
UNM SCCM/BitLocker Process

Prework

- Ensure the computer is configured for UEFI and that the TPM is enabled (TPM version 2 is preferred)

- Ensure the SCCM client is installed, configured, and properly reporting into SCCM

- If you are migrating MBAM-managed devices to SCCM BitLocker management, ensure you unlink the legacy MBAM GPOs from the OUs containing your encrypted devices

Process

1. Create Collections in SCCM containing the devices you want to encrypt (and manage with SCCM)

 - The Collections can be based on OUs or Groups if you prefer to manage encryption through AD, but note that it is ultimately SCCM that applies the BitLocker policies

2. Deploy the UNM – MBAM Policy BitLocker Management Policy to your Collections in SCCM

3. Within 24 hours, the MBAM client will be automatically deployed to the device(s) and the BitLocker encryption process will begin.

4. You can expedite the process by doing the following:

 - Run the Machine Policy Retrieval & Evaluation Cycle Action in the Configuration Manager

 - If the device is receiving the UNM – MBAM Policy, it should appear under the Configurations tab

 - MDOP MBAM should be automatically installed and appear under Add/Remove Programs

5. If you performed/checked the steps above and the BitLocker encryption process has not begun after an hour, run the following to see if there are errors/issues preventing the process from starting (if there are no pending issues, this same command will also jump-start the encryption process):

 - C:\Program Files\MDOP MBAM\MBAMClientUI.exe

 - If the MBAM GUI reveals errors, remediate them and re-run MBAMClientUI.exe to start the encryption process

6. Wait for BitLocker encryption to complete

7. Lastly, check the MBAM event log (Applications and Services Logs --> Microsoft --> Windows --> MBAM) for Event ID 29 (RecoveryKeyEscrowed) - this indicates that SCCM has successfully escrowed the recovery key

 - This may take 24 hours or so (and require logging out and back into the computer)

 - To be 100% sure the key is escrowed, submit a ticket to the EMSS team to validate the presence of the key in the SCCM database
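The prework checks, the expedite/MDOP MBAM checks, the encryption state and the Event ID 29 escrow check can be walked on a single device with a PowerShell script such as the one below. It is an added example, not part of the UNM procedure or the MBAM product; the MBAM event channel name (Microsoft-Windows-MBAM/Operational) and the SCCM trigger schedule GUID are standard Windows/ConfigMgr values assumed here rather than taken from the page.

```powershell
# Added example: read-only BitLocker/MBAM readiness check for one SCCM-managed client.
# Run in an elevated PowerShell session on the device. Assumptions (not from the page):
# the MBAM escrow event lands in the Operational channel, and schedule ID ...021 is the
# Machine Policy Retrieval & Evaluation Cycle.
[CmdletBinding()]
param([switch]$TriggerPolicy)   # also kick the Machine Policy Retrieval & Evaluation Cycle

$result = [ordered]@{}

# Prework: UEFI firmware and an enabled, ready TPM (TPM 2.0 preferred)
$result.Firmware = $env:firmware_type                      # "UEFI" or "Legacy"
$tpm             = Get-Tpm
$result.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$result.TpmSpec  = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                        -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

# Prework: SCCM client service present and running
$result.CcmExec = (Get-Service -Name CcmExec -ErrorAction SilentlyContinue).Status

# Expedite: request machine policy so the UNM - MBAM Policy arrives sooner
if ($TriggerPolicy -and $result.CcmExec -eq 'Running') {
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
}

# Expedite: MDOP MBAM listed in Add/Remove Programs (both uninstall hives)
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$result.MbamInstalled = [bool](Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
                               Where-Object DisplayName -like 'MDOP MBAM*')

# Encryption state of the OS volume, plus whether a recovery password protector exists
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.VolumeStatus      = $vol.VolumeStatus
$result.EncryptionPercent = $vol.EncryptionPercentage
$result.ProtectionStatus  = $vol.ProtectionStatus
$result.HasRecoveryPwd    = [bool]($vol.KeyProtector |
                                   Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Escrow: Event ID 29 (RecoveryKeyEscrowed) in the MBAM log
$escrow = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-MBAM/Operational'; Id = 29 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
$result.KeyEscrowed = [bool]$escrow
$result.EscrowedAt  = $escrow.TimeCreated

[pscustomobject]$result
```

A device is in the expected end state when Firmware is UEFI, TpmReady is True, CcmExec is Running, MbamInstalled is True, VolumeStatus is FullyEncrypted with ProtectionStatus On, and KeyEscrowed is True; a False KeyEscrowed after a FullyEncrypted volume is the case where the ticket to the EMSS team is warranted.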