Important! – MEMCM enabling BitLocker during OSD post 2103

Posted on August 24, 2021 by Jörgen Nilsson

I have always liked Microsoft BitLocker Administration and Monitoring (MBAM) because it provides additional functionality compared to simply saving the BitLocker recovery key in Active Directory. MBAM brings us, for example:
– Protection against accidental deletion of the AD computer object (the keys live in a separate DB)
– Key rotation
– Self-service
– Role-based access to recovery keys
– Compliance reporting
– Escrowing the TPM password hash
...and more.

MBAM was integrated into Configuration Manager, first released in 1910, and has been improved in every release since. The latest addition is support for Enhanced HTTP and CMG to escrow the recovery key, which is awesome!
To enable BitLocker during OSD with MBAM Standalone we used the script “Invoke-MbamClientDeployment.ps1” after first installing the MBAM client during OSD. The script then escrowed the recovery key and, if present, the TPM password hash to the MBAM web service, and all was well.

When MBAM was integrated into MEMCM many of us kept using the same script / solution to enable BitLocker during OS deployment, since the web service / DB tables used by MBAM were basically just added to Configuration Manager.

However, in MEMCM 2103 this all changed. After a support case it turned out that using the script (and, I would assume, the MBAM GPO) creates extra policies and drastically impacts performance.
From the KB article:
“Using the Invoke-MbamClientDeployment.ps1 PowerShell script or alternative methods that utilize the MBAM Agent API to escrow recovery keys to a Management Point in Configuration Manager current branch, version 2103 generates a large amount of policy targeted to all devices which can cause policy storms. This leads to severe degradation of performance in Configuration Manager, primarily with SQL and Management Points.”

More information can be found here: https://docs.microsoft.com/en-us/mem/configmgr/hotfix/2103/10372804
If you have used the script, or an MBAM GPO pointing the MBAM client to MEMCM, I would run the SQL query in the KB article above to check whether you are impacted. If you are, you need to create a support ticket to get help fixing it.
In one of my lab environments I have one entry, as shown in the sample output below:

[Image: Sample output when policies are created]

The CM update KB10372804 and later versions of MEMCM contain a fix that makes sure these policies are no longer created. It does not clean up policies that already exist, which is why a support call is needed to remove the ones already created.

Docs now also has a clear statement that using “Invoke-MbamClientDeployment.ps1” together with MEMCM 2103 and later is not supported. Even though the policy issue is fixed, I would not use the script anyway, as the documentation clearly states “Not Supported”.

[Image: Support statement]

More information here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25

What options do we have then to enable BitLocker during OSD and still save the recovery keys in MEMCM?
– Do not enable BitLocker during OSD but let the Configuration Manager client handle it after OSD (many security departments would not approve)
– Enable BitLocker during OSD without saving the recovery key, and then let the MEMCM client manage it (I would not go down that road either)
– Enable BitLocker and save the recovery key in Active Directory using the built-in steps in the Task Sequence, and then later let the MEMCM client escrow it to the Configuration Manager DB.

If you would like another option, please vote for this User Voice item: Add option to the “Enable BitLocker” Task Sequence step to escrow the Recovery key directly to MEMCM DB – Welcome to Configuration Manager Feedback (uservoice.com)
It would be great to be able to enable BitLocker with a built-in step in the Task Sequence and save the key in the MEMCM DB without having to store it in AD first.

Here are some sample steps; they are really simple in the Task Sequence. The important part is to use the same encryption algorithm in both Task Sequence steps as in the BitLocker policy in Configuration Manager.

Pre-Provision BitLocker:

[Image: Pre-Provision BitLocker step]

Enable BitLocker:

[Image: Enable BitLocker step]
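As an added example (not from the original post, and not part of the Task Sequence steps above), here is a PowerShell check you can run on a device after OSD to confirm the two things that matter for the approach described: that the OS volume was encrypted with the algorithm the Configuration Manager BitLocker policy expects, and that a recovery password protector exists and has been backed up to Active Directory so the MEMCM client can escrow it later. It assumes the policy and both Task Sequence steps use XTS-AES 256; adjust `$ExpectedMethod` to match your own policy.

```powershell
# Added example: post-OSD verification of the BitLocker state on the OS drive.
# Assumption: the CM BitLocker policy and both TS steps are set to XTS-AES 256.
$ExpectedMethod = 'XtsAes256'
$Drive = $env:SystemDrive

$vol = Get-BitLockerVolume -MountPoint $Drive

# The drive must be encrypted (or at least encrypting) for anything else to matter.
if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
    Write-Warning "$Drive is not encrypted (status: $($vol.VolumeStatus))."
    exit 1
}

# A mismatch between the TS steps and the CM policy means the client will report
# non-compliance and may re-encrypt the drive, so fail loudly here.
if ("$($vol.EncryptionMethod)" -ne $ExpectedMethod) {
    Write-Warning "Encryption method is $($vol.EncryptionMethod), expected $ExpectedMethod."
    exit 1
}

# Without a recovery password protector there is nothing for MEMCM to escrow.
$rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($rp.Count -eq 0) {
    Write-Warning "No recovery password protector on $Drive; nothing to escrow."
    exit 1
}

# Back up each recovery password to AD DS. This fails if the computer is not
# domain joined or AD cannot be reached, which is exactly what we want to catch
# before relying on the MEMCM client to pick the key up from AD later.
foreach ($p in $rp) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Backed up recovery password $($p.KeyProtectorId) to AD."
    } catch {
        Write-Warning "AD backup failed for $($p.KeyProtectorId): $($_.Exception.Message)"
        exit 1
    }
}

Write-Output "$Drive OK: $ExpectedMethod, $($rp.Count) recovery password protector(s) backed up to AD."
```

Run it elevated on a domain-joined device; a non-zero exit code indicates the device will not end up with its key in the MEMCM DB via the AD route.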

What about the TPM password hash? It has been tricky to escrow, since as of Windows 10 1607 it is no longer available from within Windows.
We can no longer store the TPM password hash, even if it exists in a Task Sequence variable, when TPM ownership is taken during OSD.
More information can be found here: https://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/

  • BitLocker
  • Configuration Manager
  • Configuration Manager 2103
  • MBAM
  • 2 thoughts on “Important! – MEMCM enabling BitLocker during OSD post 2103”

    1. John says:
      August 24, 2021 at 11:51 pm

      Hi Jorgen,

      Running the SQL query in our production environment, it has returned 7 entries; should I create a support ticket? I have applied the 2103 hotfix.

      1. Jörgen Nilsson says:
        September 22, 2021 at 10:16 pm

        Hi, according to the support statement from Microsoft, yes.
        Regards,
        Jörgen
