Microsoft Announces Enterprise BitLocker Management Alternatives

Microsoft will add cloud-based and on-premises BitLocker management capabilities in enterprise environments via Microsoft Intune and System Center Configuration Manager (SCCM) during the second half of 2019.

BitLocker is a full-volume encryption feature with support for the XTS-AES encryption algorithm which makes it possible for Windows users to encrypt their computer's hard drives or removable drives.

Using BitLocker to encrypt data prevents data theft and data leak incidents that would otherwise allow third parties to get access to sensitive data stored on lost, stolen or inadequately decommissioned computers.

As Microsoft detailed today, the new alternatives added to BitLocker management for corporate environments further boost the robustness required to properly manage enterprise endpoints.

BitLocker management lifecycle

Standard BitLocker management

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simple to use and on-premises administration interface designed to manage BitLocker Drive Encryption and has been the enterprise standard since 2011.

Redmond announced that "MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024," and the new BitLocker management capabilities will not be included in the latest MBAM release.

However, as Microsoft explains, MBAM will remain a supported BitLocker management tool for customers who do not want to switch to the new Microsoft Intune or System Center Configuration Manager management platforms.

Cloud-based management available today

The Microsoft Azure Active Directory and Microsoft Intune cloud-based management interface will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.

Microsoft's Intune BitLocker management platform is available starting today, with features like "compliance reporting, encryption configuration, with key retrieval and rotation" already added to the development roadmap.

Microsoft Intune Endpoint Protection portal

Following the addition of extra features and capabilities to the Microsoft Intune BitLocker solution, the new management platform is expected to soon match and surpass the options provided by MBAM.

"Windows AutoPilot offers a modern provisioning approach to ensure BitLocker is seamlessly enabled on Windows devices, integrating with Azure Active Directory to provide a compliant device on first logon," Microsoft adds.

Some of the features that will be included with Intune cloud-based BitLocker management are listed below:

• Readiness and Compliance Reporting: Dedicated encryption reports that help admins understand the encryption status of their device estate.
• Configuration: Granular BitLocker configuration that empowers admins to manage devices to their intended level of security.
• Compliance: Leverage Intune’s compliance policies.
• Key recovery auditing: Get reports on who accessed recovery key information in Azure AD (coming later in 2019).
• Key recovery: Enables you or another admin to recover keys in the Microsoft Intune console (Self-service is expected later in 2019).
• Key management: Enable single-use recovery keys on Windows devices by ensuring keys are rolled on-access by client or on-demand by Intune remote actions (coming later in 2019).
• Migrating from MBAM to cloud management (coming in 2019)

On-premises SCCM-based management comes in June

Enterprises that are already using MBAM for on-premises BitLocker management, and for which the cloud-based Microsoft Intune option is not a viable choice, will be able to switch to the new SCCM-powered management starting in June 2019.

"Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019," Microsoft explains.

Just as with the Intune cloud-based management platform, SCCM BitLocker management will be available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions, but it will also support Windows 7, Windows 8, and Windows 8.1 during their lifecycle.

The capabilities which will be included with Configuration Manager (SCCM) BitLocker management are:

• Provisioning: Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.
• Prepare Trusted Platform Module (TPM): Admins can open the TPM management console for TPM versions 1.2 and 2.0.
• Setting BitLocker Configuration: All MBAM configuration specific values that you set will be available through the SCCM console.
• Encryption: Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.
• Policy enactment / remediation on device: Admins can force users to get compliant with new security policies before being able to access the device.
• New user can set a pin / password on TPM & non-TPM devices: Admins can customize their organization’s security profile on a per device basis.
• Auto unlock: Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.
• Helpdesk portal with auditing: A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery.
• Key rotation: Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device.
• Compliance reporting: SCCM reporting will include all reports currently found on MBAM in the SCCM console.
