Migrating BitLocker Recovery Key Management from ConfigMgr to Intune: A Comprehensive Guide

As organizations increasingly adopt cloud-based management solutions, transitioning BitLocker recovery key management from Configuration Manager (ConfigMgr) to Microsoft Intune becomes essential. This guide provides a detailed, step-by-step approach to ensure a seamless migration, particularly for environments with co-managed, Entra-Hybrid-Joined devices.

Understanding the Current Setup: ConfigMgr BitLocker Management

Traditionally, organizations have utilized ConfigMgr, often in conjunction with the Microsoft BitLocker Administration and Monitoring (MBAM) solution, to manage BitLocker encryption and recovery keys. In this setup, the MBAM Agent Service handles encryption processes, creates key protectors, seals the Trusted Platform Module (TPM), and escrows recovery keys to the ConfigMgr database or Active Directory (AD).

Key Components of ConfigMgr BitLocker Management:

1. Policy Configuration: Administrators create BitLocker policies within ConfigMgr, specifying encryption settings such as cipher strength, key protectors (e.g., TPM, recovery password), and escrow requirements.

2. Encryption Process: Upon policy application, the MBAM Agent Service initiates encryption, establishes key protectors, seals the TPM, and escrows the recovery key to the designated storage location.

3. Monitoring: Encryption status can be verified using tools like `manage-bde.exe`, PowerShell commands, or the MBAM Helpdesk Portal. ConfigMgr logs BitLocker API events, including key protector creation and encryption initiation.

Verifying Encryption Status in ConfigMgr:

To check the encryption status and recovery key details:

– PowerShell Command:

```powershell
Get-BitLockerVolume
```

– Manage-bde Command:

```powershell
manage-bde -status
manage-bde -protectors -get C: -type RecoveryPassword
```

– Registry Check for Escrow Time: ConfigMgr records the time of the last recovery key escrow in the registry as a Unix timestamp (seconds since 1 January 1970 UTC). Convert it to a readable date with:

```powershell
# Read the raw Unix timestamp written by the ConfigMgr BitLocker Management client
$LastEscrowTime = Get-ItemPropertyValue HKLM:\SOFTWARE\Microsoft\CCM\BLM -Name 'LastEscrowTime'
# Convert seconds-since-epoch to a DateTimeOffset (UTC)
$oUNIXDate = [System.DateTimeOffset]::FromUnixTimeSeconds($LastEscrowTime)
$oUNIXDate
```

Transitioning to Intune for BitLocker Management

Migrating to Intune involves several critical steps to ensure existing encrypted devices continue to function correctly, recovery keys are properly escrowed, and compliance is maintained.

1. Assess Current BitLocker Policies and Configurations

Begin by reviewing existing BitLocker policies in ConfigMgr. Document encryption settings, key protectors, and escrow configurations. This assessment will serve as a baseline for configuring equivalent policies in Intune.

2. Configure BitLocker Policies in Intune

In the Microsoft Intune admin center, navigate to Endpoint security > Disk encryption to create a new policy:

– Encryption Settings: Define encryption methods and cipher strength to match or enhance existing ConfigMgr policies.

– Key Protectors: Specify key protectors such as TPM, recovery password, and startup PIN as required.

– Recovery Key Escrow: Ensure that recovery keys are set to be stored in Microsoft Entra ID (formerly Azure AD).

3. Deploy Intune Policies to Target Devices

Assign the newly created BitLocker policy to device groups that are part of the migration plan. Monitor deployment status to ensure policies are applied successfully.

4. Verify Recovery Key Escrow in Intune

After policy deployment, confirm that recovery keys are being escrowed to Microsoft Entra ID:

– Intune Portal: Navigate to Devices > All devices, select a device, and check the Recovery keys section.

– PowerShell Command:

```powershell
Get-BitLockerVolume | Select-Object -ExpandProperty KeyProtector
```
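Listing the key protectors shows that a recovery password exists, but not whether it reached Microsoft Entra ID. The script below is an added example (it is not part of this guide and not Microsoft's code) that goes one step further: for every volume it pairs each RecoveryPassword protector with the most recent backup event from the local BitLocker Management event log, and with `-Remediate` it asks the BitLocker client to escrow any protector that has no successful backup. It assumes it runs elevated on a Windows device with the BitLocker module available, that event 845 in that log records a successful backup to Entra ID and 846 a failed one, and that the event message contains the key protector ID; if your build's messages differ, adjust the match.

```powershell
# Added example: per-volume check that each BitLocker recovery password has
# been backed up to Microsoft Entra ID, with optional remediation.
# Assumptions: elevated session, BitLocker module present, and backup results
# recorded in the BitLocker Management log as event 845 (success) / 846 (failure)
# whose message carries the key protector ID.

[CmdletBinding()]
param(
    [switch]$Remediate   # request a backup for protectors without a successful event
)

$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'

# Collect backup events once; Get-WinEvent returns nothing if the log has none.
$backupEvents = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 845, 846 } `
                             -ErrorAction SilentlyContinue

$results = foreach ($vol in Get-BitLockerVolume) {
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $recovery) {
        # A volume with no recovery password cannot have a key in Entra ID at all.
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorId      = $null
            EntraBackup      = 'NoRecoveryPasswordProtector'
            LastEvent        = $null
        }
        continue
    }

    foreach ($kp in $recovery) {
        # Match the protector GUID (without braces) against the event text.
        $idText = $kp.KeyProtectorId.Trim('{}')
        $latest = $backupEvents |
            Where-Object { $_.Message -match [regex]::Escape($idText) } |
            Sort-Object TimeCreated -Descending |
            Select-Object -First 1

        $eventId = if ($latest) { $latest.Id } else { 0 }
        $state = switch ($eventId) {
            845     { 'BackedUp' }
            846     { 'BackupFailed' }
            default { 'NoBackupEvent' }
        }

        if ($Remediate -and $state -ne 'BackedUp') {
            # Ask the BitLocker client to escrow this protector to Entra ID now;
            # a new 845/846 event will record the outcome.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                              -KeyProtectorId $kp.KeyProtectorId | Out-Null
            $state = 'BackupRequested'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorId      = $kp.KeyProtectorId
            EntraBackup      = $state
            LastEvent        = if ($latest) { $latest.TimeCreated } else { $null }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it without `-Remediate` first and treat any `NoBackupEvent` or `BackupFailed` row as a device whose key you must not assume is recoverable from the Intune portal; only after the portal shows the key for that device should the ConfigMgr escrow be considered redundant.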

5. Implement Recovery Key Rotation

To enhance security, configure automatic recovery key rotation:

– Intune Policy Configuration: In the BitLocker policy, enable Client-driven recovery password rotation. This setting ensures that the recovery key is automatically rotated after each use, preventing reuse of the same key.

6. Monitor and Audit BitLocker Management

Regularly monitor encryption compliance and recovery key escrow status:

– Intune Reports: Utilize Intune’s built-in reports to track encryption status across devices.

– Audit Logs: Review audit logs in Microsoft Entra ID to monitor access to recovery keys and ensure compliance with organizational policies.
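Reviewing key access by hand does not scale across a fleet. The script below is an added example (not part of this guide and not Microsoft's code) that pulls the Entra ID audit entries for recovery key reads over the last N days through the Microsoft Graph PowerShell SDK and summarises them per actor, so accounts reading unusually many keys stand out. It assumes the `Microsoft.Graph.Reports` module is installed, that the caller can consent to `AuditLog.Read.All`, and that the activity is named `Read BitLocker key` in the audit log; confirm that name against one entry in your tenant before relying on the filter.

```powershell
# Added example: summarise who read BitLocker recovery keys from Entra ID.
# Assumptions: Microsoft.Graph.Reports installed, AuditLog.Read.All granted,
# and the audit activity named 'Read BitLocker key' (verify in your tenant).

param(
    [int]$Days = 7   # look-back window
)

Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Graph expects an ISO 8601 UTC timestamp in the filter.
$since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Read BitLocker key' and activityDateTime ge $since"

$reads = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$rows = foreach ($entry in $reads) {
    $user = $entry.InitiatedBy.User
    # The object whose key was read (typically the device) is listed as a target resource.
    $target = $entry.TargetResources | Select-Object -First 1
    [pscustomobject]@{
        When       = $entry.ActivityDateTime
        Actor      = if ($user.UserPrincipalName) { $user.UserPrincipalName }
                     else { $entry.InitiatedBy.App.DisplayName }
        Target     = $target.DisplayName
        TargetType = $target.Type
        Result     = $entry.Result
    }
}

# Per-actor counts: a helpdesk account reading far more keys than its peers
# is the first thing to follow up on.
$rows | Group-Object Actor | Sort-Object Count -Descending |
    Select-Object @{ n = 'Actor'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Full chronological list for the detailed review.
$rows | Sort-Object When -Descending | Format-Table -AutoSize
```

Pair the per-actor summary with the list of devices that actually entered BitLocker recovery in the same window: a key read with no matching recovery event on the device is the case worth investigating.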

7. Educate End Users on Self-Service Recovery

Intune enables end users to access their BitLocker recovery keys through the Intune Company Portal, reducing dependency on IT support:

– Self-Service Access: Users can retrieve their recovery keys by logging into the Intune Company Portal website, navigating to the device management section, and following prompts to retrieve their recovery key.

– Security Considerations: Implement Conditional Access policies to ensure that only compliant devices can access recovery keys, enhancing security.

8. Decommission ConfigMgr BitLocker Management

Once all devices have successfully transitioned to Intune for BitLocker management:

– Remove MBAM Agents: Uninstall MBAM agents from devices to prevent conflicts.

– Disable ConfigMgr Policies: Turn off BitLocker policies in ConfigMgr to avoid policy conflicts.

– Validate Decommissioning: Ensure that all devices are reporting compliance in Intune and that recovery keys are properly escrowed in Microsoft Entra ID.

Conclusion

Migrating BitLocker recovery key management from ConfigMgr to Intune is a strategic move towards modern, cloud-based device management. By following this comprehensive guide, organizations can ensure a smooth transition, maintain compliance, and enhance security through features like automatic recovery key rotation and self-service recovery options.