BitLocker (EPP) policy assignments: question

Rajesh Sura 21 Reputation points Microsoft Employee
2021-06-17T10:15:50.287+00:00

We have implemented the BitLocker group policy with the MBAM agent; the policy was implemented last year on a few computers.
But I also see that previous IT staff created an Intune BitLocker EPP and also assigned and targeted it to all devices.

Since there were 2 encryption policies, some computers have picked up Intune's EPP policy and some have gone the MBAM way :).

IT management has decided to use MBAM, so I want to remove the EPP policy assignment in Intune.

So the questions are:

1) Would there be an impact on devices which are already encrypted with Intune's EPP?

2) Will the devices be decrypted and encrypted by MBAM again?

3) What happens to the BitLocker key backed up to AAD? Will this disappear?

Just wanted to double-check as it's a production environment, though I understand there would be little or no impact from removing the assignment of the EPP policy.


Accepted answer
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-06-18T00:29:08.377+00:00

    1) No, not unless there was a policy configured on the Intune side that isn't configured using MBAM.

    2) No. Volumes will never be decrypted or have their algorithm changed because of a policy change.

    Also, MBAM does not encrypt volumes. MBAM, Intune, ConfigMgr, Group Policy, and every other tool simply configure policies for BitLocker. It is up to the OS to implement and enforce those policies. The OS really doesn't care where a policy or setting came from and doesn't change its behavior based on this either.

    3) No. Recovery keys are never automatically deleted from AAD or AD. There isn't even a manual method to do this to my knowledge.

    Plus one to @Rahul Jindal [MVP]'s comments here as well, as this doesn't match our roadmap and seems like a short-sighted choice.

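A check an administrator might run on a device after the EPP assignment is removed, to confirm what the accepted answer describes (the volume stays encrypted, the encryption method is unchanged, and the recovery password protectors are still present). This is an added example, not code from the thread; it assumes the built-in BitLocker PowerShell module on Windows 10/11 in an elevated session, and the optional re-escrow helper assumes the device is Azure AD joined or hybrid joined.

```powershell
# Added example (not from the thread). Requires the BitLocker module and an elevated session.
Import-Module BitLocker

function Get-BitLockerAudit {
    # One record per volume, flattening the details the thread's questions are about.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            VolumeStatus          = $vol.VolumeStatus      # FullyEncrypted / FullyDecrypted / EncryptionInProgress
            ProtectionStatus      = $vol.ProtectionStatus  # On / Off (Off means protectors are suspended)
            EncryptionMethod      = $vol.EncryptionMethod  # e.g. XtsAes128; a policy change does not alter this
            Protectors            = ($vol.KeyProtector.KeyProtectorType -join ',')
            RecoveryPasswordCount = $recovery.Count
            RecoveryProtectorIds  = @($recovery.KeyProtectorId)
        }
    }
}

function Test-BitLockerExpectations {
    # Returns only the volumes that contradict the expected state after the policy change:
    # an encrypted volume should still be FullyEncrypted, protection On, with a recovery password.
    param([Parameter(Mandatory)] $Audit)
    $Audit | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or
        $_.ProtectionStatus -ne 'On' -or
        $_.RecoveryPasswordCount -eq 0
    }
}

function Backup-RecoveryPasswordsToAAD {
    # Optional: re-escrow every recovery password to Azure AD so the copy there is current.
    # This adds an entry alongside any existing ones; it never removes keys from AAD.
    param([Parameter(Mandatory)] $Audit)
    foreach ($v in $Audit) {
        foreach ($id in $v.RecoveryProtectorIds) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $id
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, Protectors, RecoveryPasswordCount -AutoSize

$problems = Test-BitLockerExpectations -Audit $audit
if ($problems) {
    Write-Warning 'Volumes that do not match the expected post-change state:'
    $problems | Format-Table -AutoSize
}
# Uncomment on an AAD-joined or hybrid-joined device to refresh the escrowed keys:
# Backup-RecoveryPasswordsToAAD -Audit $audit
```

Run it before and after removing the assignment and compare the two tables; a changed EncryptionMethod or a dropped recovery protector would indicate something other than the policy removal is at work.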

1 additional answer

  1. Rahul Jindal [MVP] 9,146 Reputation points MVP
    2021-06-17T20:47:40.237+00:00

    I think you should probably approach this holistically. What is the rationale behind sticking to MBAM? Sounds like it may be standalone. If so, then consider moving to AAD to future-proof your disk encryption requirements. Also, what are you using to manage your endpoints? If it is Intune, then it just makes sense to use BitLocker policies from Intune.