Bitlocker recovery key and re-image using MECM
Question
Hi All
Just a question I have around Bitlocker.
So I have an OSD task sequence which sets up BitLocker on the machine. I have installed the optional features for BitLocker Administration on a domain controller, and once the machine is online, BitLocker is operational and works fine. I can also see that the recovery key is shown in AD.
However, if I were to reimage the machine, apart from removing the computer entry in AD and the device in MECM, what would happen with the recovery key? I assume it changes when I rebuild the device.
I ask as I have heard that if the machine is built with the same client hostname, numerous records can start to appear for recovery keys, but I don't want this to occur.
Would just removal of the AD computer object and the device name in MECM be enough to ensure a unique recovery key is generated every time?
Just to add, I am aware MBAM has been or is being phased out. If machines are still being managed on-premises with MECM only, would using AD be the best approach, or using the BitLocker feature in MECM? I believe the latter requires MECM to be configured with HTTPS?
Is it relatively easy to convert from HTTP to HTTPS, and can I do this without using a public cert? In other words, can I create and use a self-signed cert?
Many thanks in advance for support.
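One way to check for the duplicate-record concern raised above is to list the msFVE-RecoveryInformation objects stored under a computer object in AD. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is available and the account has read access to the recovery information objects, and the hostname is a placeholder.

```powershell
# Added example: report the BitLocker recovery key records held in AD under a
# computer object, so you can see whether re-imaging has left stale entries.
# Assumes the ActiveDirectory module (RSAT) and read access to the
# msFVE-RecoveryInformation objects; 'PC01' is a placeholder hostname.
param(
    [Parameter(Mandatory)] [string] $ComputerName = 'PC01'
)
Import-Module ActiveDirectory

# Get-ADComputer throws if the object does not exist; stop there.
$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Recovery information objects are direct children of the computer object.
$keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated)

# Report GUIDs and timestamps only; the recovery password itself is never displayed.
$report = foreach ($k in $keys) {
    [pscustomobject]@{
        Computer     = $computer.Name
        RecoveryGuid = [guid]$k.'msFVE-RecoveryGuid'   # stored as an octet string
        VolumeGuid   = [guid]$k.'msFVE-VolumeGuid'
        Created      = $k.whenCreated
    }
}
$report | Sort-Object Created | Format-Table -AutoSize

# More than one record per volume usually means an older build's key is still present.
if ($keys.Count -gt 1) {
    Write-Warning ("{0} recovery key records exist under {1}; check whether the older ones belong to a previous image." -f $keys.Count, $computer.Name)
}
```

Run it against a machine after a rebuild; if the computer object was deleted before OSD, only the newly escrowed record(s) should appear.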
Answer (1)
The latest info from the doc on the HTTPS requirement:
You can also try eHTTP, can't you? To make the MP HTTPS.
The BitLocker recovery service requires HTTPS to encrypt the recovery keys across the network from the Configuration Manager client to the management point. There are two options:
HTTPS-enable the IIS website on the management point that hosts the recovery service. This option only applies to Configuration Manager version 2002.
Configure the management point for HTTPS. This option applies to Configuration Manager versions 1910 or 2002.
https://docs.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites