We understand the benefits of modernizing endpoint management using Microsoft Endpoint Manager (MEM) for both physical and virtual endpoints (W365). We see organizations of different types & sizes are in different phases in their cloud journey. There are businesses that move directly to a full cloud-based management and there are others with onprem dependencies or with complex requirement which requires leveraging onprem device management solution like Microsoft Endpoint Configuration Manager (ConfigMgr) in a hybrid fashion with Intune. For those companies one of the workloads, they will have to plan during migration is Endpoint Protection workload, more specifically encryption.
I felt there is not much discussion or blogs written around this topic. In this two-part blog series, we are going to see how we can use Intune portal to view Bitlocker status and recovery keys for devices that are either managed by purely ConfigMgr or Co-managed between ConfigMgr & Intune. Before we go into the technical details, let’s quickly look at some of the benefits of using MEM/Intune to manage devices.
Benefits of using Intune Standalone or co-management or Tenant Attach:
- Simple cloud-based management with less or no infrastructure requirement.
- Unified client OS management experience of major OS platforms like iOS, Android, MacOS alongside Windows.
- Access to advanced security features like Azure AD Conditional Access as part of Zero trust framework and tight integration with other Microsoft 365 security suite of products like Defender for Endpoints, Defeder for Identity, Defender of cloud apps.
- Specific to Bitlocker, you also get Key Rotation feature increasing your security posture.
- Data containerization on BYOD devices.
There are 2 ways to manage Bitlocker keys in MEM portal for devices that are currently managed by ConfigMgr.
- ConfigMgr Tenant attach
- ConfigMgr co-management
In this blog I will discuss using ConfigMgr Tenant attach option to recover Bitlocker keys, in part 2 I will discuss the details on ConfigMgr co-management option.
Option 1: ConfigMgr Tenant Attach
Assumptions & pre-requisites:
- You are running on the latest ConfigMgr current branch.
- The test devices are running on the latest ConfigMgr client.
- The test devices have Bitlocker policy deployed through ConfigMgr.
- ConfigMgr tenant attach configuration is already completed.
Here is the device that is a ConfigMgr client (Client-XIASORPE).
“Tenant Attach” configuration is already enabled in my environment. So, the device shows up automatically in MEM portal.
As you can see “Managed By” has a value “ConfigMgr” which indicates it is a “Tenant Attached” device and is not managed by Intune.
Deploy Bitlocker policy to the device.
Once the device gets encrypted, the information shows up in ConfigMgr database.
Use following query to check encryption information in ConfigMgr DB and remember to change to client name at the end of the script.
inner join RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inner join RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
where a.name = ‘xxxxxx’
After the information gets synched to MEM service, the Bitlocker recovery key shows up in MEM portal.
As mentioned earlier, one of the key advantages of integrating with MEM is you get to rotate Bitlocker recovery key. When an Administrator or Helpdesk analyst helps a user to recover the hard drive using recovery key, it changes, so that user cannot use same key again next time.
After automatic key rotation you will see a new entry in MEM portal as shown below.
This information syncs back to ConfigMgr DB as well.
In the next blog we will see how to use ConfigMgr co-managed clients to back up the recovery key into Azure AD & Intune.
Hope you find this blog helpful!!!
Script disclaimer: The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without a warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.