BitLocker Administration Service in MEMCM

Starting with ConfigMgr Current Branch 1910, integrated BitLocker management (MBAM) is supported. This is all well and good except for one detail: it does not include the Administration Service endpoint available in MBAM standalone. This endpoint is, in most cases, crucial if you are using any kind of automation, management system, custom helpdesk tool or similar.

This article describes a simple hack, in no way endorsed or supported by Microsoft and consequently implemented at your own risk, to get the service endpoint back. The method should be considered temporary, to bridge the gap until Microsoft eventually decides to include the functionality (we still hope for that).

If you are configuring integrated BitLocker management and have not used the admin service in a previous MBAM standalone installation, this information is probably of little, if any, value to you.

This table indicates what is missing in the integrated implementation.

As we can see, the integrated solution lacks the “Administration Service”. Some of us need it, and it is safe to say this loss is a significant drawback. Although unsupported, there is a way to get it back by manually copying it from an existing standalone installation. If you have not used MBAM standalone in the past, you will need to set up the solution first to get your hands on the necessary files.

Step #1: Copy the folder

Copy the “Administration Service” folder from “c:\inetpub\Microsoft BitLocker Management Solution” on the old standalone MBAM server to the same location on the server running the >> Portals << (Helpdesk and/or SelfService). Ensure the source installation is the latest, fully patched version.

We also need to create this log folder for the new Application.

Step #2: Add the Application to IIS

Open IIS Manager and right click the site running your portals (typically Default Web Site). Click >> Add Application <<.

Fill in the necessary information for the new application.

Alias: MBAMAdministrationService

Application pool: MBAMWebSitePool

Physical path: C:\inetpub\Microsoft BitLocker Management Solution\Administration Service

Press “OK” when done.

Make sure to enable Windows Authentication on the new Application:
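
Step #2 can also be applied and checked from PowerShell. The script below is an added example, not part of the original walkthrough or of Microsoft's tooling; it uses the alias, application pool and physical path given above, assumes the portals run under "Default Web Site", and reads back the authentication settings afterwards (the anonymous authentication read-back is an added check).

```powershell
#Requires -RunAsAdministrator
# Added example: scripts Step #2 on the portal server and verifies the result.
Import-Module WebAdministration

# Alias, pool and path are the values from Step #2.
# $Site is an assumption ("typically Default Web Site"); adjust if your portals run elsewhere.
$Site  = 'Default Web Site'
$Alias = 'MBAMAdministrationService'
$Pool  = 'MBAMWebSitePool'
$Path  = 'C:\inetpub\Microsoft BitLocker Management Solution\Administration Service'

# Fail early if Step #1 was skipped or the portal application pool is missing.
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path (complete Step #1 first)"
}
if (-not (Test-Path "IIS:\AppPools\$Pool")) {
    throw "Application pool not found: $Pool"
}

# Create the application only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-WebApplication -Site $Site -Name $Alias)) {
    New-WebApplication -Site $Site -Name $Alias -PhysicalPath $Path -ApplicationPool $Pool | Out-Null
}

# The authentication sections are locked at server level by default, so the setting
# is written to applicationHost.config under a <location> tag for this application only.
$Location = "$Site/$Alias"
$AuthBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

# Read back the effective settings for the new application.
$report = [ordered]@{
    Application = $Location
    AppPool     = (Get-WebApplication -Site $Site -Name $Alias).applicationPool
}
foreach ($scheme in 'windowsAuthentication', 'anonymousAuthentication') {
    $report[$scheme] = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthBase/$scheme" -Name enabled).Value
}
[pscustomobject]$report | Format-List

if (-not $report.windowsAuthentication) { throw 'Windows Authentication is not enabled' }
```

If the report shows anonymousAuthentication as True, the application also accepts unauthenticated requests at the IIS layer, which is worth reviewing before the endpoint is put to use.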

Step #3: Correct web.config

Depending on whether you are reusing the old security groups from the standalone installation or not, you will have to edit the web.config file in the folder you just copied.

Locate the >> appSettings << section and make sure the two group names reflect your configuration:

Finally correct these two values to avoid running into SPN issues:

Replace <SERVER.DOMAIN.COM> with the FQDN of the server running the service.


The admin service will now be available at:


