From fad365a0c766571700e85328104c460fcc7c9b93 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 18 Jul 2018 14:28:41 -0700 Subject: [PATCH 01/10] added transition to AAD --- .../bitlocker/bitlocker-management-for-enterprises.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index e32e8560b9..dbd4d929b6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -55,15 +55,12 @@ Windows continues to be the focus for new features and improvements for built-in Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management[1]. Using MBAM provides the following functionality: +For older client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management[1] to cloud management: -- Encrypts device with BitLocker using MBAM -- Stores BitLocker Recovery keys in MBAM Server -- Provides Recovery key access to end-user, helpdesk and advanced helpdesk -- Provides Reporting on Compliance and Recovery key access audit +1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. +2. Join the computers to Azure Active Directory (Azure AD). BitLocker will generate a new recovery key and upload it to Azure AD. - -[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1). +BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated.
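Review bot: The replacement sentence keeps the footnote marker in "Microsoft BitLocker Administration and Management[1]" while the footnote it points to ("[1]The latest MBAM version is [MBAM 2.5]...") is deleted in the same hunk, so "[1]" now dangles; either drop the marker or keep the footnote line. Step 2 also asserts that joining Azure AD makes BitLocker "generate a new recovery key and upload it to Azure AD" without any step that performs the upload; since the hunk also demotes MBAM to "only a database backup for the recovery key", the text should give an explicit backup step for the recovery password rather than rely on the join doing it, because that escrowed password is what the helpdesk will depend on once MBAM management is disabled.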
From f00942c6a85b7ca375c7bef5385c651be7b0a982 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 18 Jul 2018 14:54:33 -0700 Subject: [PATCH 02/10] added manage-bde step --- .../bitlocker/bitlocker-management-for-enterprises.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index dbd4d929b6..15e75da6de 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -58,7 +58,8 @@ Companies that image their own computers using Microsoft System Center 2012 Conf For older client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management[1] to cloud management: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. -2. Join the computers to Azure Active Directory (Azure AD). BitLocker will generate a new recovery key and upload it to Azure AD. +2. Join the computers to Azure Active Directory (Azure AD). +3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD. BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated. From 882a96f44d2bd8177671616ce073a4876dedc201 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 18 Jul 2018 15:06:32 -0700 Subject: [PATCH 03/10] removed ata a glance section --- .../bitlocker-management-for-enterprises.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 15e75da6de..8716bf94a0 100644 
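Review bot: The new step 3 command `Manage-bde -protectors -aadbackup` is incomplete as written: manage-bde needs the volume to act on and the ID of the recovery-password protector to back up, and the tool name is conventionally lowercase, so the step should read along the lines of `manage-bde -protectors -aadbackup C: -id {recovery password protector ID}`, with a pointer that the ID can be listed with `manage-bde -protectors -get C:`. Minor: "to backup the recovery key" should be "to back up the recovery key". With this step in place, step 2 no longer needs to claim that the join itself uploads a key, which is the right split.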
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -35,18 +35,6 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been p
-## BitLocker management at a glance - -| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone -|---|---|----|---|---| -|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A| -|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS| - -
-*PC hardware that supports Modern Standby or HSTI - -
-
## Recommendations for domain-joined computers From 797d6b9e061f4baab9319ae0ee2bc37997035964 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 18 Jul 2018 15:12:07 -0700 Subject: [PATCH 04/10] copyedits --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 8716bf94a0..2104084335 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
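Review bot: Deleting the "at a glance" table removes the page's only overview of which management path (MBAM, MDM, scripts, auto-encryption) applies to each device class, and its cells link to the anchors `#MBAM25`, `#MDM`, `#servers`, `#VMs` and `#powershell`; if anchor elements were placed in the file only to serve these links they should be removed in the same change, and the footnote "*PC hardware that supports Modern Standby or HSTI" that defined the "New*" column goes with the table. Consider folding a one-sentence version of the table into the intro so the per-device-class guidance survives the removal.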
@@ -43,7 +43,7 @@ Windows continues to be the focus for new features and improvements for built-in Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -For older client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management[1] to cloud management: +For client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management (MBAM) to cloud management: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. 2. Join the computers to Azure Active Directory (Azure AD). From ac4db8dcf9047002e8a7c98b92bdcc39253363ce Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 19 Jul 2018 09:03:40 -0700 Subject: [PATCH 05/10] added eol link for MBAM --- .../bitlocker-management-for-enterprises.md | 37 +++---------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 2104084335..666b1c9b70 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -17,33 +17,17 @@ This topic explains recommendations for managing BitLocker, both on-premises usi ## Forward-looking recommendations for managing BitLocker -The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. +The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD). -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. 
This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for: +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. - - [Domain-joined computers](#dom_join) - - - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad) - - - [Workplace-joined PCs and Phones](#work_join) - - - [Servers](#servers) - - - [Scripts](#powershell) - -
- - - -## Recommendations for domain-joined computers - -Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption). +## Recommendations for moving domain-joined computers to cloud management Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -For client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management (MBAM) to cloud management: +Microsoft's enterprise solution to manage client computers with BitLocker that are domain joined on-premises has been Microsoft BitLocker Administration and Management (MBAM)], for which [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201). Microsoft recommends moving from MBAM to cloud management: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. 2. Join the computers to Azure Active Directory (Azure AD). 
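Review bot: The new MBAM sentence has a stray closing bracket in "Administration and Management (MBAM)], for which" that will render literally; remove the "]". In the same sentence the link text calls the product "Administration and Management" while the lifecycle URL it points at encodes "Administration%20and%20Monitoring", and the latter is the product's actual name (the M in MBAM is Monitoring), so the name should be corrected wherever the file uses it. The heading is renamed to "Recommendations for moving domain-joined computers to cloud management", but the first paragraph under it (SCCM pre-provisioning in WinPE) is about on-premises imaging, not migration, so either keep the old heading or move that paragraph. The deleted "Windows continues to be the focus..." paragraph also carried the only link to bitlocker-device-encryption-overview-windows-10.md; consider keeping that reference elsewhere on the page.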
@@ -53,24 +37,19 @@ BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM databa
- ## Recommendations for devices joined to Azure Active Directory - - -Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. - ## Workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join. +For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. - ## Recommendations for servers @@ -84,8 +63,6 @@ If you are installing a server manually, such as a stand-alone server, then choo For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).   - - ## PowerShell examples For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. @@ -122,8 +99,6 @@ PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector ``` - - ## Related Articles [BitLocker: FAQs](bitlocker-frequently-asked-questions.md) From 5834be1cef9cd7dd60c0808374c9d6753e192744 Mon Sep 17 00:00:00 2001 
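Review bot: In the Azure AD hunk, the link text "Policy Configuration Settings Provider (CSP)" is the wrong expansion: in MDM, CSP stands for configuration service provider, and the URL the text links to is policy-configuration-service-provider, so the link text should read "Policy configuration service provider (CSP)" to match. The reworded workplace-join sentence ("managed over MDM, the same as devices joined to Azure AD") is clearer than the original, and the blank-line removals in the remaining hunks need no change.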
From: Justin Hall Date: Thu, 19 Jul 2018 13:51:57 -0700 Subject: [PATCH 06/10] revised MBAM section --- .../bitlocker/bitlocker-management-for-enterprises.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 666b1c9b70..c54982f712 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -19,15 +19,13 @@ This topic explains recommendations for managing BitLocker, both on-premises usi The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD). - Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. 
-## Recommendations for moving domain-joined computers to cloud management +## Recommendations for domain-joined computers and moving to cloud management Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Microsoft's enterprise solution to manage client computers with BitLocker that are domain joined on-premises has been Microsoft BitLocker Administration and Management (MBAM)], for which [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201). Microsoft recommends moving from MBAM to cloud management: +Microsoft recommends [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises. MBAM remains in [mainstream support until July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) and can receive extended support until July 2024. Enterprises that are transitioning to the cloud can follow these steps to proactively move from MBAM to cloud management: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. 2. 
Join the computers to Azure Active Directory (Azure AD). From d39c5297579c6a34fb5ceffe93718de4d52925ce Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 19 Jul 2018 16:23:32 -0700 Subject: [PATCH 07/10] revised intro --- .../bitlocker-management-for-enterprises.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index c54982f712..916d00346b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
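Review bot: The removed sentence ("Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](...)") was the only place that expanded and linked HSTI, yet the Azure AD section still says "For hardware that is compliant with Modern Standby and HSTI"; move the expansion and link there, or reinstate the sentence. The rewritten MBAM paragraph now both recommends MBAM for on-premises clients and presents the cloud migration steps as optional for "enterprises that are transitioning", whereas the previous wording said Microsoft recommends moving; decide which position the page takes and make the heading ("...and moving to cloud management") match it. The stray "]" after "(MBAM)" is gone, good.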
@@ -11,21 +11,17 @@ author: brianlic-msft ms.date: 07/18/2018 --- -# BitLocker Management Recommendations for Enterprises +# BitLocker Management for Enterprises -This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices. - -## Forward-looking recommendations for managing BitLocker - -The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. 
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. -## Recommendations for domain-joined computers and moving to cloud management +## Managing domain-joined computers and moving to cloud Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Microsoft recommends [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises. MBAM remains in [mainstream support until July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) and can receive extended support until July 2024. 
Enterprises that are transitioning to the cloud can follow these steps to proactively move from MBAM to cloud management: +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. During this time, following these steps to move to cloud-based management of BitLocker is a good strategy: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. 2. Join the computers to Azure Active Directory (Azure AD). @@ -35,7 +31,7 @@ BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM databa
-## Recommendations for devices joined to Azure Active Directory +## Managing devices joined to Azure Active Directory Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. 
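Review bot: In the first hunk the front-matter line "ms.date: 07/18/2018" is left as context while the title, intro and domain-joined section are rewritten in commits dated July 19, so bump ms.date in the same change. The new heading "Managing domain-joined computers and moving to cloud" is missing the article ("moving to the cloud"). Dropping the "## Forward-looking recommendations for managing BitLocker" heading puts the opening paragraph directly under the new H1, which works, but the sentence "This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices." was the page's only one-line scope statement; consider keeping a short version of it.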
@@ -44,12 +40,12 @@ Starting with Windows 10 version 1703 (also known as the Windows Creators Update For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. -## Workplace-joined PCs and phones +## Managing workplace-joined PCs and phones For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. -## Recommendations for servers +## Managing servers Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. From 7305414de359e75ad2c82d2339fa0ba2712f493f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 19 Jul 2018 16:29:40 -0700 Subject: [PATCH 08/10] revised intro --- windows/security/information-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index c845e7e6aa..636404ef31 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -15,7 +15,7 @@ ### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md) ### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md) ### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md) -### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md) +### [BitLocker: Management for enterprises](bitlocker\bitlocker-management-for-enterprises.md) ### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md) ### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) ### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md) From 51c6d0ab7132bb58ee5e6bf05d319376f62507f5 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 19 Jul 2018 16:55:57 -0700 Subject: [PATCH 09/10] revised intro --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 916d00346b..6626eee6e9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -29,7 +29,7 @@ Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](h BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated. -
+Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution. ## Managing devices joined to Azure Active Directory From 9ac7474d2d99da3fdbba54336930ac81828e78f1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 20 Jul 2018 08:37:51 -0700 Subject: [PATCH 10/10] revised intro to steps --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 6626eee6e9..9721dffec5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
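Review bot: The added sentence replaces a blank line between "The MBAM database does not need to be migrated." and the "## Managing devices joined to Azure Active Directory" heading, so check that the rendered output still separates the paragraph from the heading. It refers to the "BitLocker WMI provider class" without naming it; the provider's volume class is Win32_EncryptableVolume, and saying so makes the link actionable for someone scripting a replacement. Since this is offered as the on-premises path after MBAM support ends, it should also state the minimum a custom solution must cover, namely escrowing the recovery password somewhere off the device, which is the function the preceding steps hand to Azure AD.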
@@ -21,7 +21,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. During this time, following these steps to move to cloud-based management of BitLocker is a good strategy: +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. 
When moving to cloud-based management, following these steps could be helpful: 1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. 2. Join the computers to Azure Active Directory (Azure AD).
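Review bot: The lead-in to the steps now reads "following these steps could be helpful", which is weaker than the "good strategy" the sentence right before it commits to; since the numbered list is the page's actual recommendation, say so ("follow these steps"). The added sentence "Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker" restates the lead-in that follows it, and the two could be merged. In the unchanged part of the line, "or they can receive extended support until July 2024" still reads as an alternative to using MBAM rather than an extension of its support window; "(extended support runs until July 2024)" would be clearer.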