Microsoft dropping support for MBAM

With Microsoft dropping support for their MBAM product, and pushing their previous users to either SCCM for on-premises or Intune for cloud services, is HCL planning on looking into BitLocker Key Escrow functions in BigFix at all?

Especially since BigFix and SCCM are essentially direct competitors in terms of the endpoint support roles. I know my management is going to ask me “why have both systems” if I have to stand up an SCCM environment to support BitLocker Key Escrow for our Windows computers using BitLocker.

And don’t forget… “SCCM is free”. I love that one.

We operate under a Campus License Agreement with Microsoft that includes SCCM (thanks to our association with our University), and Management loves to toss that one around occasionally with relation to BigFix licensing costs. The Multi Platform Support that BigFix provides helps, but it’s being whittled away at by things like this and Apple’s crippling of their Root account when it comes to Kernel extensions.

It’s a constant battle that’s only going to get worse.

It helps that our workstation support groups are heavily invested in BigFix for software distribution and OS Refresh.

You can do BitLocker key escrow in Active Directory as an option. We do that successfully using BigFix. Then you don’t need SCCM.

I’ve been asked for additional information about how to do the key escrow. My colleague actually wrote a nice PowerShell function with options to install, back up the recovery key, suspend, and resume. As it isn’t my work, I can share a few key lines, but not the whole script.

Enable-BitLocker -RecoveryPasswordProtector -MountPoint $myMountPoint -SkipHardwareTest -Verbose

$myMountVolume.KeyProtector | Where-Object -FilterScript { $PSItem.KeyProtectorType -eq [Microsoft.BitLocker.Structures.BitLockerVolumeKeyProtectorType]::RecoveryPassword } | Backup-BitLockerKeyProtector -MountPoint $myMountPoint -Verbose

Then install RSAT features for BitLocker administration. Then in your RSAT MMC, enable Advanced Features under the View menu. Now when you view the properties of a computer, there will be a BitLocker tab which has recovery key information.

This has worked well for us on many systems. We attempted to store the keys in AirWatch (which we also have), but ran into some issues (especially with the LTSB OS flavor that we use). AD key backup works more reliably.
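
Added example, not part of the thread and not the poster's script: one way to escrow the recovery password to Active Directory from the endpoint and then confirm from an admin workstation that AD actually holds it. The function names and the sample computer name are hypothetical; it assumes the BitLocker module on the endpoint, the RSAT ActiveDirectory module on the admin side, and an account allowed to list the computer's recovery objects.

```powershell
# Added example; function names and the sample values at the bottom are hypothetical.

function Invoke-RecoveryKeyEscrow {
    # Endpoint side (elevated, e.g. from a deployment action): ensure a recovery
    # password protector exists, then back every such protector up to AD.
    param([string]$MountPoint = $env:SystemDrive)

    $getRecovery = {
        @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    $recovery = & $getRecovery
    if ($recovery.Count -eq 0) {
        # Suppress warnings: the cmdlet's warning can echo the new recovery
        # password, which would otherwise end up in action or transcript logs.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector `
            -WarningAction SilentlyContinue | Out-Null
        $recovery = & $getRecovery
    }
    foreach ($protector in $recovery) {
        # -ErrorAction Stop makes a refused or failed backup fail the whole run
        # instead of being silently skipped.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $protector.KeyProtectorId -ErrorAction Stop | Out-Null
    }
    # Return only protector IDs (GUIDs), never the recovery passwords.
    $recovery.KeyProtectorId
}

function Test-RecoveryKeyEscrowed {
    # Admin side: check that AD has a recovery object for each protector ID.
    param([string]$ComputerName, [string[]]$KeyProtectorId)

    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are children of the computer object and their name ends
    # with the protector GUID. The password attribute is deliberately not read.
    $escrowed = @(Get-ADObject -SearchBase $computer.DistinguishedName `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'")
    foreach ($id in $KeyProtectorId) {
        $hit = $escrowed | Where-Object {
            $_.Name.EndsWith($id, [StringComparison]::OrdinalIgnoreCase) }
        [pscustomobject]@{ KeyProtectorId = $id; InActiveDirectory = [bool]$hit }
    }
}

# Constructed usage (WS-EXAMPLE01 is a placeholder computer name):
# $ids = Invoke-RecoveryKeyEscrow -MountPoint 'C:'
# Test-RecoveryKeyEscrowed -ComputerName 'WS-EXAMPLE01' -KeyProtectorId $ids
```

Any row with `InActiveDirectory` set to false marks a machine whose current recovery password is not recoverable from AD, which is the condition worth reporting on before relying on the BitLocker tab during a lockout.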