Posted by: kurtsh | March 23, 2021

INFO: MBAM Server Migration To Microsoft Endpoint Manager

The following is an excerpt from a blog post about MBAM Server Migration To Microsoft Endpoint Manager.

Today we discuss MBAM's BitLocker data migration to Microsoft Endpoint Manager.

Microsoft provides a range of flexible BitLocker management alternatives to meet an organization's needs, as follows:

  1. Cloud-based BitLocker management using Microsoft Endpoint Manager.
  2. On-premises BitLocker management using System Center Configuration Manager.
  3. Microsoft BitLocker Administration and Monitoring (MBAM), for which mainstream support ended on 7/9/2019 and extended support ends on 4/14/2026.

In order to future-proof BitLocker management and simplify administration, some corporations have planned to migrate MBAM data directly from the MBAM servers to Microsoft Endpoint Manager. The key point of the migration is making sure that the number of recovery key IDs listed by the MBAM server matches the number listed by Azure AD before the cut-off point in the migration process. I would suggest a migration process with 5 steps.

  1. Generate a list of BitLocker recovery keys from the MBAM SQL Server.
  2. Set up an MEM policy to escrow BitLocker recovery passwords to the Azure AD device accounts.
  3. Generate a list of BitLocker recovery keys in Azure AD via the Graph API, and also generate a list of devices that failed to escrow their keys.
  4. Compare the lists and manually escrow the missing recovery keys to Azure AD.
  5. Shut down the MBAM servers and decommission them.
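The reconciliation in steps 1, 3 and 4 (MBAM key count versus Azure AD key count, then the per-device gap list) as an added Python example; it is not code from the original post. It assumes the MBAM export is a CSV with the columns shown (an assumption, not MBAM's real schema), that the Azure AD side is the `value` array returned by Microsoft Graph `GET /informationProtection/bitlocker/recoveryKeys`, and that the key protector GUID is the same `id` on both sides, so keys can be matched on that GUID case-insensitively.

```python
import csv
import io
import json

# Constructed sample of an MBAM SQL Server export (column names are an assumption,
# not MBAM's real schema); one row per recovery key.
MBAM_EXPORT_CSV = """DeviceName,VolumeType,RecoveryKeyId
PC-0001,OS,3f2c4b9a-1111-4aaa-8bbb-000000000001
PC-0001,Data,3f2c4b9a-1111-4aaa-8bbb-000000000002
PC-0002,OS,3f2c4b9a-1111-4aaa-8bbb-000000000003
PC-0003,OS,3f2c4b9a-1111-4aaa-8bbb-000000000004
"""

# Constructed sample of the JSON returned by the Graph call
# GET /informationProtection/bitlocker/recoveryKeys (trimmed to the fields used here).
GRAPH_RESPONSE_JSON = """{"value": [
  {"id": "3F2C4B9A-1111-4AAA-8BBB-000000000001", "deviceId": "aad-dev-1", "volumeType": "operatingSystemVolume"},
  {"id": "3f2c4b9a-1111-4aaa-8bbb-000000000003", "deviceId": "aad-dev-2", "volumeType": "operatingSystemVolume"}
]}"""

def parse_mbam_export(text):
    """Return {key_id: device_name} from the MBAM CSV, normalising GUID case."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["RecoveryKeyId"].strip().lower(): row["DeviceName"] for row in reader}

def parse_graph_keys(text):
    """Return the set of key IDs escrowed in Azure AD, normalising GUID case."""
    return {k["id"].strip().lower() for k in json.loads(text)["value"]}

def find_unescrowed(mbam_keys, aad_key_ids):
    """Group MBAM key IDs that Azure AD does not have by device name."""
    missing = {}
    for key_id, device in mbam_keys.items():
        if key_id not in aad_key_ids:
            missing.setdefault(device, []).append(key_id)
    return missing

def reconcile(mbam_csv, graph_json):
    """Return (mbam_count, aad_count, missing_by_device); the counts must match before cut-over."""
    mbam_keys = parse_mbam_export(mbam_csv)
    aad_key_ids = parse_graph_keys(graph_json)
    return len(mbam_keys), len(aad_key_ids), find_unescrowed(mbam_keys, aad_key_ids)

if __name__ == "__main__":
    mbam_count, aad_count, missing = reconcile(MBAM_EXPORT_CSV, GRAPH_RESPONSE_JSON)
    print(f"MBAM keys: {mbam_count}, Azure AD keys: {aad_count}")
    for device, ids in sorted(missing.items()):
        print(f"{device}: manual escrow needed for {', '.join(ids)}")
```

Devices listed in the output are the ones that need a manual escrow (step 4) before the cut-off; the MBAM server should not be decommissioned until the list is empty and the two counts agree.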

Read the entire article here:

