By Matt Shadbolt (@ConfigMgrDogs) | Principal Program Manager, Microsoft Endpoint Manager
In November 2019, we announced the integration of Microsoft Intune and Configuration Manager into a unified, integrated management platform. Customers who wish to deploy BitLocker management on-premises may do so using Configuration Manager without the need to deploy MBAM. We also support customers who prefer to manage BitLocker using Microsoft Intune cloud services without maintaining an on-premises infrastructure. With key rolling fully integrated into Windows 10, version 1909, and Microsoft Endpoint Manager's investment in BitLocker management, we are providing an update on the BitLocker management roadmap, originally posted here.
Figure 1: Microsoft BitLocker management lifecycle
Cloud-based BitLocker management using Microsoft Intune
Managing BitLocker via Intune gives organizations the confidence their Windows data is stored encrypted, without the need to manage an on-premises infrastructure. Here are some of the features you’ll get when using Intune for BitLocker management:
- Silently enable BitLocker, allowing encryption to be enforced and enabled without user interaction.
- Ability for encryption to be enabled by non-administrator users.
- New BitLocker readiness and compliance reports.
- IT Pro recovery key access experience.
- Recovery key rotation, triggered either at the client or from the service.
- Migration from MBAM to Intune can be performed by triggering a BitLocker key rotation and removing redundant BitLocker management agents.
NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.
Figure 2: Microsoft BitLocker encryption settings in Intune
Figure 3: Trigger a BitLocker key rotation from the Intune portal
In the future, we plan to release end-user self-service recovery key access and Azure Active Directory based auditing of key access.
On-premises BitLocker management using Configuration Manager
For customers who cannot move certain devices to cloud management, Microsoft Endpoint Manager includes both Intune and Configuration Manager capabilities. Native BitLocker management is available in Configuration Manager, version 1910 and newer releases. Some of the features include:
- The ability to enforce the use of BitLocker on ConfigMgr managed clients.
- Helpdesk and end-user self-service BitLocker recovery key experiences.
- BitLocker readiness and compliance reporting.
- TPM, PIN, and recovery key management.
- Migration can be performed by upgrading the Configuration Manager client to version 1910. This upgrade will also automatically upgrade the MBAM agent, if necessary.
NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.
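A read-only readiness check for the migration steps described in this section and in the Intune section above (trigger a key rotation, retire redundant agents, remove MBAM Group Policy settings), written here as an added example that is not part of the original post or of Microsoft's own tooling. The MBAM policy registry path and the `MBAMAgent` service name are assumptions; adjust them to match your environment.

```powershell
# Added example (not from the original post): report whether a Windows client
# is ready to move from MBAM to Intune or Configuration Manager BitLocker
# management. Run from an elevated PowerShell session; it changes nothing.
function Get-BitLockerMigrationReadiness {
    [CmdletBinding()]
    param(
        # ASSUMPTION: registry location written by the MBAM Group Policy templates.
        [string]$MbamPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement',
        # ASSUMPTION: service name of the MBAM client agent.
        [string]$MbamServiceName = 'MBAMAgent'
    )

    $tpm      = Get-Tpm -ErrorAction SilentlyContinue
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Leftover MBAM policy values are the "conflicting encryption settings"
    # the note warns about; list them so they can be removed from the GPO.
    $mbamPolicy = Get-ItemProperty -Path $MbamPolicyPath -ErrorAction SilentlyContinue
    $mbamValues = @()
    if ($mbamPolicy) {
        $mbamValues = @($mbamPolicy.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Name })
    }

    $mbamService = Get-Service -Name $MbamServiceName -ErrorAction SilentlyContinue

    # A recovery password protector must exist for the key to be escrowed
    # to the service and rotated after migration.
    $hasRecoveryPassword = [bool]($osVolume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        TpmPresent          = [bool]$tpm.TpmPresent
        TpmReady            = [bool]$tpm.TpmReady
        OsVolumeStatus      = $osVolume.VolumeStatus
        ProtectionStatus    = $osVolume.ProtectionStatus
        EncryptionMethod    = $osVolume.EncryptionMethod
        HasRecoveryPassword = $hasRecoveryPassword
        MbamAgentPresent    = [bool]$mbamService
        MbamAgentStatus     = $(if ($mbamService) { $mbamService.Status } else { 'NotInstalled' })
        LeftoverMbamPolicy  = $mbamValues
        ReadyForMigration   = ([bool]$tpm.TpmReady) -and $hasRecoveryPassword -and ($mbamValues.Count -eq 0)
    }
}

Get-BitLockerMigrationReadiness | Format-List
```

On the Configuration Manager path the agent is expected to remain (the client upgrade updates it), so treat `MbamAgentPresent` as informational there and act only on `LeftoverMbamPolicy`.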
Figure 4: Create a BitLocker encryption policy from the Endpoint Manager console
Next steps
Delivering on the Microsoft Endpoint Manager vision, customers can confidently manage device encryption for Windows and other platforms using the tools that work best for them, whether on-premises or cloud-based. You can find information about the latest feature releases in our product documentation.