Move Bitlocker Management to Microsoft EndPoint Manager Part 1

You will find part 2 of this series here
You will find part 3 of this series here

Demo Environment

In this three-part blog post we will look at how to move from traditional Bitlocker management to Microsoft EndPoint Manager (MEM). Our demo environment looks like this:

  • Bitlocker settings are applied by using traditional AD "Group Policy Objects" (GPO).
  • Bitlocker recovery passwords are stored in "Microsoft Bitlocker Administration and Monitoring" (MBAM).
  • All encrypted devices are running Windows 10 with TPM 1.2 or above.

How

  1. We will start by exporting data from the MBAM server to an Excel Spreadsheet.
  2. (optional): Export Bitlocker data from Active Directory (AD).
  3. Create a device encryption report. In this post we will use the device encryption report in MEM to find any unencrypted devices that need to be handled.
  4. Deploy a PowerShell script using MEM to make all currently encrypted devices upload their Bitlocker recovery passwords.
  5. Create and deploy an encryption profile to all devices to make sure we catch any unencrypted devices. This profile will be used to encrypt new devices as well.
  6. (Optional): In this post we will register an app to allow us to run Graph API queries to fetch Bitlocker recovery passwords.
  7. We will look at the admin roles needed to get the Bitlocker recovery password from AAD/MEM.
  8. We will look at the admin and end-user experience.

Export MBAM data to an Excel spreadsheet

Note: Skip this step if your setup does not include MBAM.

If your current setup includes an MBAM server it is a good idea to export all current MBAM data to an Excel spreadsheet. This gives us a backup in case we need it after the MBAM servers have been shut down.

  1. Create RDP-session to the MBAM SQL server.
  2. On the MBAM SQL server open: "SQL Management Studio"
  3. Navigate to: "Databases" -> "MBAM Recovery and Hardware" -> "Tables" -> "RecoveryAndHardwareCore.Keys"
  4. Right click "RecoveryAndHardwareCore.Keys" and choose: "Select Top 1000 Rows"
  5. Optional: If you have more than 1000 devices: change "1000" to a higher number.
  6. Run the Query.
  7. To copy the results to Excel: Press "CTRL+A" to select all results -> Press "CTRL+C" to copy the results to the clipboard -> Create a new Excel spreadsheet -> Paste the results from the clipboard by pressing "CTRL+V".
  8. Step one is now complete. We have successfully created a backup of our MBAM data! Store the document in a safe location.

Optional: Export AD Bitlocker data to text file

Note: Use this if you are using AD to store Bitlocker data.

  1. Sign in to a domain controller with permissions to read the Bitlocker data from AD.
  2. Run the script below to save the Bitlocker data to a text file; change "$exportLocation" as needed.
# Requires the ActiveDirectory module (RSAT: Active Directory PowerShell)
Import-Module ActiveDirectory

$exportLocation = 'C:\Bitlocker-AD-Export.txt'
$Computers = Get-ADComputer -Filter *

foreach ($computer in $Computers)
{
    # msFVE-RecoveryInformation objects are stored as children of the computer object
    $Bitlocker_Objects = Get-ADObject -Filter {objectclass -eq 'msFVE-RecoveryInformation'} -SearchBase $computer.DistinguishedName -Properties 'msFVE-RecoveryPassword'

    foreach ($Bitlocker_Object in $Bitlocker_Objects)
    {
        # One line per recovery password: computer name; key object name (contains date and key ID); recovery password
        Add-Content -Path $exportLocation -Value ("{0};{1};{2}" -f $computer.Name, $Bitlocker_Object.Name, $Bitlocker_Object.'msFVE-RecoveryPassword')
    }
}

Encryption Report

Now that we have exported Bitlocker data from AD or MBAM (based on your setup) we will create an encryption report to make sure that all of our devices are encrypted.

  1. Log in to MEM as an admin: https://endpoint.microsoft.com
  2. Navigate to: "Devices" -> "Monitor"
  3. Click "Encryption Report"
  4. This report comes in handy when you need to measure device encryption compliance. It is a good practice to always have all physical Windows 10 devices encrypted.
  5. Take note of any "Not encrypted" devices. We will need to make sure all physical devices are encrypted later on. In this demo I have one device that is Not encrypted - this is a "Windows Virtual Desktop" and will not be encrypted at this point.
  6. (Optional): Export the report by clicking "Export" and click "Download"
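The same "Not encrypted" list can be pulled from Graph instead of the portal, which is handy when you want to re-check after the recovery-password script and encryption profile have been deployed. This is an added example, not part of the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin has the DeviceManagementManagedDevices.Read.All permission, and that the output path is one you choose.

```powershell
# Added example (not from the original post): list MEM-managed Windows devices
# that report as not encrypted, mirroring the "Not encrypted" view of the
# Encryption Report. Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementManagedDevices.Read.All permission.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# $select keeps the response small; the filter is applied client-side below
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       '?$select=deviceName,operatingSystem,model,isEncrypted,lastSyncDateTime'

$notEncrypted = @()
do {
    # Graph pages the collection; follow @odata.nextLink until it is absent
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $notEncrypted += $page.value | Where-Object {
        $_.operatingSystem -eq 'Windows' -and -not $_.isEncrypted
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Same columns we would read off the portal report; the model column helps
# spot virtual machines (like the WVD host in the demo) that are expected
# to show up here. Output path is an assumption, change as needed.
$notEncrypted |
    Select-Object deviceName, model, lastSyncDateTime |
    Sort-Object deviceName |
    Export-Csv -Path 'C:\NotEncrypted-Devices.csv' -NoTypeInformation

'{0} Windows device(s) reported as not encrypted' -f $notEncrypted.Count
```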

That is it for part 1. We have exported Bitlocker data from AD and MBAM (based on your setup) and created an encryption report.

You will find part 2 of this series here
You will find part 3 of this series here

//Nicklas Ahlberg

2 thoughts on "Move Bitlocker Management to Microsoft EndPoint Manager Part 1"

  1. This is exactly what we are looking for, is the Powershell script to upload to the keys available yet?
