Evaluating Endpoint Encryption Solutions: MBAM vs Intune/SCCM

49885604 190 Reputation points
2024-10-13T22:33:19.59+00:00

A client currently utilizes MBAM for encrypting laptops and USB drives and has a test Azure tenant along with an SCCM Lab. In the production environment, SCCM is fully responsible for managing workstation policies.

A POC is being prepared to facilitate the client's evaluation of switching to or testing endpoint encryption with Intune and SCCM. Key considerations include Hybrid Join/Co-Management and secure key management, ensuring minimal impact on SCCM. The SCCM database must remain unchanged, and the platform should undergo only minimal alterations.

What procedures and technical solutions should be followed? Are there any best practices to apply?

Kind regards and thanks in advance,

Alessio


Accepted answer
  1. Marcin Policht 26,155 Reputation points MVP
    2024-10-14T00:00:46.93+00:00
    1. Key Considerations for POC and Strategy
    • Preserve SCCM Management: Ensure that the POC introduces co-management without altering the existing SCCM database and policies.
    • Hybrid Identity: Use Hybrid Azure AD Join for devices to support both on-premises and cloud-based management.
    • Encryption Management: Shift encryption to BitLocker managed via Intune or SCCM.
    • Secure Key Management: Store recovery keys securely in Azure AD or on-premises via SCCM.

    2. Recommended Technical Approach

    Step 1: Enable Co-Management and Device Enrollment

    • Enable Co-Management in SCCM to manage BitLocker policy through Intune without disrupting existing SCCM management.
      • In SCCM, go to Administration > Cloud Services > Co-management and configure the workload.
      • Configure BitLocker management policies to shift to Intune without moving other workloads.
      • Ensure Hybrid Azure AD Join for seamless device enrollment with both SCCM and Intune.

    Step 2: Configure BitLocker Management in SCCM and Intune

    SCCM Configuration:

    • Verify that BitLocker management policies are already configured in SCCM for on-premises.
      • Use SCCM’s MBAM integration for legacy devices if needed.
      • Keep the SCCM database unchanged by maintaining the on-prem recovery key storage.

    Intune Configuration:

    • In Intune, create a Device Configuration Policy for BitLocker under Endpoint security > Disk encryption.
      • Store BitLocker recovery keys in Azure AD for Intune-managed devices.
      • Exclude SCCM-managed devices from Intune’s BitLocker policy to avoid conflicts.

    Step 3: Configure Recovery Key Management

    • Azure AD Recovery Keys: For devices managed by Intune, ensure recovery keys are stored securely in Azure AD.
    • On-prem Recovery Key Storage: Keep the SCCM/MBAM key storage for devices still managed on-premises.
    • Implement RBAC roles in Intune to control access to recovery keys securely.

    3. Key Best Practices
      1. Minimal Disruption: Roll out the POC with minimal changes to SCCM, ensuring devices can switch to Intune only for encryption management.
      2. Pilot Group Testing: Select a pilot group of devices to validate policies from both SCCM and Intune during the transition.
      3. Avoid Policy Conflicts: Carefully exclude devices managed by SCCM from Intune encryption policies.
      4. Backup Recovery Keys: Ensure a backup process is in place for recovery keys, whether in Azure AD or SCCM.
      5. Reporting and Compliance: Use Intune compliance policies to monitor encryption status and ensure the new policies are effective.
      6. MFA for Key Access: Secure recovery key access in Azure AD with MFA to prevent unauthorized access.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
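A pilot-device verification script for Steps 2 and 3 and best practices 2 and 4 above, added here as an example and not part of the answer: it confirms the device is Hybrid Azure AD joined, reports the OS volume's encryption state, adds a recovery password protector if none exists, escrows it to Azure AD and looks for the confirming event. It assumes the built-in BitLocker PowerShell module and dsregcmd are present on the pilot device, and the event log name and ID used in the last step are assumptions to verify on your own build.

```powershell
# Added example (not from the original answer). Run elevated on a pilot device
# after the BitLocker workload has been moved to Intune via co-management.
# Assumptions: BitLocker PowerShell module and dsregcmd are available.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Confirm Hybrid Azure AD join: both DomainJoined and AzureAdJoined must be YES,
#    otherwise the recovery key cannot be escrowed to Azure AD.
$dsreg        = dsregcmd /status
$aadJoined    = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
if (-not ($aadJoined -and $domainJoined)) {
    throw 'Device is not Hybrid Azure AD joined; Azure AD key escrow will fail.'
}

# 2. Report the OS volume's protection state for the pilot-group checklist.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Host ('{0}: {1}, {2}% encrypted, protection {3}' -f
    $osVolume.MountPoint, $osVolume.VolumeStatus,
    $osVolume.EncryptionPercentage, $osVolume.ProtectionStatus)

# 3. A RecoveryPassword protector is what gets escrowed; add one if missing.
$rp = $osVolume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Host 'No RecoveryPassword protector found; adding one.'
    Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint `
        -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $osVolume.MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Escrow each recovery password protector to Azure AD (safe to re-run).
foreach ($protector in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint `
        -KeyProtectorId $protector.KeyProtectorId
    Write-Host ('Escrowed protector {0} to Azure AD.' -f $protector.KeyProtectorId)
}

# 5. Assumed log location/ID: event 845 in the BitLocker Management log records a
#    successful backup of recovery information to Azure AD. Verify on your build.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
} -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Cross-check the escrowed key against the device's BitLocker keys blade in the Azure AD portal before widening the pilot group.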


1 additional answer

  1. Crystal-MSFT 49,436 Reputation points Microsoft Vendor
    2024-10-14T01:44:54.0466667+00:00

    @49885604, Thanks for posting in Q&A. MBAM and SCCM are on-premises BitLocker management methods, while Microsoft Intune is a cloud-based BitLocker management method. To simplify administration, or if you are considering cloud management in your organization, we can plan to migrate MBAM data to Microsoft Intune. Here is a blog with more details.

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mbam-server-migration-to-microsoft-endpoint-manager/ba-p/2192984

    To ensure minimal impact, you can use a pilot group when enabling co-management. Use a pilot group for your initial testing, adding devices as needed, until you're ready to move the workloads for all Configuration Manager devices.

    https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-enable

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
