System Center Operations Manager Update Roll-up 2

by Scott Muniz | Aug 12, 2020 | Uncategorized

This article is contributed. See the original author and article here.

2020 has been a challenging year for everyone and good news has been hard to come by ,this is why we are excited to announce that System Center Operations Manager 2019 has come out with Update Rollup 2 to elevate your monitoring spirits!

Update Roll Up 2 for System Center Operations Manager 2019 was released last week and there are some cool new features to explore .This blog will briefly go through these features to get you plugged in and ready to go .

To begin with we have the management pack change tracking supported to finally be able to audit certain changes being done in SCOM. It is a feature that many SCOM users, administrators and customers have been waiting for.

In System Center Operations Manager user roles are defined to determine as to who can potentially change monitoring settings for applications and services through management packs. Various user roles (profiles) are defined to access and perform actions on the monitored objects. There can be multiple users associated with a single user role and these users interact with SCOM to monitor data relevant to their role. A profile is defined on a group of users which impose Role-based security and limit privileges that users have for various aspects of Operations Manager. When multiple users access and change the same object it becomes difficult to track, WHAT changes are done by WHOM and WHEN?

For SCOM customers with large scale environments this exercise can sometimes seem as daunting as looking for a needle in a haystack!  With the change tracking feature enabled these time consuming and frustrating activities can be carried out in a matter of minutes .Admin users can now easily identify root causes for issues caused due to changes done by any user in SCOM. Once the changes are identified the admin can choose to undo them if needed.

To overcome this challenge, SCOM 2019 UR2 has enabled Change Tracking by default which tracks and reports all the changes on the management packs and management pack objects. All these changes are logged in Operations Manager Datawarehouse Database and you can generate reports on it.

There are 3 new reports created in SCOM to show these changes.  They are present under Reporting -> Microsoft Generic Report library as “Management Pack History”, “Management Pack Objects”, “Overrides Tracking”. These reports have the filtering enabled so you can track and report the changes as per your need. The section below gives an overview of each report:

1. Management Pack History

The management pack history report generates the list of all the management packs, which are either imported or deleted on any management server in your management group. You can filter the report by date, action, and username.

You can find an example of how the filters and reports look like below:

Sample Report:

2. Management Pack Objects

This report tracks and generates the list of all management pack objects, which are newly created or deleted from the management server. This report also tracks edits on management pack objects like renaming a group/monitor/rule or adding/deleting a member in the group etc.

You can find an example of how the filters and reports look like below:

Sample Report:

3. Overrides Tracking

Overrides are created to tune monitoring. Multiple user roles can create these overrides in Operations Manager. When different users create overrides, it becomes crucial to track and capture the user who made these changes and when. 

To view detailed information for every changed parameter, expand each of the rows, the results are grouped by management pack name.

You can find an example of how the filters and reports look like below:

Sample Report:

Customers have been asking for enhancements of the schedule maintenance mode feature in SCOM and we have been listening!

As we all know schedule maintenance mode feature was introduced in SCOM 2016 where SCOM admins can choose a time in future to put the machines in maintenance mode. SCOM customers have 1000s of agents monitoring their infrastructure environments. They usually patch these agents in groups at predefined schedules which may or may not be recurring in nature.

Users who are patching the agents are generally different from admin users and conflicting maintenance mode schedules can lead to the undesirable scenario of SCOM generating multiple alerts. Based on feedback received from our customers we have included some enhancement to this critical feature to help customers ensure seamless business continuity.

With 2019 UR2, if there is a conflict in maintenance mode end time, then the object will exit maintenance mode at the furthest end time defined for the object.

Below is an example to illustrate this feature:

Let’s talk about the Web Console!

It has been our continued focus to give customers a consistent user experience in the Web Console. We have now included the Favorite Reports feature and support for folders in the monitoring view of web console in SCOM 2019 as well.

Without Favorite Reports ,running ad-hoc SCOM reports on a regular basis can be time consuming for users going about their day to day tasks ,as it adds the overhead of also launching the Operations Console .But this pain point will now be a thing of the past as Favorite Reports feature is now available in the Web Console as part of SCOM 2019 UR2 .

To further allow efficient organization and easy access to important dashboards and views users can also create folders and place dashboards inside them in SCOM 2019 UR2.

We also continue to invest in enhancing the cross-platform monitoring capabilities of SCOM to cater to the rapidly increasing diverse environments. Operations Manager 2019 UR2 now also supports CentOS 8 under Universal Linux (RPM package).

Here is a list of supported Linux distributions on SCOM 2019 as of UR2:

• Red Hat Enterprise 7 and 8
• Suse Enterprise 12 and 15
• OpenSuse Leap 15
• Debian 8 and 9
• Ubuntu 16.04 and 18.04
• CentOS 6,7 and 8
• Oracle Linux 6 and 7

Silect Dashboards for SCOM

Last but not least the new Silect dashboards for System Center Operations Manager leverage the interactive visualizations and business intelligence capabilities of Power BI to provide you with an in-depth look at the state of your IT infrastructure. View and easily share rich visualizations of the operational state of your IT environment including alert information, management pack activities, details on the state of critical SCOM components and much more. More Information https://www.silect.com/dashboards-for-scom/.

Some of you got the opportunity to try out of the preview of the Update Roll up 2 of SCOM 2019 and the feedback has been very encouraging!!

Additionally, fixes for critical defects continue to be a part of UR2. Find more details at the following link:

KB Article- Update Rollup 2 (UR2) for System Center 2019 Operations Manager.

For the details of features that are released in Update Rollup 2, see the following Microsoft Docs article: 

What’s New in System Center Operations Manager 2019 Update Rollup 2

We sincerely hope you enjoy the SCOM 2019 Update Roll up 2. Upgrade Now!

Update 2006 for Microsoft Endpoint Configuration Manager current branch is now available

by Scott Muniz | Aug 11, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Update 2006 for Microsoft Endpoint Configuration Manager current branch is now available. Microsoft Endpoint Manager is an integrated solution for managing all your devices. Microsoft brings together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin center.

On our minds and we are sure yours too, are the challenges posed with working from home. Previously we have blogged some guidance for these scenarios.

• Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
• Managing Patch Tuesday with Configuration Manager in a remote work world
• Use CMPivot to gather troubleshooting data from remote clients
• Cloud management gateway: addressing common challenges

In March, we made the decision to close the Microsoft Redmond campus and ask all of our engineers to work from home for three weeks to help curb the spread of COVID19.  At the time, three weeks sounded like a long time – little did we know that 6 months later we would still not set foot on campus.  It was certainly an adjustment for everyone – but fortunately the tools and investments that Microsoft made in the name of employee flexibility and empowerment (Cloud identity using Azure Active Directory, Cloud provisioning using AutoPilot, Cloud Management from Microsoft Endpoint Configuration Manager and Intune ) also enabled employees to more easily work from home. 

work from anywhere

But of course as we were forced to rely on our tools to work remotely 100% of the time, we found opportunities to improve: allowing clients to upgrade on metered networks, making it easier to download content from the cloud instead of a VPN, and simplifying remove provisioning among other things. So, we committed to focusing our ConfigMgr 2006 release on making these improvements and making them available to you. 

Look below for the Work from Anywhere tag   to find these features and others.

This release is brought to you by team members in Florida, Washington, British Columbia, Massachusetts, Pennsylvania, Maine, North Carolina, Michigan, Utah, California, Georgia, Shanghai and Suzhou China, and ‘Undisclosed’ – and we hope it will help make it easier to continue to manage your devices wherever they may be.

This release includes:

Microsoft Endpoint Manager tenant attach

Import previously created Azure AD application during tenant attach onboarding – During a new onboarding, an administrator can specify a previously created application during onboarding to tenant attach.

Endpoint Analytics

Endpoint Analytics Preview – the Endpoint Analytics preview is available. Endpoint analytics can help identify policies or hardware issues that may be slowing down devices and proactively make changes without disrupting end users or generating a help desk ticket.

Endpoint analytics data collection enabled by default – In 2006, the Enable Endpoint analytics data collection client setting is now enabled by default for tenants attaching for the first time. This setting allows your managed endpoints to send data, such as startup performance insights, to your Configuration Manager site server. This change affects local data collection only. Endpoint analytics data isn’t uploaded to the Microsoft Endpoint Manager admin center until you enable data upload in Configuration Manager. The new default value applies to the default client settings and any custom client settings created after upgrading to version 2006.

Site infrastructure

  VPN boundary type – To simplify managing remote clients, you can now create a new boundary type for VPNs. Previously, you had to create boundaries for VPN clients based on the IP address or subnet. Now when a client sends a location request, it includes additional information about its network configuration. Based on this information, the server determines whether the client is on a VPN.

  Management insights to optimize for remote workers – This release adds a new group of management insights, Optimize for remote workers. These insights help you create better experiences for remote workers and reduce load on your infrastructure. The insights in this release primarily focus on VPN:

• Define VPN boundary groups
• Configure VPN connected clients to prefer cloud-based content sources
• Disable peer to peer content sharing for VPN connected clients

  Improved support for Windows Virtual Desktop – The Windows 10 Enterprise multi-session platform is available in the list of supported OS versions on objects with requirement rules or applicability lists.

  Intranet clients can use a CMG software update point – Intranet clients can now access a CMG software update point when it’s assigned to a boundary group. You can allow intranet devices to scan against a CMG software update point in the following scenarios:

• When an internet machine connects to the VPN, it will continue scanning against the CMG software update point over the internet.
• If the only software update point for the boundary group is the CMG software update point, then all intranet and internet devices will scan against it.

Cloud-attached management

Notification for Azure AD app secret key expiration – If you configure Azure services to cloud-attach your site, the Configuration Manager console now displays notifications for the following circumstances:

• One or more Azure AD app secret keys will expire soon
• One or more Azure AD app secret keys have expired

Use Microsoft Azure China 21Vianet for co-management – You can now select the Azure China Cloud as your Azure environment when enabling co-management.

Real-time management

The following improvements have been made in CMPivot –

• CMPivot from the console and CMPivot standalone have been converged
• Run CMPivot from an individual device or multiple devices without having to select or create a collection
• From CMPivot query results, you can select an individual device or multiple devices then launch a separate CMPivot instance scoped to your selection.

Client management

  Install and upgrade the client on a metered connection –Previously, if the device was connected to a metered network, new clients wouldn’t install. Existing clients only upgraded if you allowed all client communication. Starting in this release, client install and upgrade both work when you set the client setting Client communication on metered internet connections to Allow or Limit. With this setting, you can allow the client to stay current, but still manage the client communication on a metered network.

Improvements to managing device restarts – Configuration Manager provides many options to manage device restart notifications. You can now configure the client setting Configuration Manager can force a device to restart to prevent devices from automatically restarting when a deployment requires it. By default, Configuration Manager can still force devices to restart

Application management

  Improvements to available apps via CMG – This release fixes an issue with Software Center and Azure Active Directory (Azure AD) authentication. For a client detected as on the intranet but communicating via the cloud management gateway (CMG), previously Software Center would use Windows authentication. When it tried to get the list of user-available apps, it would fail. It now uses Azure Active Directory (Azure AD) identity for devices joined to Azure AD. These devices can be cloud-joined or hybrid-joined.

Microsoft 365 Apps for enterprise – Office 365 ProPlus was renamed to Microsoft 365 Apps for enterprise on April 21, 2020. Starting in version 2006, the following changes have been made:

• The Configuration Manager console has been updated to use the new name. This change also includes update channel names for Microsoft 365 Apps.
• A banner notification was added to the console to notify you if one or more automatic deployment rules reference obsolete channel names in the Title criteria for Microsoft 365 Apps updates.

Operating system deployment

  Task sequence media support for cloud-based content – Task sequence media can now download cloud-based content. Instead of further taxing the WAN to download large OS deployment content, boot media and PXE deployments can now get content from cloud-based sources.

  Improvements to task sequences via CMG – This release includes the following improvements to deploy task sequences to devices that communicate via a cloud management gateway (CMG):

• Support for OS deployment: With a task sequence that uses a boot image to deploy an OS, you can deploy it to a device that communicates via CMG. The user needs to start the task sequence from Software Center.
• This release fixes the two known issues from Configuration Manager current branch version 2002. You can now run a task sequence on a device that communicates via CMG in the following circumstances:
  • A workgroup device that you register with a bulk registration token
  • You configure the site for Enhanced HTTP and the management point is HTTP

Improvements to BitLocker task sequence steps

• You can now specify the disk encryption mode on the Enable BitLocker and Pre-provision BitLocker task sequence steps. By default, the steps continue to use the default encryption method for the OS version.
• The Enable BitLocker step also now includes a setting to Skip this step for computers that do not have a TPM or when TPM is not enabled. When you enable this setting, the step logs an error on a device without a TPM or a TPM that doesn’t initialize, and the task sequence continues.

Management insight rules for OS deployment – When the size of the task sequence policy exceeds 32 MB, the client fails to process the large policy. The client then fails to run the task sequence deployment. To help you manage the policy size of task sequences, this release includes the following management insights:

• Large task sequences may contribute to exceeding maximum policy size
• Total policy size for task sequences exceeds policy limit

Improvements to OS deployment – This release includes the following additional improvements to OS deployment:

• Use a task sequence variable to specify the target of the Format and Partition Disk step. This new variable option supports more complex task sequences with dynamic behaviors.
• The Check Readiness step now includes a check to determine if the device uses UEFI. It also includes a new read-only task sequence variable, _TS_CRUEFI.
• If you enable the task sequence progress window to show more detailed progress information, it now doesn’t count enabled steps in a disabled group. This change helps make the progress estimate more precise.
• Previously, during a task sequence to upgrade a device to Windows 10, a command prompt window opened during one of the final Windows configuration phases. The window was on top of the Windows out-of-box experience (OOBE), and users could interact with it to disrupt the upgrade process. Now the SetupCompleteTemplate.cmd and SetupRollbackTemplate.cmd scripts from Configuration Manager include a change to hide this command prompt window.
• Some customers build custom task sequence interfaces using the IProgressUI::ShowMessage method, but it doesn’t return a value for the user’s response. This release adds the IProgressUI::ShowMessageEx method. This new method is similar to the existing method, but also includes a new integer result variable, pResult.

Protection

  CMG support for endpoint protection policies – While the cloud management gateway (CMG) has supported endpoint protection policies, devices required access to on-premises domain controllers. Starting in this release, clients that communicate via a CMG can immediately apply endpoint protection policies without an active connection to Active Directory.

BitLocker management support for hierarchies – You can now install the BitLocker self-service portal and the administration and monitoring website at the central administration site.

Configuration Manager console

Community hub and GitHub – (First introduced in June 2020)

The IT admin community has developed a wealth of knowledge over the years. Rather than reinventing items like scripts and reports from scratch, we’ve built a Configuration Manager Community hub where you can share with each other. The Community hub fosters creativity by building on others’ work and having other people build on yours. GitHub already has industry-wide processes and tools built for sharing. Now, the Community hub will leverage those tools directly in the Configuration Manager console as foundational pieces for driving this new community. For the initial release, the content made available in the Community hub will be uploaded only by Microsoft.

Notifications from Microsoft

You can now choose to receive notifications from Microsoft in the Configuration Manager console. These notifications help you stay informed about new or updated features, changes to Configuration Manager and attached services, and issues that require action to remediate.

Other updates

• For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see PowerShell version 2006 release notes.
• For more information on changes to the administration service REST API, see Administration service release notes.
• For more information on the monthly changes to the Desktop Analytics cloud service, see What’s new in Desktop Analytics.

For more details and to view the full list of new features in this update, check out our What’s new in version 2006 of Microsoft Endpoint Configuration Manager documentation. 

Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded, and you’ll be notified when it’s ready to install from the “Updates and Servicing” node in your Configuration Manager console. If you can’t wait to try these new features, see these instructions on how to use the PowerShell script to ensure that you are in the first wave of customers getting the update. By running this script, you’ll see the update available in your console right away.  

For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. Send us your Configuration Manager feedback through Send-a-Smile in the Configuration Manager console.  

Continue to use our UserVoice page to share and vote on ideas about new features in Configuration Manager. 

Thank you, 

The Configuration Manager team 

Additional resources: 

• What’s New in Configuration Manager 
• Documentation for Configuration Manager 
• Microsoft Endpoint Manager announcement
• Microsoft Endpoint Manager vision statement
• Evaluate Configuration Manager in a lab 
• Upgrade to Configuration Manager
• Configuration Manager Forums 
• Configuration Manager Support 
• Report an issue 
• Provide suggestions 

Managing BitLocker with Microsoft Endpoint Manager

by Scott Muniz | Aug 11, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Did you know that you can utilize Microsoft Endpoint Manager to help manage BitLocker on your Windows devices?

In May of 2019, we announced that we would be adding capabilities to manage Microsoft BitLocker on enterprise Windows devices to both Microsoft Intune and Configuration Manager. We then announced the marriage of Microsoft Intune and Configuration Manager with Microsoft Endpoint Manager.

Here is a quick summary of those announcements and the current status (although I do recommend you read both posts in detail):

• We have added many configuration service providers, or CSPs, to Microsoft Intune to help you turn on, manage, report the status of, and turn off BitLocker encryption, including Trusted Platform Module (TPM) management. In Intune, these CSPs were added in the second half of 2019. We added these capabilities to Configuration Manager starting with a private preview in June 2019, and they are generally available today.
• In November of 2019, we combined our two enterprise management offerings—Microsoft Intune for cloud management and Configuration Manager for on-premises management—into  a single offering called Microsoft Endpoint Manager. Today over 200 million devices are managed with Microsoft Endpoint Manager.

Last year, we also announced extended support for Microsoft BitLocker Administration and Monitoring (MBAM). Those of you using MBAM can continue to do so until April 14, 2026. In the meantime, we recommend that you start thinking about migrating your devices to Microsoft Endpoint Manager to manage BitLocker.

Manage BitLocker using Microsoft Intune

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.

The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.

creating a new Microsoft BitLocker policy in Microsoft Endpoint Manager

Next, enter the basics, such as the name of the policy and an optional description, then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings. Also notice the options offered for key rotation. This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.

Create an Endpoint Security profile in Microsoft Endpoint Manager

As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.

Configuring BitLocker settings in Microsoft Endpoint Manager

Finally, add Scope tags, assign the new policy to specific groups of users or devices, and select Create.

The settings that can be configured here include:

• BitLocker – Base Settings
  • Enable full disk encryption for OS and fixed data drives
  • Require storage cards to be encrypted (mobile only)
  • Hide Prompt about third-party encryption
  • Configure client-driven recovery password rotation
• BitLocker – Fixed Drive Settings
  • BitLocker fixed drive policy
• BitLocker – OS Drive Settings
  • BitLocker system drive policy
• BitLocker – Removable Drive Settings
  • BitLocker removable drive settings

For more details, see the RequireDeviceEncryptionsection of the BitLocker CSP.

Manage BitLocker using Configuration Manager

For enterprise organizations currently using on-premises management of their endpoint devices, the best approach would be to enable co-management with Microsoft Intune and Configuration Manager, and use the CSPs available in Microsoft Intune. This may not be an option, so we’ve also made BitLocker management available in Configuration Manager current branch, as early as July 2019. When using Configuration Manager, BitLocker management also supports Windows 8.1. And, although Windows 7 is no longer a supported operating system, we are not blocking BitLocker management on Windows 7; however, some settings may not apply to Windows 7 devices. Please review the product support lifecycle page for end of support dates for these operating systems.

When you open the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > BitLocker Management. From there, you can create a new BitLocker Management Control Policy, where you can specify whether to encrypt the Operating System Drive, and/or Fixed Drives, and/or Removeable Drives, and set Client Management policies.

Creating a new BitLocker Management Control Policy to manage BitLocker on the Configuration Manager managed devices

As you select these checkboxes, additional pages will appear in the navigation pane on the left.

Enabling the Drive encryption policy, then allows you to choose the encryption method: AES 128-bit (default), AES 128-bit with Diffuser, AES 256-bit with Diffuser, or AES 256-bit. Enabling the encryption and cypher strength (Windows 10) offers a few more choices: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, XTS-AES 256-bit. Hovering over a policy displays a message box full of information. For more information about the different encryption and cypher strengths available, see the BitLocker settings reference.

Specifying setup information for the BitLocker Management Control Policy

All entries listed in the screenshot above are the default once enabled and are not necessarily the recommended settings. Research the different encryption and cypher strengths available before configuring the policy.

The next page brings you to the Operating System Drive, where you can enable settings such as TPM protector, and PIN length. PIN must be between 4-20 characters. You can also configuration settings for Enhanced PINs – that is, PINs that allow upper and lower case letters, numbers, special characters, and spaces, and a password for operating system drives, which likewise allows you to either allow or require password complexity.

Configuring BitLocker Management Control Policy settings for OS drives

Configuring the settings on the Fixed Drive page allows you to enable fixed drive encryption, as well as specify whether or not fixed drives can be auto-unlocked, deny write access to fixed drives that are not protected by BitLocker, and specify whether or not to install BitLocker To Go on FAT formatted drives.

Configuring BitLocker Management Control Policy settings for fixed drives

The next page allows you to specify the settings which will be applied to removeable drives, such as denying access to those drives which have not been protected with BitLocker, and whether or not these removeable drives should be accessible from earlier versions of Windows.

Configuring BitLocker Management Control Policy settings for removable system drives

Finally, the Client Management policy allows you to manage the key recovery service backup of the BitLocker information, such as Recovery password and key package, or Recovery password only. You can also configure how often the client will check for changes to the BitLocker policy, and a method for users to request and exemption from this policy. These choices are URL, email address, or Phone number.

Configuring client management settings for the BitLocker Management Control Policy

Once the policy has been created, deploy it to the target Collection.

Deploying the new BitLocker Management Control Policy to a target collection in Configuration Manager

Once you set the policy, in the Configuration Manager console navigate to Monitoring > Overview > Reporting > Reports. From here you can report on BitLocker compliance in the enterprise.

BitLocker reports in Configuration Manager

Learn more

Whether you are a current MBAM customer or are using a third-party tool to manage BitLocker, Microsoft can help you transition to Microsoft Endpoint Manager, at your pace. Don’t have Endpoint Manager, or need to learn more? Start a free trial or buy a subscription today!

Frequently asked questions

What licenses do I need to manage Microsoft BitLocker?

BitLocker can be enabled and disabled using Microsoft Endpoint Manager on Windows 10 Pro, Enterprise, or Education. However, all other management, such as enforcing a key rotation and compliance reporting require a Microsoft 365 E3/E5 or Windows E3/E5 license.

Can I enable BitLocker while deploying a device with Microsoft Autopilot?

Yes! You can configure the BitLocker policy in Endpoint Manager and link the policy to all devices, including those deployed with Windows Autopilot.

What settings are available for my Windows 7 workstations?

Windows 7 is no longer a supported operating system, and as such we do not test any BitLocker settings on Windows 7 clients. Using Configuration Manager, you can deploy the BitLocker policy to a Collection that contains Windows 7. However, as encryption and cyphers strengthen over time, these new settings may not work on Windows 7 workstations. The settings to enable and disable BitLocker, and a supported strength, should work on Windows 7, but again these are not tested. Our recommendation is that you upgrade to a supported operating system as soon as possible, but we’ll help you keep Windows 7 encrypted and more secure during your migration project.

How can I migrate my clients from using Configuration Manager to using Intune to manage BitLocker policies and compliance?

To migrate the clients to use Intune, enable co-management and set the Endpoint Protection workload to Intune.

Can I migrate from a third- party encryption to Microsoft BitLocker without decrypting the device?

No. If you are using a third-party disk encryption product, you must decrypt the device and then set the Microsoft BitLocker policies. To make this quicker, set the policy to only encrypt used space.

I’m using Microsoft BitLocker but am using a third-party management tool. How can I migrate the recovery key to Microsoft Endpoint Manager?

You can remove the third-party agent, configure the BitLocker policies in Endpoint Manager, and force a key rotation. This will change the recovery key from the key stored on the third-party management tool and upload a new recovery key in Endpoint Manager. You should check with the third-party management tool documentation if the removal of the agent will force a decryption of the drive.