Microsoft expands BitLocker management capabilities for the enterprise
Published May 08 2019 03:30 AM 142K Views

Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.

 

Microsoft provides a range flexible BitLocker management alternatives to meet your organization’s needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Intune
  2. On-premises BitLocker management using System Center Configuration Manager
  3. Microsoft BitLocker Administration and Monitoring (MBAM)

 

Enterprise BitLocker management lifecycle – Enterprise BitLocker management includes assessing readiness, key management and recovery, and compliance reporting. Whichever option is right for your company, we have a complete enterprise solution.Enterprise BitLocker management lifecycle – Enterprise BitLocker management includes assessing readiness, key management and recovery, and compliance reporting. Whichever option is right for your company, we have a complete enterprise solution.

 

Let us explore each of these alternatives in some detail

 

Option 1 - Cloud-based BitLocker management using Microsoft Intune

Microsoft Azure Active Directory and Microsoft Intune bring the power of intelligent cloud to Windows 10 device management and include management capabilities for Microsoft BitLocker on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.

 

Microsoft Intune Endpoint Protection portal with example settings – With 38 BitLocker Encryption settings, you can customize the settings for your company.Microsoft Intune Endpoint Protection portal with example settings – With 38 BitLocker Encryption settings, you can customize the settings for your company.

 

As enterprises increasing look to modernize through cloud scale and simplicity, Microsoft is committed to driving the same approach for cloud-based BitLocker management. Microsoft Intune BitLocker management platform is available today, and includes features such as compliance reporting, encryption configuration, with key retrieval and rotation on the roadmap. In the coming months, we expect Microsoft cloud-based BitLocker management to meet and exceed the MBAM capabilities you are familiar with.

 

Additionally, Windows AutoPilot offers a modern provisioning approach to ensure BitLocker is seamlessly enabled on Windows devices, integrating with Azure Active Directory to provide a compliant device on first logon.

 

Here are some BitLocker management features you will find in Microsoft Intune:

 

  • Readiness and Compliance Reporting
  • Dedicated encryption reports that help admins understand the encryption status of their device estate; reports if devices can be successfully enabled with BitLocker. If devices fail BitLocker enablement, you’ll see onscreen error codes to help you troubleshoot and bring them to a successful state.

 

  • Configuration
  • Granular BitLocker configuration that empowers admins to manage devices to their intended level of security. We’re constantly working with customers and making bold investments to determine which features require mobile device management (MDM) support.

 

 

  • Key recovery auditing
  • Get reports on who accessed recovery key information in Azure AD. Reports coming later in 2019.

 

  • Key recovery
  • Enables you or another admin to recover keys in the Microsoft Intune console. You may enable user self-service key recovery using the Company Portal app, available across device platforms such as web, iOS, Android, Windows, and MacOS. Self-service is expected to be available later in calendar year 2019.

 

  • Key management (coming in 2019)
  • Enable single-use recovery keys on Windows devices by ensuring keys are rolled on-access (by client) or on-demand (by Intune remote actions). Key rotation is expected later in calendar year 2019.

 

  • Migrating from MBAM to cloud management (coming in 2019)
  • For our current MBAM customers that need to migrate to modern BitLocker management, we are integrating that migration directly into the key rotation feature, available later in calendar year 2019.

 

Option 2 – On-premises BitLocker management using System Center Configuration Manager

For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.

Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.  

 

Configuration Manager (SCCM) will provide the following BitLocker management capabilities:

 

  • Provisioning
  • Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.

 

  • Prepare Trusted Platform Module (TPM)
  • Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.

 

  • Setting BitLocker Configuration
  • All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.

 

  • Encryption
  • Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.

 

  • Policy enactment / remediation on device
  • Admins can force users to get compliant with new security policies before being able to access the device.

 

  • New user can set a pin / password on TPM & non-TPM devices
  • Admins can customize their organization’s security profile on a per device basis.

 

  • Auto unlock
  • Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.

 

  • Helpdesk portal with auditing
  • A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.

 

  • Key rotation
  • Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.

 

  • Compliance reporting
  • SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.

 

Option 3 - Microsoft BitLocker Administration and Monitoring (MBAM)

Since 2011, the enterprise standard for BitLocker management has been Microsoft BitLocker Administration and Monitoring (MBAM), which requires dedicated on-premises infrastructure, including database servers. Microsoft has announced MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024. Customers can continue to deploy and use MBAM 2.5 SP1, fully supported by Microsoft during the extended support period. The end of mainstream support indicates that new features will not be added to MBAM 2.5 SP1.  Microsoft is dedicated to investing in modern approaches that simplify and streamline BitLocker management for the enterprise. MBAM remains a supported management tool for customers that don’t currently use either Microsoft Intune or System Center Configuration Manager.

 

More info and feedback

Whether you are a current MBAM customer or are using a third-party tool for BitLocker management, Microsoft can help support your transition to modern enterprise BitLocker management at your own pace with a unified endpoint management platform that includes Microsoft Intune and Configuration Manager.

 

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune and @MSWindowsITPro on Twitter

 

33 Comments
Copper Contributor

This will be useful. We already have SCCM on premise in our environment, is additional MBAM infrastructure required?

Brass Contributor

So after this, the user must still enable Bitlocker by himself? I see we can enforce that the user must first enable Bitlocker before he can proceed:

Admins can force users to get compliant with new security policies before being able to access the device.

 

But the biggest struggle now is that the user must do it by himself. Let us do it, it makes things far more easy, less helpdesk phonecalls, more user satisfaction. Like this uservoice: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/32170921-ability-to-seamlessly...

Copper Contributor

Will there be a migration path from an established mbam infrastructure  to configmgr?

Microsoft

@Erjen Rijnders you can leverage MBAM to seamlessly encrypt the device with no user interaction. We can also use SCCM and the "enable-Bitlocker" Task Sequence step, leveraging PowerShell and the manage-bde commands, to also enable encryption with no user interaction. 

 

I also am looking forward to Intune being able to seamlessly enable Bitlocker, but there are other options if your organization has the products and technologies. 

Copper Contributor

Will we have the option to enforce  MFA for self service recovery key access?

Silver Contributor

Option 4 - free of cost :) We have enabled BitLocker on our Windows 10 Pro machines without any of these tools with a GPO which runs a PowerShell script (via task scheduler), which enables encryption on the next startup without any prompts. Of course, no proper monitoring or keys rotation, but one can have a script that scans all computer objects in AD and checks if they have BitLocker key stored in their account. Not ideal. But we were able to quickly enable BitLocker and encrypt all our laptops without having to invest in new licenses/infrastructure.

Copper Contributor

There's one major shortcoming in both Intune and ConfigMgr based BitLocker management, as I understand them: Non-repudiation.  With MBAM, the check-in status of each device is stored indefinitely (unless you manually run the cleanup tool).  This means that a device that is lost, but not reported for a long time, can still be proven to have been encrypted last time it was online.

 

As I understand it (and I know more about ConfigMgr than Intune on this topic).. with both ConfigMgr and Intune, when the device record ages out for inactivity, the history data goes with it.  So you cannot prove that a device that was lost but last checked in many months before it was reported lost was encrypted when it last checked in.  This leaves you open to extra fines or legal issues in some environments (HIPAA and some gov sectors).  Is there a solution for this in Intune or ConfigMgr now?

 

The solution some of my clients need is exactly as above:

Step 1: A device is offline for a long time, and ages out of ConfigMgr/Intune/AD (through manual or automatic processes, many clients want to expunge stale ConfigMgr clients to prevent them from impacting patch compliance #s)

Step 2: The user reports the device lost

Step 3: To ensure that sensitive data (for example: HIPAA health records/PII) cannot be accessed by an unauthorized user, the Data at Rest encryption must be proven to have been in place

Step 4: Currently, we can pull the MBAM report for this device, regardless of how long it has been since it checked in, but the ConfigMgr based reports and the Intune based reports don't have this data if there is no longer a computer record for the system in question.

 @Dilip_Radhakrishnan 

Copper Contributor

@Erjen RijndersFrom my experience auto deployment without user intervention is possible via Intune only for Windows 10 Ent machines. Our Pro machines require user intervention with this method as some of the Endpoint security options that make it seemless are ONLY compatible with Windows 10 Ent or I even below Education as well. 

Copper Contributor

We are also finding that Bitlocker and Endpoint CSP for autopilot devices is hit and miss. We have been attempting to encrypt with 256 full disk for some time and have issue on the Instant Go hardware. We have tried to even unplug the power as a work around with no success. Been told that it will be "fixed in the next release". This part isn't ready at this point. For some hardware yes, but newer, not likely. 

Microsoft

@Erjen Rijnders , from 1809 Windows can automatically enable BitLocker encryption for all devices, not just those that are HSTI compliant. This should mean no user interaction required (assuming you don't want a PIN)

 

@nomeara , you can use the Intune Datawarehouse as a source for this information and archive it for as long as you require.

 

@Jorge Otero  all of the Enterprise SKU BitLocker management features are available for Pro SKU devices from Windows 10 1809, so silent/automatic enablement should work with recent Windows builds

 

@jasonoakes , ping me your case number on Twitter (@ConfigMgrDogs) and I'll take a look. Autopilot should consistently set the encryption method assuming you've configured it correctly. https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Setting-256-bit-encryption-for-BitLoc...

Copper Contributor

@Matt Shadbolt 

 

Thank you.  After reading a bit about it, am I to understand that the "Intune Data Warehouse" is really just an API allowing me to query intune data directly, and the actual long-term storage of that data would be up to me?  There is no direct feature to keep historical intune data where I can just set the retention period and query the historical data in the console?

Copper Contributor

With OnPremis ConfigMgr/SCCM option where will recovery keys be stored ?

Copper Contributor

@Matt Shadbolt The only option available for Windows pro is selecting "Windows Settings" within Device configuration - Profiles > Bitlocker - Properties > Endpoint protection > Windows Encryption. This does not automate the process for the user. All the options below "Windows settings" starting from "Bitlocker base settings" and downward all require Windows 10 Ent, Education or Mobile edition as per image below:

Bitlocker.PNG

 

I've also tested this thoroughly on both OS versions and it indeed works as intended. Please advise if this is suppose to change with 1809 but the verbage in Intune has not yet been updated?

 

 

Silver Contributor

I wonder how MBAM licensing correlates with Intune/EMS/Windows Enterprise.

Microsoft

@Jorge Otero 

The tooltip was written for previous versions, but we can update it.. I'll raise a bug. Here is the doc stating Windows supports Pro for the BitLocker CSP from 1809

 

https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

 

The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.

Bronze Contributor

I heard this first hand from the ConfigMgr team and saw a quick demo at MMS Conference last week. This is great!

Brass Contributor



What if we have SCCM managed client and has Bitlocker policy via Intune will it work without co management or co management is requirement in order to have bitlocker via intune on SCCM Managed device. 

 

Copper Contributor

Nice.. any word what size increase this adds to the SCCM database?

Copper Contributor

@nomeara. That would be a "depends" question. You can set SCCM not delete resources up to 365 days.  Not sure if SCCM datawarehouse will achieve what you need as it does keep compliance information.

Copper Contributor

@Matt Shadbolt  I've tested my bitlocker configuration within Intune on Windows 10 Pro systems running version 1809 as per the article you linked. I've had success with automatically encrypting the devices without user intervention on the first few systems and pushed to a larger pilot group which I ran into an issue with a few devices. 

 

Some devices are erroring out as shown below:encryption error.PNG

 

When inspecting all the devices with the same error to see if the drive is encrypted we see the following:

used_space_only_encrypted.PNG 

All of the errored out systems show as "Used Space Only Encrypted" and also do not automatically save a key. At the moment my current test has 10/55 like this and all the test machines are on 1809. We have varying laptop models but I've seen no pattern regarding a particular system and they're all rather new machines. The systems without errors are fully encrypted and save the keys in AAD as it should. 

 

Any ideas?

 

Thanks!

 

P.S  Just an FYI The tooltips are still not updated

 

Microsoft

@Jorge Otero can you make sure you have this patch applied to your 1809 device? This will fix a bug with silent enablement. https://support.microsoft.com/en-us/help/4497934/windows-10-update-kb4497934

 

If this doesn't work please raise a support case 

Copper Contributor

also looking forward to a well-documented migration path from MBAM 2.x to SCCM.

We can't use intune, and are also concerned with historical data, not just for non-repudiation, but also data recovery.  if someone sticks their encrypted laptop in a drawer or safe or whatever and it falls out of SCCM, how do we then access the data if they forget their PIN?  currently we can go to the MBAM website and recover, or in some cases the database will have the key even when the site says no recovery key found, even if the device has been offline for 3 or 4 years.

It doesn't happen often, but hopefully we won't need to restore our SCCM database just to recover a key or device encryption report.  Some sort of historical record would be nice.  Maybe start when the device shows up in SCCM, and a new entry for each time the status changes (encrypt/unencrypt/suspend/resume/etc)

Brass Contributor

In what SCCM version the MBAM policies and build-in functionalities be released? I saw MBAM policies first time been there in Technical Preview at this spring, but in SCCM 1906 there is no MBAM stuff yet. Is there official release information yet? Our customers are waiting for more MBAM implementations this year.

Copper Contributor
Moving from MBAM to cloud (Intune and Azure AD) - is it live in production or still in Roadmap or Preview is released?
Copper Contributor
Hello @Dilip_Radhakrishnan, any update on this new features ? Thank you
Brass Contributor

What version of Windows 10 is required to migrate from MBAM management to Intune Cloud Managed Bitlocker?

 

One of my colleagues seems to think it's the just released 1909, but given that this article was published at the start of August, that doesn't seem right.

 

Can you confirm please?

Brass Contributor

MBAM is now fully integrated in SCCM 1910, but the biggest headache is it requires then https mode. For existing enviroments it is a killer to start transforming sccm infra into https mode with PKI from a production perspective. 

Copper Contributor

One of y colleagues installed SCCM 1902 and upgraded to 1906 from console update, well BitLocker Manageme nt (MBAM) appears in teh SCCM console under Endpoint Protection, does anyone see the same? I thought MBAM BitLocker only officially available from GA release SCCM 1910. 

 

SCCM1906.JPG

Iron Contributor

Now on SCCM 2002 and looking to add BitLocker Management.  We intend to only HTTPS-enable the recovery service website.  How is that done for the first time if the MP is not already HTTPS-enabled?  We're using Enhanced HTTP with a CMG so setting up Client Management only allows plain text recovery data when creating the initial compliance policy.  Until we create that initial policy there is no website available to bind a cert to.  We haven't gone past that point, yet, because we're worried we won't be able to encrypt the data later.  We're not concerned about the data in the site DB, just website.

Thanks,

Russell

Copper Contributor

Hello Folks,

 

Just wanted to check moving from MBAM to cloud (Intune or Azure AD)  is it available now for production or is it still in Road-Map or Preview is released?

Microsoft

hello Manoj, 

 

Then is no outlined migration strategy that I am aware of, however I can share some tips below.

 

Within Intune, it is encouraged to utilize the device configuration profile to apply encryption settings to your devices. Here is documentation that outlines this process: https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices#:~:text=The%20BitLocker%20profil... 

 

For devices that are currently encrypted with MBAM and want to save the key to Azure AD, I would recommend using the below PS example to backup the key to Azure AD. Documentation is found here: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-managem...

 

Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

$BLV = Get-BitLockerVolume -MountPoint "C:"

BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId

 

Also please remember to uninstall the MBAM agent so that there are no conflicts with escrowing or rotating the key. I hope this helps!

Copper Contributor

Have I missed something, or have these features not been released?

 

We have been using MBAM to escrow recovery keys.  Due to MBAM support ending we need to migrate to Azure AD.  We are already running in a mixed MBAM/Azure AD mode due to InTune provisioning for new clients.  We could script all clients to backup their keys to Azure AD, but this doesn't address clients who are not regularly checking in, and especially doesn't address any clients which have been kept for legal hold reasons.  

 

I am also unable to find any information on recovery key access auditing for Azure AD stored keys, only this under-represented UserVoice request: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39903610-audit-log-for-accessi....  I understand MBAM extended support goes until 2026, but it would be great if customers were provided migration paths that offered what we need from a legal/audit perspective.

Copper Contributor

I'm new to Microsoft Bitlocker, currently we use McAfee to manage and encrypt our devices, however, the plan is to move all devices to Microsoft and manage them via Intune/MEM  in a few months. I'm running into issues with Bitlcoker policies, they are not getting applied properly when applied from Intune/MEM.

Microsoft support is recommending that I should consider using a standalone "MBAM". 

We have SCCM (Config manager) in place and our systems are co-managed. Our workload has been configured for Intune\MEM to manage "Endpoint protection".

 

Questions:

1) Should I use SCCM (config manager) just for "Bitlocker" and disable "Bitlocker" policy in Intune\MEM?

2) Manage "Bitlocker" policy from Intune\MEM only?

3) Setup a standalone MBAM to manage "Bitlcoker"?

 

Your help is much appreciated

 

Version history
Last update:
‎Apr 02 2020 08:21 AM
Updated by: