Key Considerations for POC and Strategy
- Preserve SCCM Management: Ensure that the POC introduces co-management without altering the existing SCCM database and policies.
- Hybrid Identity: Use Hybrid Azure AD Join for devices to support both on-premises and cloud-based management.
- Encryption Management: Shift encryption to BitLocker managed via Intune or SCCM.
- Secure Key Management: Store recovery keys securely in Azure AD or on-premises via SCCM.
Recommended Technical Approach
Step 1: Enable Co-Management and Device Enrollment
- Enable Co-Management in SCCM to manage BitLocker policy through Intune without disrupting existing SCCM management.
- In SCCM, go to Administration > Cloud Services > Co-management and configure the workload.
- Configure BitLocker management policies to shift to Intune without moving other workloads.
- Ensure Hybrid Azure AD Join for seamless device enrollment with both SCCM and Intune.
Step 2: Configure BitLocker Management in SCCM and Intune
SCCM Configuration:
- Verify that BitLocker management policies are already configured in SCCM for on-premises.
- Use SCCM’s MBAM integration for legacy devices if needed.
- Keep the SCCM database unchanged by maintaining the on-prem recovery key storage.
Intune Configuration:
- In Intune, create a Device Configuration Policy for BitLocker under Endpoint security > Disk encryption.
- Store BitLocker recovery keys in Azure AD for Intune-managed devices.
- Exclude SCCM-managed devices from Intune’s BitLocker policy to avoid conflicts.
Step 3: Configure Recovery Key Management
- Azure AD Recovery Keys: For devices managed by Intune, ensure recovery keys are stored securely in Azure AD.
- On-prem Recovery Key Storage: Keep the SCCM/MBAM key storage for devices still managed on-premises.
- Implement RBAC roles in Intune to control access to recovery keys securely.
Key Best Practices
- Minimal Disruption: Roll out the POC with minimal changes to SCCM, ensuring devices can switch to Intune only for encryption management.
- Pilot Group Testing: Select a pilot group of devices to validate policies from both SCCM and Intune during the transition.
- Avoid Policy Conflicts: Carefully exclude devices managed by SCCM from Intune encryption policies.
- Backup Recovery Keys: Ensure a backup process is in place for recovery keys, whether in Azure AD or SCCM.
- Reporting and Compliance: Use Intune compliance policies to monitor encryption status and ensure the new policies are effective.
- MFA for Key Access: Secure recovery key access in Azure AD with MFA to prevent unauthorized access.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
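As an added example that is not part of the answer above, the following PowerShell script is what I would run on each device in the pilot group (Step 2 and Step 3) to confirm the prerequisites before moving the BitLocker workload: that the device is Hybrid Azure AD joined, that the SCCM client reports a co-management flag, that the system drive has a recovery password protector, and, optionally, that the protector has been escrowed to Azure AD. It uses the in-box `BitLocker` module cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `BackupToAAD-BitLockerKeyProtector`) and `dsregcmd /status`. The `HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags` registry value and the `-BackupToAad` switch name are my assumptions for this script, not something stated in the answer.

```powershell
# Added example (not from the original answer): pilot-device readiness and
# recovery key escrow check for an SCCM -> Intune BitLocker co-management POC.
# Run in an elevated PowerShell on a Windows 10/11 pilot device.
# Assumptions: BitLocker module present; CoManagementFlags registry value under
# HKLM:\SOFTWARE\Microsoft\CCM indicates the co-management state (assumed name).
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$BackupToAad   # only escrow to Azure AD for Intune-managed pilot devices
)

# 1. Hybrid Azure AD join state (required before Intune can store the key in Azure AD).
$dsreg = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
$domainJoined  = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet)
$hybridJoined  = $azureAdJoined -and $domainJoined

# 2. SCCM co-management flag (assumed registry location; 0 or missing = not co-managed).
$coMgmt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue
$coManagementFlags = if ($coMgmt) { [int]$coMgmt.CoManagementFlags } else { 0 }

# 3. BitLocker state on the system drive.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# A device with no recovery password protector cannot escrow a key anywhere
# (SCCM/MBAM or Azure AD), so add one on the pilot device if it is missing.
if ($recoveryProtectors.Count -eq 0 -and $vol.VolumeStatus -ne 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# 4. Optional escrow to Azure AD. Only the protector ID is logged, never the
# recovery password itself, so this output is safe to keep in a ticket or log.
$escrowed = @()
if ($BackupToAad -and $hybridJoined) {
    foreach ($p in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        $escrowed += $p.KeyProtectorId
    }
}

# 5. Summary object for the pilot report (one line per device when run at scale).
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    HybridAzureAdJoined  = $hybridJoined
    CoManagementFlags    = $coManagementFlags
    VolumeStatus         = $vol.VolumeStatus
    ProtectionStatus     = $vol.ProtectionStatus
    EncryptionMethod     = $vol.EncryptionMethod
    RecoveryProtectorIds = ($recoveryProtectors | ForEach-Object { $_.KeyProtectorId }) -join ';'
    EscrowedToAzureAd    = ($escrowed -join ';')
}
```

Run it without `-BackupToAad` first on the pilot group to confirm `HybridAzureAdJoined` is true and `CoManagementFlags` is non-zero; devices that fail either check are the ones to keep on the SCCM/MBAM policy (and to exclude from the Intune disk encryption policy) until the join or client state is fixed. Only after that is confirmed is it worth escrowing the key to Azure AD, so that the same recovery password is not expected in two places with one of them empty.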