From fad365a0c766571700e85328104c460fcc7c9b93 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 18 Jul 2018 14:28:41 -0700 Subject: [PATCH] added transition to AAD --- .../bitlocker/bitlocker-management-for-enterprises.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index e32e8560b9..dbd4d929b6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -55,15 +55,12 @@ Windows continues to be the focus for new features and improvements for built-in Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management[1]. Using MBAM provides the following functionality: +For older client computers with BitLocker that are domain joined on-premises, Microsoft recommends moving from Microsoft BitLocker Administration and Management[1] to cloud management: -- Encrypts device with BitLocker using MBAM -- Stores BitLocker Recovery keys in MBAM Server -- Provides Recovery key access to end-user, helpdesk and advanced helpdesk -- Provides Reporting on Compliance and Recovery key access audit +1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. +2. Join the computers to Azure Active Directory (Azure AD). BitLocker will generate a new recovery key and upload it to Azure AD. - -[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1). +BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated.
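Review bot: step 2 of the new numbered list ("Join the computers to Azure Active Directory (Azure AD). BitLocker will generate a new recovery key and upload it to Azure AD.") asserts an automatic behaviour without stating what triggers it or linking a reference, whereas the paragraph it replaces linked each of its claims; please name the policy, cmdlet or condition under which an already-encrypted, domain-joined device gets a new recovery key after the join, or link the page that documents it, and likewise say how "Disable MBAM management" in step 1 is done (a link is enough). Two smaller points in the same hunk: the `+` line still carries the `[1]` footnote marker after "Microsoft BitLocker Administration and Management[1]", but the `-[1]The latest MBAM version is [MBAM 2.5](...)` line that defined it is removed, leaving a dangling reference; and since step 1 keeps MBAM "as only a database backup for the recovery key", the sentence "The MBAM database does not need to be migrated." should make clear whether the recovery password it holds remains a valid protector for the drive, because if it does, that database is still a store of working recovery keys and its access controls and audit (the "Recovery key access audit" bullet being deleted) still apply.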