BitLocker certificate template




















That setup is working as intended and I am quite happy with it. As the next phase of this project, I am attempting to set up Network Unlock and I am getting hung up on the certificate part. I am following the guide here:

The guide is pretty bad IMO. Some of the steps are out of order and I think it is missing some critical information based on what I am seeing. I am on Step 4 of the guide but I cannot get the certificate to issue. I am getting the following error message:

Hi Sean - did you ever fix this? I am also getting the same issue and cannot find a fix.

I presume when I am requesting a certificate my WinR2 server is defaulting my public cert to but I have no idea where I tell it to use and there is nothing in the Cert Enrollment wizard to instruct it.

Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer. A certificate must meet the following key usage and enhanced key usage requirements before it can be used to encrypt a drive with BitLocker:

The BitLocker object identifier is set to 1. You can use Group Policy to change this value if, for example, you want to share an existing certificate with BitLocker. If the certificate belongs to a data recovery agent and is only used to recover BitLocker-protected data, it is recommended that it also have one of these attributes, but it is not mandatory. No certificate validation occurs when adding a data recovery agent to a drive. The following procedures describe how to configure a data recovery agent and an identification field for BitLocker.

Local Administrators is the minimum group membership required to complete these procedures. Click Next.

Microsoft are no doubt looking to move people to a cloud-delivered solution, but until the existing shortcomings are addressed, MBAM will continue to be deployed by organisations. In this series of posts I am going to run through the process of setting up MBAM, deploying the agent and group policies out to clients, customisation of the self-service portal and troubleshooting.

These items might have been covered in other sources throughout the years since MBAM was released, however I wanted to put everything into a comprehensive guide for our readers.

You will also need to download the ASP. MBAM requires several service accounts and security groups to be set up prior to installation. For this post and example, I am going to create the following user accounts and security groups (you can obviously use different naming to suit your environment, however):

If you wish to use an alternative host name for access, such as MBAM. SQL reporting services is also required for the reporting element of the installation; remember, if you are using SQL for instance the SSRS installation is a separate install.

Note: Historically I have seen organisations using their System Center SQL instance for storing the database. This was due to past inaccuracies about the licensing rights for this; however, Microsoft clarified the use rights in July in the following statement:

Net Framework installed prior to installation. If you run the below PowerShell command, these components will be installed:

The ASP. To create a template for your MBAM server(s), simply follow the below:

With the template created, you can then request the certificate on your front-end web server running IIS and apply it accordingly.


