Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 8 Migration


In this video (linked at the bottom of this post) I show you how you can migrate existing MBAM managed clients to Configuration Manager using the new BitLocker Management feature that was released in Microsoft Endpoint Configuration Manager version 1910.

In order for this to work you’ll need an existing MBAM standalone server(s) that is managing one or more clients. The recovery keys (and associated data) will be stored on that MBAM server as defined by the Group Policy settings you’ve configured for MDOP.

Before the MBAM Migration scenario

The screenshot below shows a MBAM GPO which is linked to the MBAM Clients OU. From there MBAM managed clients get MBAM specific group policy setting encryption settings instructing them to report to the MBAM server and upload compliance data and recovery keys.

The Configuration Manager server is only used at this point to deploy the MBAM client agent (MDOP agent) to resources in the MBAM Clients collection (which has a membership query to look for resources in the MBAM Clients OU).

After the MBAM Migration scenario

In the below screenshot you can see the ConfigMgr database on the left, and the MBAM database on the right, the client that was managed by MBAM is now managed by ConfigMgr and the key and it’s associated data is migrated over to ConfigMgr.

When you migrate clients from MBAM to Bitlocker Management within Configuration Manager, the recovery key and associated data will be migrated and automatically populated in ConfigMgr’s database without you needing to do anything other than pre-configure BitLocker Management policy and target the desired computers to be migrated with that policy.

  • Try and keep the settings contained in the MBAM GPO the same as in your ConfigMgr Bitlocker policy otherwise you may get conflicts and as a result, unexpected results.
  • Do not remove the MBAM GPO from your clients to be migrated until they have received their Bitlocker Management policy.
  • Test this setup in a lab before implementing it in production, and  remember that your ConfigMgr primary and the clients need to be in HTTPS mode.
  • If you change encryption algorithm, then you will need to first decrypt your clients before re-encrypting them with the new encryption settings, for details about enforcing encryption see this video.
  • Once you have migrated over all your MBAM clients to ConfigMgr, you can decommission the MBAM server and remove the MBAM GPO.

The following links should help you get MBAM setup in a lab so you can practice the migration yourself.

also to note that setting up MBAM from scratch is covered in a book i wrote here https://www.niallbrady.com/book/

This is part 8 from a 10 part video series on youtube.

For more info about the new Bitlocker Management ability in Configuration Manager 1910 see https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/

Take a look !


This entry was posted in 1910, MBAM, Migration. Bookmark the permalink.

6 Responses to Learn about Bitlocker Management in Microsoft Endpoint Configuration Manager version 1910 – part 8 Migration

  1. Matt Aljanabi says:


    We really appreciate how you make this easy for us. and I have a question, do you have a series of documents on your website of Migration MBAM to Intune? please advice.

  2. yorkie26 says:

    Hi Naill,

    Great explanation, just one question after watching the video. You mention above “Do not remove the MBAM GPO from your clients to be migrated until they have received their Bitlocker Management policy” but in the video you removed the test client from the GPO before receiving the Bitlocker Management policy. Can you leave the GPO setting until it is managed by ConfigMgr ?

    • ncbrady says:

      hi Yrokie26,
      look at microsofts official wording in relation to group policy:

      “The BitLocker management settings are fully compatible with MBAM group policy settings. If devices receive both group policy settings and Configuration Manager policies, configure them to match”

      so yes you can leave them until it’s managed by ConfigMgr, but make sure the settings match otherwise you may have conflicts.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.