You saved my life! I was really struggling with the BitLocker policy, and it just wasn’t working. I can confirm that it works on the latest version of MCM. I had to create a policy to decrypt the system drive, considering that the Checkpoint solution will be used.

Thank you for the video it was excellent, i will use it if we upgrade to 2309. i have one very important question once i upgrade to 2309 will the comangement slider work, and if it does work will it work as before the upgrade. thank you in advance.

you have helped to restore NPS server. thnx

Do I need to install the ODBC Driver on my DPs as well? Our DPs have the Site System role but dont currently have an ODBC Driver installed

Nial, why is it when you pxe boot and looked at the smspxe.log you still see in ssl but no client cert?, I am having this issue right now and resolving policy is taking forever to bring up the advertise task sequence window

I followed your CI/Baseline configuration but I can not get my non encrypted system to encrypt without the user popup. We are using 2309, is any of this still valid for this version?

YOO ! YOUR THE MAN BRO

I'm running in HTTPS with PKIs but I think I'm missing something when it comes to PXE as I'm getting the following messages spammed in my SMSPXE.log file whenever a machine tries to PXE boot: 7096 0x1bb8 in ssl but with no client cert. I went to Administration, Security and then Certificates. In there I had 2 out of 3 blocked DP certificates and the issued to fields were showing as GUIDs rather than actual FQDNs. Any ideas?

Excellernt series ! I'm shortly going to be involved in a project to migrate MBAM off SCCM to Azure/ Intune - have you been involved with that ? Any guidance on that will be greaat! 😁

Great !!

Luckily now they provide the link to download the odbc driver in the notes of the prerequisite check for that step.

Thanks for the video, couple of questions. 1. If we don't use OSD for clients, do I need update the ADK? 2. the new prereq SQL ODBC, let's say if I skip the 2309 and install 2403 then is it still required to install SQL ODBC? (will this be mentioned in the release info just like current release)

best explanation so far with practical examples

Thanks Niall & Paul, was reading your blog post earlier, the video step by step is ace, greatly appreciate your time going through this (the whole series is super!)

Awesome Niall. Was the content actually copied from source dp to destination DP or still transffered from site server?

We can migrate the content from one DP to other DP in a single primary site but how about One DP in one primary site to other DP in different primary site under CAS? Will it work ?

Amazing info thank you

Hi Niall, thanks for your awesome work with this videos! I am stuck With the key "recoveryserviceendpoint" not being deployed to Clients. When i add it manually, Policy by MECM 2203 just deletes its right away when the policy gets applied. On machines at the primary location, this seems not to be any issue, but at secondary sites, i have connection issues, MBAM Eventlog states problems with connection to the management point. Do you have any idea where i can search for a solution? :-( Thanks!

Niall, if you don't install the MDOP agent, will the recover key still change on a schedule?

Great job guy, thx a lot.

Hello! Under task sequnce, shouldn't I also specify the step that installs the MDOP agent? Thank you!

Hi @Niall, I have a question, do you have a series of documents on your website of Migration MBAM to Intune?

Hi Niall, when you are using this new method of escrowing the Recovery key during TS, do you need also to have CM Bitlocker policies deployed on that particular machine during build time?

Hello Niall, thank you for the great guides here. I have a small problem. The registry key doesn't have the KeyRecoveryServiceEndPoint entry. Did I miss something? Thank you. Config Mgr is Stand alone, 2207 version. the client got the CI, most of the settings are correct other than the missing config mgr server.

Hi Niall, Is this feature available from MECM CB 2207 OR earlier or old versions also available ? Please let me know

I setup MBAM and its seems to be working for me on the server but the remote helpdesk access is receiving a 403 error. You do not have permission to view this directory or page using the credentials that you supplied.

I love you man!

Hey Niall I'm curious if you know why a device ItemKey is NULL under ___hardwarecore.machines?(could add that TpmPolicyState is -1) I can see that a recovery key was added from the ts under ____hardwarecore.keys.

When I evaluate MBAM policy it delete the 2 registry key and the enforce deployment don't work, I need to know why the MBAM policy delete the registry keys I created

How to find the BitLocker key rotation status in MBAM and MBAM Config

Firstly, great guides, thank you. Secondly, I have migrated MBAM to CM, but my test device isn't escrowing the key to the CM database and I can't figure out why. Old MBAM GPOs have been removed and the new CM configuration baseline has been deployed. The client's MBAM Event Log shows VolumeEnactmentSuccessful and CM reports that the baseline is compliant - yet the key doesn't appear in the DB like it does in your example. Everything else appears to be working as expected, just not the recovery key. I'm stumped on this at the moment, any ideas? Edit: It helps to look at the right tables when looking for keys. A few years ago, before true MBAM integration with SCCM - I tried to install MBAM on the SCCM server to utilise the same SQL server. At that point, the two IIS sites didn't work with each other, due to SPN issues. So it left the MBAM databases in SQL. I didn't realise the new integratated MBAM places the tables under the CM_SITE DB. So problem sorted and it's writing the keys automatically into the DB. /Facepalm

Great video Niall !

Hi Niall, Thanks first for your all videos, not just that. my SCCM server HTTPS , but the log did not see the MP. what I have to do?

my company is looking for this exact thing to move us from on prem to AAD. is there any chance you could make a video step by step guide? i was a bit confused regarding the http app function and filling out the IDs.

Such a nice tutorial video, Thank you!

This looks amazing! I tend to use an Autopilot rest when migrating to Azure AD/Endpoint Manager. This is another level of awesome!! A lot of companies I work with don't have SCCM. Will that always be a requirement?

It failed to find, because the TS pulls info down each time. So it has settings it thinks is good. Hence the reboot needed once device deleted. Good video and information though.

Eww, don't use apply drivers built in. Use driver packs. If you use auto apply, and you have multiple models around, it will find things like Intel drivers with similar WMI returns and pull the wrong one (the 1, 2, 3, etc that are in the drivers section of console). It's the same driver. It will pull the wrong one. If, like some of mine, it pulls the wrong chipset. It's a pain to fix after. From memory I also believe Microsoft recommend driver packs too

How does this manage onedrive for business folders? aka onedrive - domain1 to onedrive - domain2 structures? More importantly any file shares therein?

This is outstanding! I would love to test this for a migration we are currently working on.

Hi Niall, great video, if we previously had the Help Desk portal setup with MBAM (still currently using it) will setting up the new portals take down / conflict with the old one?

Awesome , would like to try it

This is outstanding

Love this. I have lots of clients that we've had to go about this using a bunch of cobbled together powershell scripts, psexec, etc. Would love to test this out.

very interesting idea would love to test it out :)

This is fantastic!!!

Thanks Niall. This was a great video! I'm just wondering if you could share how to decrypt the keys in Sql. All my attempts have been a dismal failure.

Hi! Your manual is a perfect! I have this same problem like you at 18: BMSOSDEncryptionPolicy. I use SCCM 2103, values in regisry look fine... Where I should look for a problem?

Thank You Niall...Quite Handy and simplified

can you help me? if any other option for the BitLocker key rotation (without INTune)