BitLocker management – Part 1 Initial setup

Captions
Hello everyone, this is Niall from windows-noob.com, and today I want to talk a bit about MBAM, or BitLocker management, within Microsoft Endpoint Manager Configuration Manager version 1910. The MBAM integration was previously released in technical preview versions of Configuration Manager, but now it's available in the current branch release and you can test it for yourself. I'd recommend you test it in a lab before implementing this in production.

So, testing it in the lab. In order to do that you're going to need a reasonably powerful computer. I'm lucky enough to have got a Lenovo P1 to power my lab, from Joe at Lenovo. Here's the box it came in and here are the specs. This is a fantastic machine, it's brilliant. I run all my labs on it, have done so for the last year, and yeah, it's also beautiful.

OK, so let's get to it. Let's have a look at some of the virtual machines within this lab. It's running Hyper-V and, as you can see, I've got these virtual machines with underscore CB at the end, and each one of them is my current branch lab. This particular current branch lab, of many other labs, is the one we're going to use for today's video. It's made up of an Active Directory domain controller, the Configuration Manager server itself running 1906 (not 1910, we'll do the upgrade here), and we also have an issuing CA for PKI. We have a Smoothwall for firewall activities, we have a web server, also needed for PKI, and we have some Windows 10 virtual machines as well. You can see even the root CA is there, but it's powered off because we don't need it at this point.

So that is one of the requirements of MBAM integrated with Endpoint Manager Configuration Manager version 1910: you need to have PKI enabled, or HTTPS. We can look at that briefly. If we look at some of the site roles you can see that, for example, the distribution point, management point and so on are all set up for HTTPS, as you can see. Right, and it might sound complicated, and you might start going "oh no, I can't deal with this, I'll never touch MBAM, it's too difficult for me to set up PKI and then MBAM". Don't worry, it's not that difficult. So what I've done is I've prepared a bunch of guides, ten actually. It sounds like a lot, but you can go through it in a few hours, I guarantee it. If you follow them step by step you'll have PKI, you'll have your SCCM lab converted to HTTPS, and you'll be able to test the new functionality.

So where can you get those guides? Well, head over to windows-noob.com and search for the PKI configuration guides. That goes in eight parts, as you can see here, and once you've done all of those eight parts there is a link at the bottom of that guide which will give you two more parts, and that is actually configuring SCCM, or now Endpoint Manager Configuration Manager, with PKI, and it's two parts. Right, so eight to set up PKI in your lab, followed by two to convert Configuration Manager from HTTP to HTTPS. All right, so those are the guides that you'll need to prepare 1906 or 1910 before you start playing with MBAM.

OK, so now that you're aware of the requirements, let's take a quick look at the lab and see what we have. If we go back to Updates and Servicing you'll see I've already downloaded the 1910 upgrade update, and I did that by running this PowerShell script. It's the fast ring PowerShell script. Fast ring is the first two weeks or so after an update pack is released; if you want to get it to show up in your console you need to run the fast ring script, point it at your CM server and it'll do the rest. Once it's done that you just click on Check for updates, it'll automatically download the update pack and then you can get installing. But remember, this is a lab; test everything in a lab before doing it in production. So I'm not going to bore you with the upgrade process, but I will show you something that's important, and that's this: as you can see there is a feature there called BitLocker management, and we need to click on that in order to get the MBAM integration. So click on Next. We'll just continue through the wizard until we're done.

Now off it goes, and if you've dealt with Configuration Manager for a long time you'll know that there's a bunch of logs you need to be looking at, such as CMUpdate.log and dmpdownloader.log and hman.log. There's loads of logs; that's the beauty of Configuration Manager, you'll always have logs. All right, so off it goes, it's going to upgrade. What I'm going to do is I will come back to this server after the upgrade is finished, so we'll just skip ahead and then we'll continue looking at MBAM.

But before we do so, let's just take a quick look at some of the PKI stuff, just so that you're aware of how to verify things are OK. So, logging on to the issuing CA, what we can see here is our PKIView MMC application, and if you click on this everything looks fine and dandy. You can right-click on that and choose Refresh to verify that everything is OK, and as you can see, as far as PKI is concerned, things are good. All right, so we could check here also. And just to let you know, I actually followed the ten parts that I referred to previously yesterday, so I configured all that yesterday in this particular lab and I converted Configuration Manager from HTTP to HTTPS, or PKI mode, because again MBAM integration in version 1910 requires working PKI.

So one last thing we'll look at, and that is a client. Log on to the client. This client has the Configuration Manager client installed on it, so I think it should have... so if we go in there and click on System and Security, scroll down a bit, there's that Configuration Manager client, and this was also upgraded. As you can see, the client itself is in PKI mode, and this is exactly what we need. All right, so this is the 1906 version of the Configuration Manager client agent. We'll upgrade this before we do any MBAM activities on this virtual machine. So I'll come back to you in a few minutes once the upgrade has completed and then we'll get on with the rest of this video. Thanks.

OK, welcome back. The upgrade is now complete and, as you can see, the Configuration Manager server is upgraded to version 1910, and if we check on the client, I've installed the updated client version, I've just upgraded it. And remember, we need PKI enabled for this to work. Well, let's just take a look. This is a VM, so things are going to behave differently to a real computer, but as you can see it's not BitLockered. Anything else to see here? Some configurations, but nothing related to MBAM. So we'll go back to Configuration Manager and we'll take a look actually at IIS on the manager server, and as you can see there's a bunch of applications running under the default website, and if we refresh that, refresh it here, it stays the same. You don't see anything MBAM-specific listed here, not yet, because that doesn't get installed until we go ahead and create our first policy. So let's go ahead and do that and then see what happens.

So, in the Configuration Manager console go to Assets and Compliance and expand Endpoint Protection, and there you can see the new BitLocker Management node. At the moment it's empty because we haven't created any policy yet, so just right-click on it, or click in the ribbon, and choose Create BitLocker Management Control Policy, and we'll give it a name, 1910, OK. We'll select the two options below and we're going to go through the various options here. The first one I think is pretty much related to Windows 7 and Windows 8, but we only care about Windows 10. What I'm going to do is change the default encryption algorithm from 128 bits to 256 for the three of these things, and you'll see why soon enough. So 256-bit for the three encryption algorithms. Under Client Management we're going to set it to Enabled, and here is an important thing: you'll see "Select BitLocker recovery information to store", and if you hover over the red exclamation mark you'll see it says "plaintext storage of recovery information required when the BitLocker management encryption certificate has not yet been deployed". So what does that mean exactly? What it means is, if you do not deploy this BitLocker management encryption certificate on your SQL Server, then you have to select this option. Right.

So what is the BitLocker management certificate all about? Well, if you go to niallbrady.com, which I've done for you, and you select the following link, that is "want to learn about MBAM integrated with Microsoft Endpoint Manager Configuration Manager". Click on that and that link will give you a bunch of guides which I've written, which are these ones here. Please look at them all. It explains how to do key rotation and self-service and so on, but underneath you've got "what's new in 1910", and that's the version we've just installed or upgraded to, and "how to plan and deploy your BitLocker management". But the one that you'll be interested in, in relation to that little exclamation mark, is this one called "encrypt recovery data". If you look at that particular link, what it explains is why you're doing this and the effect it can have on performance, so, you know, think before doing this, and test it in your lab of course. It gives you the certificate requirements for this BitLockerManagement_CERT, that's what it must be named, and in addition to that there are, for example, scripts: one for creating the certificate, another for backing it up, another one for restoring it, and I think the last one is for verifying it. So you just have to modify a few little things in there, such as database name and so on. So make sure to have a look at that if you're interested at all in what this means. I hope that has explained it to you. If you don't go and bother with this BitLocker management encryption certificate, if you don't do it, then you must select this, and then the next time you create a BitLocker management control policy this will be greyed out and you can't deselect it. But at that point you can still go into the database and run one of those scripts to create the BitLocker management certificate, and all recovery keys that are stored after that point will be encrypted with that certificate.

OK, so let's just change this to one minute because it's a lab, and let's configure this also in there, and we'll click Next. As soon as you've done that some magic will be happening in the background on your Configuration Manager server. One of the things that will happen is the MBAM application, I guess you could call it, should appear around here. So let's refresh this and see what happens, and as you can see it magically has not appeared yet. Fantastic. So while we're waiting for that we can actually open up a log called MPControl.log, and that log file will give you information about the installation, there we go, of the MBAM services within Configuration Manager, and if there's any problem with it getting installed it will alert you here. So this is a good place to look to see that everything worked out. If we go back to IIS, let's see, does it appear yet? It's not going to be instant... there it is. All right, so now we've got that component within IIS, we've got MPControl.log telling us that everything looks fine and dandy, let's see, it looks good.

Now the next thing that we can do is go ahead and deploy the newly created policy. Go back into Configuration Manager here and we're going to deploy that to our Windows 10 computers, of which I have one virtual machine ready to test with. So we'll deploy that policy, we're going to deploy it to Windows 10. This is just a lab, remember, test everything in a lab. I'm going to change the schedule for this to run every, let's say, three minutes, and that's checking for the compliance of this policy. All right, so off it goes.

Now what we need to do is go to our Windows 10 client, which is this one. If we look at Configurations you can see there's nothing new there. Let's refresh the policy, and if we also take a look in Control Panel and just look at installed applications you can see that there's nothing MBAM-related there yet, but it will come once it gets the policy. So let's speed it up again and check, check, check, check, check. OK, I guess I should have verified that this... oh, there it is, boom. All right, so now it's got the MDOP MBAM client agent, and you can see the version number there; that comes directly from the MBAM integration within Configuration Manager. So that is going to control policy on this Windows 10 computer.

But one of the things that I have to point out is, because this is a virtual machine and because I'm remoted into it, it will not pop up the MBAM client agent, so we're going to have to help it along the way just to get encryption started. We'll do that by kicking off a command, which is basically manage-bde -on C:. All right, that will start encryption, and as you can see encryption will start as soon as the computer is restarted. So let's do that, we restart it. Now, if this virtual machine was not managed by Configuration Manager with MBAM integration and we issued that command, then what you would see is that it would encrypt with AES 128-bit only; that's basically all it would do. But because this computer is MBAM-managed it should have got the policy which told it to use AES 256. So let's just have a look at how the MBAM encryption is coming along. We do that with manage-bde -status. It shouldn't take too long, and off it goes, encryption in progress, and look at that: there is the encryption method, the algorithm, as I said, it's 256, and it got that setting from the MBAM client. We can actually view the settings that it has got under this registry key here, Policies\Microsoft\FVE, and in there you can see all the settings that MBAM has configured, including the key recovery service endpoint, and that actually is the management point that we have, and the web service right there, SMS_MP_MBAM, and that was the little application we saw getting installed in IIS. As you can see it's on port 443, which is HTTPS, right, so that is a requirement to get this working.

Now there are two things to point out on this client while waiting for it to encrypt, and that is that there are two logs you can look at in relation to MBAM, and they are these two here: BitLocker Management Group Policy Handler. If we scroll to the end of that we don't see what I want to see just yet, but we will, because eventually what it will say is "found", something like "found management point" or whatever, but basically it's telling us that everything is good. And if you look at the other one we have here, it's giving us information about actually installing... oh, here we go, sorry, it's in this log: "found current management point CM01". So if you hadn't got HTTPS configured it would complain about it in here and you would know that, OK, I need to convert to PKI. So those two logs, keep them in mind in terms of troubleshooting when things are happening, or not happening, on your Configuration Manager client agent.

And another thing to check is the Configuration Manager client agent itself. We'll check that out here, and if we go to Configurations now what we should see is, yes, there it is. So we've got the policy that we configured in Configuration Manager, and at the moment it's non-compliant according to this, and that's probably because it's still encrypting. So let's check the status. Status is now 96.4%, which means it's going to be done any second now. Let's rush it along: 96.8%. So basically, once it reaches 100% we can then actually refresh this and evaluate it, and hopefully it will go from a non-compliant state to compliant, and that will be reflected eventually in the Configuration Manager console if you look at the deployment of your policy and then just look at the status of its summarization. So let's just check: do we have 100% yet? 98.3%, of course. OK.

So while we're waiting for that we can go back to Configuration Manager here and look in SQL, just a little thing to keep an eye on, and that is your database itself. If you go to Tables and scroll right down to the recovery tables, and that should be here, yes. So all of these ones here that I'm highlighting with my mouse, they're all related to MBAM BitLocker management, and, for example, this one here: if we were to run a query on it like this it would list the obfuscated recovery keys, which computers... there are stored procedures within the database that you can utilize to decrypt that. I'm not going any further than that, but just to say, you can keep that in mind.

OK, so let's go back to the client. It should be at 100% now, and it is 100%. So if we look at the Configuration Manager client agent and do a refresh it still says non-compliant, but let's click on Evaluate and then Refresh, and look at that, it has changed over to compliant. You could click on View Report to get information about, well, OK, what's it compliant with, and it's compliant with our policy of course. All right, so now if we go back to the Configuration Manager console, here is our policy that we configured, and we click on Deployments, and here you can check your compliance. At the moment it has zero percent compliance, but what we could do is run a summarization of that. We'll click on View Status, and actually it is already compliant, and here is our computer. Right-click, More Details, compliant, and you've got some information about the policy itself. OK, so this is all good news.

Now, what I did notice in my earlier testing of this is that the recovery key isn't stored in the database immediately, so don't be surprised if, when you're testing this and you run a query like this, you don't see the keys appearing immediately. You can speed them up with some registry hacks; I'm not going to do that here, but you can trust me that the keys will appear here and you'll get the information that you need, for example machines and stuff, if you like looking in SQL. So this is the section of SQL that the information will be stored in. And if you want to look into how key rotation works, self-service or the help desk, please refer back to that blog post I wrote, which is "want to learn about MBAM", because here I've got a getting started video, how does key rotation work, how you can use the self-service feature, the help desk feature, a look at reporting, because there's a bunch of new reports related to MBAM, and how you can get the recovery keys from the Configuration Manager database, and also how to deal with an error such as this. But more importantly you've got all the official docs from Microsoft, and they're really detailed, and they'll help you with planning and deploying within Configuration Manager.

So let's just take one last look here and see that our key appears magically... and it didn't, OK, of course not, but it will appear there and everything will be fine and dandy and we'll be happy. But before we do that we can look at reports very quickly. The reports in relation to BitLocker management are in the BitLocker Management node. You can go ahead and run them and get detailed information, which I've already blogged about, in terms of, OK, what state is BitLocker in in my organization. OK, so I hope that this video has given you a good overview of MBAM built in as a new feature within Configuration Manager version 1910. Thanks for looking. Cheers.
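The client-side checks the video walks through by hand (manage-bde -status, the FVE policy registry key with the key recovery service endpoint, the HTTPS requirement on the management point, and the two MBAM client logs) can be gathered in one script. The following PowerShell is an added example for this page and is not code from the video, from Microsoft, or from the windows-noob.com guides. It assumes the Windows 10 BitLocker module is present, that the MBAM client writes its settings under the MDOPBitLockerManagement subkey of HKLM:\SOFTWARE\Policies\Microsoft\FVE (value name KeyRecoveryServiceEndPoint), and that the two client logs are named BitLockerManagement_GroupPolicyHandler.log and BitLockerManagementHandler.log in the CCM\Logs folder; the subkey, value and log names are assumptions to confirm in your own lab.

```powershell
# Added example, not from the video: verify on a Windows 10 client that the
# BitLocker management policy from Configuration Manager 1910 has arrived and
# that encryption is using the algorithm the policy asked for.
# Run in an elevated PowerShell session on the client.
# ASSUMPTIONS: the MDOPBitLockerManagement subkey, the KeyRecoveryServiceEndPoint
# value name and the two log file names are taken from memory of the product
# documentation; check them against your own lab before relying on this.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MbamKey   = Join-Path $PolicyKey 'MDOPBitLockerManagement'
$CcmLogs   = Join-Path $env:SystemRoot 'CCM\Logs'

# Meaning of the EncryptionMethodWithXts* policy values (Windows 10 1511 and later)
$MethodNames = @{
    3 = 'AES-CBC 128'
    4 = 'AES-CBC 256'
    6 = 'XTS-AES 128'
    7 = 'XTS-AES 256'
}

function Get-FvePolicySummary {
    # The three algorithm settings the policy sets (OS, fixed, removable drives).
    # No key at all means the MBAM client has not received a policy yet.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $fve = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        OsDriveMethod        = $MethodNames[[int]$fve.EncryptionMethodWithXtsOs]
        FixedDriveMethod     = $MethodNames[[int]$fve.EncryptionMethodWithXtsFdv]
        RemovableDriveMethod = $MethodNames[[int]$fve.EncryptionMethodWithXtsRdv]
    }
}

function Get-MbamEndpointCheck {
    # The key recovery endpoint is the SMS_MP_MBAM web service on the management
    # point; it has to be HTTPS on 443, which is why the site needs PKI first.
    if (-not (Test-Path $MbamKey)) { return $null }
    $endpoint = (Get-ItemProperty -Path $MbamKey).KeyRecoveryServiceEndPoint
    if (-not $endpoint) { return $null }
    $uri = [uri]$endpoint
    [pscustomobject]@{
        Endpoint = $endpoint
        IsHttps  = ($uri.Scheme -eq 'https')
        Port     = $uri.Port
    }
}

function Get-OsVolumeState {
    # The same facts manage-bde -status prints, via the BitLocker module.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPassword = [bool]($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        EncryptionMethod     = $vol.EncryptionMethod
        HasRecoveryPassword  = $hasRecoveryPassword
    }
}

function Get-MbamLogHighlights {
    param([int]$Tail = 40)
    # Tail the two client logs the video points at and keep the lines that
    # show the management point being found, or any error, for troubleshooting.
    $logs = 'BitLockerManagement_GroupPolicyHandler.log', 'BitLockerManagementHandler.log'
    foreach ($name in $logs) {
        $path = Join-Path $CcmLogs $name
        if (-not (Test-Path $path)) { continue }
        Get-Content -Path $path -Tail $Tail |
            Where-Object { $_ -match 'management point|error|fail' } |
            ForEach-Object { "[$name] $_" }
    }
}

# Usage: run the four checks and read them top to bottom.
Get-FvePolicySummary
Get-MbamEndpointCheck
Get-OsVolumeState
Get-MbamLogHighlights
```

Read the output in the order the video checks things: if Get-FvePolicySummary returns nothing, the policy has not reached the client yet; if IsHttps is False the endpoint is not usable and the client logs will say why; and EncryptionMethod on the volume should match the policy value once encryption has started.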
Info
Channel: niall brady
Views: 17,376
Id: JK7v4b6Fi-0
Length: 26min 54sec (1614 seconds)
Published: Thu Dec 05 2019