Provide Support for BitLocker Management with IBCM
Currently, internet-based clients are able to receive BitLocker Management Policies via IBCM but are unable to contact the Recovery Service. I have found that this is due to the MBAM Agent looking for the CurrentManagementPoint in WMI at ROOT\ccm:SMS_Authority.Name="SMS:<SiteCode>".
It is possible to trick” the MBAM Agent into using the internet-based MP by adding the IBCM FQDN into the MP property at ROOT\ccm\LocationServices:SMS_MPInformation.MP="<IBCM FQDN>". This allows the agent to successfully find the Recovery Service MP and communicate!
I am aware that there may be more to it than just facilitating this communication but wanted to at least share that achieving this communication is easily done and would make BitLocker Management for internet-based clients available.
Attached is a brief doc which explains why I even care about BL Mgmt w/ IBCM and a brief description on how I came to find the solution for Recovery Service communication.
Marc A Graham commented
Nice option for people to look at that are stuck in this situation Anon. The problem still exists where the key does not properly escrow from the IBCM MP back to the DB. Have you see the escrow actually occur?
This is a good solution, but there might be an easier way to do this.
1. Make sure that BitLocker Management Services setting in the BLM policy is 'Disabled' or 'Not Configured' on policies that are targeted to IBCM clients. This will ensure that CM client doesn't set the Recovery Service URL in the local group policy.
2. Set the local group policy with the IBCM url of the Recovery Service.
"KeyRecoveryServiceEndPoint"="<URL OF IBCM recovery service endpoint>"
URL should end in 'SMS_MP_MBAM/CoreService.svc'
ClientWakeupFrequency - Period, in minutes, to contact the key recovery service.
0 = Recovery password only
1 = Recovery password and key package
Marc A Graham commented
Hey "Anon" and Nick!
I actually put this on the back burner after working with the client to be honest. We had to set up a process where the remote devices get the BL policies over IBCM and then finalize the process when the connect to the VPN where the keys get escrowed.
That is really good info to know and would fully explain why everything works great up until the key escrow piece.
Nick Kosenka-Evans commented
I believe MECM hasn't made any fundamental changes to the MBAM process for escrowing keys and the biggest problem with that process is that it uses the workstation account to authenticate against the IIS endpoint. It works fine for computers on an internal network or over a VPN, but if you have the MBAM web site available externally, it fails the authentication because it cannot contact a Domain Controller.
Thanks a lot for posting this. It's a great step forward for remote BitLocker management.
Ever managed to get the keys escrowed while connected to the IBCM server? We have hit the same block, followed your workaround, the policies get applied, everything looks just about right. But for nothing in the world of the registry keys the client will try to escrow the keys back to the SCCM server. No errors, it just doesn't start the Recovery Key Escrow process.