question

EMSRaj-7435 asked EMSRaj-7435 commented

BitLocker (EPP) policy assignments: question

We have implemented the BitLocker group policy with the MBAM agent; the policy was rolled out last year on a few computers.
But I also see that previous IT staff had an Intune BitLocker EPP policy created and assigned, targeted at all devices.

Since there were 2 encryption policies, some computers have picked up Intune's EPP policy and some have gone the MBAM way :).

IT management has decided to use MBAM, so I want to remove the EPP policy assignment in Intune.


So the questions are:

1) Would there be an impact on devices which are already encrypted with Intune's EPP?

2) Will the devices be decrypted and encrypted again by MBAM?

3) What happens to the BitLocker key backed up to AAD? Will this disappear?

Just wanted to double check as it's a production environment, though I understand there would be little or no impact from removing the assignment of the EPP policy.

mem-intune-general

Jason-MSFT answered Jason-MSFT edited

1) No, not unless there was a policy configured on the Intune side that isn't configured using MBAM.

2) No. Volumes will never be decrypted or have their algorithm changed because of a policy change.

Also, MBAM does not encrypt volumes. MBAM, Intune, ConfigMgr, Group Policy, and every other tool simply configure policies for BitLocker. It is up to the OS to implement and enforce those policies. The OS really doesn't care where a policy or setting came from and doesn't change its behavior based on this either.

3) No. Recovery keys are never automatically deleted from AAD or AD. There isn't even a manual method to do this to my knowledge.

Plus one to @RahulJindal-2267's comments here as well as this doesn't match our roadmap and seems like a short-sighted choice.
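Added example, not from this thread: a PowerShell check a practitioner can run on a device before and after removing the Intune EPP assignment to confirm the points above (volume state and encryption method unchanged, recovery-password protectors still present and still escrowed to AAD). It assumes the built-in BitLocker module on Windows 10/11 and an AAD-joined device; the report path is an arbitrary choice.

```powershell
# Added example (not the thread's own code). Snapshot BitLocker state so that the
# before/after of a policy-assignment change can be compared objectively.
# Assumption: Windows BitLocker PowerShell module, AAD-joined device.
$reportPath = "$env:ProgramData\BitLockerState-$(Get-Date -Format yyyyMMdd-HHmm).csv"

$report = foreach ($vol in Get-BitLockerVolume) {
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / in progress
        ProtectionStatus     = $vol.ProtectionStatus    # On = protectors enforced; Off = suspended
        EncryptionMethod     = $vol.EncryptionMethod    # e.g. XtsAes256; a policy change does not rewrite it
        RecoveryProtectorIds = ($recovery.KeyProtectorId -join ';')
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv -Path $reportPath -NoTypeInformation

# Compare against an earlier snapshot, if one exists, to surface any drift
# (e.g. a volume that lost its recovery-password protector or went to Off).
$previous = Get-ChildItem "$env:ProgramData\BitLockerState-*.csv" |
    Where-Object FullName -ne $reportPath | Sort-Object LastWriteTime | Select-Object -Last 1
if ($previous) {
    Compare-Object (Import-Csv $previous.FullName) $report `
        -Property MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, RecoveryProtectorIds
}

# Re-escrow every recovery password to AAD. The cmdlet is safe to repeat, so
# running it after the policy change confirms that each volume still has a
# recovery-password protector and that AAD holds a copy of it.
foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}
```

Run it once before unassigning the EPP policy and again after the next policy refresh; an empty Compare-Object result is the expected "no impact" outcome.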


RahulJindal-2267 answered EMSRaj-7435 commented

I think you should probably approach this holistically. What is the rationale behind sticking to MBAM? Sounds like it may be standalone. If so, then consider moving to AAD to future-proof your disk encryption requirements. Also, what are you using to manage your endpoints? If it is Intune, then it just makes sense to use BitLocker policies from Intune.


Yes, we pushed for the standalone/AAD setup, but the customer/security people are old, stubborn and outdated, and even went on to ask whether "you back up your Intune service to a tape drive"? :)
