Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
 
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
 
Keep calm and we will be with you shortly!

Jörgen Nilsson 01 Oct 2021
3 min

Important! – MEMCM enabling BitLocker during OSD post 2103

I have always liked Microsoft BitLocker Administration and Monitoring(MABM) as it provides us with additional functionality compared to saving the BitLocker recovery key in Active Directory. MBAM brings us for example:
– Protection against accidental deletion of AD computer object (Separate DB)
– Key rotation
– Self-Service
– Role based access to Recovery Keys
– Compliance reporting
– Escrowing TPM Password Hash
..and more.

MBAM was integrated in Configuration Manager and first released in 1910 and has been improved in every release after that. Where the latest addition is support for Enhanced HTTP and CMG to escrow the recovery key which is awesome!
To enable BitLocker during OSD when using MBAM Standalone we used the script “Invoke-MbamClientDeployment.ps1” after first installing the MBAM client during OSD. The script then escrowed the recovery key and if present the TPM Password Hash to the MBAM Webservice and all was well.

When MBAM was integrated into MEMCM many of us still used the same script / solution to enable BitLocker during OS deployment as the WebService/DB tables used by MBAM was basically just added to Configuration Manager.

However in MEMCM 2103 this all changed after supportcase it turned out that using the script (and I would assume GPO) creates extra policies and drastically impact performance.
From the KB article:
“Using the Invoke-MbamClientDeployment.ps1 PowerShell script or alternative methods that utilize the MBAM Agent API to escrow recovery keys to a Management Point in Configuration Manager current branch, version 2103 generates a large amount of policy targeted to all devices which can cause policy storms. This leads to severe degradation of performance in Configuration Manager, primarily with SQL and Management Points.”

More information can be found here: https://docs.microsoft.com/en-us/mem/configmgr/hotfix/2103/10372804
If you have used the script or MBAM GPO pointing the MBAM client to MEMCM I would run the script in the KB article above to check if you are impacted, if so you need to create a support ticket to get help to fix it.
In one of my lab environments I have one entry as shown in the sample output below:

Sample output when policies are created

The CM Update KB10372804 and later versions of MEMCM contains a fix to make sure that these policies are not created. It does not clear up already existing that is why a support call is needed to clean up the already created policies.

Docs now also has a clear statement the using the “Invoke-MbamClientDeployment.ps1” together with MEMCM 2103 and later is not supported. Even if the issue is fixed I would not use the script anyway as it clearly states “Not Supported”

Supported statement

More information here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25

What options do we have then to enable BitLocker during OSD to save them in MEMCM?
– Do not enable BitLocker during OSD but let the Configuration Manager client handle it after OSD ( many security departments would not approve)
– Enable BitLocker and don’t save the Recovery Key during OSD and then let the MEMCM client manage it(I would not go down that road either)
– Enable BitLocker and save the registry key in Active Directory using the builtin-steps in the Task Sequence to then later let the MEMCM client escrow it to the Configuration Manager DB.

If you like want a third option please vote for this User Voice Item!: Add option to the “Enable BitLocker” Task Sequence step to escrow the Recovery key directly to MEMCM DB – Welcome to Configuration Manager Feedback (uservoice.com)
that would be great to be able to enable BitLocker with a builtin step in the Task Sequence and save it in the MEMCM DB without having to store it in AD before for example.

Here are some sample steps, really simple in the Task Sequence, Important is to use the same Encryption Algorithm in both steps in the Task Sequence as in the BitLocker Policy in Configuration Manager.

Pre-Provision BitLocker :

Pre-Provision BitLocker

Enable BitLocker:

Enable BitLocker

What about the TPM Password Hash? Well it has been tricky to get it to escrow as it since Windows 10 1607 it is no longer available from within Windows.
We can no longer store TPM Password hash anymore even if it exists in a Task Sequence variable if TPM Ownership is taken during OSD.
More information can be found here: https://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/