question

jamieh asked RahulJindal-2267 commented

Functionality in Azure/Intune comparable to MBAM Help Desk Portal

We're a large enterprise currently utilizing MBAM for BitLocker management (keys are currently saved in ConfigMan). We're looking to move off of MBAM and move everything BitLocker related to our Azure AD instance and Intune. One piece of MBAM functionality we currently rely on heavily is the MBAM Help Desk Portal (I've provided a link as reference below). Is there comparable functionality to this in the Azure/Intune configuration?
Thanks,
Jamie

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v2/how-to-use-the-help-desk-portal

mem-intune-general

There is no dedicated MBAM recovery portal in Azure. When the key is escrowed in Azure, you have the option to either fetch it from Azure->Devices or from Devices in MEM if you're managing your devices using Intune.

0 Votes 0 ·

And also the user himself can see his devices and keys from his account portal, I believe.

0 Votes 0 ·
LuDaiMSFT-0289 answered

@jamieh Thanks for posting in our Q&A.

From the Intune point of view, we can configure the BitLocker profile. We can refer to the following article:
https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker

As for the link about the MBAM Help Desk Portal, it seems to be used to review reports, recover end users’ drives, and manage end users’ TPMs. In fact, I'm not familiar with the MBAM Help Desk Portal. For reports, Intune report details are in the following link, and they don't seem to be as detailed as MBAM reports.
https://docs.microsoft.com/en-us/mem/intune/protect/encryption-monitor

Hope the above information will help.



jamieh answered RahulJindal-2267 commented

Thanks a lot for this info, it really helps. I think what would work for us would be to utilize the Help Desk Operator role for those users that we had using the MBAM Help Desk Portal.


I am not sure how that will help you, as the role is a built-in role in Intune which will cover all objects in Intune and not just the BitLocker piece, and this doesn’t address your actual requirement. I am going out on a limb here, but you may be able to set up an interactive UI leveraging an Azure app using Graph API that could function similar to an MBAM helpdesk portal. bitlockerrecoverykey-get


0 Votes 0 ·
jamieh answered LuDaiMSFT-0289 commented

OK thanks, I misunderstood, I was going to look at the custom role option and build what was needed from the Help Desk role but if that doesn't give us anything usable then I won't look at it. I'll check our Graph config to see if it's enabled yet and then maybe we can build an app ourselves.


@jamieh Haven't heard from you for a long time. I noticed that you are doing some checks. I am currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns, feel free to let us know.

0 Votes 0 ·
yannara answered

Basically MBAM should not be needed anymore when you move to Intune. The BitLocker config profile will enforce encryption. You have a BitLocker report in Intune. The recovery key is found under device info. The end user can log in to his account portal and should see his devices and keys.


jamieh answered RahulJindal-2267 commented

The help desk was something we used if a user was locked out of their machine and with our config a user wouldn't have access to their account on another device unfortunately.
I'm looking at the Graph option to see if we could build something from that. I see conflicting info on whether the report would bring the data back to anyone other than an admin and obviously we don't want to add the admin role to a set of Intune users that really don't need it for the role they're actually acting in.
From this thread this seems to be a common item that Intune customers are looking for.
1587597



Look under Azure->Devices->BitLocker keys (preview). It is somewhat similar to a helpdesk portal. You feed in the BitLocker key to retrieve the recovery key.

0 Votes 0 ·
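
An added example, not written by anyone in this thread, of the Graph-based help desk lookup discussed above: the operator enters the recovery key ID, the tool confirms that ID is escrowed for the caller's device, and only then reads the key. It assumes a delegated token with the BitLockerKey.Read.All permission acquired elsewhere; the function names and the injectable `get` transport are hypothetical.

```python
import json
import re
import urllib.request

# Microsoft Graph v1.0 collection of BitLocker recovery keys escrowed in Azure AD.
BASE = "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def graph_get(url, token):
    """Default transport: GET with a delegated bearer token.

    Assumption: the token is acquired elsewhere (for example with MSAL)
    for the signed-in help desk operator.
    """
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def key_metadata(key_id, token, get=graph_get):
    """Step 1: metadata only. Without $select=key Graph omits the key itself."""
    key_id = key_id.strip().lower()
    if not GUID.fullmatch(key_id):
        # Reject anything that is not a GUID before it is placed in a URL.
        raise ValueError("recovery key ID must be a GUID")
    item = get(BASE + "/" + key_id, token)
    return {
        "id": key_id,
        "deviceId": item.get("deviceId"),
        "volumeType": item.get("volumeType"),
        "createdDateTime": item.get("createdDateTime"),
    }


def recovery_password(key_id, expected_device_id, token, get=graph_get):
    """Step 2: read the key only if the key ID belongs to the caller's device."""
    meta = key_metadata(key_id, token, get)
    if (meta["deviceId"] or "").lower() != expected_device_id.strip().lower():
        raise PermissionError("key ID is not escrowed for the expected device")
    # Selecting the key property is the audited read; never log the result.
    return get(BASE + "/" + meta["id"] + "?$select=key", token)["key"]
```

Checking the device before the `$select=key` request keeps a mistyped or socially engineered key ID from producing a key disclosure and the audit entry that goes with it.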