How to migrate standalone MBAM to SCCM for bitlocker – All about Microsoft Endpoint Manager

How to migrate standalone MBAM to SCCM for bitlocker – All about Microsoft Endpoint Manager

Everyone knows that Microsoft BitLocker Administration and Monitoring (MBAM) is an administrative software for managing BitLocker Drive Encryption for home windows units which are on-prem area joined.

MBAM mainstream help ended on July 2019 and is at present in prolonged help till April 2026.

To know extra about mainstream help and prolonged help, please learn the article

Contemplating the help for MBAM, what different various instruments/merchandise do we have now to handle the BitLocker function?

Microsoft has included the MBAM options into Configuration Supervisor (SCCM) beginning in model 1910, since then it has improved so much with new options and enhancements. We will additionally use Microsoft Intune in its place method and is the longer term.

To know concerning the migration of the MBAM server to Microsoft Endpoint Supervisor (Intune), please learn the article

Learn the issues from MBAM to SCCM

On this weblog publish, I want to present the steps that i’ve used emigrate the standalone MBAM to SCCM for my clients.

This migration steps assume that you’re utilizing MBAM server with a GPO configuration coverage (BitLocker settings).

You need to migrate the purchasers from MBAM and proceed to SCCM for the BitLocker function.

Earlier than we begin the migration course of, be certain your present SCCM infra has the BitLocker function enabled and configured. Comply with the Microsoft article on the best way to allow the bitlocker function

Enabling the BitLocker function in SCCM is impartial of your present MBAM setup. you may merely set up/allow the bitlocker in SCCM however do not create or deploy any BitLocker insurance policies to your purchasers (assortment).

After getting enabled the BitLocker function in SCCM and is working situation (confirm the IIS internet portals if they’re working or not), we might want to gather the settings from the present MBAM setup resembling encryption technique, cipher energy, and many others that you just configured in GPO.

Go to your GPO, and determine the coverage that has the BitLocker settings configured resembling bitlocker cipher energy resembling AES 128, AES 256 and many others. This is among the essential settings we’ll want for SCCM.

After getting acquired the data, go to the SCCM server, endpoint safety, and Create a brand new bitlocker coverage with settings much like GPO.

If there may be any distinction within the bitlocker coverage settings (algorithm 128 to 256) from MBAM to SCCM, there might be conflicts if you deploy this to the gathering and you may even see sudden outcomes.

If you need to vary the encryption algorithm resembling 128 (MBAM) to 256 (SCCM), it is advisable decrypt the disk first earlier than you encrypt utilizing 256.

Word: What occurs if deploy a bitlocker coverage from SCCM with an encryption algorithm of 256 to the units when the units are already bitlocker with a unique algorithm utilizing MBAM?

In my testing , the SCCM consumer will consider the coverage and report the system as non-compliant attributable to mismatch within the configuration settings (key will nonetheless escrow being non-compliant) with out making any hassle with the system.

When you created the bitlocker coverage with settings that matches your MBAM GPO, create a set and add just a few units to it.

Deploy the bitlocker coverage to the check assortment that you’ve created above.

Provoke the machine coverage cycle or await the coverage to set off on the machine. If you happen to can not wait, run the machine coverage cycle, go to the PC, and provoke the bitlocker coverage from the configuration tab within the configuration supervisor applet.

Anticipate the system to guage the coverage and escrow the important thing to SCCM utilizing the restoration service.

Learn the consumer log BitlockerManagementHandler.log  situated in C:windowsccmlogs for troubleshooting goal.

Word: Whenever you deploy the bitlocker coverage to the gathering, if the system is already bitlocker by MBAM, SCCM consumer merely validate the settings, if it matches, the consumer merely escrows the keys to the SCCM database and this course of has no affect to the end-user.

This complete course of occurs silently within the backend.

If the consumer is bitlocker with totally different settings than what you deploy in SCCM, the consumer will merely report back to SCCM as non-compliant attributable to a mismatch within the settings.


If the consumer shouldn’t be bitlocker by MBAM, however it’s within the SCCM deployment schedule, SCCM consumer evaluates the coverage and performs the bitlocker and escrows the important thing to SCCM server.

Word: Microsoft has deprecated key escrow through the Restoration Service a very long time in the past . So SCCM consumer escrows the important thing instantly through the present MP utilizing a safe channel.

Now Verify if the consumer bitlocker secret is accessible SCCM database or not utilizing the next SQL question.

choose a.Title, b.VolumeId, c.RecoveryKeyId, c.RecoveryKey, c.LastUpdateTime
from dbo.RecoveryAndHardwareCore_Machines a
inside be part of dbo.RecoveryAndHardwareCore_Machines_Volumes b ON a.Id = b.MachineId
inside be part of dbo.RecoveryAndHardwareCore_Keys c ON b.VolumeId = c.VolumeId
the place a.title =cmcb-w11-03

Run the self-service portal and helpdesk portal for restoration keys and make sure the performance of the bitlocker is working.
SCCM additionally comes with enterprise bitlocker reviews as a part of the default SCCM reviews. you can also make use of those reviews as nicely to examine the bitlocker compliance standing.


At this stage, we have now created the bitlocker coverage in SCCM and deployed it to our check assortment, validated the important thing within the database, and likewise reviews.

Along with this, if you’re provisioning the units utilizing SCCM (imaging), you can also make use of the duty sequence to carry out bitlocker (silent) throughout the imaging course of itself. Learn the article from Niall Brady


We’ll now broaden SCCM bitlocker coverage deployment to different collections (staggered method) until we attain the tip.

Monitor the deployment standing utilizing console and compliance reviews

At this stage, it is advisable determine if you want to cease the brand new units managed by MBAM for bitlocker. If you’re good to cease the brand new units managed by MBAM, we’ll take the database backup and/or backup the keys from MBAM database to a safe location.

When you migrate all of the purchasers from MBAM to SCCM, we’ll begin the decommissioning technique of the MBAM and GPOs.

Begin unlinking the GPO course of on 1 OU and monitor the suggestions (there shouldn’t be any points ). Anticipate a day or 2 and proceed the method on all of the OUs until you attain finish.

Plan for the shutdown of the server for 1-2 weeks earlier than the fee of the server.

Take away the MBAM GPOs.

Thanks for studying the publish and let me know your suggestions through the feedback part.


We use cookies to enable site functionality and collect data about user interactions. By clicking Accept, you agree to our use for advertising, analytics, and support.