Jump to content


Damo

Migrate MBAM Bitlocker to Intune/Endpoint Manager During Upgrade

Recommended Posts

I am looking to get our clients to migrate from MBAM to Bitlocker on MEM Intune during an OS Upgrade deployed via SCCM, has anyone managed to do this successfully if so, any advice please im struggling with where to start?

 

Thank You

Share this post


Link to post
Share on other sites

so let me get this straight, you currently have an MBAM infrastructure to manage recovery keys etc of your BitLockered computers, and these computers have the SCCM client on them also, you want to deploy and os upgrade via sccm to get them into Intune, is that what you want ? do you mean co-managed (as in configmgr client is installed and Configmgr handles some workloads, intune handles the rest) ?

or do you want these devices/computers to be Intune only managed ? please explain....

Share this post


Link to post
Share on other sites

Apologies, for the delay, let me just explain what im trying to do and what I've done in preparation.

 

I've connected my SCCM instance to Intune and setup pilot Intune and offloaded some of the workloads for what i need to Intune.  I've targeted a collection for this and based it on a specific OS Version.  I have created policies in Intune to manage the Disk Encryption.  I've tested building PCs to 20H2 with a task sequence that wipes and configures them from scratch and they drop into the collection pick up the policy and the PCs happily encrypt via Intune great.

What im doing now is creating another task sequence that will in place upgrade my Windows 1809 clients to 20H2, the issue I have is im not sure what steps are needed during the migration regarding encryption on these clients, they currently are encrypted with on premise MBAM rules, the current 1809 clients aren't managed by Intune whatsoever.  I cant work out in my head and from reading guides quite how i can move the encryption to Intune, do they need unencrypting during the upgrade task sequence and the TPM cleared or is there a way to move them without these steps needed?  They are currently AES256 encrypted in MBAM and Intune policy is set to AES256 XTS.

 

Thanks

Edited by Damo

Share this post


Link to post
Share on other sites

On 5/24/2021 at 1:31 PM, Damo said:

Apologies, for the delay, let me just explain what im trying to do and what I've done in preparation.

 

I've connected my SCCM instance to Intune and setup pilot Intune and offloaded some of the workloads for what i need to Intune.  I've targeted a collection for this and based it on a specific OS Version.  I have created policies in Intune to manage the Disk Encryption.  I've tested building PCs to 20H2 with a task sequence that wipes and configures them from scratch and they drop into the collection pick up the policy and the PCs happily encrypt via Intune great.

What im doing now is creating another task sequence that will in place upgrade my Windows 1809 clients to 20H2, the issue I have is im not sure what steps are needed during the migration regarding encryption on these clients, they currently are encrypted with on premise MBAM rules, the current 1809 clients aren't managed by Intune whatsoever.  I cant work out in my head and from reading guides quite how i can move the encryption to Intune, do they need unencrypting during the upgrade task sequence and the TPM cleared or is there a way to move them without these steps needed?  They are currently AES256 encrypted in MBAM and Intune policy is set to AES256 XTS.

 

Thanks

If the device is already encrypted, the issue here would be the escrowing of the key. At this time, if you have MBAM integration with MECM policies, it is telling the device to escrow into the MECM DB. I prefer to keep the computer object and the key separate from one another. However, you can create an intune script deployment to tell the machine to escrow the key to AAD. You would need to exclude this collection, for testing, from any on-premise bitlocker policies. You can use the site below to incorporate the PS script to escrow the key in AAD/Intune. 

Microsoft was telling me that we had to decrypt and re-encrypt to do so. This is 100% not true. Keep your encryption, and sanity, because decrypting leaves you vulnerable and uses nearly 100% of the disk if you are FDE and not used-spaced only. I've tested this, and it does work. I just prefer to keep them on-premise. 

 

How to Migrate Bitlocker to Azure AD - MSEndpointMgr

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.