BitLocker Management Coming This Year to System Center Configuration Manager

Microsoft on Wednesday announced added options for IT pros managing BitLocker-encrypted drives on devices.

New BitLocker management capabilities are coming to Microsoft Intune, Microsoft's mobile device management (MDM) service. In addition, System Center Configuration Manager (SCCM) "current branch" releases will gain the ability to manage BitLocker-protected devices, something SCCM has not offered natively until now.

The new BitLocker management capabilities are expected to arrive sometime this year.

The MBAM Option
One longtime existing option to manage BitLocker devices is to use the Microsoft BitLocker Administration and Monitoring (MBAM) solution. MBAM is offered as one of the tools in the Microsoft Desktop Optimization Pack, which is typically used by enterprise organizations.

However, MBAM's product lifecycle milestones are coming up fast. MBAM will reach the end of "mainstream" support on July 9, 2019, and it will not get new capabilities after that date. MBAM will reach the end of "extended" support on July 9, 2024.

It's not clear if the end of extended support, when patch support stops, will be the end of the MBAM product. Microsoft plans to put its future development efforts toward Intune and SCCM. However, the announcement also declared that "MBAM remains a supported management tool for customers that don't currently use either Microsoft Intune or System Center Configuration Manager."

SCCM Management
The integration of MBAM capabilities into SCCM for managing BitLocker devices has been on Microsoft's roadmap since at least June 2016, when customers were vocal in requesting it. In June 2019, Microsoft expects to release a preview of BitLocker management in SCCM, with a "general availability" commercial release coming later in the year.

When available, SCCM's support for BitLocker management will work across "Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education editions," as well as "Windows 7, Windows 8 and Windows 8.1," Microsoft's announcement indicated. 

Windows 7, though, reaches end of support on Jan. 14, 2020, so there's not much time for those users. They could opt for Microsoft's paid Extended Security Updates plan, which provides up to three more years of security patches.

SCCM will enable configuration of BitLocker settings on managed devices, including the choice of encryption algorithm used for the disks. It'll support Trusted Platform Module (TPM) 1.2 and 2.0, and there will be an option to let end users set a PIN or password on both TPM and non-TPM devices. IT pros will be able to enforce encryption policies on end-user devices. SCCM will have a helpdesk portal to assist with recovery-key retrieval. Also, SCCM will show "all reports currently found on MBAM in the SCCM console."

Intune Management
Microsoft tends to pour its development efforts first into Intune. It generally recommends that organizations use Intune for device management, but SCCM users can enable "co-management," which enrolls SCCM-managed devices in Intune as well and lets IT pros move selected workloads (such as compliance policies) to Intune.

Currently, Intune has reporting capabilities on device readiness for BitLocker. It'll show the devices that failed BitLocker implementation, along with troubleshooting details. Intune also offers "granular" details about device security, and compliance policies can be set.

Coming later this year, Intune will let IT pros recover BitLocker keys, including the ability to set a "user self-service key recovery" capability. It'll also have a reporting capability that will show "who accessed recovery key information in Azure AD." Microsoft is also planning to add a "key rotation" capability in Intune sometime this year.
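The capabilities described for SCCM above (TPM 1.2/2.0 detection, TPM+PIN protectors, algorithm policy, recovery-key reporting) and for Intune here (recovery-key escrow and key rotation) all sit on top of the same local BitLocker state that Windows exposes through PowerShell. The script below is an added example, not code from the article, Microsoft, MBAM, SCCM or Intune: it audits one volume the way those tools report it centrally, checks it against a simple policy, and performs the manual equivalent of a recovery-password rotation with escrow to Azure AD or Active Directory. The function names, the `Readiness` object's fields and the policy thresholds are this example's own assumptions; the cmdlets (`Get-Tpm`, `Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `BackupToAAD-BitLockerKeyProtector`, `Backup-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`) ship with Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's code). Run elevated on Windows 10.
# Function names, object fields and policy values below are this example's own assumptions.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the TPM spec.
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'none' }

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector)
    $recovery   = @($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        MountPoint            = $MountPoint
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        TpmSpecVersion        = $tpmSpec
        VolumeStatus          = [string]$vol.VolumeStatus
        ProtectionStatus      = [string]$vol.ProtectionStatus
        EncryptionMethod      = [string]$vol.EncryptionMethod
        ProtectorTypes        = (($protectors.KeyProtectorType | ForEach-Object { [string]$_ }) | Sort-Object -Unique) -join ','
        HasTpmPinProtector    = [bool]($protectors | Where-Object KeyProtectorType -eq 'TpmPin')
        RecoveryPasswordCount = $recovery.Count
        RecoveryProtectorIds  = ($recovery.KeyProtectorId) -join ','
    }
}

function Test-BitLockerCompliance {
    # Mirrors the kind of policy SCCM/Intune would enforce: encryption on, approved cipher,
    # a recovery password that can be escrowed, and pre-boot auth (TPM+PIN) where a TPM exists.
    param(
        [Parameter(Mandatory)]$Readiness,
        [string[]]$AllowedMethods = @('XtsAes256', 'XtsAes128')   # assumed policy
    )
    $findings = @()
    if ($Readiness.ProtectionStatus -ne 'On')                 { $findings += 'BitLocker protection is not on' }
    if ($Readiness.EncryptionMethod -notin $AllowedMethods)   { $findings += "Cipher $($Readiness.EncryptionMethod) is not in the allowed list" }
    if ($Readiness.RecoveryPasswordCount -lt 1)               { $findings += 'No recovery password protector; nothing to escrow for helpdesk recovery' }
    if ($Readiness.TpmPresent -and -not $Readiness.TpmReady)  { $findings += 'TPM present but not ready (not owned/initialized)' }
    if ($Readiness.TpmPresent -and -not $Readiness.HasTpmPinProtector) { $findings += 'TPM present but no TPM+PIN protector (no pre-boot authentication)' }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Invoke-RecoveryPasswordRotation {
    # Manual equivalent of "key rotation": add a NEW recovery password, escrow it, and only then
    # remove the old recovery passwords. Order matters: removing first could leave no escrowed key.
    # The TPM/TPM+PIN protector is untouched, so normal boot is unaffected.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet('AzureAD', 'ActiveDirectory', 'None')][string]$Escrow = 'AzureAD'
    )
    $before = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before.KeyProtectorId
    }

    switch ($Escrow) {
        'AzureAD'         { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null }
        'ActiveDirectory' { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null }
    }

    foreach ($old in $before) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    }
    $new.KeyProtectorId   # the only recovery password now valid for this volume
}

# Usage: audit, evaluate, and rotate only if the audit says the volume is otherwise compliant.
$r = Get-BitLockerReadiness
$r | Format-List
$c = Test-BitLockerCompliance -Readiness $r
if ($c.Compliant) { Invoke-RecoveryPasswordRotation -Escrow 'AzureAD' } else { $c.Findings }
```

The rotation function deliberately never runs on a non-compliant volume: rotating a recovery password on a device whose protection is off, or whose new key cannot be escrowed, only replaces a key the helpdesk has with one it does not. Escrow to Azure AD requires the device to be Azure AD joined or hybrid joined; escrow to AD DS requires the "Store BitLocker recovery information in Active Directory Domain Services" policy and schema support.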

Migration Possibilities
Also coming this year will be an ability to migrate "from MBAM to cloud management," according to the announcement. It's not clear what's meant by that phrase. Possibly, an MBAM-to-Intune migration capability is the meaning.

There also will be some kind of migration capability for SCCM users at some point. According to a tweet by the Microsoft Configuration Manager team, it will be possible for on-premises MBAM users to migrate to SCCM.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
