How to migrate standalone MBAM to SCCM for bitlocker

We all know that Microsoft BitLocker Administration and Monitoring (MBAM) is an administrative tool for managing BitLocker Drive Encryption on Windows devices that are on-premises domain joined.

MBAM mainstream support ended in July 2019, and it is currently in extended support until April 2026.

To learn more about mainstream support and extended support, please read the article https://learn.microsoft.com/en-us/lifecycle/policies/fixed.

Considering the support for MBAM, what other alternative tools/products do we have to manage the BitLocker feature?

Microsoft incorporated the MBAM features into Configuration Manager (SCCM) starting with version 1910, and since then the feature has gained many new capabilities and improvements. Microsoft Intune can also be used as an alternative approach, and it is the future direction.

To learn about migrating the MBAM server to Microsoft Endpoint Manager (Intune), please read the article https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mbam-server-migration-to-microsoft-endpoint-manager/ba-p/2192984

Read the migration considerations from MBAM to SCCM: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

In this blog post, I would like to provide the steps that I have used to migrate standalone MBAM to SCCM for my customers.

These migration steps assume that you are using an MBAM server with a GPO-based configuration policy (BitLocker settings).

You want to migrate the clients from MBAM and continue with SCCM for the BitLocker feature.

Before we start the migration process, make sure your current SCCM infrastructure has the BitLocker feature enabled and configured. Follow the Microsoft article on how to enable the BitLocker feature: https://learn.microsoft.com/en-us/mem/configmgr/protect/plan-design/bitlocker-management#prerequisites

Enabling the BitLocker feature in SCCM is independent of your current MBAM setup. You can simply install/enable the BitLocker feature in SCCM, but don't create or deploy any BitLocker policies to your clients (collections) yet.

Once you have enabled the BitLocker feature in SCCM and it is in working condition (verify that the IIS web portals are working), we will need to collect the settings from the existing MBAM setup, such as the encryption method and cipher strength, that you configured in the GPO.

Go to your GPOs and identify the policy that has the BitLocker settings configured, in particular the cipher strength (AES 128, AES 256, etc.). This is one of the most important settings we will need for SCCM.

Once you have this information, go to the SCCM console, Endpoint Protection, and create a new BitLocker policy with settings matching the GPO.


If there is any difference in the BitLocker policy settings (for example, algorithm 128 vs. 256) between MBAM and SCCM, there will be conflicts when you deploy the policy to the collection and you may see unexpected results.

If you would like to change the encryption algorithm, such as from 128 (MBAM) to 256 (SCCM), you need to decrypt the disk first before you encrypt it using 256.

Note: What happens if you deploy a BitLocker policy from SCCM with an encryption algorithm of 256 to devices that are already BitLocker-encrypted by MBAM with a different algorithm?

In my testing, the SCCM client evaluates the policy and reports the device as non-compliant due to the mismatch in the configuration settings (the key is still escrowed while non-compliant), without causing any trouble on the device.

Once you have created the BitLocker policy with settings that match your MBAM GPO, create a collection and add a few devices to it.

Deploy the BitLocker policy to the test collection that you created above.

Initiate the machine policy retrieval cycle or wait for the policy to trigger on the machine. If you cannot wait, run the machine policy cycle, go to the PC, and evaluate the BitLocker policy from the Configurations tab in the Configuration Manager control panel applet.

Wait for the device to evaluate the policy and escrow the key to SCCM using the recovery service.

Read the client log BitlockerManagementHandler.log located in C:\Windows\CCM\Logs for troubleshooting purposes.

Note: When you deploy the BitLocker policy to the collection, if the device is already BitLocker-encrypted by MBAM, the SCCM client simply validates the settings; if they match, the client escrows the keys to the SCCM database. This process has no impact on the end user.

This entire process happens silently in the background.

If the client is BitLocker-encrypted with different settings than what you deploy in SCCM, the client will simply report to SCCM as non-compliant due to the mismatch in the settings. https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#re-encryption


If the client is not BitLocker-encrypted by MBAM but is in scope of the SCCM deployment, the SCCM client evaluates the policy, encrypts the drive with BitLocker, and escrows the key to the SCCM server.

Note: Microsoft deprecated key escrow via the Recovery Service a long time ago, so the SCCM client escrows the key directly via the current MP using a secure channel.
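As an added example (not from the original post), the following PowerShell script inventories the BitLocker state of a few test devices and predicts which of the three outcomes described above (not encrypted, match, mismatch) each volume will hit when the SCCM policy arrives. It assumes WinRM access to the devices and the BitLocker PowerShell module on them; the $TargetMethod value and the script name are assumptions to be replaced with the cipher you chose in the SCCM policy.

```powershell
# Added example (not from the original post): inventory BitLocker state on devices that
# are candidates for the SCCM policy and predict which of the three outcomes described
# above each volume will hit. Assumes WinRM access to the targets and the BitLocker
# PowerShell module on them. $TargetMethod is a placeholder: set it to the cipher you
# chose in the SCCM BitLocker policy (taken from the MBAM GPO).
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string] $TargetMethod = 'XtsAes256'
)

$inventory = {
    param($Target)
    foreach ($vol in Get-BitLockerVolume) {
        # The SCCM client escrows the numerical recovery password protector; if a volume
        # has none, there is nothing for it to send to the management point.
        $hasRecoveryPassword = [bool]($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $expected = 'Not encrypted: SCCM policy will encrypt and escrow'
        } elseif ("$($vol.EncryptionMethod)" -eq $Target) {
            $expected = 'Match: client reports compliant and escrows the key'
        } else {
            $expected = 'Mismatch: reports non-compliant (key still escrows); decrypt before re-encrypting'
        }

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            EncryptionMethod    = $vol.EncryptionMethod
            TargetMethod        = $Target
            HasRecoveryPassword = $hasRecoveryPassword
            Expected            = $expected
        }
    }
}

# Collect from every device in one call, then show the columns that matter for the decision.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $inventory -ArgumentList $TargetMethod
$results | Sort-Object Computer, MountPoint |
    Format-Table Computer, MountPoint, VolumeStatus, EncryptionMethod, HasRecoveryPassword, Expected -AutoSize
```

Run it against the members of the test collection before deploying, for example .\Get-BitLockerMigrationState.ps1 -ComputerName cmcb-w11-03 -TargetMethod XtsAes256 (script name assumed).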

Now check whether the client's BitLocker key is available in the SCCM database using the following SQL query.

-- Recovery keys escrowed for one device; replace the machine name with your test device
SELECT a.Name, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime
FROM dbo.RecoveryAndHardwareCore_Machines a
INNER JOIN dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
INNER JOIN dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
WHERE a.Name = 'cmcb-w11-03'

Run the self-service portal and the helpdesk portal for recovery keys and confirm that the BitLocker functionality is working.
SCCM also comes with enterprise BitLocker reports as part of the default SCCM reports. You can use these reports as well to check the BitLocker compliance status.


At this stage, we have created the BitLocker policy in SCCM, deployed it to our test collection, validated the key in the database, and checked the reports.

In addition, if you are provisioning devices using SCCM (imaging), you can use the task sequence to perform BitLocker encryption (silently) during the imaging process itself. Read the article from Niall Brady: https://www.niallbrady.com/2022/03/03/escrow-bitlocker-recovery-password-to-the-site-during-a-task-sequence-in-configuration-manager-2203/


We will now expand the SCCM BitLocker policy deployment to other collections (staggered approach) until all devices are covered.

Monitor the deployment status using the console and the compliance reports.

At this stage, you need to decide whether you are ready to stop new devices from being managed by MBAM for BitLocker. If you are, take a backup of the MBAM database and/or back up the keys from the MBAM database to a secure location.

Once you have migrated all the clients from MBAM to SCCM, start the decommissioning process for MBAM and its GPOs.

Start by unlinking the GPO from one OU and monitor the feedback (there should not be any issues). Wait for a day or two and continue the approach on all the OUs until you reach the end.

Plan to shut down the server for 1-2 weeks before decommissioning it.

Remove the MBAM GPOs.

Thank you for reading the post and let me know your feedback via the comments section.

References:

https://learn.microsoft.com/en-us/answers/questions/738022/move-standalone-mbam-to-sccm-integrated-mbam.html

https://www.niallbrady.com/2020/01/19/learn-about-mbam-in-microsoft-endpoint-configuration-manager-version-1910-part-8-migration/

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/migration-considerations

5 Responses to "How to migrate standalone MBAM to SCCM for bitlocker"

  1. hi Eswar,
    I inherited 1800+ Windows 10 (21H2) devices, where most OS drives have "AES 128-bit with Diffuser" as the encryption method, and most fixed drives are on "AES 256-bit with Diffuser". More recently deployed devices now have the OS drive on "AES 256-bit with Diffuser". This "AES 256-bit with Diffuser" setting is now the GPO default, where it used to be "AES 128-bit with Diffuser".
    If I create a BitLocker Management Policy, most devices would report non-compliant and no keys are escrowed into the SCCM database. What scenario can be used to still achieve that all keys are escrowed into SCCM over time?
    Any comments or experience on doing this?

    1. Hi,
      Creating a BitLocker policy in SCCM with any BitLocker algorithm will escrow the keys to the database, but for reporting purposes they report as non-compliant.
      Have you tried creating a BitLocker policy and deploying it to devices to see if their keys appear in the SCCM database?

      1. You answered my question. Just bringing a device under a BitLocker policy will escrow the keys. This will address my issue. This week I will start testing with this, once the portals are up and running. Thanks!

  2. In the link provided on how to enable the feature, it states: "By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption."
    If our systems are already encrypted through MBAM for used space only and are showing compliant, will they now show as non-compliant after switching to BitLocker managed by ConfigMgr?

    1. Hi Eric,
      The BitLocker management policy by default encrypts used space only. In case the client is already BitLocker-encrypted by MBAM using full disk, and you deploy the SCCM BitLocker policy, it reports as compliant and escrows the key to SCCM.
      SCCM does not look at used space or full disk encryption when migrating the clients from MBAM to SCCM. The important criterion is the encryption algorithm.

      Does that help?

      Thanks,
      Eswar
