of the reports that are in mmm already is is important and then finally a path forward so standalone NPM BAM I mentioned has been deprecated the data set for that it's a ways off still as of this recording but it has been been slated for that so being able to move there to integration now or to plan that integration to be able to test that integration is is important that you have enough time for that right ok so what are the requirements of integrating BitLocker with config manager well a few so config managed in 1910 is where we introduced this right so you do need to be on a minimum of 1910 and as of this recording 1910 is the latest version that is available all right in 1910 we require an SSL enabled management point in order to do BitLocker management now this one's interesting because there are some I'll just go ahead and mention this there are some discussions don't know for sure what it's going to look like until it shows up in the product but this is kind of a starting point there will be enhancements as the plan to this right and so right now for example we don't support enhanced HTTP but that may happen over time right so right now as a starting block we are requiring SSL enabled management points in order for this to work so one really important thing along those lines is 
before you go forward and test BitLocker policy and go down that route make sure that your MP and client are configured and communicating by SSL so that you know that that has a good chance of working right so one other thing bit luck there's a BitLocker component that's actually added to the management point I'll show that to you and and so in Milan so the other thing too I'll just mentioned as well you see down the fourth bullet for an iis server so there is an iis server required to host the portals the helpdesk portal the self-service portal in my lab in my demo I've separated that I a server for the help desk and the self-service portals from my management point you don't have to do that you can plug them all into one right the reason I did that is my management point is an SSL my help desk and self-service portals in my lab are not running an SSL we recommend that they do but they work fine without it right so I point that out reporting services right we need a reporting services point in order to stage the BitLocker reports and and have them out there and then I already mention the is server elements and this again though there's one component that we do document it's in the documentation that we require that's asp.net 4.2 install these portals make sure you have it there because if you don't you're gonna have challenges and it might not look familiar at first once you look at the air it actually is but in the indicative that you need asp.net 4.0 but make sure you have that on ahead of time and then finally permissions you do need to be a full config manager admin to create and manage BitLocker policy and you need sequences admin rights for running the portal installation scripts which will reference more in a minute okay so so how does this all work so just a quick diagram to kind of give you an idea right number one the config manager admin is going to create the bit this assumes that the infrastructure is ready right which we'll get into but the config 
manager admin creates your BitLocker policy and deploys it and then step number two the policy is deployed to the SSL and they will management point if this is the first BitLocker policy deployment the MP and bam components are installed step number four the client is going to retrieve and implement the policy if this is the first time that the policy is retrieved BitLocker policy is retrieved by a client then the mm agent will be installed automatically behind the scenes on to the client step number five the drive encryption is going to happen the recovery keys will be stored off to the config manager database and then down here I have just some graphics representing help desk user the self-service portal users whatever that are working with is directly to access the inbound portals which will let them do the things that they might want to do alright and then I have another graphic you know just how it works in terms of the BitLocker management lifecycle and this is from our Doc's alright it's kind of an ongoing process where we will deploy our BitLocker keys we'll have compliance and reporting we'll have recovery key management and so on right so this is part of it as well okay so let's get to the fun stuff let's give them to configuring this and how it works so we're gonna break this down into into the various phases so the first thing is to make sure that you have your management point configured for SSL now in order to do that in order to configure iis itself to support SSL which is where the MP lives so the MP has to have the iis server set for SSL first in order to do that you need a certificate it's a very easy certificate to get based on the web server certificate template but I'm not gonna go into the details of that here I've actually gone through that in several other sessions so I won't belabor the point here the docks are pretty clear about that I will show you where you have that certificate configured in iis so let me pull in my MP right now and and 
take a look at that okay yes administrator if I can't I log in to that and we will go into the is portal as soon as this comes up so watch that Administrative Tools and then is okay cool alright so here's my is portal this is already installed so if I go down to default website right here right so I'm gonna right click and edit bindings so 443 is what I care about so I'm going to edit that I've already chosen my cert again the process for that creating the cert enrolling desert I'm not demonstrating here but I do have the cert visible the way I know that this cert and I have several right how do I know which one is correct it's by viewing the cert and confirming what certificate template issued the cert I can go down and look right here so this is config manager web server for my lab so I know that I had the right template there so I'm good right and then I also have to go into the config manager console and shift this server into SSL mode let me pull in the config manager console real quick and we will we will show where this management point is shifted into SSL mode do that real quick here and as soon as the console comes up here let me get all this junk out of the way cool all right all right so let me go down here to administration make the console bigger and then site configuration and then site system roles here is my MP right there and so I have the management point installed right here right here I'll double click on it you'll see that I haven't configured for HTTP mode right there right so this is setup it is communicating in SSL mode one thing that I want to do mention at the beginning is to confirm that all of this is communicating correctly and the client can get to it so it haven't gotten to the client yet but that the client can get to it one of the ways that I can do that is by looking at the MP control log and so the MP control log oops that's the older one that matter really let me get the the current one come on close the current one so I'm gonna 
go down to the bottom just to see what's happening right now HTTP test request succeeded basically you can see that I'm selecting insert so it says HTTP it's interesting so wait a minute this actually is not working installation is still in progress that's interesting I wonder if the fact that I had it shut down for a while this didn't run and so I need to make sure that's good let me pause the video and I'll fix that and come back okay apologies excited she found out what it was it helps if you have an IP address actually assigned to your machine but that's neither here nor there anyway so this is the log that I just did and so you can see that I'm selecting a cert here I actually did change the search as part of my troubleshooting but that wasn't the issue waited for insert selected the cert so I don't know if that's a different time frame probably is I think it was because I deleted all of the Workstation off search but let's either hear their because the issue was I didn't have an IP address but either way so we are going through and in checking the SSL is enabled call to HTTP succeeded for port 443 status 200 so I know that my MP is in fact communicating with SSL so let me relaunch the iis page and so I'm gonna go ahead and proactively show you this because I've already got it configured I do have policy deployed something go ahead and show you this I mentioned that the in-band component is added to the site management point whatever you deploy policy here is that in banned virtual directory right there all right so that's on the MP so we've got the MP in SSL Mobe we've confirmed that it is actually communicating in SSL mode no problem one of the other things I mentioned is wanting to make sure that your client is successfully configured into SSL communications with your MP so this is my Windows 10 test client just log in to it and confirm it has an IP address real fast because it should I know what I did I mind that either way let me confirm that it has an IP 
address as soon as the desktop comes up okay there's the rest there's the desktop so let's open up command prompt you're ipconfig and Wow look it doesn't have one either so let me go ahead and just statically assign the IP address so full disclosure one of the reasons why is that I have had a little bit of issues with the server hosting my DHCP and I've got it turned off right now so it makes sense I thought we still had one assigned that we don't simply get one assigned real quick and I will be right back okay so I'm back and I have everything with an IP address I'm just going to ping my management point because I need to make sure I can communicate toys ok BAM and so I have good communication here so I know that I can talk to my mp no problem so I'll just leave that up and I'm gonna go to the control panel and we'll look real quick if we config manage your applets and be able to see that it is in fact communicating in PKI mode that's that's important right to make sure that it's created communicating in PKI mode now how do you how do you install the client using PKI mode well if it's a brand new client there's a switch you can use which I'll show you in a second if it's an existing client then during its normal location requests and in cycles it should learn about your SSL enabled MPs and because our selection criteria we prefer SSL enabled MPs if we have the client client cert or a workstation officer on the machine that we can use to communicate with that SSL MP then we will do that right another way to say that let me just kind of go through this because it was a question that I was asked about this will existing clients be able to switch and use the SSL enabled MP the answer is yes if they have been provisioned with the appropriate certificate if they have not then they are not capable of SSL and they will continue to use non SSL so that leads to the other question that kind of started that discussion can you have both an SSL enabled MP and a non SSL enabled 
MP in the same site and the answer's yes you can absolutely do that right so this is there now I want to make sure that I'm able to communicate with my SSL enabled MP and so the log on the clashes before I do that let me show you how how would I install this as a client if in fact it was not installed with the client software so my I'm not in the directory for CCM setup so I'll just type CCM setup use PK I search and then SMS site code equals you know X Y Z whatever yours is and then SMS M P equals HTTP s : whack-whack and then fqdn of your NP so that will tell it to go talk to that NP immediately for install so it'll go ahead and connect to it right okay so the other thing I want to make sure of is that this client is in fact communicating successfully with the SSL enabled in P so the way I'm going to do that is going to my logs directory so I'm in the log structure I'm going to look at CCM messaging right here so I'm gonna pull that up and scroll down to the bottom and we will check so let's see sending outgoing message successfully submitted requires delivered to endpoint look around here okay so if I scroll up a little bit I can check even further in the log I see that I'm using my SSL MP trying to anyway and I can see some different things going on with it in terms of compressed size whatever so it looks like it should be okay we'll know in a minute whenever we actually try to do this live with some import protection policy so I'll go ahead and minimize that out of the way so that's setting up the MP setting it the client right now let's move to the next step be portals so you do need to install the weather you have to you know you don't really have to but in practical purposes you want to install the portals that would be the helpdesk portal this will install the self-service portal as well so the first thing you need to do right is identify which server is going to host these portals this does not have to be on a config manager server in my lab I am using a 
just stand alone is server let's go ahead and bring that into the picture so that we can play around with it so here is my iis server here okay so I'm glad to log in cool and so some of the prerequisites that we need need dotnet 3.5 dotnet 4.5 we also need that ASP 4.0 right installed on the machine in order for this portal setup to work so I've already got these on here I've actually also got ASP 4.0 the link for the download for ASP standalone installer is in our documentation you can describe that and install it now I need to grab the software to install the the portals so this portion of it was just to identify the iis server just to get all the prereqs installed make sure we have ASP 4.0 on there we do also I would recommend having this SVC trace viewer so SVC trace viewer will allow you to look at some of the logs that are produced by the portals and do so on troubleshooting we'll get back to that a bit later but this is what I need to get now so I'm gonna jump a little bit ahead let me pull this back out just shift the slide and we'll move right back on in so we're gonna prepare for portal installation but we need to then install the portals so how do we do that well we're gonna first copy the installation files from the config manager site server I've got them here right it's two files let me show you where I got them so I'm gonna go ahead and log on to the config out of your site server or map a drive to that server CMS a one dollar great and so let's go down to the config manager install directory config manager and then bin and then x64 and I'm gonna search for in BAM right there right so there's a couple of files there's the in BAM sorry the in BAM website and web and then website installer those are the two files you need the em BAM website installer is actually a PowerShell script so I have those here and so we're gonna go and demonstrate I've already got them right but I want to go and demonstrate how to actually install these portals okay so to do 
that I'm just going to open up ISEE PowerShell ISE I'm gonna do it and I see you don't have to if you don't want to but I'm going to ISE great and I'm gonna run that as administrator cool and so I have the script on my clipboard I'm going to just paste in or the command line for the script I'm gonna paste in the command line all right now this formatting and to tie up loose ends a little bit cuz it has some odd Spacey in it but let me just use that as an opportunity to tell you about it so this is the PowerShell script I'm referencing I haven't this would fail right now because I haven't navigated to the directory but then the next thing I'm going to do is pass in my sequel server name so this is my sequel server name and then I'm going to give it the date of another another switch here that I'm not using would be to specify the instance name for sequel I'm using the default instance if you're using the default instance you don't need to supply the instance name in fact one individual I know I'm not trying it really but one individual I know has said if you put the instance name in here it will air out the script don't know haven't tried it but don't need it because I'm using the default instance so here's my sequel database name so that's where my might configure manage your database name here's my reporting web service URL right here all right so this is the fqdn to my reporting server and then my help desk users group name so let me clear that up a little bit get spacing issues here where'd my cursor go there it goes okay so what one word about the help desk users group name and the other two group names that I want to specify here you can put in whatever group name you like you can call it whatever you want just know that this script does not validate the existence of that group or the proper spelling of that group it just goes with what you put in so make absolutely sure your group name is correct and accurate it accurately spelled when you put it in here so 
this is the N BAM help desk group name and bam help desk that's what I'm using could be whatever you want the help desk admins group name so again clear up a space here so I'm calling this in bam help desk admins and then this one as well so the report user's name right here and and then finally cite install both so what you're saying here is what is what do you want install do you want to install the help desk portal do you want to install the self-service portal do you want to install both right and so if you want both and it's both if you want the individuals then it's the individuals and actually let me go back and edit this script because I know I changed the name of these groups so I just spelled that out so it's obvious but I'm calling my groups in practice my reporting users as in bam are you my Help Desk Edmonds is mm HDA again doesn't validate the name of the script or the name of the group so you want to make sure and then the help desk is simply HD em damn HD alright okay so I I'm gonna test run this just to show it to you hang on just a second alright so I think the script is right let me just go ahead and run this again it's already installed not a big deal oops yeah I told you I didn't change directory to that so uh change to the desktop there we go and then run that again make sure it's alright yeah so I'm gonna run that so it's gonna execute and now I think it's going to execute you guys the spacing wrong let me just go back here oh there it goes okay if I think of saying so it's just running it's unpacking some different things it's gonna give you an air or two because it's already got some things in here right but it's continuing on and it will finish up here okay so it's finished right now again I've already got it installed which is why you saw some of the the warnings here let me just show you so here's where it's unpacking everything and then it's trying to move my tenth folder where I unpacked everything into a net Pub I can't because I've 
already got this directory and it's in use and so that's what's what's happening but then we go through and and reset the ACLs on the folders and we're done right so that will in fact install the portals all right now again specify your own information and the command lines make sure that your user groups are named correctly before you run them through the portal and so now that we have this installed let's go back in and I'll show you in is here on this server I had two web portals I had the helpdesk web portal and I had the self-service web portal under default website right here and right here right so let's start with the well let me start by showing you the application pool as well so there is an imbalance that is here now a couple of things so if you look at the EM bam at pool and you edit the the settings for the EM BAM at pool let me go here and you scroll down you'll notice that the user account is network service typically I'm not really much to stand on in BAM but typically as I understand it was standalone in bam you have an actual service account assigned here as a way to run this this portal and then you have to make sure that you have the SPN for that registered here it's network service and there's nothing in the docs to say go register an SP n for this right you will talk about that one a minute they just want to call that out so let's let's go try to access this portal will start with helpdesk I'm here and I I guess I'll just say go browse it from here and so we have the I is portal for the help desk now I'm not gonna go through each item in great detail I just called them out here's the overview page here's the reports page where we will actually see the recovery audit report the other reports are in config manager so I don't forget to talk about those let me pull in config manager and show those to you real quick so here's config managers let's go look at monitoring and look at reporting and then reports and then I will look at BitLocker there 
we go and so I do have some BitLocker management reports up here that I can go look at let's get that out of the way so here's also where you go in for drive recovery and fill in some different detail and then for the TPM recovery as well oops let me get that back up on the screen there okay so over here move that over so managing my TPM right there right so those are the things you can do through the through the help desk portal they get rid of all of those and then the self-service portal is where the user wouldn't be able to go and access various things that they they might care about so this is actually the default portal now in order to use the at least one time but while I'm here you most likely you don't want to leave this as the default contoso IT so while I'm in here and I if you do have the ability to customize that so you can go into your application settings right here and customize any of these so for example mine now be careful don't change anything in the name column that will break things but you can come over here to edit right oops I said that let me click on it so mine is not my lab is tell spend toys so I'm going to edit this setting and call it tells Ben toys right and chance hit okay now this this change goes into the fact immediately so if I then go back to the default website or to that the portal and browse and bring it back up then this time it's gonna come up and say tell spin toys there it is alright so there are some properties there that you can edit if you if you like now while we're here let me take you through a little bit of just understanding where things are so if we saw through the install of these portals that have added some information to inet pub if we go look at Annette pub you will see that we have a BitLocker section and there's a folder for the help desk website a folder for the self-service website there's logs for both now if you don't have any logs created yet then you won't have these folders I do let me minimize 
this in the background I do have some law of log or two each one right there very small and dated right but but I do and so I can bring this log in to see what's going on so here's what I see see trace fear this is an SVC log it contains one line but this log viewer helps you remove some of the formatting the XML formatting and actually see what's going on so this is an error that's actually calling out that it can't find its compliance database I've looked at this with a few colleagues just to make absolutely sure and this log plus or this error errors and this log related to the clients database it's just we it's an artifact there's nothing wrong here that we can find anywhere and even talking yeah I said I'm talking with some colleagues there's nothing they can find they get it to but yet everything works fine for them so I believe this is a holdover a kind of artifact error message from in BAM standalone right and you'll see some similar kind of things with the self-service portal right here and then also in terms of logging we can go into the event log let me go in and run Event Viewer right there we go and watch that oh come on I don't know why it does that sometimes that that'll launch it for sure and go down to applications and services and then under there after it comes up Microsoft thank you just a second to get past it there we go and Microsoft and then Windows and then there's em BAM under here all right so in BAM web so these are for your web consoles and we have admin and we have operational right so operationally you don't see any challenges admin you do and this is another example where it's talking about the need to register an SP n my colleagues get that too again I believe this is a holdover artifact from embed standalone there is nothing wrong here that we can find everything works fine there's no need to go manually register a spin this is what I was referring to when I showed you the network service is the account assigned to the application 
pool typically that's the service account and typically you would register in SPN for the service account but in this case doesn't seem like there's anything wrong at all it's just kind of logging an artifact and here is kind of another one about the database which is an artifact as well right but those Event Viewer logs will show you some good information in fact if there is if there is a problem okay now let's that's this verifying the portal all right so let's kind of move that out of the way that's that's installing the portal that's verifying the portal now let's go well we already done that - so I jumped ahead of myself exploring and customizing the portal right I showed you how you can do that for the self-service portal I showed you the section for manage TPM and the drive recovery sections for for the helpdesk portal right now in terms of the drive recovery this is where you want to have a drive that's corrupted or whatever or drive you've moved from one machine to another and you need to recover it so that's what that section is all about the way that you do that is to basically essentially take a recovery package and run it against the drive and so a little bit deeper than I want to go you know right now in this session but very very possible to do all right and I also showed you the audit reports in the helpdesk portal and also in config manager okay next so one of the things you may want to do probably want to do but it's optional is go through go through and encrypt your data as it's stored in the config manager database so this is optional right so there's going to be a choice that you'll see when we create policy for BitLocker - either in quick encrypt or not now I say there's a choice it'll be grayed out well let me sorry we say it this way there is a choice in the wizard if you have chosen to introduce an equip ssin like we're going to do here then that choice will be grayed out because there's no choice to make you've chosen already to do 
encryption. If you've chosen not to do encryption in the database, then you will have to tick a box that allows storing the data in plaintext format in the database. So it's really up to you; there are really three choices: plaintext, encrypting the recovery key information in the database, or encrypting the entire Configuration Manager database. If you want to do that, that's fine. If you encrypt the entire Configuration Manager database, then in large environments you may see up to a 25% performance degradation, but it is possible. And the information you're encrypting is going to include recovery keys, recovery packages, and different things. There is a certificate requirement here; there's a script in SQL to go create that cert. There's also a specific name requirement for the cert, so the cert must be called BitLockerManagement_CERT. And so let me just jump to this: there's some good documentation about how to do this. There's also some strategy about how to do this. For example, if you're running on SQL 2016 or better, then any cert you create there is backwards-compatible with SQL 2014 and later, so that's where you want to do it. If you have SQL 2016 in the environment and you create your cert on SQL 2014 or earlier, then those certs are not compatible with SQL 2016, so you definitely want to be creating your cert on the latest version of SQL that you have. In terms of creating or establishing the encryption that you need, there are actually a few scripts, demo scripts, in the documentation that will show you how to do that. I've already done it, so let me go ahead and pull in my server, and we'll pull in SQL actually for my server and see if in fact I can show you at least the sample. As always, if you're pulling out of our documentation directly, or anyone's documentation, you might have difficulty with things like single quotes. Single quotes tend to be interesting a lot, because in regular
typewritten text you will see the single quote represented as kind of an opening single quote and a closing single quote, and SQL won't like that at all. And so I always make sure, if there are syntax errors, to go through and edit the script. And so this, for example, is an example of good opening and closing single quotes, and this is your first script where you would go through and create the encryption key if you don't have one. You'll need to change a few things, so make sure you're changing to your database name and so on in the script. So for the one that actually creates the encryption key, change the site database name, for example, to yours. If you want to change the password to something you want, then great; in my case I'm just using 'password'. I think I need to put that in quotes, sorry, I forgot to do that. And then if you want to change the expiration date, then you will change the expiration date in here as well, and then you can go execute that, and in fact mine's already got one, so no big deal. That will create it. Then there's another script kind of listed out there that will back up your certificate; there's another one to restore your certificate if you would like; and then there's finally one that will go through and verify your certificate is actually in place, and I'll show you that one to sort of verify. I'm going to open a new query window. I have the script on my clipboard, so I have this script, and basically it's just a SQL query and then an IF statement at the end. Let me make sure... it looks like there may be some things odd with the syntax there. Okay, so that cleared it up. So basically it checks for the cert, and there's an IF statement: if the count is 3 then select 1, else 0. Basically what this means is the script's going to output a 1 or a 0. If it is a 1, that means that everything is in place. Let's execute that, and we got a 1, so that is effectively verifying the certificate to prove that it's
there and that it's ready to go. Okay, so that's setting everything up, including the optional encryption key or encryption certificate for recovery data. Now all of that precursor work is done, and we're down to being ready to create our encryption policy. Okay, so let me pull in the Configuration Manager console, and let's go create a BitLocker encryption policy, which, now that we actually have everything set up, is relatively straightforward. So here's BitLocker Management. I do have a demo policy already created, but let me go as if I did not. I'm just going to right-click, create a new policy, give it a name, and then choose what areas I want to turn on right here, which adds different nodes to the wizard. Then I'm going to go into Setup, and what I'm basically deciding here is what configurations I want for my Windows 10 systems, and if you have systems prior to Windows 10, then you can turn on this section up here. Now that Windows 7 and all previous OSes are out of support you may not need to do that, but still it's here in case you do. Okay, now that I have that: what kind of encryption do I want for my operating system drives, for my fixed data drives, and then I can move on. So in terms of Client Management, here's where I'm going to enable BitLocker management services if I want to, and then select my recovery information: recovery password and key package, or recovery password only. And then notice this grayed-out piece; this grayed-out piece is kind of what I referred to earlier when we set up the certificate for encrypting the key information in the database. If I did not have that certificate available, I would have to choose this option, but because I do have the database already encrypted, or that encryption certificate in the database, then this option isn't available to me at all to store my data as plaintext. All right, and then enter the client's polling frequency, if you will, for communicating forward to the database to store things
out. That's 90 minutes by default; you can choose what you like. For the operating system drive, do I want to enable those settings, and then what do I want to do in terms of TPM, in terms of what is our minimum PIN length that we want, and then we have Summary, and then we will create our policy. I've already got my policy created, so I will just show it to you here. So one key thing: it's a very basic policy, but one key thing that I did to make sure that I know in fact that my policy is taking effect is that I set up 256-bit encryption. By default, encryption is 128-bit, so if I get to my client and I see that my encryption is 256-bit for BitLocker, then I know. So right now I do not have... actually I do have this deployed, that's right. So let me go to my client that doesn't have BitLocker enabled right now and see what we can do. Let me pull in my Windows 10 system. So this is without BitLocker being enabled at all, and so let me show you a couple of things. So if I go into the Control Panel and look at BitLocker Drive Encryption, it is currently off. I also want to look at the Configuration Manager client applet and show that it has only got this one configuration right here, which is not anything except co-management, so I don't have my BitLocker settings there yet. And then also for Programs and Features, these are the... okay, so let me go ahead and initiate a policy cycle on this, and we will wait for things to happen. Go back into Configuration Manager; I'm going to initiate a machine policy and go, and so I will pause the video while that processes, and we'll be right back. Okay, so we finally have the policy applied, and so let's just take a little tour of the system as it is. So first of all, on the Configurations tab you will see that I have my demo BitLocker policy set up right here that has been deployed, so it is coming down as a compliance setting in here that can be evaluated. I set it to be every five minutes, so we'll see. Then also, I still have no
BitLocker Drive Encryption at all; it's turned off. But what I do have is, under Programs and Features, I have the MBAM agent. So I think I mentioned before that if you enable BitLocker the first time, then one of the things that will happen is that the MBAM agent will automatically get installed behind the scenes, and you see that it did. Now what's interesting is that BitLocker Drive Encryption has not initiated on this system automatically. Why is that? Well, there's actually a good reason. This is a VM, and BitLocker on a VM is fine, actually; there are some little asterisks there. So on 1809 forward, BitLocker on a VM should be no issue at all; prior to that there were some challenges, I understand. I've never tried that prior to 1809 because, as I'm recording the video now, we're well past 1809. But the other part of this is the MBAM agent: the BitLocker encryption process won't start at all if you're logged in with an RDP-type session, and that's what I'm connected with. So in order to get this to actually start, I have to do a little bit of kick-starting, so I'm going to go into my command prompt and run manage-bde -on C:, and so this should start to kick some things in. So BitLocker requires a restart, so I'm going to go ahead and restart the machine, and then BitLocker encryption should begin. Go ahead and restart that, and I won't make you wait through the restart; it should happen pretty quickly, actually, but I won't make you wait through the restart. I'll be right back whenever it finishes. Okay, so the VM has restarted, as you see. Let me log into it here, and hopefully encryption now is in process. Give it a second to log in. Now, while we're logging in, I'll just mention a couple of other bullet points, more for awareness. So I'm showing you the BitLocker encryption policy and sending it out to a machine that is not BitLocker encrypted, but what if it is? What if you configure a BitLocker policy in Configuration Manager and deploy it to a system where the drive is already encrypted
or is already in the process of encrypting from some other thing? Well, if you do that, then the encryption that is there or is in process will not be overridden; it will remain intact. And also, if you just accept the default settings as I showed you, then you will get AES 128-bit encryption. A lot of organizations don't want that; they want 256-bit, and so be aware of that whenever you configure the wizard. So now that the machine is back up and running, let's go back into the Control Panel and look at BitLocker Drive Encryption, and now we see that we are encrypting. Well, how do we know that we in fact have the policy from Configuration Manager? So I'm going to go back into the command prompt: manage-bde -status. All right, and so now what I see is that my encryption method is 256-bit; the default is 128-bit, and so I know, just by doing what I did, that in fact my encryption is going according to the policy that I actually configured. Okay, so that's creating the encryption policy. We have a lot more to talk about, so let's keep going. Well, actually, that's funny, I did both: I created the encryption policy and I showed it to you in action as well, so we've covered this one already. But anyway, let's go forward; we still have a lot to do and show you, a couple of things. So starting to wind down, but now in the troubleshooting tips and tricks section for BitLocker, I want to talk about things kind of broken down by the kind of system that we're looking at. Let's start on the server side, and so on the site server we do have some interesting things that we can look at to kind of understand what's happening. And so let me just pull back in the site server real quick, and we will look at SQL to get started. So here's the site server again, and let me launch SQL. All right, now any time we're in SQL it's fine to look and understand, but be very, very, very careful if you touch anything. But specifically what I want to do here is go into the
recovery tables, okay, and this is where all of the BitLocker key information and so on is stored, the recovery information and so on. So I'm going to go expand the list of tables and then go down to Recovery. Here we go. So we have a whole bunch of recovery tables, and so I have recovery and hardware, core and different things that I can look at, and we can look at all of these, but the main one that I want to look at is the recovery keys table. And so now, this is just showing you where it is; this is not anything at all to say that you have to come in here to get your recovery information, though; that's what the portals are for. But this is where we store it, and so I just have one test machine, but you notice that I have three entries here because I've actually encrypted this machine three times. Yet if I look in the machines table, you'll see that I only have one entry. Why do I show you that? All right, so here's one entry. Why do I show you that? Because the question may come up, and it did come up with one person I was talking to about this: do we keep the history of the keys? And the answer, based on the database, appears to be yes. Now another thing that I'm always interested in understanding is policy: whenever a policy goes down to the machine, how does it get there, where is it stored, how does it make its journey? And so this is the server discussion, but to bring it together I want to bring the client back in and show you. Actually, let me do it this way. I did have the logs on the desktop here, which is cool; I did. So there are logs on the client side, and we'll look at those again in a minute, but these logs are very interesting for a couple of reasons. First of all, in the BitLocker handler log you'll see the processing of the BitLocker management policy, and so if you have seen other Configuration Manager logs, you will see that this is a pretty good indicator that you're looking at Configuration Manager
specific information. And why do I say Configuration Manager specific? Because there's also a log called the group policy handler where we're managing group policy and so on, but this long string of data is showing you that the policy for BitLocker is actually stored as a configuration item. Any time you see this format, it means a configuration item is how things are being implemented for given features, so configuration items would be applied to all sorts of areas of Configuration Manager, such as software updates, the application model, some things in OSD, certainly compliance settings in general, and here in BitLocker management. So this log, this is the client-side log. I have it here on the server just for convenience, but it's a client-side log, and it's showing me this entry, which tells me that I'm getting my BitLocker policy through the configuration item. Well, whenever I know that, I can then go to the database and try to ferret out what that looks like and so on. So let me show you. I'm down here in the recovery tables, but what I want to do now, since I'm talking about configuration, is come up to my CI tables, and so if I just scroll up here for a minute I'll just show you the CI tables. There's a ton of them; if you've never seen them before, there's a bunch of them. I just will show you where I'm going to be focused. All right, so CI, come on, there we go, CI, and I'm going to be focused in on the configuration items table right there. So let me go do a new query, and I will do a SELECT * FROM CI_ConfigurationItems there, and so if you do this in a production environment that does software updates and so on, you will end up getting millions of results. I did the SELECT * just because I want to show you what I really care about, which is this CI_UniqueID. If I scroll down you'll start to see some of the formatting; we'll just drill down a little bit, so you'll start to see some of the format along here. So let me just do this: CI_UniqueID, WHERE CI
_UniqueID equals, and I will put that long string in, and then I'll execute that again. And so I execute that and I get one entry back, so this entry in fact is the BitLocker policy that I've created. And again, what do I care about here? I can look at this SDMPackageDigest and I can see a bit more about the specific policy if I need to troubleshoot something and I wonder if the policy is correct. You know what this also tells me, and this is irritating me right now, what this also tells me: I mentioned this is a configuration item, and so whenever I look at the client, I know what area of WMI I should look in to be able to see what this configuration item looks like on the client. Well, so far I haven't been able to find it in WMI. I know it's there; I'll keep looking, but this is how it gets communicated down to the client. Okay, so not to belabor the point, just again a tour of this a little bit. So on the server side, that's the site server. Now I'm going to pull that out of the way, and let's shift over and go to the management point and look at it for a minute. So here's our management point, and I want to look at and show you the logs, first of all, that are relevant here. So if you go to your management point directory right here, first of all here's your SMS directory with all the things that you might care about for your management point, so MPControl.log and different things. But if you come into specifically your SMS_CCM and you go and look under Microsoft BitLocker Management and then Logs, here you will have your recovery and hardware service logs. So that's interesting in case you have some different things you want to look at. These are SVC logs, and so you'll need that tool to really be able to read them. If I open it now with Notepad, it's not going to be largely in a friendly format. In fact, that one looks like it might be empty; both of them are. So if you have content in this, you can get your SVC trace
viewer right here and throw it into it, and it'll open it up and make it much more readable for you. This is empty, and so there's nothing you really see here, but there is good data there if you need it. Also, I already talked about this whenever we installed the system, but I will go back to it again. In our normal SMS folder under Logs, I was just here and showed you MPControl. So MPControl is a great place to go and make sure that in fact the MP is working and communicating and succeeding; whenever we do the test and successfully perform the check, all of that is working against 443, no problem. Okay, so that's the MP. Now on the portals themselves there's some logging, and I believe I've already showed this to you, but just to make sure: so back on the portal server we do have the event logs, so let's start there. In fact, yeah, okay, so I already showed this, but seeing it a couple of times, especially if it's new to you, is not a bad thing. So waiting for Applications and Services to open up, and Microsoft, and then under that we have Windows, and so under here we have our MBAM right here. So this MBAM Web is where we will see Admin and Operational stuff that's happening against this. Now this is where I've already shown you that we're logging some things that aren't real, about having to register the SPN; you don't need to do that. I believe that's kind of a holdover from MBAM standalone, the same thing with the compliance database, but still this area of the Event Viewer is good information to review if you're having problems. Also the logs themselves; so I did show these to you as well. Here under inetpub you will have the BitLocker Management section right here and then logs for both the helpdesk and the self-service portal. You'll look at these with the SvcTraceViewer as I was referencing a minute ago; just pull it in there, and there will be a red herring as well here, because it's also referring to the compliance database. There's no issue there, but still a
good place to know where logs are being written, so that you can kind of get a handle on things if things aren't going exactly right. Okay, so that's on the server side. Now another thing that's very useful in that event log is that we log a lot of errors in there as we progress, as we encounter different things. This is all in the documentation at that link above. I'm not going to go through it all, but I just wanted to call it out and show you the error code and then the interpretation that we can give it, which is very meaningful and helpful to be able to troubleshoot. So a lot of different error codes; again, not going to go through it all, that's not the point, but definitely wanted to show that to you. Now, so that was the server side; let's shift over to the client side for a minute. I'm going to go back to my Windows 10 client, and I want to show you a few areas that we can go and look at. Right now, the logs: so I'll show you some logs. There are a couple of logs here that we can look at; let's go to this folder and Logs. So I have a couple: I've got the BitLocker Management Handler, and then I've got the BitLocker Management Group Policy Handler. So I don't think I said this earlier, so let me say it now: if you have BitLocker settings implemented through group policy, we can work alongside those with Configuration Manager, no problem. The thing that you want to avoid is having any conflicts, so make sure things are set the same, and it shouldn't be an issue at all. But let's start with the BitLocker Management Handler, and also, before I start talking about the logs: the logs themselves are good, but especially if you turn on verbose and debug logging, then you'll get a little bit more in the logs that will help you along the way. So let's look at BitLocker Management Handler. All right, so I'll just go down to the bottom. All right, this is where we see that we're processing the policy. So in fact, let me actually go back to the site server, because I think somehow that
BitLocker, or the verbose and debug logging, got turned off here. Let me go look at these same exact logs, but now on the site server, where I know that I had the verbose and debug logging turned on. So I will start with the BitLocker Management Handler right here, and so here, this is just kind of starting at the top of the processing loop. I'd edited this log so that it's starting at the top of the processing loop. I'm processing my BitLocker management policy, processing my rule here; it's not compliant with my MBAM client installation, so it's going to go ahead and do the install, so I'm running the install package. All that's done there, and then it's going through and processing group policy settings and just rolling on through. So you get information about this process and what's going on, and you'll see it roll through, and you'll see it check, all right, it'll make sure that the MP is SSL-capable, yes, so we can go through and continue to do some things. All right, so a pretty easy log to read; it tells you where the WMI value is coming from, and we'll come back to that here in a minute. Okay, so that's the standard MBAM or BitLocker handler log. Here's the group policy log. So this will actually show you some really good information; it will show you processing your group policy settings, it'll show you where in the registry those settings are. In my case, I keep getting this error; it simply means I don't have anything in Group Policy, so it keeps giving me a "not found" error message. But still, it's good information to be able to see what's going on and to know what's going on in the logs. But we also have the event logs on the client, so here's back to the Windows 10 client. We'll run Event Viewer. Event Viewer is looking good. All right, so if we go to Applications and Services, and then wait on that, and we go down to Microsoft and then Windows, like we were. Come on, I did click it right there. There we go, okay, Microsoft and then Windows, and then we look at MBAM. All right, so I have
my MBAM event logs here that I can go look at and see if things are processing the way that they should. I've got a warning here, but still things are processing, so good; just good detail that I can look at through the event log. Now the event ID is also in the event log here, very meaningful; I can understand what's going on. So specifically, ID 1 means your policy's applied successfully. I'll see other ones in here, like event 29, that will show that the BitLocker policy recovery key's been stored, whatever, and I'll show you also a pointer to where you can see what each event ID on the client means, here in just a bit. But a lot of good information here in the event logs. All right, now in GPO, so let's go look at GPO for a minute. Again, I don't have anything applied in GPO, but we can go look at it. So I'm going to add the GPO snap-in, all right, and then we will go look at what policy options we have. So in terms of Local Policy, Computer Configuration, and then Administrative Templates, move this over, and then we have Windows Components, and then under Windows Components we want to look at BitLocker, so right here, BitLocker Drive Encryption. Again, I don't have anything configured here, but this is where all of your policies would be. Actually, it is; so this is enabled. I didn't touch it, I didn't touch that at all, but whenever the encryption started happening, that must have turned it on. We have the other options here that are available that could be configured through group policy, and we live side by side with group policy, no problem. Yeah, these are turned on too, so I never touched these, but through turning on BitLocker on the drive, that must have turned this on. So good to go; we can see what's going on there. Also in the registry: so let's open that. I'll close this; let's open up the registry and see what we have there. So regedit, I'm going to run that. Oh, come on, let's do it this way. Okay, so let me open up the registry and browse down
to HKEY_LOCAL_MACHINE here, SOFTWARE right here, and then Policies here, and then, it's not real obvious, Microsoft. It's not real obvious what we're looking at; we're looking for things related to BitLocker. Well, they're going to be under the key here, so here are our MBAM settings and so on, so we can see the settings and different things on the client, where our key recovery server is; so we're pointing to the management point, which is then going to shuttle it to the database, and different things and so on. All right, so there's some good detail under FVE; there's some more detail, so it's good stuff. And then finally, two more places in our tour here. So I'm going to go back to the root of the drive: the system configuration files for MDOP. So under Program Files we have Microsoft, and then we have this as the installation location for the MDOP MBAM agent, and so if we look through here, we'll just sort by file type, scroll on down, and we'll have a couple of config files. Now I show these to you just so you know where they are; no real reason to change anything like this, and I'm not going to go into what the details inside them mean, but basically it's XML that will allow you to have configurations over the client UI and different things that are in here. Okay, but largely the MBAM agent should be totally invisible in the Configuration Manager integration world. Okay, let me go get... I thought I had it. Let me go get WMI Explorer, and I want to show you a couple of places in WMI. Okay, what I wanted was WMI Explorer, so I just went and got it from my other system and pasted it to this one. So I'm going to run this as administrator, and I want to show you a couple of places, really just one, in WMI. And I mentioned I was hunting for the location of the MBAM policy on the client, and it is a compliance setting, and so I still believe that it's under the compliance settings namespace in WMI on the client, but it may just be in here. So under Microsoft we have our MBAM entry, and so we have different
settings that we have for our volume information and so on here that we can look at, in volume settings and so on. So this is where we do store some of the policy. I do still believe that it's probably in the Configuration Manager namespace somewhere, but I haven't found it yet, so maybe it's not, but it is definitely there in WMI. So that is kind of a look at the way things, or the components, the pieces, the different things you can look at on the server side and on the client side, that I wanted to talk to you about. Okay, now here are the client event log entries and what they mean; here's the path to where you can find this information. And then finally some tips and tricks, so just a few things here. First item in the list is MBAM documentation. I give that to you because MBAM documentation is pretty robust out there, and while this is integrated into Configuration Manager, and a lot of that may not be necessarily applicable, it's really good information to understand the concepts and the components and how the MBAM setup works and so on. I also mentioned the MBAM groups whenever I did show you the script for setting up the MBAM portals, and mentioned that you need to make sure that the group names are accurate; we don't validate those through the script. I mention it again here because it's so important. If you don't have that, one telltale sign that you don't have the group information correct is that you won't be able to authenticate to the helpdesk portal. In my case, I have a domain controller that's kind of a little bit flaky, and whenever I created my group names there, I couldn't authenticate to the MBAM portal, so I ended up having to turn that domain controller off and use my secondary domain controller to create the groups, and then it worked just fine. In terms of this whole discussion around Configuration Manager and BitLocker integration and so on, 1910 is the first place where the BitLocker integration has shown up; that's what you're seeing now.
We are at a place, when this recording is happening, where 1910 is the latest, so I'll say the next few things, but just understand that I don't have any particular knowledge or insight into what's planned or what's coming; just some guesses, you know, based on history and the way things look right now and so on. So BitLocker integration, whenever it was released, it was released in Configuration Manager. We had the concept of pre-release items that come into the console that you can play with, and they're not fully finished yet, and then eventually they move into a release status. Well, the BitLocker management piece was immediately released as a released item; it wasn't pre-release. Looking at how this thing works and some things that aren't there today, I kind of do expect there to be some further development on this. A couple of examples: the install experience isn't terrible, but having to run manual scripts is not the cleanest experience, so hopefully there will be some cleanup there to make the install experience a little bit more seamless. Right now we do not support enhanced HTTP; SSL is required. SSL is not something that's in the vast majority of Configuration Manager environments I've come across; they use standard HTTP, so I wouldn't be surprised to see enhanced HTTP come through at some point. Also we have this cloud management gateway thing out there that right now isn't integrated, but would probably be something that will happen over time, I would guess. Now in terms of migration from MBAM: if you have MBAM and you want to move to Configuration Manager, then that migration is pretty darn seamless. Re-encryption: if you have your drives encrypted already, then we're not going to re-encrypt those drives whenever you move to Configuration Manager; we will leave those drives as they are, and so on. If you deploy a BitLocker management policy that is different than what your drives' current
protection is, then we'll report non-compliance, but that will leave the drives protected. We don't want to remove the protection that is there because it doesn't exactly match what we have. In terms of the TPM password hash, this is interesting, because the TPM password hash is actually presented forward one time, so if you have a previous MBAM client that's already there and has already reported the TPM password hash, at that stage it's not going to re-report it to Configuration Manager unless you in fact clear the TPM and remove it and then re-encrypt it and so on. And I've mentioned group policy: we will live right alongside group policy, no problem, fully compatible; just make sure that if the device receives both the GPO and Configuration Manager settings that there's no conflict. One thing also to note is Configuration Manager doesn't implement all of the MBAM group policy settings. If you want to add those group policy settings, then use GPO for that, and it's absolutely no problem at all. And so with that, we have reached the end of our discussion, and so we'll wrap things here, and we'll see you next time.
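The client-side checks the demo performs by hand (encryption method versus the 256-bit policy, MBAM agent installed, handler logs, MBAM event channels, key recovery endpoint) collected into one script, as an added PowerShell example that is not from the video. The expected method, the agent folder, the log file names, the event channel names and the FVE registry location are assumptions based on standard BitLocker and MBAM client layouts; run it elevated on the managed client.

```powershell
# Added example (not from the video). Post-deployment sanity check for a
# ConfigMgr BitLocker management policy on a Windows 10 client.
# Assumptions: the policy asked for 256-bit (the video's demo policy); the
# MBAM agent lives under "Program Files\Microsoft\MDOP MBAM"; the client logs
# are BitLockerManagementHandler.log and BitLockerManagement_GroupPolicyHandler.log
# under CCM\Logs; the MBAM client settings sit under HKLM\SOFTWARE\Policies\Microsoft\FVE.
param(
    # Aes128/XtsAes128 is the wizard default the video warns about.
    [string]$ExpectedMethod = 'XtsAes256',
    [string]$OsDrive        = 'C:'
)

$results = [ordered]@{}

# 1. OS drive state: is it encrypting/encrypted, protected, and with the method
#    the policy asked for? This is what the video checks with manage-bde -status.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$results['VolumeStatus']       = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
$results['ProtectionStatus']   = $vol.ProtectionStatus   # On / Off
$results['EncryptionMethod']   = $vol.EncryptionMethod
$results['MethodMatchesPolicy'] = ($vol.EncryptionMethod -eq $ExpectedMethod)

# 2. A recovery password protector must exist, or there is nothing to escrow
#    to the management point / site database.
$results['HasRecoveryPassword'] = [bool](
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 3. The MBAM agent the ConfigMgr client installs on first policy (assumed path).
$agentPath = Join-Path $env:ProgramFiles 'Microsoft\MDOP MBAM'
$results['MbamAgentPresent'] = Test-Path $agentPath

# 4. The two client-side handler logs the video walks through (assumed names).
$ccmLogs = Join-Path $env:windir 'CCM\Logs'
foreach ($log in 'BitLockerManagementHandler.log',
                 'BitLockerManagement_GroupPolicyHandler.log') {
    $results[$log] = Test-Path (Join-Path $ccmLogs $log)
}

# 5. Key recovery endpoint the client was told to use: the video shows this under
#    HKLM\SOFTWARE\Policies\Microsoft\FVE; the subkey and value name are assumed.
$mbamPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$endpoint = (Get-ItemProperty -Path $mbamPolicy -ErrorAction SilentlyContinue).KeyRecoveryServiceEndPoint
$results['KeyRecoveryServiceEndPoint'] = $endpoint
# Escrow goes over HTTPS to the MP in this release; flag a plain-HTTP endpoint.
$results['EndpointIsHttps'] = [bool]($endpoint -and $endpoint -like 'https://*')

# 6. Latest MBAM client events (Admin and Operational channels, assumed names).
foreach ($ch in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
    $ev = Get-WinEvent -LogName $ch -MaxEvents 5 -ErrorAction SilentlyContinue
    $results[$ch] = ($ev | ForEach-Object {
        '{0:u} id={1} {2}' -f $_.TimeCreated, $_.Id, $_.LevelDisplayName }) -join '; '
}

[pscustomobject]$results | Format-List
```

Remember the caveat from the video: on a VM reached over RDP the encryption itself may not start until you kick it off and reboot, so VolumeStatus can stay FullyDecrypted even though the policy, agent and logs all look right.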
Info
Channel: ConfigurationManagerTeam
Views: 9,155
Id: nRflpFf8s1c
Length: 81min 3sec (4863 seconds)
Published: Wed Feb 12 2020