In this video (linked at the bottom of this post) I show you how you can migrate existing MBAM managed clients to Configuration Manager using the new BitLocker Management feature that was released in Microsoft Endpoint Configuration Manager version 1910.
In order for this to work you’ll need an existing MBAM standalone server(s) that is managing one or more clients. The recovery keys (and associated data) will be stored on that MBAM server as defined by the Group Policy settings you’ve configured for MDOP.
Before the MBAM Migration scenario
The screenshot below shows an MBAM GPO linked to the MBAM Clients OU. From there, MBAM-managed clients receive the MBAM-specific Group Policy encryption settings that instruct them to report to the MBAM server and upload compliance data and recovery keys.
At this point the Configuration Manager server is only used to deploy the MBAM client agent (MDOP agent) to resources in the MBAM Clients collection (which has a membership query that looks for resources in the MBAM Clients OU).
In the screenshot below you can see the ConfigMgr database on the left and the MBAM database on the right: the client that was managed by MBAM is now managed by ConfigMgr, and the key and its associated data have been migrated over to ConfigMgr.
When you migrate clients from MBAM to BitLocker Management within Configuration Manager, the recovery key and associated data are migrated and automatically populated in ConfigMgr's database. The only things you need to do are pre-configure a BitLocker Management policy and target the computers to be migrated with that policy.
- Try to keep the settings in the MBAM GPO the same as in your ConfigMgr BitLocker policy; otherwise you may get conflicts and, as a result, unexpected results.
- Do not remove the MBAM GPO from the clients to be migrated until they have received their BitLocker Management policy.
- Test this setup in a lab before implementing it in production, and remember that your ConfigMgr primary and the clients need to be in HTTPS mode.
- If you change the encryption algorithm, you will need to decrypt your clients first before re-encrypting them with the new encryption settings; for details about enforcing encryption see this video.
- Once you have migrated all your MBAM clients over to ConfigMgr, you can decommission the MBAM server and remove the MBAM GPO.
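The two checks behind the first two tips above (are the GPO and ConfigMgr settings the same, and has the client actually received its BitLocker Management policy before the GPO goes away) can be scripted. The PowerShell below is an added example and not part of the original post or of ConfigMgr itself. It assumes that both the MBAM GPO and the ConfigMgr policy land in the standard BitLocker policy key HKLM:\SOFTWARE\Policies\Microsoft\FVE, that the MDOP agent service is named MBAMAgent, and that the EncryptionMethodWithXts* policy values use the documented numbers 3/4/6/7 for AES-128/AES-256/XTS-AES-128/XTS-AES-256. The function names are my own.

```powershell
# Added example (not from the original post or from ConfigMgr): pre-flight checks for an
# MBAM-to-ConfigMgr BitLocker Management migration. Run elevated on a client.
# Assumptions: BitLocker policy is written under $PolicyKey, the MDOP agent service is
# named MBAMAgent, and EncryptionMethodWithXts* uses the documented values below.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Documented BitLocker policy values for the EncryptionMethodWithXts* settings,
# mapped to the names Get-BitLockerVolume reports in its EncryptionMethod property.
$MethodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-BitLockerPolicySnapshot {
    # Capture every value under the FVE policy key and its subkeys as "key\value" = data.
    # Subkeys such as the one the MBAM ADMX uses for its service endpoints are included,
    # so the diff later shows whether the client was repointed to the ConfigMgr MP.
    $snapshot = @{}
    if (-not (Test-Path $PolicyKey)) { return $snapshot }
    foreach ($key in @(Get-Item $PolicyKey) + @(Get-ChildItem $PolicyKey -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            $snapshot["$($key.Name)\$name"] = $key.GetValue($name)
        }
    }
    return $snapshot
}

function Compare-BitLockerPolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Report every setting that changed, appeared or disappeared between the snapshot
    # taken under the MBAM GPO and the one taken after ConfigMgr policy arrived.
    $differences = @()
    foreach ($name in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $old = $Before[$name]; $new = $After[$name]
        if ("$old" -ne "$new") {
            $differences += [pscustomobject]@{ Setting = $name; Before = $old; After = $new }
        }
    }
    return $differences
}

function Get-MigrationReadiness {
    # One-shot view of the client: is the MDOP agent present and running, and does each
    # volume's current cipher match what policy asks for? A mismatch on an encrypted volume
    # means the volume has to be decrypted and re-encrypted (see the tip above).
    $agent  = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    $policy = Get-BitLockerPolicySnapshot
    $prefix = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE'

    $volumes = Get-BitLockerVolume | ForEach-Object {
        $valueName = if ($_.VolumeType -eq 'OperatingSystem') { 'EncryptionMethodWithXtsOs' }
                     else { 'EncryptionMethodWithXtsFdv' }
        $policyValue  = $policy["$prefix\$valueName"]
        $policyMethod = if ($null -ne $policyValue) { $MethodNames[[int]$policyValue] } else { $null }
        $current      = "$($_.EncryptionMethod)"
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = "$($_.VolumeType)"
            VolumeStatus     = "$($_.VolumeStatus)"
            ProtectionStatus = "$($_.ProtectionStatus)"
            CurrentMethod    = $current
            PolicyMethod     = $policyMethod
            # Only an already-encrypted volume with a different cipher needs the decrypt step.
            NeedsReencrypt   = ($current -ne 'None' -and $policyMethod -and $current -ne $policyMethod)
        }
    }

    [pscustomobject]@{
        AgentInstalled = [bool]$agent
        AgentStatus    = if ($agent) { "$($agent.Status)" } else { 'NotInstalled' }
        PolicyValues   = $policy.Count
        Volumes        = $volumes
    }
}

# Usage: take a snapshot while the MBAM GPO is still applied, then again after the
# ConfigMgr BitLocker Management policy has been received, and diff the two.
# Get-BitLockerPolicySnapshot | Export-Clixml C:\Temp\fve-before.xml
# ... later, after the ConfigMgr policy has been applied ...
# $before = Import-Clixml C:\Temp\fve-before.xml
# Compare-BitLockerPolicySnapshot -Before $before -After (Get-BitLockerPolicySnapshot) | Format-Table
# Get-MigrationReadiness | Select-Object -ExpandProperty Volumes | Format-Table
```

An empty diff (or one limited to the service endpoint values) is what you want to see before removing the MBAM GPO: it means the ConfigMgr policy reproduces the GPO's encryption settings, so there is nothing for the two to fight over. Any volume flagged NeedsReencrypt is a client where the algorithm changed between the two policies, which is exactly the decrypt-then-re-encrypt case described above.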
The following links should help you get MBAM set up in a lab so you can practice the migration yourself.
Also note that setting up MBAM from scratch is covered in a book I wrote, see https://www.niallbrady.com/book/
This is part 8 of a 10-part video series on YouTube.
- BitLocker management – Part 1 Initial setup
- BitLocker management – Part 2 Deploy portals
- BitLocker management – Part 3 Customize portals
- BitLocker management – Part 4 Force encryption with no user action
- BitLocker management – Part 5 key rotation
- BitLocker management – Part 6 Force decryption with no user action
- BitLocker management – Part 7 Reporting and compliance
- BitLocker management – Part 8 Migration
- BitLocker management – Part 9 Group Policy settings
- BitLocker management – Part 10 Troubleshooting
For more info about the new Bitlocker Management ability in Configuration Manager 1910 see https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/
Take a look!