Introduction
In this video (linked at the bottom of this post) I show you how you can migrate existing MBAM managed clients to Configuration Manager using the new BitLocker Management feature that was released in Microsoft Endpoint Configuration Manager version 1910.
In order for this to work you’ll need an existing MBAM standalone server(s) that is managing one or more clients. The recovery keys (and associated data) will be stored on that MBAM server as defined by the Group Policy settings you’ve configured for MDOP.
Before the MBAM Migration scenario
The screenshot below shows an MBAM GPO linked to the MBAM Clients OU. From there, MBAM-managed clients receive the MBAM-specific group policy encryption settings instructing them to report to the MBAM server and upload compliance data and recovery keys.
The Configuration Manager server is only used at this point to deploy the MBAM client agent (MDOP agent) to resources in the MBAM Clients collection (which has a membership query to look for resources in the MBAM Clients OU).
After the MBAM Migration scenario
In the screenshot below you can see the ConfigMgr database on the left and the MBAM database on the right: the client that was managed by MBAM is now managed by ConfigMgr, and the key and its associated data have been migrated over to ConfigMgr.
When you migrate clients from MBAM to BitLocker Management within Configuration Manager, the recovery key and associated data are migrated and automatically populated in ConfigMgr’s database; all you need to do is pre-configure a BitLocker Management policy and target the computers to be migrated with that policy.
- Keep the settings in the MBAM GPO the same as those in your ConfigMgr BitLocker policy; otherwise the two may conflict and produce unexpected results.
- Do not remove the MBAM GPO from the clients to be migrated until they have received their BitLocker Management policy.
- Test this setup in a lab before implementing it in production, and remember that your ConfigMgr primary and the clients need to be in HTTPS mode.
- If you change the encryption algorithm, you will first need to decrypt your clients before re-encrypting them with the new encryption settings; for details about enforcing encryption see this video.
- Once you have migrated all your MBAM clients to ConfigMgr, you can decommission the MBAM server and remove the MBAM GPO.
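The three cautions about matching settings, keeping the MBAM GPO in place and changing algorithms can be checked on a client before you target it with the ConfigMgr policy. The script below is an added example, not code from the post or from Microsoft; it assumes the BitLocker group policy values are written under HKLM\SOFTWARE\Policies\Microsoft\FVE with the MBAM-specific endpoints under its MDOPBitLockerManagement subkey, and it uses the standard BitLocker mapping for the EncryptionMethodWithXts* DWORDs (3 = AES-128, 4 = AES-256, 6 = XTS-AES-128, 7 = XTS-AES-256). It reports whether the MBAM GPO is still applied, which algorithm the applied policy requires, and whether any volume is encrypted with a different algorithm (which would mean decrypting first, as the post says).

```powershell
# Added example (not from the original post): pre-migration readiness check on an MBAM-managed client.
# Assumptions: BitLocker GPO values under HKLM\SOFTWARE\Policies\Microsoft\FVE, MBAM endpoints under the
# MDOPBitLockerManagement subkey, EncryptionMethodWithXts* mapping 3/4/6/7 as documented for BitLocker.
# Requires the BitLocker module (Get-BitLockerVolume) and local administrator rights.

$FvePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MbamPolicyKey = Join-Path $FvePolicyKey 'MDOPBitLockerManagement'

# Policy DWORD -> the EncryptionMethod names that Get-BitLockerVolume reports
$MethodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-MbamMigrationReadiness {
    $report = [ordered]@{}

    # 1. Is the MBAM GPO still applied? Keep it until the ConfigMgr policy has arrived.
    $keyEndpoint    = Get-PolicyValue -Key $MbamPolicyKey -Name 'KeyRecoveryServiceEndPoint'
    $statusEndpoint = Get-PolicyValue -Key $MbamPolicyKey -Name 'StatusReportingServiceEndPoint'
    $report.MbamGpoApplied      = [bool]($keyEndpoint -or $statusEndpoint)
    $report.MbamKeyRecoveryUrl  = $keyEndpoint
    $report.MbamStatusReportUrl = $statusEndpoint

    # 2. Which algorithm does the currently applied policy require for OS and data drives?
    $osMethodId  = Get-PolicyValue -Key $FvePolicyKey -Name 'EncryptionMethodWithXtsOs'
    $fdvMethodId = Get-PolicyValue -Key $FvePolicyKey -Name 'EncryptionMethodWithXtsFdv'
    $report.PolicyOsMethod  = if ($osMethodId)  { $MethodNames[[int]$osMethodId] }  else { 'NotSet' }
    $report.PolicyFdvMethod = if ($fdvMethodId) { $MethodNames[[int]$fdvMethodId] } else { 'NotSet' }

    # 3. Compare with what is actually on disk; a mismatch means decrypt first, then re-encrypt.
    $volumes = @()
    foreach ($v in Get-BitLockerVolume) {
        $expected = if ($v.VolumeType -eq 'OperatingSystem') { $report.PolicyOsMethod } else { $report.PolicyFdvMethod }
        $actual   = "$($v.EncryptionMethod)"
        $volumes += [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            ActualMethod     = $actual
            PolicyMethod     = $expected
            # Only flag encrypted volumes whose algorithm differs from an explicitly set policy value
            NeedsReEncrypt   = ($v.VolumeStatus -ne 'FullyDecrypted') -and
                               ($expected -ne 'NotSet') -and ($actual -ne $expected)
        }
    }
    $report.Volumes        = $volumes
    $report.ReadyToMigrate = $report.MbamGpoApplied -and -not ($volumes | Where-Object NeedsReEncrypt)
    [pscustomobject]$report
}

$result = Test-MbamMigrationReadiness
$result | Select-Object MbamGpoApplied, MbamKeyRecoveryUrl, PolicyOsMethod, PolicyFdvMethod, ReadyToMigrate | Format-List
$result.Volumes | Format-Table -AutoSize
```

Run it as an administrator on a client that still has the MBAM GPO. ReadyToMigrate is true only when the MBAM endpoints are still present and no encrypted volume uses an algorithm different from the one the policy specifies; the same check repeated after the ConfigMgr policy arrives tells you whether the two policies agree, which is the condition the post's first caution is about.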
The following links should help you get MBAM setup in a lab so you can practice the migration yourself.
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/evaluating-mbam-25-in-a-test-environment
- https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates
- https://www.microsoft.com/en-us/download/details.aspx?id=55531
Also note that setting up MBAM from scratch is covered in a book I wrote: https://www.niallbrady.com/book/
This is part 8 of a 10-part video series on YouTube.
- BitLocker management – Part 1 Initial setup
- BitLocker management – Part 2 Deploy portals
- BitLocker management – Part 3 Customize portals
- BitLocker management – Part 4 Force encryption with no user action
- BitLocker management – Part 5 key rotation
- BitLocker management – Part 6 Force decryption with no user action
- BitLocker management – Part 7 Reporting and compliance
- BitLocker management – Part 8 Migration
- BitLocker management – Part 9 Group Policy settings
- BitLocker management – Part 10 Troubleshooting
For more info about the new BitLocker Management ability in Configuration Manager 1910 see https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/
Take a look!
Niall,
We really appreciate how you make this easy for us. And I have a question: do you have a series of documents on your website on migrating MBAM to Intune? Please advise.
hi,
I’ve nothing like that which is recent; there’s this old blog about enabling BitLocker in Intune, but a lot has changed since I wrote it and native BitLocker support is much better in Intune today.
https://www.windows-noob.com/forums/topic/15514-configuring-bitlocker-in-intune-part-1-configuring-bitlocker/
Hi Niall,
Great link. One last thing I missed in your blog: how can I transfer all recovery keys from the MBAM server or SQL to upload them to Azure or Intune?
hi Mtaa,
look at https://www.windows-noob.com/forums/topic/16726-on-premises-bitlocker-management-using-system-center-configuration-manager/?do=findComment&comment=68195
Hi Niall,
Great explanation, just one question after watching the video. You mention above “Do not remove the MBAM GPO from your clients to be migrated until they have received their Bitlocker Management policy” but in the video you removed the test client from the GPO before receiving the Bitlocker Management policy. Can you leave the GPO setting until it is managed by ConfigMgr ?
hi Yrokie26,
look at Microsoft’s official wording in relation to group policy:
“The BitLocker management settings are fully compatible with MBAM group policy settings. If devices receive both group policy settings and Configuration Manager policies, configure them to match”
so yes you can leave them until it’s managed by ConfigMgr, but make sure the settings match otherwise you may have conflicts.