Deploy BitLocker management

Applies to: Configuration Manager (current branch)

BitLocker management in Configuration Manager includes the following components:

Before you create and deploy BitLocker management policies:

Create a policy

When you create and deploy this policy, the Configuration Manager client enables the BitLocker management agent on the device.

Note

In version 1910, to create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Endpoint Protection, and select the BitLocker Management node.

  2. In the ribbon, select Create BitLocker Management Control Policy.

  3. On the General page, specify a name and optional description. Select the components to enable on clients with this policy:

    • Client Management: Manage the key recovery service backup of BitLocker Drive Encryption recovery information

    • Operating System Drive: Manage whether the OS drive is encrypted

  4. On the Setup page, configure the following settings for BitLocker Drive Encryption:

    Note

    Configuration Manager applies these settings when you enable BitLocker. If the drive is already encrypted or is in progress, any change to these policy settings doesn't change the drive encryption on the device.

    If you disable or don't configure these settings, BitLocker uses the default encryption method (AES 128-bit).

    • For Windows 8.1 or Windows 7 devices, enable the option to Choose a drive encryption and cipher strength. Then select the encryption method:

      • AES 128-bit with Diffuser (Windows 7 only)
      • AES 256-bit with Diffuser (Windows 7 only)
      • AES 128-bit (default)
      • AES 256-bit
    • For Windows 10 devices, enable the option to Choose a drive encryption and cipher strength (Windows 10). Then individually select the encryption method for OS drives, fixed data drives, and removable data drives:

      • AES-CBC 128-bit
      • AES-CBC 256-bit
      • XTS-AES 128-bit
      • XTS-AES 256-bit

    Tip

    BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. On Windows 10 devices, the AES encryption supports cipher block chaining (CBC) or ciphertext stealing (XTS).

  5. On the Client Management page, specify the following settings:

    Important

    If you don't have a HTTPS-enabled management point, don't configure this setting. For more information, see Recovery service.

    • Configure BitLocker Management Services: If you enable this setting, Configuration Manager automatically and silently backs up key recovery information in the site database. If you disable or don't configure this setting, Configuration Manager doesn't save key recovery information.

      • Select BitLocker recovery information to store: Configure it to use a recovery password and key package, or just a recovery password.

      • Allow recovery information to be stored in plain text: Without a BitLocker management encryption certificate, Configuration Manager stores the key recovery information in plain text. For more information, see Encrypt recovery data.

      • Client checking status frequency (minutes): By default, the Configuration Manager client updates its BitLocker recovery information every 90 minutes.

  6. On the Operating System Drive page, specify the following settings:

    • Operating System Drive Encryption Settings: If you enable this setting, the user has to protect the OS drive, and BitLocker encrypts the drive. If you disable it, the user can't protect the drive.

      Note

      If the drive is already encrypted, and you disable this setting, BitLocker decrypts the drive.

    • Allow BitLocker without a compatible TPM (requires a password): Allow BitLocker to encrypt the OS drive, even if the device doesn't have a Trusted Platform Module (TPM). If you allow this option, Windows prompts the user to specify a BitLocker password.

    • Select protector for operating system drive: Configure it to use a TPM and PIN, or just the TPM.

    • Configure minimum PIN length for startup: If you require a PIN, this value is the shortest length the user can specify. The user enters this PIN when the computer boots to unlock the drive. By default, the minimum PIN length is 4.

  7. Complete the wizard.

To change the settings of an existing policy, choose it in the list, and select Properties.

When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a client, it uses the priority value to determine its settings.

Deploy a policy

  1. Choose an existing policy in the BitLocker Management node. In the ribbon, select Deploy.

  2. Select a device collection as the target of the deployment.

  3. If you want the device to potentially encrypt or decrypt its drives at any time, select the option to Allow remediation outside the maintenance window. If the collection has any maintenance windows, it still remediates this BitLocker policy.

  4. Configure a Simple or Custom schedule. By default, the client evaluates its compliance with this policy every 12 hours.

  5. Select OK to deploy the policy.

You can create multiple deployments of the same policy. To view additional information about each deployment, select the policy in the BitLocker Management node, and then in the details pane, switch to the Deployments tab.

Monitor

View basic compliance statistics about the policy deployment in the details pane of the BitLocker Management node:

  • Compliance count
  • Failure count
  • Non-compliance count

Switch to the Deployments tab to see compliance percentage and recommended action. Select the deployment, then in the ribbon, select View Status. This action switches the view to the Monitoring workspace, Deployments node. Similar to the deployment of other configuration policy deployments, you can see more detailed compliance status in this view.

To understand why clients are reporting not compliant with the BitLocker management policy, see Non-compliance codes.

For more troubleshooting information, see Troubleshoot BitLocker.

Use the following logs to monitor and troubleshoot:

Client logs

  • MBAM event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft > Windows > MBAM. For more information, see About BitLocker event logs and Client event logs.

  • BitlockerMangementHandler.log in client logs path, %WINDIR%\CCM\Logs by default

Management point logs (recovery service)

  • Recovery service event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft > Windows > MBAM-Web. For more information, see About BitLocker event logs and Server event logs.

  • Recovery service trace logs: <Default IIS Web Root>\Microsoft BitLocker Management Solution\Logs\Recovery And Hardware Service\trace*.etl

Recovery service

The BitLocker recovery service is a server component that receives BitLocker recovery data from Configuration Manager clients. The site deploys the recovery service when you create a BitLocker management policy. Configuration Manager automatically installs the recovery service on each HTTPS-enabled management point.

Important

The recovery service requires a HTTPS-enabled management point. You can't install it on a management point that you configure for HTTP, or any other site system.

Configuration Manager stores the recovery information in the site database. Without a BitLocker management encryption certificate, Configuration Manager stores the key recovery information in plain text. For more information, see Encrypt recovery data.

Migration considerations

If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can seamlessly migrate management to Configuration Manager. When you deploy BitLocker management policies in Configuration Manager, clients automatically upload recovery keys and packages to the Configuration Manager recovery service.

Group policy

  • The BitLocker management settings are fully compatible with MBAM group policy settings. If devices receive both group policy settings and Configuration Manager policies, configure them to match.

  • Configuration Manager doesn't implement all MBAM group policy settings. If you configure additional settings in group policy, the BitLocker management agent on Configuration Manager clients honors these settings.

TPM password hash

  • Previous MBAM clients don't upload the TPM password hash to Configuration Manager. The client only uploads the TPM password hash once.

  • If you need to migrate this information to the Configuration Manager recovery service, clear the TPM on the device. After it restarts, it will upload the new TPM password hash to the recovery service.

Re-encryption

Configuration Manager doesn't re-encrypt drives that are already protected with BitLocker Drive Encryption. If you deploy a BitLocker management policy that doesn't match the drive's current protection, it reports as non-compliant. The drive is still protected.

For example, you used MBAM to encrypt the drive without PIN protection, but the Configuration Manager policy requires a PIN. The drive is non-compliant with the policy, even though the drive is encrypted.

To work around this behavior, first disable BitLocker on the device. Then deploy a new policy with the new settings.

Next steps

Set up BitLocker reports and portals