Phase 1
In this phase we are going to remove MBAM as an option for encrypting devices and migrate encrypted devices to Config Manager.
MBAM GPOs and SC groups
The three MBAM GPO links to the NCSU OU and the three departmental MBAM special configuration (SC) groups will be deleted.
To encrypt devices going forward see Phase 2 below.
AES 256-bit encrypted devices
Devices encrypted with settings from our default MBAM policy use the AES 256-bit encryption method. Our default Config Manager BitLocker policy will use the newer XTS-AES 256-bit method. We will not force a re-encryption of the drive to switch from AES 256-bit to XTS-AES 256-bit; the migration of these devices from AES 256-bit to XTS-AES 256-bit will occur at a later time.
A Config Manager collection has been created containing all devices whose storage was encrypted with the AES 256-bit encryption method. An AES 256-bit BitLocker policy will be deployed to the collection so the devices will migrate to Config Manager BitLocker management and show as compliant in reporting.
XTS-AES 128-bit encrypted devices
We discovered some devices that were encrypted with the XTS-AES 128-bit encryption method. XTS-AES 128-bit is the default encryption method for Windows 10 and later. BitLocker management offered by NC State has never used the XTS-AES 128-bit encryption method, so it’s likely the encryption was enabled manually after provisioning or by an OEM. For these devices, the recovery key is likely not stored anywhere other than on the computer itself, unless someone wrote it down.
As with the MBAM-encrypted devices, a Config Manager collection of XTS-AES 128-bit devices has been created, and a BitLocker policy configured with the same encryption method will be deployed so those devices escrow their recovery keys with Config Manager and show up as compliant in reporting.
Additional information
For the migration, no user intervention is needed. Notifications should not appear unless the device is a laptop that is not plugged into power. Upon receiving the policy, the device will rotate its BitLocker recovery key(s) and store the recovery key(s), encrypted, in the Config Manager database. Devices that are off-prem should still receive the policy and store the recovery key in the database via the Config Manager Cloud Management Gateway.
Phase 2
This phase will occur simultaneously with Phase 1 and is to provide a method for encrypting Windows Desktop OS devices while we work towards our goal to encrypt by default. For the interim, an opt-in Config Manager BitLocker collection and corresponding Active Directory departmental special configuration groups have been created to use for OS and fixed drive encryption.
<DEPT>-SC-Microsoft-SCCM-OS and Fixed Drive Encryption-OptIn
Add the following computers to this group: new computers, encrypted computers that are being reinstalled, and unencrypted computers that you would like encrypted. Note: Computers that were encrypted with MBAM (AES 256-bit) should not be added to this group unless they are being reinstalled, so that those devices continue to appear as compliant in reporting.
Phase 3
When ready, we’ll announce the deployment of an XTS-AES 256-bit policy to all eligible devices that have not been encrypted and have not received approval to opt out of encryption.
Eligible device criteria:
- Running Windows Desktop OS
- Not a virtual machine
- UEFI firmware enabled
- TPM 1.2 or 2.0
- Active Config Manager client
- Manufacturer is Dell, Alienware, Lenovo, HP, or Microsoft
We’ll assess other manufacturers at a later date.
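As an added example (not part of this announcement or of the Config Manager policies it describes), the following PowerShell audit run on a single device reports which Phase 1 encryption-method collection its OS volume would fall into and checks it against the Phase 3 eligibility criteria; the cmdlets and CIM properties are standard Windows ones, while the pass/fail rules, the virtual-machine heuristic and the manufacturer pattern are assumptions derived from the lists above.

```powershell
# Run in an elevated PowerShell session on the device being assessed.
function Get-BitLockerMigrationReport {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Phase 1: which collection would the OS volume belong to?
    # EncryptionMethod uses the BitLocker module's own names (Aes256, XtsAes128, XtsAes256, None).
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $group = switch ($osVolume.EncryptionMethod) {
        'Aes256'    { 'AES 256-bit collection (MBAM default policy)' }
        'XtsAes128' { 'XTS-AES 128-bit collection (likely manual or OEM encryption)' }
        'XtsAes256' { 'Already on the target XTS-AES 256-bit method' }
        'None'      { 'Not encrypted: candidate for the opt-in group or Phase 3' }
        default     { "Other method: $($osVolume.EncryptionMethod)" }
    }

    # Phase 3 eligibility: each criterion evaluated independently.
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $checks = [ordered]@{
        'Windows Desktop OS'       = ($os.ProductType -eq 1)   # 1 = workstation edition
        'Not a virtual machine'    = ($cs.Model -notmatch 'Virtual|VMware|KVM|QEMU' -and
                                      $cs.Manufacturer -notmatch 'VMware|QEMU|Xen|innotek|Parallels')  # heuristic
        'UEFI firmware'            = ($env:firmware_type -eq 'UEFI')
        'TPM 1.2 or 2.0'           = ($tpmSpec -in @('1.2', '2.0'))
        'Active ConfigMgr client'  = ((Get-Service -Name CcmExec -ErrorAction SilentlyContinue).Status -eq 'Running')
        'Approved manufacturer'    = ($cs.Manufacturer -match '^(Dell|Alienware|Lenovo|HP|Hewlett-Packard|Microsoft)')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Manufacturer     = $cs.Manufacturer
        EncryptionMethod = $osVolume.EncryptionMethod
        ProtectionStatus = $osVolume.ProtectionStatus
        Phase1Grouping   = $group
        Phase3Eligible   = -not ($checks.Values -contains $false)
        FailedChecks     = ($checks.GetEnumerator() | Where-Object { -not $_.Value } |
                            ForEach-Object Name) -join ', '
    }
}

Get-BitLockerMigrationReport | Format-List
```

A device showing `EncryptionMethod` of XtsAes128 with no escrowed key in Config Manager is exactly the case the XTS-AES 128-bit collection is meant to catch, since its recovery key may exist only on the machine.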
Additional Information
The HelpDesk portal is up for recovery key retrieval by departmental IT staff. More information is available at https://activedirectory.ncsu.edu/services/bitlocker/.