Deploy BitLocker management

Applies to: Configuration Manager (current branch)

BitLocker management in Configuration Manager includes the following components:

Before you create and deploy BitLocker management policies:

Create a policy

When you create and deploy this policy, the Configuration Manager client enables the BitLocker management agent on the device.

Note

To create a BitLocker management policy, you need the Full Administrator role in Configuration Manager.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand Endpoint Protection, and select the BitLocker Management node.

  2. In the ribbon, select Create BitLocker Management Control Policy.

  3. On the General page, specify a name and optional description. Select the components to enable on clients with this policy:

    • Operating System Drive: Manage whether the OS drive is encrypted

    • Fixed Drive: Manage encryption for additional data drives in a device

    • Removable Drive: Manage encryption for drives that you can remove from a device, like a USB key

    • Client Management: Manage the key recovery service backup of BitLocker Drive Encryption recovery information

  4. On the Setup page, configure the following global settings for BitLocker Drive Encryption:

    Note

    Configuration Manager applies these settings when you enable BitLocker. If the drive is already encrypted or is in progress, any change to these policy settings doesn't change the drive encryption on the device.

    If you disable or don't configure these settings, BitLocker uses the default encryption method (AES 128-bit).

    • For Windows 8.1 devices, enable the option for Drive encryption method and cipher strength. Then select the encryption method.

    • For Windows 10 devices, enable the option for Drive encryption method and cipher strength (Windows 10). Then individually select the encryption method for OS drives, fixed data drives, and removable data drives.

    For more information on these and other settings on this page, see Settings reference - Setup.

  5. On the Operating System Drive page, specify the following settings:

    • Operating System Drive Encryption Settings: If you enable this setting, the user has to protect the OS drive, and BitLocker encrypts the drive. If you disable it, the user can't protect the drive.

    On devices with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN). Configure the following settings:

    • Select protector for operating system drive: Configure it to use a TPM and PIN, or just the TPM.

    • Configure minimum PIN length for startup: If you require a PIN, this value is the shortest length the user can specify. The user enters this PIN when the computer boots to unlock the drive. By default, the minimum PIN length is 4.

    For more information on these and other settings on this page, see Settings reference - OS drive.

  6. On the Fixed Drive page, specify the following settings:

    • Fixed data drive encryption: If you enable this setting, BitLocker requires users to put all fixed data drives under protection. It then encrypts the data drives. When you enable this policy, either enable auto-unlock or the settings for Fixed data drive password policy.

    • Configure auto-unlock for fixed data drive: Allow or require BitLocker to automatically unlock any encrypted data drive. To use auto-unlock, also require BitLocker to encrypt the OS drive.

    For more information on these and other settings on this page, see Settings reference - Fixed drive.

  7. On the Removable Drive page, specify the following settings:

    • Removable data drive encryption: When you enable this setting, and allow users to apply BitLocker protection, the Configuration Manager client saves recovery information about removable drives to the recovery service on the management point. This behavior allows users to recover the drive if they forget or lose the protector (password).

    • Allow users to apply BitLocker protection on removable data drives: Users can turn on BitLocker protection for a removable drive.

    • Removable data drive password policy: Use these settings to set the constraints for passwords to unlock BitLocker-protected removable drives.

    For more information on these and other settings on this page, see Settings reference - Removable drive.

  8. On the Client Management page, specify the following settings:

    Important

    If you don't have a management point with an HTTPS-enabled website, don't configure this setting. For more information, see Recovery service.

    • Configure BitLocker Management Services: When you enable this setting, Configuration Manager automatically and silently backs up key recovery information in the site database. If you disable or don't configure this setting, Configuration Manager doesn't save key recovery information.

      • Select BitLocker recovery information to store: Configure it to use a recovery password and key package, or just a recovery password.

      • Allow recovery information to be stored in plain text: Without a BitLocker management encryption certificate, Configuration Manager stores the key recovery information in plain text. For more information, see Encrypt recovery data.

    For more information on these and other settings on this page, see Settings reference - Client management.

  9. Complete the wizard.

To change the settings of an existing policy, choose it in the list, and select Properties.

When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a client, it uses the priority value to determine its settings.

Deploy a policy

  1. Choose an existing policy in the BitLocker Management node. In the ribbon, select Deploy.

  2. Select a device collection as the target of the deployment.

  3. If you want the device to potentially encrypt or decrypt its drives at any time, select the option to Allow remediation outside the maintenance window. If the collection has any maintenance windows, it still remediates this BitLocker policy.

  4. Configure a Simple or Custom schedule. The client evaluates its compliance based on the settings specified in the schedule.

  5. Select OK to deploy the policy.

You can create multiple deployments of the same policy. To view additional information about each deployment, select the policy in the BitLocker Management node, and then in the details pane, switch to the Deployments tab.

Important

The MBAM Client does not start BitLocker Drive Encryption actions if a remote desktop protocol connection is active. All remote console connections must be closed and a user must be logged on to a physical console session before BitLocker Drive Encryption begins.

Monitor

View basic compliance statistics about the policy deployment in the details pane of the BitLocker Management node:

  • Compliance count
  • Failure count
  • Non-compliance count

Switch to the Deployments tab to see compliance percentage and recommended action. Select the deployment, then in the ribbon, select View Status. This action switches the view to the Monitoring workspace, Deployments node. Similar to the deployment of other configuration policy deployments, you can see more detailed compliance status in this view.

To understand why clients are reporting not compliant with the BitLocker management policy, see Non-compliance codes.

For more troubleshooting information, see Troubleshoot BitLocker.

Use the following logs to monitor and troubleshoot:

Client logs

  • MBAM event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft > Windows > MBAM. For more information, see About BitLocker event logs and Client event logs.

  • BitlockerMangementHandler.log in client logs path, %WINDIR%\CCM\Logs by default

Management point logs (recovery service)

  • Recovery service event log: in the Windows Event Viewer, browse to Applications and Services > Microsoft > Windows > MBAM-Web. For more information, see About BitLocker event logs and Server event logs.

  • Recovery service trace logs: <Default IIS Web Root>\Microsoft BitLocker Management Solution\Logs\Recovery And Hardware Service\trace*.etl

Recovery service

The BitLocker recovery service is a server component that receives BitLocker recovery data from Configuration Manager clients. The site deploys the recovery service when you create a BitLocker management policy. Configuration Manager automatically installs the recovery service on each management point with an HTTPS-enabled website.

Configuration Manager stores the recovery information in the site database. Without a BitLocker management encryption certificate, Configuration Manager stores the key recovery information in plain text.

For more information, see Encrypt recovery data.

Migration considerations

If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can seamlessly migrate management to Configuration Manager. When you deploy BitLocker management policies in Configuration Manager, clients automatically upload recovery keys and packages to the Configuration Manager recovery service.

Important

When you migrate from stand-alone MBAM to Configuration Manager BitLocker management, if you require existing functionality of stand-alone MBAM, don't reuse stand-alone MBAM servers or components with Configuration Manager BitLocker management. If you reuse these servers, stand-alone MBAM will stop working when Configuration Manager BitLocker management installs its components on those servers. Don't run the MBAMWebSiteInstaller.ps1 script to set up the BitLocker portals on stand-alone MBAM servers. When you set up Configuration Manager BitLocker management, use separate servers.

Group policy

  • The BitLocker management settings are fully compatible with MBAM group policy settings. If devices receive both group policy settings and Configuration Manager policies, configure them to match.

    Note

    If a group policy setting exists for standalone MBAM, it will override the equivalent setting attempted by Configuration Manager. Standalone MBAM uses domain group policy, while Configuration Manager sets local policies for BitLocker management. Domain policies will override the local Configuration Manager BitLocker management policies. If the standalone MBAM domain group policy doesn't match the Configuration Manager policy, Configuration Manager BitLocker management will fail. For example, if a domain group policy sets the standalone MBAM server for key recovery services, Configuration Manager BitLocker management can't set the same setting for the management point. This behavior causes clients to not report their recovery keys to the Configuration Manager BitLocker management key recovery service on the management point.

  • Configuration Manager doesn't implement all MBAM group policy settings. If you configure additional settings in group policy, the BitLocker management agent on Configuration Manager clients honors these settings.

    Important

    Don't set a group policy for a setting that Configuration Manager BitLocker management already specifies. Only set group policies for settings that don't currently exist in Configuration Manager BitLocker management. Configuration Manager version 2002 has feature parity with standalone MBAM. With Configuration Manager version 2002 and later, in most instances there should be no reason to set domain group policies to configure BitLocker policies. To prevent conflicts and problems, avoid use of group policies for BitLocker. Configure all settings through Configuration Manager BitLocker management policies.

TPM password hash

  • Previous MBAM clients don't upload the TPM password hash to Configuration Manager. The client only uploads the TPM password hash once.

  • If you need to migrate this information to the Configuration Manager recovery service, clear the TPM on the device. After it restarts, it will upload the new TPM password hash to the recovery service.

Re-encryption

Configuration Manager doesn't re-encrypt drives that are already protected with BitLocker Drive Encryption. If you deploy a BitLocker management policy that doesn't match the drive's current protection, it reports as non-compliant. The drive is still protected.

For example, you used MBAM to encrypt the drive with the AES-XTS 128 encryption algorithm, but the Configuration Manager policy requires AES-XTS 256. The drive is non-compliant with the policy, even though the drive is encrypted.

To work around this behavior, first disable BitLocker on the device. Then deploy a new policy with the new settings.

Co-management and Intune

The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy. The device gets Windows encryption policy from Intune.

When you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption .

For more information about managing BitLocker with Intune, see the following articles:

Next steps

Set up BitLocker reports and portals