
Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today's enterprises to secure modern endpoints.

Microsoft provides a range of flexible BitLocker management alternatives to meet your organization's needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Intune
  2. On-premises BitLocker management using System Center Configuration Manager
  3. Microsoft BitLocker Administration and Monitoring (MBAM)

Figure: Enterprise BitLocker management lifecycle. Enterprise BitLocker management includes assessing readiness, key management and recovery, and compliance reporting. Whichever option is right for your company, we have a complete enterprise solution.

Let us explore each of these alternatives in some detail.

Option 1 - Cloud-based BitLocker management using Microsoft Intune

Microsoft Azure Active Directory and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management and include management capabilities for Microsoft BitLocker on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.
Figure: Microsoft Intune Endpoint Protection portal with example settings. With 38 BitLocker encryption settings, you can customize the settings for your company.

As enterprises increasingly look to modernize through cloud scale and simplicity, Microsoft is committed to driving the same approach for cloud-based BitLocker management. The Microsoft Intune BitLocker management platform is available today and includes compliance reporting and encryption configuration, with key retrieval and rotation on the roadmap. In the coming months, we expect Microsoft cloud-based BitLocker management to meet and exceed the MBAM capabilities you are familiar with.

Additionally, Windows Autopilot offers a modern provisioning approach to ensure BitLocker is seamlessly enabled on Windows devices, integrating with Azure Active Directory to provide a compliant device on first logon.
Here are some BitLocker management features you will find in Microsoft Intune:

  • Readiness and compliance reporting: dedicated encryption reports that help admins understand the encryption status of their device estate and show whether devices can be successfully enabled with BitLocker. If devices fail BitLocker enablement, you'll see on-screen error codes to help you troubleshoot and bring them to a successful state.
  • Configuration: granular BitLocker configuration that empowers admins to manage devices to their intended level of security. We're constantly working with customers and making bold investments to determine which features require mobile device management (MDM) support.
  • Key recovery auditing: reports on who accessed recovery key information in Azure AD. Reports are coming later in 2019.
  • Key recovery: enables you or another admin to recover keys in the Microsoft Intune console. You may enable user self-service key recovery using the Company Portal app, available across device platforms such as web, iOS, Android, Windows, and macOS. Self-service is expected to be available later in calendar year 2019.
  • Key management (coming in 2019): single-use recovery keys on Windows devices, with keys rolled on access (by the client) or on demand (by Intune remote actions). Key rotation is expected later in calendar year 2019.
  • Migrating from MBAM to cloud management (coming in 2019): for current MBAM customers that need to migrate to modern BitLocker management, we are integrating that migration directly into the key rotation feature, available later in calendar year 2019.

Option 2 – On-premises BitLocker management using System Center Configuration Manager

For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However, to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.

Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.
Configuration Manager (SCCM) will provide the following BitLocker management capabilities:

  • Provisioning: our provisioning solution will make BitLocker a seamless experience within the SCCM console while retaining the breadth of MBAM.
  • Prepare Trusted Platform Module (TPM): admins can open the TPM management console for TPM versions 1.2 and 2.0. SCCM will also support TPM+PIN as a pre-boot authenticator. For devices without a TPM, a USB startup key can be used as the authenticator at boot.
  • Setting BitLocker configuration: all MBAM-specific configuration values that you set will be available through the SCCM console, including drive encryption and cipher strength, user exemption policy, fixed data drive encryption settings, and more.
  • Encryption: admins determine the algorithms used to encrypt the device, the disks that are targeted for encryption, and the credentials users must present in order to gain access to the disks.
  • Policy enactment / remediation on device: admins can force users to become compliant with new security policies before they can access the device.
  • Users can set a PIN or password on TPM and non-TPM devices: admins can customize their organization's security profile on a per-device basis.
  • Auto-unlock: policies specify whether to unlock only the OS drive, or all attached drives, when a user unlocks the OS drive.
  • Helpdesk portal with auditing: a helpdesk portal allows personas in the organization other than the SCCM admin to help with key recovery, including key rotation and other MBAM-related support cases that may arise.
  • Key rotation: key rotation makes each recovery key single-use for unlocking a BitLocker-encrypted device. Once a recovery key is used, a new key is generated for the device and stored securely on-premises.
  • Compliance reporting: SCCM reporting will include all reports currently found in MBAM, in the SCCM console. This includes key details such as encryption status per volume and per device, the primary user of the device, compliance status, and reasons for non-compliance.
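
Both the Intune key management item above (keys rolled on access or on demand) and the Configuration Manager key rotation item describe the same mechanism: once a recovery password has been used, replace it so the escrowed copy is single-use. The PowerShell below is an added example, not code from this post or from either product's implementation, showing what that rotation looks like when performed locally with the built-in BitLocker cmdlets. It assumes an elevated session on either an Azure AD-joined device (BackupToAAD-BitLockerKeyProtector) or a domain-joined device whose AD schema and policy already allow recovery-information backup (Backup-BitLockerKeyProtector). The ordering is the security point: the new protector is added and escrowed before any old one is removed, so the volume is never left with a recovery password that exists nowhere but on the disk.

```powershell
# Added example: rotate the BitLocker recovery password on one volume so the
# previously escrowed key becomes single-use. Not the Intune/ConfigMgr code.
# Assumes an elevated session and an Azure AD- or domain-joined device.
#Requires -RunAsAdministrator

function Invoke-RecoveryPasswordRotation {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet('AzureAD', 'ActiveDirectory')]
        [string]$EscrowTarget = 'AzureAD'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
    }

    # Every existing recovery password is retired; the one that was just used is among them.
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Add the replacement first. If anything later fails, the volume still has
    #    at least one recovery password rather than none.
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId } |
        Select-Object -First 1

    # 2. Escrow the new protector before touching the old ones.
    switch ($EscrowTarget) {
        'AzureAD'         { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null }
        'ActiveDirectory' { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null }
    }

    # 3. Only now remove the previous recovery passwords from the volume.
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        MountPoint     = $MountPoint
        RemovedCount   = $old.Count
        NewProtectorId = $new.KeyProtectorId
    }
}

Invoke-RecoveryPasswordRotation -EscrowTarget AzureAD
```

If the escrow call throws (no network, device not joined, missing AD permissions), the function stops before step 3, which is the intended failure mode: an extra recovery password on the volume is recoverable, a missing one is not. A management agent doing this "on access" would run the same sequence immediately after a recovery password has been entered at the pre-boot prompt.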

Option 3 - Microsoft BitLocker Administration and Monitoring (MBAM)

Since 2011, the enterprise standard for BitLocker management has been Microsoft BitLocker Administration and Monitoring (MBAM), which requires dedicated on-premises infrastructure, including database servers. Microsoft has announced MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024. Customers can continue to deploy and use MBAM 2.5 SP1, fully supported by Microsoft during the extended support period. The end of mainstream support indicates that new features will not be added to MBAM 2.5 SP1. Microsoft is dedicated to investing in modern approaches that simplify and streamline BitLocker management for the enterprise. MBAM remains a supported management tool for customers that don't currently use either Microsoft Intune or System Center Configuration Manager.

More info and feedback

Whether you are a current MBAM customer or are using a third-party tool for BitLocker management, Microsoft can help support your transition to modern enterprise BitLocker management at your own pace with a unified endpoint management platform that includes Microsoft Intune and Configuration Manager.

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

Follow @MSIntune and @MSWindowsITPro on Twitter

17 Comments
Occasional Contributor

This will be useful. We already have SCCM on premise in our environment, is additional MBAM infrastructure required?

New Contributor

So after this, the user must still enable Bitlocker by himself? I see we can enforce that the user must first enable Bitlocker before he can proceed:

Admins can force users to get compliant with new security policies before being able to access the device.

But the biggest struggle now is that the user must do it by himself. Let us do it; it makes things far easier: fewer helpdesk phone calls, more user satisfaction. Like this uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/32170921-ability-to-seamlessly...

Frequent Visitor

Will there be a migration path from an established MBAM infrastructure to ConfigMgr?

Microsoft

@Erjen Rijnders you can leverage MBAM to seamlessly encrypt the device with no user interaction. We can also use SCCM and the "Enable BitLocker" Task Sequence step, leveraging PowerShell and the manage-bde commands, to also enable encryption with no user interaction.

I also am looking forward to Intune being able to seamlessly enable BitLocker, but there are other options if your organization has the products and technologies.
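
As an added example (it is neither the Enable BitLocker task sequence step nor code from anyone in this thread), here is what an unattended enablement script of the kind the reply describes looks like with the built-in BitLocker cmdlets, with manage-bde used only as an independent status check at the end. It assumes an elevated context (a task sequence or a SYSTEM scheduled task), a domain-joined device with a ready TPM, the system drive as the target, and that the AD schema and the policy for storing recovery information in AD DS are already in place.

```powershell
# Added example (not the ConfigMgr task-sequence step): enable BitLocker on the
# OS drive with a TPM-only protector so boot needs no user input, escrow a
# recovery password to Active Directory, and verify with manage-bde.
# Assumes: elevated session, domain-joined device, AD escrow policy in place.
#Requires -RunAsAdministrator

function Enable-SilentBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    # A TPM-only protector is the only one that needs nothing from the user at
    # boot. If the TPM is absent or not ready, stop rather than fall back to a
    # PIN or startup key, either of which would surface a prompt.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready; cannot enable BitLocker unattended on $MountPoint."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # -SkipHardwareTest avoids the reboot-and-test cycle, so encryption starts now.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
        # The recovery password is what the helpdesk hands out later; it must exist
        # and be escrowed before the device leaves the build process.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Escrow every recovery password protector under the computer's AD object.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

    # manage-bde reports the same state through a different code path; keep the
    # lines a task-sequence log would want.
    $report = & manage-bde.exe -status $MountPoint |
        Where-Object { $_ -match 'Conversion Status|Protection Status|Percentage Encrypted' }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        HasTpmProtector  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        ManageBde        = ($report -replace '\s{2,}', ' ') -join '; '
    }
}

Enable-SilentBitLocker
```

The returned object is what you would write to the task-sequence log or a compliance item: a device that reports HasTpmProtector false, or a recovery password that failed to escrow, should fail the build rather than ship, because silent enablement only removes the prompt, not the need for a recoverable key.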

Senior Member

Will we have the option to enforce  MFA for self service recovery key access?

Super Contributor

Option 4 - free of cost :) We have enabled BitLocker on our Windows 10 Pro machines without any of these tools with a GPO which runs a PowerShell script (via task scheduler), which enables encryption on the next startup without any prompts. Of course, no proper monitoring or keys rotation, but one can have a script that scans all computer objects in AD and checks if they have BitLocker key stored in their account. Not ideal. But we were able to quickly enable BitLocker and encrypt all our laptops without having to invest in new licenses/infrastructure.
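
The "scan all computer objects in AD" check the comment describes can be written against the msFVE-RecoveryInformation child objects that BitLocker creates under each computer account when a recovery password is escrowed. The following is an added example, not the commenter's script; it assumes the ActiveDirectory RSAT module, an account allowed to read those objects (by default only Domain Admins), and an OU of OU=Laptops,DC=corp,DC=example, which is a made-up search base to replace with your own.

```powershell
# Added example (not the commenter's script): list which AD computer objects
# have BitLocker recovery information escrowed beneath them.
# Assumes the ActiveDirectory module and read access to msFVE-RecoveryInformation.
# The OU below is a placeholder, not a real value from this thread.
function Get-BitLockerEscrowReport {
    param(
        [string]$SearchBase = 'OU=Laptops,DC=corp,DC=example',   # assumed OU
        [int]$StaleDays = 60                                      # assumed threshold
    )
    Import-Module ActiveDirectory

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -SearchBase $SearchBase `
        -Properties LastLogonDate, OperatingSystem | ForEach-Object {

        # Each escrowed recovery password is a child object of the computer,
        # so a one-level search under the computer's DN finds them all.
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -SearchBase $_.DistinguishedName -SearchScope OneLevel -Properties whenCreated)

        $newest = ($keys | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated

        [pscustomobject]@{
            Name          = $_.Name
            LastLogonDate = $_.LastLogonDate
            Stale         = ($_.LastLogonDate -lt $cutoff)
            EscrowedKeys  = $keys.Count
            NewestEscrow  = $newest
            # NoRecoveryInfo is the finding to chase: nothing in AD means a lost
            # device cannot be recovered, and cannot be shown to have been escrowed.
            Finding       = if ($keys.Count -eq 0) { 'NoRecoveryInfo' } else { 'Escrowed' }
        }
    }
}

Get-BitLockerEscrowReport | Sort-Object Finding, Name | Format-Table -AutoSize
```

Read the result with its limit in mind: a recovery object under the computer proves a key was escrowed on that date, not that the volume is encrypted today or that it stayed encrypted afterwards, which is the gap the later comment about non-repudiation raises.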

Frequent Visitor

There's one major shortcoming in both Intune and ConfigMgr based BitLocker management, as I understand them: Non-repudiation.  With MBAM, the check-in status of each device is stored indefinitely (unless you manually run the cleanup tool).  This means that a device that is lost, but not reported for a long time, can still be proven to have been encrypted last time it was online.

As I understand it (and I know more about ConfigMgr than Intune on this topic).. with both ConfigMgr and Intune, when the device record ages out for inactivity, the history data goes with it.  So you cannot prove that a device that was lost but last checked in many months before it was reported lost was encrypted when it last checked in.  This leaves you open to extra fines or legal issues in some environments (HIPAA and some gov sectors).  Is there a solution for this in Intune or ConfigMgr now?

The solution some of my clients need is exactly as above:

Step 1: A device is offline for a long time, and ages out of ConfigMgr/Intune/AD (through manual or automatic processes, many clients want to expunge stale ConfigMgr clients to prevent them from impacting patch compliance #s)

Step 2: The user reports the device lost

Step 3: To ensure that sensitive data (for example: HIPAA health records/PII) cannot be accessed by an unauthorized user, the Data at Rest encryption must be proven to have been in place

Step 4: Currently, we can pull the MBAM report for this device, regardless of how long it has been since it checked in, but the ConfigMgr based reports and the Intune based reports don't have this data if there is no longer a computer record for the system in question.

@Diliprad

Senior Member

@Erjen Rijnders From my experience auto deployment without user intervention is possible via Intune only for Windows 10 Ent machines. Our Pro machines require user intervention with this method as some of the Endpoint security options that make it seamless are ONLY compatible with Windows 10 Ent or I even below Education as well.

Occasional Visitor

We are also finding that Bitlocker and Endpoint CSP for autopilot devices is hit and miss. We have been attempting to encrypt with 256 full disk for some time and have issue on the Instant Go hardware. We have tried to even unplug the power as a work around with no success. Been told that it will be "fixed in the next release". This part isn't ready at this point. For some hardware yes, but newer, not likely. 

Microsoft

@Erjen Rijnders, from 1809 Windows can automatically enable BitLocker encryption for all devices, not just those that are HSTI compliant. This should mean no user interaction is required (assuming you don't want a PIN).

@nomeara, you can use the Intune Data Warehouse as a source for this information and archive it for as long as you require.

@Jorge Otero, all of the Enterprise SKU BitLocker management features are available for Pro SKU devices from Windows 10 1809, so silent/automatic enablement should work with recent Windows builds.

@jasonoakes, ping me your case number on Twitter (@ConfigMgrDogs) and I'll take a look. Autopilot should consistently set the encryption method assuming you've configured it correctly. https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Setting-256-bit-encryption-for-BitLoc...

Frequent Visitor

@Matt Shadbolt

Thank you. After reading a bit about it, am I to understand that the "Intune Data Warehouse" is really just an API allowing me to query Intune data directly, and the actual long-term storage of that data would be up to me? There is no direct feature to keep historical Intune data where I can just set the retention period and query the historical data in the console?

Occasional Visitor

With the on-premises ConfigMgr/SCCM option, where will recovery keys be stored?

Senior Member

@Matt Shadbolt The only option available for Windows pro is selecting "Windows Settings" within Device configuration - Profiles > Bitlocker - Properties > Endpoint protection > Windows Encryption. This does not automate the process for the user. All the options below "Windows settings" starting from "Bitlocker base settings" and downward all require Windows 10 Ent, Education or Mobile edition as per image below:

(attached image: Bitlocker.PNG)

I've also tested this thoroughly on both OS versions and it indeed works as intended. Please advise if this is supposed to change with 1809 but the verbiage in Intune has not yet been updated?

Super Contributor

I wonder how MBAM licensing correlates with Intune/EMS/Windows Enterprise.

Microsoft

@Jorge Otero 

The tooltip was written for previous versions, but we can update it. I'll raise a bug. Here is the doc stating Windows supports Pro for the BitLocker CSP from 1809:

https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.

I heard this first hand from the ConfigMgr team and saw a quick demo at MMS Conference last week. This is great!

Occasional Visitor

What if we have an SCCM-managed client that has a BitLocker policy via Intune? Will it work without co-management, or is co-management a requirement in order to have BitLocker via Intune on an SCCM-managed device?