Windows machines use BitLocker for encrypting data stored in operating system volumes and drives. Many enterprises use Microsoft BitLocker Administration and Monitoring (MBAM) to simplify the management and monitoring of the enterprise Windows devices. However, after the mainstream support for MBAM ended in 2019, enterprises are exploring other options to simplify the administration of Windows devices.
Microsoft provides two other BitLocker management alternatives through System Center Configuration Manager (SCCM) and Microsoft Endpoint Manager (MEM). While SCCM is an on-premises option, MEM is a cloud-native solution that includes several tools and services for managing and monitoring mobile devices, desktop computers, virtual machines, embedded devices, and servers.
What Are the Advantages of Migrating MBAM Servers to MEM?
Microsoft Endpoint Manager uses Intune to configure BitLocker Drive Encryption. Here are the advantages of migrating MBAM servers to Microsoft Endpoint Manager.
- Admins can take advantage of advanced readiness and compliance reporting capabilities to understand the encryption status of the device estate of their enterprises. Onscreen error codes can help in troubleshooting when devices fail BitLocker enablement.
- It offers more flexibility and granularity than other options, allowing admins to implement the appropriate level of security to managed devices.
- It allows admins to recover encryption keys from the Microsoft Intune console. The user self-service key recovery can be enabled across platforms, including web, iOS, Android, Windows, and macOS.
- It supports the use of single-use recovery keys on Windows devices, which can be rotated or generated on demand.
- Microsoft has simplified the migration from MBAM to cloud management by integrating it directly into the key rotation feature.
How Are MBAM Servers Migrated to Microsoft Endpoint Manager?
One of the most important considerations for migrating data from MBAM servers to Microsoft Endpoint Manager is to ensure that the key IDs listed by the MBAM Server match the ones listed by Azure AD. Here is the 5-step process to migrate an MBAM SQL Server to MEM.
- Extract the BitLocker recovery keys using SQL Management Studio and export the data to an Excel sheet.
- Configure Microsoft BitLocker policies using Microsoft Endpoint Manager to escrow BitLocker recovery passwords to Azure AD Device Accounts.
- Use Graph API to generate the list of BitLocker Recovery Keys stored in Azure AD.
- Use the data in the Excel sheet with the recovery key details to cross-check that the Password Key IDs from the MBAM Database match the Key IDs from Azure AD. Back up the missing BitLocker Recovery Keys to Azure AD and assign them to the machines that do not have the keys.
- Resolve any remaining issues with devices that are missing recovery passwords in Azure AD or MEM, create backups for the MBAM Database, and decommission the on-premises MBAM servers.
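The cross-check in step 4 is the point where a device can silently end up with no recoverable key, so it is worth scripting rather than eyeballing in Excel. The following is an added example, not code from the original post or from Microsoft: it reads a constructed MBAM export (the column names MachineName and RecoveryKeyId are an assumption about how the SQL export was shaped) and a constructed Graph list response for BitLocker recovery keys, normalizes the key ID format on both sides (MBAM exports often carry braces and uppercase, while Azure AD lists plain lowercase GUIDs), and reports, per machine, every MBAM key ID that has no match in Azure AD.

```python
import csv
import io
import json
import re

# Constructed sample data (not from a real environment). The MBAM column names
# (MachineName, RecoveryKeyId) are an assumption about the SQL export's shape.
MBAM_EXPORT_CSV = """MachineName,RecoveryKeyId
WS-001,{6C38B0A1-2F3E-4D5A-9B7C-1E2F3A4B5C6D}
WS-001,{0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D}
WS-002,{F1E2D3C4-B5A6-4978-8869-5A4B3C2D1E0F}
WS-003,not-a-guid
"""

# Constructed sample of one page of a Graph recoveryKeys list response;
# "id" is the key protector ID as Azure AD records it.
GRAPH_RESPONSE_JSON = """{"value": [
  {"id": "6c38b0a1-2f3e-4d5a-9b7c-1e2f3a4b5c6d", "volumeType": "operatingSystemVolume", "deviceId": "dev-a"},
  {"id": "f1e2d3c4-b5a6-4978-8869-5a4b3c2d1e0f", "volumeType": "operatingSystemVolume", "deviceId": "dev-b"}
]}"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def normalize_key_id(raw):
    """Canonical form: lowercase, no braces or whitespace. None if not a GUID."""
    candidate = raw.strip().strip("{}").lower()
    return candidate if GUID_RE.match(candidate) else None

def load_mbam_key_ids(csv_text):
    """Map machine name -> set of key IDs; also return rows that failed to parse."""
    by_machine, bad_rows = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key_id = normalize_key_id(row["RecoveryKeyId"])
        if key_id is None:
            bad_rows.append(row)  # a bad row must be investigated, not skipped
            continue
        by_machine.setdefault(row["MachineName"], set()).add(key_id)
    return by_machine, bad_rows

def load_aad_key_ids(json_text):
    """Set of key IDs Azure AD knows about, from one page of the list response."""
    return {normalize_key_id(entry["id"]) for entry in json.loads(json_text)["value"]}

def find_missing_keys(mbam_by_machine, aad_key_ids):
    """Machine -> sorted list of MBAM key IDs with no matching Azure AD entry."""
    return {machine: sorted(ids - aad_key_ids)
            for machine, ids in mbam_by_machine.items() if ids - aad_key_ids}

if __name__ == "__main__":
    mbam, bad = load_mbam_key_ids(MBAM_EXPORT_CSV)
    missing = find_missing_keys(mbam, load_aad_key_ids(GRAPH_RESPONSE_JSON))
    print("unparseable MBAM rows:", len(bad))
    for machine, ids in missing.items():
        print(f"{machine}: {len(ids)} key(s) not escrowed in Azure AD -> {ids}")
```

A real Graph listing is paged, so feed every page's "value" array through load_aad_key_ids and union the results before running the comparison; machines that appear in the missing map are the ones that need their keys backed up to Azure AD before the MBAM servers are decommissioned.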
Apps4Rent Can Help with MBAM Migration
Migrating MBAM servers to Microsoft Endpoint Manager simplifies the administration of Windows devices. However, the process itself can be complex, as it involves the use of scripts at various stages. As a Microsoft Gold Partner in several competencies, including cloud platform and cloud collaboration, Apps4Rent can help with Office 365/Microsoft 365 and Azure licensing, migration, and customization. Contact our Microsoft-certified professionals, available 24/7 via phone, chat, and email, for managed Azure services.