Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.
Microsoft provides a range flexible BitLocker management alternatives to meet your organization’s needs, as follows:
- Cloud-based BitLocker management using Microsoft Intune
- On-premises BitLocker management using System Center Configuration Manager
- Microsoft BitLocker Administration and Monitoring (MBAM)
Let us explore each of these alternatives in some detail
Option 1 - Cloud-based BitLocker management using Microsoft Intune
Microsoft Azure Active Directory and Microsoft Intune bring the power of intelligent cloud to Windows 10 device management and include management capabilities for Microsoft BitLocker on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.
As enterprises increasing look to modernize through cloud scale and simplicity, Microsoft is committed to driving the same approach for cloud-based BitLocker management. Microsoft Intune BitLocker management platform is available today, and includes features such as compliance reporting, encryption configuration, with key retrieval and rotation on the roadmap. In the coming months, we expect Microsoft cloud-based BitLocker management to meet and exceed the MBAM capabilities you are familiar with.
Additionally, Windows AutoPilot offers a modern provisioning approach to ensure BitLocker is seamlessly enabled on Windows devices, integrating with Azure Active Directory to provide a compliant device on first logon.
Here are some BitLocker management features you will find in Microsoft Intune:
- Readiness and Compliance Reporting
- Dedicated encryption reports that help admins understand the encryption status of their device estate; reports if devices can be successfully enabled with BitLocker. If devices fail BitLocker enablement, you’ll see onscreen error codes to help you troubleshoot and bring them to a successful state.
- Configuration
- Granular BitLocker configuration that empowers admins to manage devices to their intended level of security. We’re constantly working with customers and making bold investments to determine which features require mobile device management (MDM) support.
- Compliance
- Leverage Intune’s compliance policies. Revoke access to corporate resources if devices do not meet your encryption requirements.
- Key recovery auditing
- Get reports on who accessed recovery key information in Azure AD. Reports coming later in 2019.
- Key recovery
- Enables you or another admin to recover keys in the Microsoft Intune console. You may enable user self-service key recovery using the Company Portal app, available across device platforms such as web, iOS, Android, Windows, and MacOS. Self-service is expected to be available later in calendar year 2019.
- Key management (coming in 2019)
- Enable single-use recovery keys on Windows devices by ensuring keys are rolled on-access (by client) or on-demand (by Intune remote actions). Key rotation is expected later in calendar year 2019.
- Migrating from MBAM to cloud management (coming in 2019)
- For our current MBAM customers that need to migrate to modern BitLocker management, we are integrating that migration directly into the key rotation feature, available later in calendar year 2019.
Option 2 – On-premises BitLocker management using System Center Configuration Manager
For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.
Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.
Configuration Manager (SCCM) will provide the following BitLocker management capabilities:
- Provisioning
- Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.
- Prepare Trusted Platform Module (TPM)
- Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.
- Setting BitLocker Configuration
- All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.
- Encryption
- Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.
- Policy enactment / remediation on device
- Admins can force users to get compliant with new security policies before being able to access the device.
- New user can set a pin / password on TPM & non-TPM devices
- Admins can customize their organization’s security profile on a per device basis.
- Auto unlock
- Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.
- Helpdesk portal with auditing
- A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.
- Key rotation
- Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.
- Compliance reporting
- SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.
Option 3 - Microsoft BitLocker Administration and Monitoring (MBAM)
Since 2011, the enterprise standard for BitLocker management has been Microsoft BitLocker Administration and Monitoring (MBAM), which requires dedicated on-premises infrastructure, including database servers. Microsoft has announced MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024. Customers can continue to deploy and use MBAM 2.5 SP1, fully supported by Microsoft during the extended support period. The end of mainstream support indicates that new features will not be added to MBAM 2.5 SP1. Microsoft is dedicated to investing in modern approaches that simplify and streamline BitLocker management for the enterprise. MBAM remains a supported management tool for customers that don’t currently use either Microsoft Intune or System Center Configuration Manager.
More info and feedback
Whether you are a current MBAM customer or are using a third-party tool for BitLocker management, Microsoft can help support your transition to modern enterprise BitLocker management at your own pace with a unified endpoint management platform that includes Microsoft Intune and Configuration Manager.
Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune and @MSWindowsITPro on Twitter