Jump to content


coolslim54

SCCM v2103 Enhanced HTTP with BitLocker Management

Recommended Posts

"The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the Configuration Manager client to the management point. Use one of the following options:

Enable the site for enhanced HTTP. This option applies to version 2103 or later.
HTTPS-enable the IIS website on the management point that hosts the recovery service. This option applies to version 2002 or later.
Configure the management point for HTTPS. This option applies to all supported Configuration Manager versions."

https://docs.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites

Share this post


Link to post
Share on other sites

I'm not having much luck with enabling BitLocker with SCCM v2103, running in enhanced HTTP mode. I'm able to successfully create and deploy the Bitlocker policy to a few test machines. The MDOP MBAM agent does show up in the control panel, but for some reason, the machines remain non-complaint when the SCCM client runs the evaluation. Some of the MBAM registry keys appear to be present on the machines, but the MDOPBitLockerManagement sub registry key is not present. Under the Event Viewer\Applications and Services\Microsoft\Windows\MBAM\Admin section is giving the same warning message all the way down: Unable to connect to the MBAM Recovery and Hardware service. Error code: -2147028409. 

Lastly, I've gone thru the BitlockerManagementHandler.log file just about line-by-line and I saw nothing that indicates the machine was able to detect my enhanced http Management. I did come across the following error messages in the log file:

Error executing method ProtectKeyWithNumericalPassword. 0x8031005b

Error adding numerical password to OS volume

Unable to initialize volume state. Bitlocker enactment cancelled

Error escrowing keys. 0x8031005b

Am I missing something with my enhanced http setup? It's a pretty straight forward process. Any help would be greatly appreciated! 

Share this post


Link to post
Share on other sites

also the 0x8031005b translates to "

The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.

Source: Windows
-----

 

"

Share this post


Link to post
Share on other sites

On 6/13/2021 at 12:56 PM, coolslim54 said:

The client management settings are definitely enabled. My AD guys weren't aware of any active BitLocker GPOs inplace. I ran an RSOP on the machine and did find BitLocker GPOs. I'll provide an update once they've been disabled. 

Did you manage to make it work? I'm in the same configuration than you (I'm on 2103 with http enhanced) except that I have registry keys that appears correctly but on my side, the MBAM client never shows up so clients never get notified of encryption policy even tough I putted non compliance grace period to 0 days. Even when I try to launch manually the MBAMclientUI.exe, it doesn't appear.

I get an error in the event viewer/MBAM/admin:

image.png.e58b9f56c63b87d4b91e4186eedb7759.png

Which on Microsoft website means:

image.png.8cb7b08f4729ae604b9fb3306fdabde9.png

But when I trigger the encryption manually with manage-bde c : on, the client start encrypting with the good encryption method and the recovery key appear in the database correctly.

If any of you have an idea?

Thanks in advance.

 

Edited by blop

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.