Microsoft is improving management capabilities for BitLocker in enterprise environments. The company has announced cloud and on-premises alternatives via Intune and System Center Configuration Manager (SCCM) for simplified controls.
The solutions will roll out in the second half of this year with various features. In cloud-based Intune environments, users can look forward to the following additions:
- “Readiness and Compliance Reporting: Dedicated encryption reports that help admins understand the encryption status of their device estate; reports if devices can be successfully enabled with BitLocker.
- Configuration: Granular BitLocker configuration that empowers admins to manage devices to their intended level of security.
- Compliance: Leverage Intune's compliance policies. Revoke access to corporate resources if devices do not meet your encryption requirements.
- Key recovery auditing: Get reports on who accessed recovery key information in Azure AD.
- Key recovery: Enables you or another admin to recover keys in the Microsoft Intune console.
- Key management: Enable single-use recovery keys on Windows devices by ensuring keys are rolled on-access (by client) or on-demand (by Intune remote actions).
- Migrating from MBAM to cloud management: For our current MBAM customers that need to migrate to modern BitLocker management, we are integrating that migration directly into the key rotation feature.”
SCCM BitLocker Capabilities
Meanwhile, SCCM will support BitLocker management on Windows 10 Pro, Education, and Enterprise, as well as Windows 7, 8, and 8.1 until they reach end-of-life. Users will be able to provision seamlessly via the SCCM console, with Microsoft promising the same depth as current Microsoft BitLocker Administration and Monitoring (MBAM) solutions.
Admins will be able to open a TPM management console with PIN login support, tweak BitLocker configuration values, choose encryption algorithms and user exemption policies, and much more. Additionally, an auto-unlock feature lets them specify whether to unlock only the OS drive or all drives when the user unlocks an OS drive.
With the launch of these tools, Microsoft will begin the phase-out of MBAM. The tool will end mainstream support in July 2019 and extended support in 2024.
“Customers can continue to deploy and use MBAM 2.5 SP1, fully supported by Microsoft during the extended support period. The end of mainstream support indicates that new features will not be added to MBAM 2.5 SP1,” explains Principal PM manager for Microsoft Intune Dilip Radhakrishnan. “Microsoft is dedicated to investing in modern approaches that simplify and streamline BitLocker management for the enterprise. MBAM remains a supported management tool for customers that don't currently use either Microsoft Intune or System Center Configuration Manager.”