Enabling MBAM (BitLocker) in MECM 2103

Dilan Nanayakkara 1,111

HI All,

we are using MECM 2103 and have requirement of deploy BitLocker management via MECM. So I have a question since we have enabled "Enhanced HTTP" in our configuration manager, Can we configure MBAM without setting up PKI certificates? or else still do we need to configure PKI certificate infrastructure as a pre-requestees for MBAM.

highly appreciate the help.

Thanks,
Dilan

Accepted answer

Rahul Jindal [MVP] 10,196 Reputation points MVP

2022-01-25T08:32:50.49+00:00

Starting 2103, BDE supports EHTTP. So as long your clients are upgraded to 2103, you should be good. Another option is that you can configure Co-management and move the EP workload to Intune and manage Bitlocker policies through Intune.
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

Jason Sandys 31,306 Reputation points Microsoft Employee

2022-01-25T14:56:38.287+00:00

Note that you do still need to supply a certificate in SQL Server to encrypt the BitLocker recovery information in the database.
Please sign in to rate this answer.
Dilan Nanayakkara 1,111 Reputation points

2022-01-25T15:13:52.02+00:00

@Jason Sandys Thank you very much, Just wanted to clear out some things for me.

if I don't want to encrypt BitLocker recovery information, I don't want to create a certificate in SQL server right?

then, again if I did encrypt BitLocker recovery information in the databases, I would do this using self-sign certificate using script in SQL server right without configuring PKI certificates right?

I just had a look on how I can follow this SQL encryption for the recovery information and came up with below link.

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data#sql-server-encryption-certificate

Appreciate if you cam let me know if I missed anything here.

thanks again for your help!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Jason Sandys 31,306 Reputation points Microsoft Employee

2022-01-25T16:02:46.607+00:00

if I don't want to encrypt BitLocker recovery information, I don't want to create a certificate in SQL server right?

Correct although I'm not sure why you wouldn't want to do this.

if I did encrypt BitLocker recovery information in the databases, I would do this using self-sign certificate using script in SQL server right without configuring PKI certificates right?

Correct. There is a way to use a PKI-issued cert but the ConfigMgr docs only include details on creating and using a self-signed cert.
Please sign in to rate this answer.
Dilan Nanayakkara 1,111 Reputation points

2022-01-25T16:41:09.81+00:00

@Jason Sandys again, thank you very much for your help!

Amandayou-MSFT 11,141 Reputation points

2022-01-26T02:43:22.807+00:00

Hi,

Thanks for your update and Jason' patient answer.

If the answer is helpful, please accept answer. It will make someone who has the similar issue easily find the answer.

If you have any other concerns, please don't hesitate to let us know.

Thanks and have a nice day.

Best regards,
Amanda
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Enabling MBAM (BitLocker) in MECM 2103

2 additional answers

Your answer