deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'bl-mgmt-2' of https://cpubwin.visualstudio.com/_git/it-client into bl-mgmt-2

Browse Source
This commit is contained in:
Justin Hall 2018-07-19 08:21:23 -07:00
commit 8eb60ee27d
1 changed files with 5 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -35,18 +35,6 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been p
<br />
## BitLocker management at a glance
| | PC Old Hardware | PC New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
|---|---|----|---|---|
|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
<br />
*PC hardware that supports Modern Standby or HSTI
<br />
<br />
<a id="dom_join"></a>
## Recommendations for domain-joined computers
@ -55,15 +43,13 @@ Windows continues to be the focus for new features and improvements for built-in
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management<sup>[1]</sup>. Using MBAM provides the following functionality:
For client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management (MBAM) to cloud management:
- Encrypts device with BitLocker using MBAM
- Stores BitLocker Recovery keys in MBAM Server
- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
- Provides Reporting on Compliance and Recovery key access audit
1. Disable MBAM management and leave MBAM as only a database backup for the recovery key.
2. Join the computers to Azure Active Directory (Azure AD).
3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD.
<a id="MBAM25"></a>
<sup>[1]</sup>The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated.
<br />