Bitlocker Recovery

Ranjithkumar Duraisamy 226 Reputation points
2022-09-12T14:24:32.967+00:00

Hi Team, a general one: if I need to understand the BitLocker infrastructure from ConfigMgr,
where should I begin, and
what are all the things I should check?

Could you please help?

Microsoft Configuration Manager

4 answers

  1. AllenLiu-MSFT 43,951 Reputation points Microsoft Vendor
    2022-09-13T02:23:42.977+00:00

    Hi, @Ranjithkumar Duraisamy

    Thank you for posting in Microsoft Q&A forum.

    We may start deploying BitLocker management with this article:
    https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent

    And here are the prerequisites for your reference:
    https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Ranjithkumar Duraisamy 226 Reputation points
    2022-09-13T06:27:02.233+00:00

    Hi @AllenLiu-MSFT, good to see you. Thank you so much for your support, as usual. This really helps.

    I just tried to review my ConfigMgr environment and found this query returns only 15 rows. Any idea why?

    Note:

    1. Not sure if drive encryption policies are configured and applied correctly, but I don't see anything configured other than the Setup and Removable Disk tabs. Attaching the same for your review.
    2. But I see the BitLocker steps in the OSD TS to Pre-Provision and Enable.
    3. I have heard that frontline supporters used to get the recovery keys from AD.

    /****** Script for SelectTopNRows command from SSMS ******/
    SELECT TOP (1000) [Id]
    ,[LastUpdateTime]
    ,[VolumeId]
    ,[RecoveryKeyId]
    ,[RecoveryKey]
    ,[RecoveryKeyPackage]
    ,[Disclosed]
    FROM [CM_BC1].[dbo].[RecoveryAndHardwareCore_Keys]


  3. AllenLiu-MSFT 43,951 Reputation points Microsoft Vendor
    2022-09-14T08:07:13.963+00:00

    Hi, @Ranjithkumar Duraisamy

    Thanks for the feedback.

    Why do you only have Setup and Removable Disk tab? Why not configure Operating System Drive and Fixed Drive and Client Management?

    On the Client Management page, Configure BitLocker Management Services: When you enable this setting, Configuration Manager automatically and silently backs up key recovery information in the site database. If you disable or don't configure this setting, Configuration Manager doesn't save key recovery information.

    You may refer to the link to re-create and re-deploy this policy:
    https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#create-a-policy

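As an added example (not part of either poster's messages and not Microsoft's own code), one way to check how much key recovery information the site database actually holds, and how old it is, without ever selecting the secret columns. It uses only the database, table and column names from the query posted above; the 180-day staleness threshold and the assumption that `LastUpdateTime` is a date/time column are mine.

```sql
-- Added example: escrow audit over the table named in the thread.
-- It deliberately never selects RecoveryKey or RecoveryKeyPackage,
-- so the result can be shared in a ticket or a forum post.
USE [CM_BC1];  -- site database name as posted in the thread

DECLARE @StaleDays int = 180;  -- assumed threshold, adjust to your policy

-- 1. Overall picture: how many keys, for how many volumes, and how old.
SELECT
    COUNT(*)                   AS KeyRows,
    COUNT(DISTINCT [VolumeId]) AS VolumesWithKeys,
    MIN([LastUpdateTime])      AS OldestEscrow,
    MAX([LastUpdateTime])      AS NewestEscrow,
    SUM(CASE WHEN [LastUpdateTime] < DATEADD(DAY, -@StaleDays, GETDATE())
             THEN 1 ELSE 0 END) AS RowsOlderThanThreshold
FROM [dbo].[RecoveryAndHardwareCore_Keys];

-- 2. Escrow activity per month: a timeline that stops abruptly points to
--    the date the backup of recovery information stopped working.
SELECT
    YEAR([LastUpdateTime])  AS EscrowYear,
    MONTH([LastUpdateTime]) AS EscrowMonth,
    COUNT(*)                AS KeysEscrowed
FROM [dbo].[RecoveryAndHardwareCore_Keys]
GROUP BY YEAR([LastUpdateTime]), MONTH([LastUpdateTime])
ORDER BY EscrowYear, EscrowMonth;

-- 3. Volumes holding more than one key row, newest first.
SELECT
    [VolumeId],
    COUNT(*)              AS KeyCount,
    MAX([LastUpdateTime]) AS LatestKey
FROM [dbo].[RecoveryAndHardwareCore_Keys]
GROUP BY [VolumeId]
HAVING COUNT(*) > 1
ORDER BY LatestKey DESC;
```

A `VolumesWithKeys` count far below the number of encrypted devices, together with a timeline that ends long ago, is consistent with the Client Management setting described above never having been enabled for most clients.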

  4. Ranjithkumar Duraisamy 226 Reputation points
    2022-09-14T10:11:36.173+00:00

    Hi @AllenLiu-MSFT, those are all the configurations or misconfigurations done by an ex-colleague, and that's exactly what I have been thinking of getting fixed or completed. So, I decided to get my view validated by the powerful immortals of the ConfigMgr world. ;) Thank you so much for sharing your view and recommendation towards fulfilling the BitLocker configuration.

    Here's another catch. As I stated before, the ConfigMgr DB has only 15 rows of recovery keys, which seem very old too, and there is no clue about the other devices' recovery keys. How would I restore them back to the ConfigMgr DB or AAD?

    Note: Poor management wants to park ConfigMgr soon, but I have been educating (fighting) about their too-early decision. So, if you say it's wise to escrow the recovery keys to AAD, please guide me accordingly.

    Thank you once again for all your support.

