On-premises BitLocker management using System Center Configuration Manager SCCM

As MBAM is end of life a have a few options to manage Bitlocker, Intune or SCCM. Good new is now with SCCM 1910 you don't need MBAM to manage Biltocker on prem.

For organizations currently using on-premises management, the best approach still remains getting your Windows devices to a co-managed state, to take advantage of cloud-based BitLocker management with Microsoft Intune. However to support scenarios where cloud is not an option, Microsoft is also introducing BitLocker management through Configuration Manager current branch.

Beginning in June 2019, Configuration Manager will release a product preview for BitLocker management capabilities, followed by general availability later in 2019. Similar to the Intune cloud-based approach, Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.  


Configuration Manager (SCCM) will provide the following BitLocker management capabilities:


  • Provisioning
  • Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.


  • Prepare Trusted Platform Module (TPM)
  • Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.


  • Setting BitLocker Configuration
  • All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.


  • Encryption
  • Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.


  • Policy enactment / remediation on device
  • Admins can force users to get compliant with new security policies before being able to access the device.


  • New user can set a pin / password on TPM & non-TPM devices
  • Admins can customize their organization’s security profile on a per device basis.


  • Auto unlock
  • Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.


  • Helpdesk portal with auditing
  • A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.


  • Key rotation
  • Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.


  • Compliance reporting
  • SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.