
MBAM extended support ends April 2026: Find alternative solution


Microsoft will end MBAM’s extended support in April 2026, so organizations need to find an alternative solution. Without support or updates, MBAM will no longer meet security standards or support future-proofing efforts. Therefore, in this article, we discuss other tools that can replace Microsoft BitLocker Administration and Monitoring for BitLocker management, since MBAM extended support ends in April 2026. Please see how to deploy MBAM for BitLocker Administration, and how to check if Microsoft BitLocker Administration and Monitoring is installed on Windows.

In a subsequent article, we will look at the steps to integrate MBAM with Microsoft Endpoint Manager Configuration Manager. Relying on the TPM alone for BitLocker key protection is not recommended: proofs of concept have shown that, with physical access to such a device, the BitLocker key can be extracted using affordable hardware and modest expertise. The best practice is to enable BitLocker with TPM plus a Personal Identification Number (PIN), which adds an extra layer of security (pre-boot authentication).

Increasing threats to corporate data have made hard drive encryption essential. Microsoft strengthens data security with BitLocker, offering robust encryption. Many organizations have relied on MBAM to manage BitLocker, benefiting from its detailed reporting and seamless integration.

Microsoft Intune and Microsoft Endpoint Configuration Manager (formerly SCCM) are popular tools for IT management, each with distinct advantages and limitations. Intune provides a user-friendly, cloud-based solution, but it involves a subscription cost.

On the other hand, Configuration Manager offers robust integration and extensive features but can be complex to implement, especially for tasks like BitLocker management alone. Both tools can also handle imaging, application management, and more, giving organizations flexibility based on their specific needs. Additionally, several third-party alternatives are available, which we will explore shortly.

Also, see How to Disable BitLocker on Windows 10, how to Hide Default BitLocker Drive Encryption item in Windows, and How to Disable device encryption on Windows.

What is Microsoft BitLocker Administration and Monitoring (MBAM)?

MBAM provides a simplified administrative interface for managing BitLocker Drive Encryption. BitLocker provides enhanced protection against data theft or exposure for devices that are lost or stolen. It encrypts all data stored on the Windows operating system, internal drives, and configured external drives. In MBAM terminology, these are referred to as the “OS Drive, Data Drive Encrypted and Removable Drives“. Below are some MBAM features:

With the above information, you will realize that MBAM enforces the BitLocker encryption policy options that you set for your enterprise, monitors the compliance of client computers with those policies, and reports on the encryption status of the enterprise’s and individual computers.

In addition, MBAM lets you access recovery key information when users forget their PIN or password, or when their BIOS or boot records change, through BitLocker Recovery in the Self-Service Portal and the Helpdesk portal.

Note: Given the above benefits of MBAM, you will agree with me that it is necessary to find a solution that integrates seamlessly and takes over the management of BitLocker encryption on Windows.

Why is enabling BitLocker not enough?

While BitLocker is a robust built-in encryption tool for securing data on Windows devices, using it alone often falls short of enterprise-level needs. Organizations require centralized management, comprehensive monitoring, and streamlined compliance reporting, areas where BitLocker on its own lacks functionality. Below are some reasons relying solely on BitLocker may not suffice:

  1. BitLocker does not provide an out-of-the-box solution for managing encryption policies across multiple devices in a centralized manner. This makes it challenging to enforce consistent encryption settings, especially in large environments.
  2. BitLocker stores recovery keys locally or in an Entra ID (formerly Azure AD) account. Without a centralized mechanism such as MBAM or Endpoint Configuration Manager, managing and retrieving recovery keys for numerous devices becomes cumbersome, increasing the risk of key loss and unauthorized access. You will find some useful answers in the FAQ section of this blog post. Please see Backup existing and new BitLocker Recovery Keys to Active Directory. Here is how to check for BitLocker Recovery Key in Microsoft account.
  3. Many industries have stringent compliance regulations that require detailed auditing and reporting. BitLocker alone lacks robust reporting tools, making it harder to track encryption statuses, identify non-compliant devices, and generate compliance reports.
  4. For Monitoring and Alerts, BitLocker does not offer built-in capabilities to monitor the encryption status of devices or send alerts for non-compliance or encryption failures. This leaves IT administrators unaware of potential security risks until it’s too late.
  5. Deploying BitLocker encryption at scale and ensuring uniform settings can be time-consuming without centralized tools like MBAM or Microsoft Endpoint Configuration Manager. This is why I am advocating more for this tool as an alternative product.
  6. In remote or hybrid work scenarios, managing BitLocker settings and keys across geographically distributed devices without a central platform can be inefficient and error-prone.
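The monitoring and compliance gaps listed above, and the TPM-only caveat from the introduction, can at least be measured on a single client with the built-in BitLocker PowerShell module. The script below is an added example, not code from the article or from any of the products it compares: it audits every local volume and flags the conditions the article warns about (not fully encrypted, protection suspended, OS drive protected by TPM only, no recovery password to escrow, and an encryption method that differs from the target). The target method XtsAes256 and the TPM+PIN expectation are assumptions to be aligned with your own policy.

```powershell
# Added example (not from the article): audit local BitLocker state and flag the
# gaps discussed above. Run in an elevated session; requires the BitLocker module.
# Assumed policy targets (adjust to your own): XtsAes256 and TPM+PIN on the OS drive.
$TargetMethod = 'XtsAes256'

function Get-BitLockerAuditReport {
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types present on this volume (Tpm, TpmPin, RecoveryPassword, ...)
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is suspended or off'
        }
        # TPM-only: a plain Tpm protector with no PIN or startup-key variant alongside it
        $preBoot = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        if ($vol.VolumeType -eq 'OperatingSystem' -and ($types -contains 'Tpm') -and -not $preBoot) {
            $findings += 'OS drive uses a TPM-only protector; pre-boot PIN recommended'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector (nothing to escrow to AD/Entra ID)'
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -ne $TargetMethod) {
            $findings += "Encryption method $($vol.EncryptionMethod) differs from target $TargetMethod (re-encryption needed)"
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Display locally; pipe to Export-Csv instead to collect the rows centrally.
Get-BitLockerAuditReport | Format-Table -AutoSize
```

Running this on one machine gives you exactly what a management tool would otherwise give you at scale: the report is the manual equivalent of MBAM’s compliance status, and the point of the products compared below is that you no longer have to collect it yourself.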

Why Should we replace MBAM?

Microsoft BitLocker Administration and Monitoring (MBAM) regular (mainstream) support ended on 9 July 2019, and no new capabilities have been added since that date.

MBAM was due to reach the end of “extended” support on July 9, 2024. However, if you are using MBAM but have not yet moved to the cloud and are not using Configuration Manager, you can continue to use MBAM until April 14, 2026.

The difference between mainstream and extended support is that no new features are available during extended support, and once extended support ends there are no longer any security fixes either.

Unfortunately, MBAM is not the only tool being retired, since MBAM is part of the Microsoft Desktop Optimization Pack (MDOP), a suite of tools that help improve compatibility and management, reduce support costs, improve asset management, and improve policy control.

Microsoft created each MDOP tool separately, each with its own end-of-support date, and later packaged them into a single portfolio. To simplify planning, Microsoft is extending support for the following products through April 14, 2026, to standardize on a single end-of-support date.

| Product | End of mainstream support | Original end of extended support | New end of extended support |
|---|---|---|---|
| AGPM v4 SP3 | April 10, 2018 | Jan 12, 2021 | April 14, 2026 |
| App-V: Application Virtualization 5.0 for Remote Desktop Services Service Pack 3; Application Virtualization 5.0 for Windows Desktops Service Pack 3; Application Virtualization Hosting 5.0 for Windows Desktops Service Pack 3; Application Virtualization 5.1 for Remote Desktop Services; Application Virtualization 5.1 for Windows Desktops; Application Virtualization Hosting 5.1 for Windows Desktops | Jan 9, 2018 | Jan 10, 2023 | April 14, 2026 |
| DaRT 10.0 | April 13, 2021 | April 14, 2026 | April 14, 2026 |
| MBAM 2.5 SP1 | July 9, 2019 | July 9, 2024 | April 14, 2026 |
| UE-V 2.1 SP1 | April 14, 2020 | April 8, 2025 | April 14, 2026 |
| Med-V 2.0* | April 12, 2016 | April 13, 2021 | not changing |

Alternative solutions to MBAM

Based on the table above, the announced and timely discontinuation of extended support for the MBAM tool gives organizations the chance to secure an efficient and reliable alternative for managing their hard drive encryption. Please see how to Run Hyper-V on Windows 11 and Install Windows OS via PXE Boot, and how to Change the number of MachineAccountQuota a user can add to AD.

We have ample time until MBAM’s extended end-of-life date of April 14th, 2026 to make an informed decision about the appropriate solution for our needs. This page provides an overview of the various tools, features, and capabilities available, which will help us make that decision.

Tools compared, in column order: Microsoft Intune | Endpoint Configuration Manager (formerly SCCM) | Trellix Data (Drive) Encryption 7.4 | Trellix Management of Native Encryption 5.2 | BitTruster | ACMP BitLocker Management. Each feature below lists its entries in that column order (some features were not rated for every tool).

Migration Support (integration with MBAM) – Re-encryption: ✔ | ✔ | Not a fan, as it does not require the native BitLocker on end devices; it uses Trellix’s own encryption technology. This means you must disable BitLocker on all endpoints before rolling out “Trellix Drive Encryption” to all clients. The Trellix license model is per node. You can decide between Trellix MNE and Endpoint ConfigMgr. | ✔ | ✔ (not tested yet) | ✔ (not tested yet)

Centralized Management: ✔ | ✔ | ✔ | ✔ | ✔ | ✔

Enforce Encryption Policies: ✔ | ✔ | ✔ | ✔ | ✔ via GPO | Via Containers

Group Policy Integration: ✔ | ✔ | X | X | ✔ | ✔

Help Desk: ✔ | X | X (but the BitLocker recovery key can be queried from ePO and also from AD). There is no help desk solution as we have in MBAM and ConfigMgr, but there is a workaround: use a “permission set” to grant access to HELPDESK users. Self-service recovery and a helpdesk portal for MNE are therefore possible. | ✔ | No

Self-Service Portal: ✔ | ✔ | ✔ (as mentioned above, I found a way to make this work by assigning a permission set) | ✔ | No

Key Rotation (life-cycle management): ✔ Yes, but not immediately after reuse (you can define x number of days); the key does not change in AD | ✔ | No

Compliance Reporting: ✔ | ✔ | ✔ | ✔ | ✔ | ✔ (Basic)

Ease of Management: ✔ | ✔ | ✔ | No

Active Directory Synchronization: ✔ | ✔ | ✔ (with BitLocker Policy, we can achieve this) | ✔ | ✔ (GPO)

Cloud-based (Yes/No): Yes | No | No (has a cloud management option as well) | No (has a SaaS offering called MVISION ePO) | No | No

On-premise Deployment: Cloud-based | ✔ | ✔ | ✔ | ✔ | ✔

Agent-Based (Yes/No): ✔ | X (no additional agent is deployed; relies on the existing Trellix Agent that must be deployed on end devices for ENS) | Yes | No | Yes

Encrypted channel (server/client communication): TLS (when configured) | ✔ (uses port 443 by default) | ✔

Integration with Windows Autopilot: N/A | ✔ | X | X | No

Co-Management and Intune: N/A | ✔ | X | X (but encryption can be taken over) | No

Simultaneous Test before change-over: ✔ | ✔ (but the installation must be on different hardware than MBAM) | X (MBAM must be uninstalled before the deployment of Trellix Drive Encryption; BitLocker also needs to be disabled) | ✔ (yes, but it MUST be in Reporting-only mode, otherwise both management tools will compete over the management of BitLocker) | ✔ (seems possible, but should be tested)

Please see how to Manage BitLocker and FileVault with Trellix Native Encryption, and how to encrypt your system with Trellix Data Encryption. Here is “Selfservice Recovery: Trellix BitLocker and fileVault Recovery“.

Differences between the BitLocker Management Tools offered by Trellix

The table below shows the differences between the two solutions offered by Trellix for data protection on endpoints (Windows devices).

Trellix Native Encryption (MNE):

  1. Supports both MVISION ePO (SaaS) and on-prem McAfee ePO.
  2. Ability to upgrade from one major OS X version to the next without having to decrypt and re-encrypt the drive.
  3. Zero-day compatibility with OS X and Windows patches, upgrades, and firmware updates from Apple and Microsoft.
  4. Zero-day support for new hardware from Apple and tablet hardware from Microsoft.
  5. Self-service portal, which allows users to recover their devices in case of BitLocker recovery.
  6. Support for a BYOD model, where the device is not managed; only the state of compliance is reported in Trellix ePO.
  7. Simple administration and management.
  8. There is no need to decrypt and re-encrypt endpoints with Trellix MNE.
  9. Enables you to specify a new encryption policy at any level of the organization to handle specific use cases.

Trellix Data Encryption: I will not evaluate this, as it does not use the Windows native BitLocker solution (this applies to every point above).

Simply put, Native encryption is the adoption and the encryption of data on the system drive through the native encryption supplied with the operating system by the OS vendor. For Windows, this is BitLocker and for Apple, this is FileVault.

Please see How to fix “You are currently signed in as: Use a different account-this account is managed by your organisation”, and how to Upgrade Expired Evaluation Configuration Manager to Full Version.

Other Possible Solutions

ManageEngine Key Manager Plus: Having used ManageEngine Password Manager, I can attest to their excellent products and support. However, you must evaluate them based on regulatory requirements and capabilities.

Note: BitTruster can take control of BitLocker management. Since we have BitLocker deployed through MBAM, the agent may need to be uninstalled. Although their documentation does not indicate any problems, adequate testing is required.

Trellix Data Encryption products work hand-in-hand with Trellix DLP to provide full-disk encryption and device control as part of an enterprise-wide DLP solution. This solution is exciting as it monitors and protects sensitive data and prevents unauthorized external devices from joining the network etc.

ACMP relies heavily on PowerShell, so PowerShell scripts must be allowed to run on end devices. This is currently Undefined for all execution-policy scopes, for security reasons. You can query this quickly with the following command:

Get-ExecutionPolicy -list

DriveLock is another competitive solution I wish to recommend. Please see How to activate DriveLock License on Windows Server, and DriveLock Components: Important DriveLock components to master. Also, see How to uninstall the DriveLock Agent from your device, and How to perform DriveLock quick setup.

DriveLock can easily take over systems. The impact on the user varies depending on the protector used. If TPM alone is used as a protector, the end user will not notice the takeover at all. If TPM and PIN are used, the user is only prompted to enter a new password. This would also be the case when switching from TPM to TPM+PIN. When switching to DriveLock PBA, this is activated and the login data of the user currently logged in is automatically synchronised to the PBA user database during this process.

Here is How to install Standalone Installation DriveLock Encryption software, How to download and install DriveLock on Windows, and the Concept of DriveLock with a focus on Encryption.

Some reasons to use Configuration Manager

Endpoint Configuration Manager provides centralized reporting and hardware management just like MBAM. The Help Desk reduces its workload by assisting end users with BitLocker recovery key requests, and end users can independently recover encrypted devices through the Self-Service Portal. Since I am advocating more for Endpoint Configuration Manager: testing and pairing BitLocker with tools like Microsoft BitLocker Administration and Monitoring (MBAM) or Microsoft Endpoint Manager enhances usability.

These tools centralize policy enforcement, simplify recovery key management, improve compliance visibility, and enable proactive monitoring, making BitLocker a more viable solution for enterprise environments.

Note: Using Microsoft Endpoint Configuration Manager for BitLocker only can be considered overkill, but it can do much more. You can install the Configuration Manager console on additional devices, allowing broader access for administrative tasks, and with role-based administration you control and restrict what each administrative user can view and do in the console.

When leveraging Configuration Manager for various roles, such as OS installation with WDS/MDT, application control (software distribution), and more, role-based administration ensures secure and efficient delegation of tasks. It simplifies management by assigning precise permissions, enabling administrators to focus only on their responsibilities while maintaining a secure and streamlined environment.

The Configuration Manager client handler for BitLocker is co-management aware. Therefore, it is CLOUD READY! If the device is co-managed, and you switch the Endpoint Protection workload to Intune, then the Configuration Manager client ignores its BitLocker policy.

The device then gets its Windows encryption policy from Intune. Please see this Microsoft documentation for more information. Also, the BitLocker management GPO settings are fully compatible with Configuration Manager.

Note: Switching encryption management authorities while maintaining the desired encryption algorithm doesn’t require any additional actions on the client. However, if you switch encryption algorithm, you will need to plan for re-encryption.

There is similar behavior when devices are encrypted automatically due to modern standby. Also, see Why does MBAM not automatically re-encrypt MBAM or BitLocker-protected devices?

Migration considerations to Configuration Manager

If you currently use Microsoft BitLocker Administration and Monitoring (MBAM), you can seamlessly migrate management to Configuration Manager. When you deploy BitLocker management policies in Configuration Manager, clients automatically upload recovery keys and packages to the Configuration Manager recovery service.

Note: A new server is needed for Configuration Manager, and this MUST not be the same as the MBAM server. In other words, when you migrate from stand-alone MBAM to Configuration Manager BitLocker management and still require the existing functionality of stand-alone MBAM, don’t reuse stand-alone MBAM servers or components with Configuration Manager BitLocker management.

If you reuse these servers, stand-alone MBAM will stop working when Configuration Manager BitLocker management installs its components on them. Don’t run the MBAMWebSiteInstaller.ps1 script to set up the BitLocker portals on stand-alone MBAM servers. When you set up Configuration Manager BitLocker management, use separate servers. I cannot overemphasize this!

Please see Trellix ePolicy Orchestrator Installation on Windows Server, and how to upgrade Trellix ePolicy Orchestrator.

Simulations Test before Change Over for Configuration Manager

If a group policy setting exists for standalone MBAM, it will override the equivalent setting attempted by Configuration Manager. Standalone MBAM uses domain group policy, while Configuration Manager sets local policies for BitLocker management.

Domain policies will override the local Configuration Manager BitLocker management policies. If the standalone MBAM domain group policy doesn’t match the Configuration Manager policy, Configuration Manager BitLocker management will fail. For example, if a domain group policy sets the standalone MBAM server for key recovery services. Configuration Manager BitLocker management can’t set the same setting for the management point. This behavior causes clients to not report their recovery keys to the Configuration Manager BitLocker management key recovery service on the management point.

Note: Configuration Manager doesn’t implement all MBAM group policy settings. If you configure more settings in group policy, the BitLocker management agent on Configuration Manager clients honors these settings.

Don’t set a group policy for a setting that Configuration Manager BitLocker management already specifies. Only set group policies for settings that don’t currently exist in Configuration Manager BitLocker management. Configuration Manager version has feature parity with standalone MBAM.

With Configuration Manager version 2002 and later, in most instances there should be no reason to set domain group policies to configure BitLocker policies.

To prevent conflicts and problems, avoid use of group policies for BitLocker. Configure all settings through Configuration Manager BitLocker management policies.
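Before switching a client from stand-alone MBAM to Configuration Manager BitLocker management, it helps to see which BitLocker settings the domain is still delivering by group policy, since those are the ones that will override the local Configuration Manager policy. The script below is an added example and not from the article or from Microsoft: it reads the BitLocker policy registry key, HKLM:\SOFTWARE\Policies\Microsoft\FVE, and the MDOPBitLockerManagement subkey under it where the stand-alone MBAM client settings land, and marks any MBAM service-endpoint value as a conflict with the Configuration Manager management point. The exact value names vary with the MBAM policies you deployed, so treat the `*ServiceEndPoint*` pattern as an assumption to verify against your own GPO.

```powershell
# Added example (not from the article): list BitLocker settings delivered by domain
# group policy on this client so they can be compared with, or removed in favour of,
# Configuration Manager BitLocker management policy.
# HKLM:\SOFTWARE\Policies\Microsoft\FVE is the BitLocker policy key; the
# MDOPBitLockerManagement subkey holds stand-alone MBAM client settings.
# The endpoint value-name pattern below is an assumption; check your own GPO.
$FvePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$MbamPolicy = Join-Path $FvePolicy 'MDOPBitLockerManagement'

function Get-BitLockerGpoSettings {
    foreach ($key in @($FvePolicy, $MbamPolicy)) {
        if (-not (Test-Path $key)) { continue }      # no policy delivered for this key
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{
                Source   = if ($key -eq $MbamPolicy) { 'MBAM GPO' } else { 'BitLocker GPO' }
                Setting  = $prop.Name
                Value    = $prop.Value
                # An MBAM recovery/status endpoint set by GPO wins over the ConfigMgr management point
                Conflict = ($prop.Name -like '*ServiceEndPoint*')
            }
        }
    }
}

$settings = Get-BitLockerGpoSettings
if (-not $settings) {
    'No BitLocker policy values found under HKLM\SOFTWARE\Policies\Microsoft\FVE'
} else {
    $settings | Sort-Object Conflict -Descending | Format-Table -AutoSize
}
```

Any row marked Conflict is a domain setting that must be unlinked (or left unconfigured in the MBAM GPO) before Configuration Manager clients will report their recovery keys to the management point; the remaining rows are the ones to compare against the Configuration Manager BitLocker management policy so that no setting is defined in both places.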

Please see How to Enable the End Task Option on Windows 11 Taskbar, how to Set Microsoft Defender AV to Passive mode on a Windows Server, and How to create Microsoft 365 Account.

FAQs

Why do Windows 10 and Windows 11 avoid significant BitLocker encryption performance issues?

BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer’s performance.

To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model ensures that BitLocker encrypts any new disk writes as soon as it is enabled. This behavior applies to all client editions and any internal drives.

What is the benefit of using the new “Encrypt-On-Write” conversion method?

The new “Encrypt-On-Write” conversion method immediately protects sensitive data when BitLocker is enabled. Unlike the previous model, which required the encryption process to reach 100% before considering the drive compliant, this method encrypts new data as it is written to the drive, ensuring compliance from the start.

Therefore, this allows organizations to store sensitive data without waiting for full encryption, avoiding delays caused by large drive sizes. Although the encryption of pre-existing data takes longer, the new method maintains performance and prioritizes immediate protection for new data.

Does BitLocker automatically manage backup to AD?

BitLocker does not automatically manage this backup process. But you can manually back up or synchronize or automate the backup of BitLocker keys to AD.
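Since BitLocker does not escrow keys on its own, the manual backup mentioned here (and in point 2 of the list earlier, on centralized key management) can be scripted. The block below is an added example, not the article’s own procedure: for every encrypted volume it makes sure a numerical recovery password protector exists, adding one if necessary, and then backs each one up to Active Directory with Backup-BitLockerKeyProtector. It assumes an elevated session on a domain-joined device whose AD schema supports BitLocker recovery information; on Entra ID-joined devices the equivalent cmdlet is BackupToAAD-BitLockerKeyProtector.

```powershell
# Added example (not from the article): ensure each encrypted volume has a recovery
# password protector and escrow it to Active Directory.
# Assumes: elevated session, domain-joined device, AD schema with BitLocker recovery
# information. Use BackupToAAD-BitLockerKeyProtector for Entra ID-joined devices.
function Backup-RecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($rp.Count -eq 0) {
            # No numerical recovery password yet: add one so there is something to escrow
            $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }
        foreach ($p in $rp) {
            try {
                # Writes the recovery password to the computer object in AD DS
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
                $result = 'BackedUp'
            } catch {
                $result = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Volume      = $vol.MountPoint
                ProtectorId = $p.KeyProtectorId
                Result      = $result
            }
        }
    }
}

Backup-RecoveryPasswordsToAD | Format-Table -AutoSize
```

A failed row usually means the device cannot reach a writable domain controller or the computer object lacks the ms-FVE-RecoveryInformation attribute, which is exactly the per-device follow-up that a central tool such as Configuration Manager or the third-party products above takes off your hands.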

How do you make an encrypted hard drive readable?

To make an encrypted hard drive readable, the system must transfer the key from the TPM to the CPU. The system checks certain values, and if successful, it transmits the key. This process creates the attack vector when using TPM only.

I hope you found this article on “MBAM extended support ends April 2026: Find alternative solution” very useful. Please feel free to leave a comment below.

The post MBAM extended support ends April 2026: Find alternative solution appeared first on TechDirectArchive.

