In parts 1 and 2 of this series on installing and configuring Microsoft BitLocker Administration and Monitoring (MBAM) we ran through the installation, validation and customisation options available. In this third part we look at how the client Group Policy settings are configured and how to push out the MBAM Client Agent via System Center Configuration Manager (ConfigMgr).
Part 1: Installation of MBAM components
Part 2: Validating IIS sites and customisation
Part 3: Configuration of GPO policies and client agent deployment
Part 4: Validation of key storage and recovery tests
Group Policy Configuration
All settings for MBAM client deployments are configured through Group Policy. The first thing you will need to do is to update your Group Policy Central Store with the MBAM ADMX (and matching ADML) template files, which can be downloaded from Microsoft – https://www.microsoft.com/en-us/download/details.aspx?id=55531
Now let us step through creating a new GPO for the Windows clients:
- Open the Group Policy Management Console or the Advanced Group Policy Management (AGPM) console, depending on your environment
- Create a new Group Policy object and name it according to your naming convention
- Open the newly created GPO and expand to Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management);
How you configure the GPO depends on your requirements, for example whether or not you are going to apply BitLocker to removable drives. For this example I am going to require the following:
- All fixed disks are encrypted
- AES XTS 256 bit encryption is required
- TPM only authentication is used
- The use of passwords (non-TPM) is blocked
- The BitLocker recovery page provides Helpdesk contact information
Below are all of the settings contained within my demo example:
GPO Path – MDOP MBAM (BitLocker Management)

| Setting | Value |
|---|---|
| Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled. Encryption method for operating system drives: XTS-AES 256-bit; fixed data drives: XTS-AES 256-bit; removable data drives: XTS-AES 256-bit |
| Choose drive encryption method and cipher strength (the older setting, used by clients before Windows 10 1511) | Select the encryption method: AES 256-bit |

GPO Path – MDOP MBAM (BitLocker Management)/BitLocker Drive Encryption/Client Management

| Setting | Value |
|---|---|
| Configure MBAM services | Enabled. MBAM Recovery service endpoint: https://YOURSERVER/MBAMRecoveryAndHardwareService/CoreService.svc; Select BitLocker recovery information to store: Recovery password and key package; Client checking status frequency (minutes): 90; Configure MBAM Status reporting service: Enabled; MBAM Status reporting service endpoint: https://YOURSERVER/MBAMComplianceStatusService/StatusReportingService.svc; Status report frequency (minutes): 720 |

GPO Path – MDOP MBAM (BitLocker Management)/Fixed Drive

| Setting | Value |
|---|---|
| Choose how BitLocker-protected fixed drives can be recovered | Enabled. Allow data recovery agent: Enabled; Omit recovery options from the BitLocker setup wizard: Enabled; Save BitLocker recovery information to AD DS for fixed data drives: Enabled; Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages; Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Disabled |
| Configure use of passwords for fixed data drives | Disabled |
| Encryption Policy Enforcement Settings | Enabled. Number of noncompliance grace period days for fixed drives (the grace period begins only after the operating system drive is detected as compliant): 0, i.e. enforce immediately |
| Fixed data drive encryption settings | Enabled (fixed data drives must be encrypted). Configure Auto-Unlock for fixed data drive: Allow Auto-Unlock |

GPO Path – MDOP MBAM (BitLocker Management)/Operating System Drive

| Setting | Value |
|---|---|
| Choose how BitLocker-protected operating system drives can be recovered | Enabled. Allow data recovery agent: Enabled; Omit recovery options from the BitLocker setup wizard: Disabled; Save BitLocker recovery information to AD DS for operating system drives: Enabled; Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages; Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled |
| Configure pre-boot recovery message and URL | Enabled. Select an option for the pre-boot recovery message: Use custom recovery message; Custom recovery message: SCConfigMgr Lab Disk Encryption – Contact the IT Helpdesk on +x xxx xxxx; Custom recovery URL: (not set) |

One caveat on the recovery settings. The explanation text of the operating system drive recovery policy itself states: "When using 'BitLocker Management Solution', the 'Save BitLocker recovery information to AD DS for operating system drive' option should be unchecked." The values above nevertheless enable AD DS backup for both operating system and fixed drives, so recovery passwords and key packages are escrowed to the msFVE-RecoveryInformation objects in Active Directory as well as to the MBAM recovery database, and anyone delegated read access to those objects can recover a drive without going through MBAM's audited helpdesk recovery. If MBAM is to be the single system of record for recovery data, clear the AD DS options; if you deliberately keep both, treat AD read access to those objects as equivalent to MBAM helpdesk access.
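The GPO only matters once it has actually applied, so the following is an added PowerShell check (not part of the original post) to run elevated on a managed client after a gpupdate. It reads the registry values the BitLocker and MBAM ADMX templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE, compares them with the table above, and then lists the cipher each BitLocker volume actually carries. The value names and encryption-method codes are those documented for the BitLocker and MBAM policy templates; YOURSERVER is the placeholder hostname from the GPO example, and the TPM and data recovery agent settings are not checked because the table does not enumerate their registry values.

```powershell
# Added example, not from the original post: confirm on a client that the MBAM GPO
# applied and that BitLocker volumes use the cipher it mandates.
# Assumptions: registry value names are those written by the BitLocker and MBAM
# ADMX templates; YOURSERVER is the placeholder hostname used in the GPO above.
# Run elevated after 'gpupdate /force'.

$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbam = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

# Encryption method codes used by the FVE policy values:
# 3 = AES-128 CBC, 4 = AES-256 CBC, 6 = XTS-AES 128, 7 = XTS-AES 256
$expected = @(
    @{ Path = $fve;  Name = 'EncryptionMethodWithXtsOs';  Value = 7 }   # OS drives: XTS-AES 256
    @{ Path = $fve;  Name = 'EncryptionMethodWithXtsFdv'; Value = 7 }   # fixed data drives
    @{ Path = $fve;  Name = 'EncryptionMethodWithXtsRdv'; Value = 7 }   # removable data drives
    @{ Path = $fve;  Name = 'EncryptionMethod';           Value = 4 }   # older setting: AES 256
    @{ Path = $mbam; Name = 'KeyRecoveryServiceEndPoint';     Value = 'https://YOURSERVER/MBAMRecoveryAndHardwareService/CoreService.svc' }
    @{ Path = $mbam; Name = 'StatusReportingServiceEndPoint'; Value = 'https://YOURSERVER/MBAMComplianceStatusService/StatusReportingService.svc' }
    @{ Path = $mbam; Name = 'ClientWakeupFrequency';          Value = 90 }   # client checking frequency (minutes)
    @{ Path = $mbam; Name = 'StatusReportingFrequency';       Value = 720 }  # status report frequency (minutes)
)

function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Value)
    # Missing value or missing key both come back as $null and count as a mismatch
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting  = "$(Split-Path $Path -Leaf)\$Name"
        Expected = $Value
        Actual   = $actual
        Match    = ($null -ne $actual) -and ("$actual" -eq "$Value")
    }
}

$results = foreach ($e in $expected) { Test-PolicyValue @e }
$results | Format-Table -AutoSize

# What the volumes actually ended up with. EncryptionMethod should read XtsAes256 once
# encryption has started; a volume still showing Aes256 was encrypted before the XTS
# policy applied, and changing the policy alone does not re-encrypt it.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }

$mismatches = @($results | Where-Object { -not $_.Match })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) policy value(s) differ from the GPO; check 'gpresult /h report.html' for the winning GPO."
    exit 1
}
```

The exit code makes the script usable as a ConfigMgr configuration item or a scheduled compliance check as well as an interactive test.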
At this point you should have a functional GPO for deployment; simply link it to the OUs containing the computers you wish to receive the policy.
MBAM Client Agent Deployment
Here I am going to focus on deploying the MBAM client through Configuration Manager as an application. For a successful installation both the base client installer and the July 2018 servicing release (KB4340040) are required; without the hotfix the client cannot evaluate the XTS-AES cipher specified in the GPO created earlier and reports the devices as non-compliant.
The setup EXE can be pushed out as-is with the following command: `MBAMClientSetup.exe /acceptEula=Yes`
For this example, however, I am going to extract the MSI contained within MBAMClientSetup.exe using the following command: `MBAMClientSetup.exe /extract <path to extract MSI> /acceptEula=Yes`
Now that the MSI is available I am going to bundle it with the hotfix and deploy to clients using the following process:
- Copy both the MSI and the MSP into a source directory
- Launch the ConfigMgr Administration Console
- Click on Software Library and expand the Application Management\Applications node
- Right click on the Applications node and click on Create Application
- Select the type "Windows Installer (*.msi file)", then click on Browse to locate the installer
- Click Next; the wizard reads the product name, version, product code and install command from the MSI
- Fill in any additional application information you wish
- Click Next to reach the summary screen
- Click Next again and the application is created; click Close on the completion screen
The next step is to add the MSP as a second deployment type, with detection logic that confirms the patched version is present.
- Right click on the MBAM application you just created and click on Properties
- Click on the Deployment Types tab, then click on the Add button
- Select "Manually specify the deployment type information", then click Next
- Provide a name for the hotfix deployment type (in this example "MBAM Hotfix KB4340040"), then click Next
- Enter the following content information:
Installation Program: msiexec.exe /p MBAM2.5_Client_x64_KB4340040.msp /quiet /norestart
Uninstall Program: msiexec.exe /X {AEC5BCA3-A2C5-46D7-9873-7698E6D3CAA4}
Note that this uninstall command removes the whole MBAM client by product code, not just the hotfix; uninstalling this deployment type therefore removes the agent.
- Click Next, and on the Detection Method tab click Add Clause
- Enter the following registry clause:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AEC5BCA3-A2C5-46D7-9873-7698E6D3CAA4}
Value name: DisplayVersion
Value: 2.5.1143.0
Leave "This registry key is associated with a 32-bit application on 64-bit systems" unchecked, since this is the x64 client. Using a data type of Version with the operator "Greater than or equal to" rather than "Equals" keeps the detection valid when a later MDOP servicing release supersedes this version.
- On the User Experience tab, set the installation behaviour for your environment (for an agent this is normally Install for system, whether or not a user is logged on)
- On the Dependencies tab, add a dependency group and select the MSI deployment type created earlier, ticking Auto Install so that a client without the agent installs the MSI before the patch is applied
- Complete the wizard
- Back on the Deployment Types tab, change the order so that the hotfix deployment type is first in the list; ConfigMgr evaluates deployment types in priority order, so the hotfix is selected, its dependency installs the base MSI where needed, and the MSP is then applied
- Click OK and deploy your application
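As an added example that is not part of the original post, the registry clause above can be replaced with a PowerShell script detection method, which gives full control over the version comparison and lets you confirm the agent service exists as well. ConfigMgr treats exit code 0 with output on STDOUT as "installed" and exit code 0 with no output as "not installed". The product code and the 2.5.1143.0 version are taken from the post; MBAMAgent is the service name of the BitLocker Management Client Service installed by the MBAM client.

```powershell
# Added example, not from the original post: script detection method for the MBAM
# client deployment type. Assumptions: {AEC5BCA3-...} is the MBAM client product code
# and 2.5.1143.0 is the DisplayVersion written by the KB4340040 hotfix (both from the post).
# Leave "Run script as 32-bit process on 64-bit clients" unchecked, or HKLM\SOFTWARE is
# redirected to Wow6432Node and the x64 client is never found.

$productCode    = '{AEC5BCA3-A2C5-46D7-9873-7698E6D3CAA4}'
$minimumVersion = [version]'2.5.1143.0'
$uninstallKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"

function Get-MbamClientVersion {
    # Returns the installed version as [version], or $null if the client is absent
    # or the uninstall entry is unreadable.
    $entry = Get-ItemProperty -Path $uninstallKey -ErrorAction SilentlyContinue
    if ($null -eq $entry -or [string]::IsNullOrEmpty($entry.DisplayVersion)) { return $null }
    try { return [version]$entry.DisplayVersion } catch { return $null }
}

function Test-MbamClientInstalled {
    param([version]$Minimum)
    $installed = Get-MbamClientVersion
    if ($null -eq $installed) { return $false }
    # Greater-or-equal rather than equal: a later MDOP servicing release that
    # supersedes KB4340040 must still be reported as installed, otherwise
    # ConfigMgr would keep re-applying the older MSP.
    if ($installed -lt $Minimum) { return $false }
    # A present uninstall entry with no agent service means a broken install;
    # report "not installed" so the deployment type runs again.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

if (Test-MbamClientInstalled -Minimum $minimumVersion) {
    # Any text on STDOUT signals "installed" to ConfigMgr
    Write-Output "MBAM client $(Get-MbamClientVersion) detected"
}
exit 0
```

Keep the script free of Write-Error or non-zero exits on the "not installed" path: ConfigMgr interprets a non-zero exit code or STDERR output as a detection failure rather than as "not installed", which would block the install from ever running.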
Next Step
In the next part of the series we will look at validating key storage, recovery and troubleshooting.