I wanted to know whether HCL BigFix (Patch Management) can be integrated with MS PKI via an NDES server and used as an MDM solution to enable BitLocker on Windows endpoints. Also, can the BitLocker keys be managed via the MS PKI using the BigFix solution? If yes, which component of BigFix would be required, and which version? Is the BigFix Patch Management solution enough, or do I need additional BigFix solution components?
I’m not sure I understand what you’re trying to ask. PKI is a huge topic; you may need to break this down into smaller pieces.
BigFix does not proxy SCEP traffic between clients and an NDES server, which seems to be part of what you’re asking?
As far as I recall, certificates and PKI are not involved in BitLocker, either. BigFix MDM can deploy policies to enforce BitLocker encryption, and can help escrow the BitLocker keys (to, I believe, Active Directory or HashiCorp Vault, but I’d need to find more details if that’s what you’re asking about).
I also don’t understand where BitLocker comes into play with NDES. NDES can be used with an MDM for user or machine certificates, but I don’t really understand your use case with BitLocker and NDES.
It’s much easier to use native AD GPO to enroll your Windows clients for certs. Then use BigFix for running any binding scripts.
For non-Windows clients, we’ve successfully used AirWatch (now Workspace ONE), Ansible, and JAMF to proxy cert requests to our CAs. Works well.
Regarding BitLocker, either use BigFix MDM or run your own PowerShell scripts to install and manage BitLocker, including AD key escrow. The latter is what we have done for years now.
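The "own PowerShell script" approach mentioned in the last reply, as an added example (not a script posted by anyone in this thread or shipped by BigFix): it enables BitLocker on the OS volume with a TPM protector, adds a recovery-password protector, escrows it to AD DS and returns a status object a management tool could collect. It assumes a domain-joined machine, the built-in BitLocker and TrustedPlatformModule PowerShell modules, and the GPO "Store BitLocker recovery information in Active Directory Domain Services" already enabled (Backup-BitLockerKeyProtector fails without it).

```powershell
#Requires -RunAsAdministrator
# Assumptions: domain-joined host, BitLocker/TrustedPlatformModule modules present,
# AD escrow GPO enabled. $MountPoint is the only value you would normally change.
$MountPoint = 'C:'

# 1. Preconditions: a present and ready TPM, otherwise a TPM protector cannot be used.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready on this host; aborting BitLocker enablement."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker protection already on for $MountPoint; skipping enable step."
} else {
    # 2. Add the recovery-password protector first so a recovery key exists
    #    (and can be escrowed below) before encryption and the reboot.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 3. Bind the volume to the TPM and start encryption. XTS-AES-256 is the
    #    current default recommendation; -UsedSpaceOnly shortens first-run time.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 4. Escrow every recovery-password protector to AD DS. Each call writes an
#    msFVE-RecoveryInformation object under the computer account.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) { throw "No recovery password protector found on $MountPoint." }
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    Write-Host "Escrowed recovery protector $($kp.KeyProtectorId) to AD DS."
}

# 5. Return a compact status record; a BigFix analysis or log shipper can
#    consume this to confirm encryption state and which protectors exist.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
}
```

Run it once per endpoint as the local administrator; re-running is safe because it skips the enable step on an already protected volume and re-escrow simply overwrites the same recovery information in AD.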