CCMEXEC.COM – Enterprise Mobility

SCCM integrated MBAM services in Technical Preview 1908.2

Posted on September 6, 2019 (updated September 7, 2019) by Jörgen Nilsson

Spent last night testing this one out: Microsoft BitLocker Administration and Monitoring (MBAM) built into SCCM. This is one of the big features my customers and I are looking forward to! It will make managing MBAM much easier than today by providing:
– MBAM client being part of the SCCM client, so no separate installation and updating anymore
– No additional infrastructure for MBAM, the Management Point role will have the MBAM Recovery and Hardware service.
– Updating the MBAM backend with new Service Releases is not painless today, and now we don’t need to anymore!
– No separate SQL Server/license needed.

MBAM is still the best way to manage your BitLocker keys today. Having the recovery keys in a database separate from Active Directory protects against accidental deletion of a computer account, which would otherwise take the BitLocker recovery key with it. We can clean up our AD and keep it up to date with active clients, and still have the recovery keys available if an old computer surfaces that needs to be unlocked.

So how does it work then?

To start with, you need to run your Configuration Manager site in HTTPS mode. And it makes sense: do you want to transfer your BitLocker keys over HTTP? No. Let’s hope that the released version will support Enhanced HTTP, where self-signed certificates are used.

On the server side, we create our MBAM policies under Assets and Compliance\Endpoint Protection\Bitlocker Management.

Here we create our MBAM policy. It has the same settings we have in the GPO, except that the Reporting endpoint URL is removed.

On the Management Point we have a new endpoint in IIS (yes, I had to do some manual steps to get it working). We have an event log for troubleshooting as well. So no more updating of the MBAM backend services, yeah! 😀

On the client, and this is really nice:

When the policy is applied to the machine, the SCCM client kicks off the installation of the MBAM client automatically from C:\Windows\CCM, as shown here in BitlockerManagementHandler.log.

There is a second log file on the client as well, BitlockerManagement_GroupPolicyHandler.log, which does what it says: it applies the settings from the MBAM BitLocker policy.

The MBAM event log is still there on the client for troubleshooting as well, so no difference there.

And when the drive is encrypted, the recovery keys, user information and computer information are written to the MBAM DB tables in the SCCM database! No more separate database!
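The client-side checks described above can be scripted. This is an added example, not code from the original post or from Microsoft; it assumes the default ConfigMgr client log folder (C:\Windows\CCM\Logs), the standard MBAM client event channels, and an elevated PowerShell session.

```powershell
# Added example: client-side health check for the integrated BitLocker management policy.
# Assumption: the two log files named in the post live in the default CCM log folder.
$ccmLogDir = Join-Path $env:windir 'CCM\Logs'
$logNames  = 'BitlockerManagementHandler.log',
             'BitlockerManagement_GroupPolicyHandler.log'

foreach ($name in $logNames) {
    $path = Join-Path $ccmLogDir $name
    if (Test-Path -LiteralPath $path) {
        Write-Host "== $name (last 15 lines) =="
        Get-Content -LiteralPath $path -Tail 15
    } else {
        Write-Warning "$name not found; the policy may not have reached this client yet."
    }
}

# Assumption: MBAM client event channels use their standard names.
# Level 1-3 = Critical, Error, Warning; look back 24 hours.
$channels = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational'
foreach ($channel in $channels) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $channel
            Level     = 1, 2, 3
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction Stop |
            Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message
    } catch {
        # Get-WinEvent also throws when no events match the filter.
        Write-Warning "No warning/error events read from ${channel}: $($_.Exception.Message)"
    }
}

# Encryption state of the OS drive. Only the presence of a recovery password
# protector is reported; the recovery password itself is never printed.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRecovery = [bool]($os.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]@{
    MountPoint          = $os.MountPoint
    VolumeStatus        = $os.VolumeStatus
    ProtectionStatus    = $os.ProtectionStatus
    EncryptionMethod    = $os.EncryptionMethod
    HasRecoveryPassword = $hasRecovery
}

if ($os.ProtectionStatus -ne 'On' -or -not $hasRecovery) {
    Write-Warning 'OS drive is not fully protected or has no recovery password protector.'
}
```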

I really want this to be in the 1910 release of Configuration Manager; it will make many admins' lives easier! Some questions are still open, like how do we encrypt the disk during OS deployment? Will there be a new self-service portal or not? Time will tell!

If you want to try this out, fellow MVP Niall Brady has written an awesome blog post that will save you a lot of time. You can find it here: https://www.windows-noob.com/forums/topic/16726-on-premises-bitlocker-management-using-system-center-configuration-manager/

  • 1908.2
  • BitLocker
  • MBAM
  • 7 thoughts on “SCCM integrated MBAM services in Technical Preview 1908.2”

    1. JeffJ says:
      September 6, 2019 at 4:51 pm

      Any hints to a migration plan, yet?

    2. Meni says:
      September 8, 2019 at 1:37 pm

      What will happen to anyone who stores the recovery key in AD?
      Will it be possible to switch to MBAM integrated with SCCM without having to re-encrypt?

    3. Harjit Dhaliwal says:
      September 8, 2019 at 9:57 pm

      This is a great addition to SCCM. However, we need a self-service portal for end users as well as for IT Helpdesk when users have difficulty retrieving the keys.

      What’s the query you used for listing the recovery keys in the MBAM DB table?

    4. Pingback: MBAM integration in Configuration Manager 1909 TP – CCMEXEC.COM – Enterprise Mobility
    5. Martin says:
      December 10, 2019 at 3:55 pm

      Is there any how-to-migrate yet?

    6. Zay says:
      August 16, 2021 at 7:48 pm

      Still unclear, but are there any additional fees associated with using the MBAM integration, such as the number of endpoints, etc.?

      1. Jörgen Nilsson says:
        September 22, 2021 at 10:18 pm

        Hi, No, if you use the integrated BitLocker Management in MEmCM there is no additional cost for it.
        Regards,
        Jörgen



    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone else's use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.
