BitLocker Management Coming This Year to System Center Configuration Manager
Microsoft on Wednesday announced added options for IT pros managing BitLocker-encrypted drives on devices.
New capabilities for managing BitLocker devices will be coming to Microsoft Intune, Microsoft's mobile device management solution. In addition, users of System Center Configuration Manager (SCCM) "current branch" releases will be getting the ability to manage BitLocker devices, which will be a new capability for SCCM.
The new BitLocker management capabilities are expected to arrive sometime this year.
The MBAM Option
One longtime existing option to manage BitLocker devices is to use the Microsoft BitLocker Administration and Monitoring (MBAM) solution. MBAM is offered as one of the tools in the Microsoft Desktop Optimization Pack, which is typically used by enterprise organizations.
However, MBAM's product lifecycle milestones are coming up fast. MBAM will reach the end of "mainstream" support on July 9, 2019, and it will not get new capabilities after that date. MBAM will reach the end of "extended" support on July 9, 2024.
It's not clear if the end of extended support, when patch support stops, will be the end of the MBAM product. Microsoft plans to put its future development efforts toward Intune and SCCM. However, the announcement also declared that "MBAM remains a supported management tool for customers that don't currently use either Microsoft Intune or System Center Configuration Manager."
The integration of MBAM capabilities into SCCM for managing BitLocker devices has been on Microsoft's roadmap since at least June 2016, when customers were vocal in requesting it. In June 2019, Microsoft expects to release a preview of BitLocker management in SCCM, with a "general availability" commercial release coming later in the year.
When available, SCCM's support for BitLocker management will work across "Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education editions," as well as "Windows 7, Windows 8 and Windows 8.1," Microsoft's announcement indicated.
Windows 7, though, will be reaching its end-of-life stage on Jan. 14, 2020, so there's not much time for those users. They could opt for Microsoft's Extended Security Updates plan, though, which adds three more years of support.
SCCM will enable the configuration of BitLocker devices, including the choice of algorithms used to encrypt disks. It'll have Trusted Platform Module (TPM) 1.2 and 2.0 support, and there will be an option for end users to set a PIN or password on both TPM and non-TPM devices. IT pros will be able to enforce security policies on end users. SCCM will have a helpdesk portal to assist with key recoveries. Also, SCCM will show "all reports currently found on MBAM in the SCCM console."
Microsoft tends to pour its development efforts first into Intune. It generally recommends that organizations use Intune for device management, but SCCM users can opt to use a "comanagement" feature to get Intune capabilities within the SCCM console.
Currently, Intune has reporting capabilities on device readiness for BitLocker. It'll show the devices that failed BitLocker implementation, along with troubleshooting details. Intune also offers "granular" details about device security, and compliance policies can be set.
Coming later this year, Intune will let IT pros recover BitLocker keys, including the ability to set a "user self-service key recovery" capability. It'll also have a reporting capability that will show "who accessed recovery key information in Azure AD." Microsoft is also planning to add a "key rotation" capability in Intune sometime this year.
Also coming this year will be an ability to migrate "from MBAM to cloud management," according to the announcement. It's not clear what's meant by that phrase; it possibly refers to an MBAM-to-Intune migration capability.
There also will be some kind of migration capability for SCCM users at some point. According to this Tweet by the Microsoft Configuration Manager team, it will be possible for on-premises MBAM users to migrate to SCCM.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.