Managing BitLocker in the enterprise using Microsoft Endpoint Manager

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

By Matt Shadbolt (@ConfigMgrDogs) | Principal Program Manager, Microsoft Endpoint Manager

 

In November 2019, we announced the integration of Microsoft Intune and Configuration Manager into a unified, integrated management platform. Customers who wish to deploy BitLocker management on-premises may do so using Configuration Manager without the need to deploy MBAM. We also support customers who prefer to manage BitLocker using Microsoft Intune cloud services without maintaining an on-premises infrastructure. And with key rolling fully integrated into Windows 10, version 1909, and Microsoft Endpoint Manager’s investment in BitLocker management, we are providing you an update on the BitLocker management roadmap, originally posted here

 

BitLockerManagementLifecycle.png

Figure 1: Microsoft BitLocker management lifecycle

 

Cloud-based BitLocker management using Microsoft Intune

Managing BitLocker via Intune gives organizations the confidence their Windows data is stored encrypted, without the need to manage an on-premises infrastructure. Here are some of the features you’ll get when using Intune for BitLocker management:

  • Silently enable BitLocker allowing BitLocker to be enforced and enabled without user interaction. Read more
  • Ability for encryption to be enabled by non-administrator users. Read more
  • New BitLocker readiness and compliance reports. Read more
  • IT Pro recovery key access experience. Read more
  • Recovery key rotation, both triggered at the client and the service. Read more
  • Migration from MBAM to Intune can be performed by triggering a BitLocker key rotation and removing redundant BitLocker management agents.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.

 

IntuneSettings.png

Figure 2: Microsoft BitLocker encryption settings in Intune

 

IntuneKeyRotation.png

Figure 3: Trigger a BitLocker key rotation from the Intune portal

 

In future, we plan to release end-user self-service recovery key access, and Azure Active Directory based audits of key access.

 

On-premises BitLocker management using Configuration Manager

For customers who cannot move certain devices to cloud management, Microsoft Endpoint Manager includes both Intune and Configuration Manager capabilities. Native BitLocker management is available in Configuration Manager, version 1910 and newer releases. Some of the features include:

  • The ability to enforce the use of BitLocker on ConfigMgr managed clients. Read more
  • Helpdesk and end-user self-service of BitLocker recovery key experiences. Read more
  • BitLocker readiness and compliance reporting.  Read more
  • TPM, PIN, and recovery key management. Read more
  • Migration can be performed by upgrading the Configuration Manager client to version 1910. This upgrade will also automatically upgrade the MBAM agent, if necessary.

NOTE: Make sure to remove any MBAM Group Policy Settings from the endpoint to prevent any conflicts in encryption settings.

 

ConfigMgrBitLocker.png

Figure 4: Create a BitLocker encryption policy from the Endpoint Manager console

 

Next steps

Delivering on the Microsoft Endpoint Manager vision, customers can confidently manage device encryption for Windows and other platforms using the tools that work best for them, whether on-premises or cloud-based. You can find information about the latest feature releases in our product documentation.

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.