Dear IT Pros,
Today we discuss about MBAM's Bitlocker data migration to MEM
Microsoft provides a range of flexible BitLocker management alternatives to meet organization’s needs, as follows:
In order to future proof the Bitlocker Management and simplify the administration, some corporates have planned to migrate MBAM data directly from MBAM servers to Microsoft Endpoint Manager. The key point of the migration is that, making sure the amount of the recovery key IDs listed by MBAM Server are the same as the ones listed by Azure AD before the cut-off point of time in the migration process. I would suggest the a migration process with 5 steps.
Now we would look into the detail steps.
1. Generate a list of Bitlocker recovery keys in MBAM SQL Server:
You could modify the above query for more rows with SELECT TOP nnnnn instead of 1000 (rows)
2. Setup MEM Policy to escrow Bitlocker recovery passwords to Azure AD Device Accounts.
During the transition period, you will migrating batch by batch the devices from the “Bitlocker GPO devices group” to the “Bitlocker MEM devices group”.
creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager
Create an Endpoint Security profile in Microsoft Endpoint Manager
Configuring BitLocker settings in Microsoft Endpoint Manager
The settings that can be configured here include:
Option 1, Using the Azure Management Portal
Go to the Devices object under the Manage heading.
If the device is registered with Bitlocker encryption, then the Bitlocker Key ID and Recovery Key will be visible.
Option 2, Using the Microsoft Endpoint Manager Admin Center Portal
Click the Copy to Clipboard button and paste the data to view the entire string.
Option 3, Using the Company Portal website to get MacOS Recovery Key:
On an iPhone, you must select the three dots before the Get recovery key option appears.
2.3 Force current MBAM devices to backup recovery password keys to MEM by script
From Endpoint Manager Portal, you could deploy to all Windows 10 devices the script to force current MBAM Clients to backup their recovery password keys to Azure AD. You could use the Github's powershell script provided by Michael Mardahl as per the "How to migrate Bitlocker to Azure AD" article
3. Generate a list of Bitlocker recovery key IDs by Graph API in Azure AD
3.1 Export list of recovery keys from Azure AD
Get a list of the bitlockerRecoveryKey objects and
Retrieve the properties and relationships of a bitlockerRecoveryKey object.
Note: The key property is not returned by default.
Prerequisite for Bitlocker Graph API
a. Register an App API in Azure AD. Example of an bitlocker client app created
> App Registration > New registration, Create, …
b. Assign permission: Read all or Read basic of bitlocker data:
c. Delegate permission for App to receive BitLockerRecoveryKey data on behalf of the signed-in User and grant admin consent:
d. Signed-in User needed to be assigned one of the following roles:
Cloud device administrator
Intune service administrator
3.2 Steps to get Bitlocker Recovery Password List
> Choose the permission to read Bitlocker ‘s properties as shown here:
> In the search box: typing bitlocker to search for bitlocker permissions
> Choose the permission to read Bitlocker ‘s properties as shown here:
> Check the box “Consent on behalf of your Organization”
> Make Query with the HTTP Graph beta and Header as shown here:
Request headers: Adding the keys
Ocp-client-name: anything (you could use your application API name registered in Azure AD
> Run Query
An Example of converting JSON to CSV file:
3.3 To monitor the status of Bitlocker device:
The Microsoft Intune encryption report is a centralized location to view details about a device's encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you're viewing.
> Select Devices
> Monitor, and then
> under Configuration, select Encryption report.
The encryption report shows common details across the supported devices you manage. The following sections provide more details about the information that MEM presents in the report.
Ready: The device can be encrypted by using MDM policy, which requires MacOS10.13 or later, Windows with TPM and Enterprise version 1709 or Pro 1809
The device doesn't have full encryption capabilities, but may still support encryption.
There isn't enough information to classify this device.
Whether the OS drive is encrypted
When you select a device from the Encryption report, MEM displays the Device encryption status pane with the following detail:
A list of the Device configuration profiles that apply to this device·
TPM status is ready for bitlocker encryption or not
(the device can still be manually encrypted. or through a MDM/Group Policy setting that can be set to allow encrypting without a TPM.)
Whether the OS drive is encrypted. It can take up to 24 hours for MEM to report
For Windows devices, this field does not look at whether other drives, such as fixed drives, are encrypted
This field displays information for each applicable error that can be detected. You can use this information to understand why a device might not be encryption ready:
· The recovery key hasn't been retrieved and stored yet,
· The user is deferring encryption or is currently in the process of encryption.
· The device is already encrypted. Device user must decrypt the device to continue.
· FileVault needs the user to approve their management profile in macOS Catalina and higher.
· The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard on the OS volume.
· The encryption method of the OS volume doesn't match the BitLocker policy.
· The policy BitLocker requires a TPM protector, or PIN, or Startup Key.
· Recovery key backup failed.
· A fixed drive is unprotected.
· The encryption method of the fixed drive doesn't match the BitLocker policy.
· To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.
· Windows Recovery Environment (WinRE) isn't configured.
· The TPM isn't ready for BitLocker.
· The network isn't available.
3.4 To view list of Unencrypted devices:
We need to know if the Devices ever backup the recovery keys to Azure AD. Jos Lieben provided the script to generate a report about the devices who have not been escrowed the bitlocker recovery key to Azure AD.
Download the Get-bitlockerEscrowStatusForAzureADDevices.ps1script from Github
4. Compare between lists and make manually escrow of recovery keys to Azure AD
Use the Excel spreadsheet’s comparing feature to make sure no discrepancy between the 2 files. One CSV file who listed the Recovery Password Key IDs from MBAM Database and one listed the Key IDs from Azure AD. There should be no difference.
You could repeat step 2.3 mentioned above to deploy a script for backing up the Bitlocker Recovery Keys to Azure AD, assign script to the group of devices without keys in AAD.
5. Shutdown MBAM Server and decommission them.
I hope the information is useful for your migration plan and deployment.
Thanks for viewing and discussing this topic.
Disclaimer The sample scripts are not supported under any Microsoft standard support program or service.
The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all
implied warranties including, without limitation, any implied warranties of merchantability or of
fitness for a particular purpose. The entire risk arising out of the use or performance of the
sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or
anyone else involved in the creation, production, or delivery of the scripts be liable for any
damages whatsoever (including, without limitation, damages for loss of business profits,
business interruption, loss of business information, or other pecuniary loss) arising out of
the use of or inability to use the sample scripts or documentation, even if Microsoft has been
advised of the possibility of such damages.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.