The 1910 update has some important changes for MEMCM users, and I thought you might benefit from a short review with some links to more information. Protection is clearly one of the biggest material changes for many, so I’ve delved a bit deeper into what this update will bring to those interested in BitLocker management.
One of the first things to note about this update is the change of brand! Configuration Manager is now part of Microsoft Endpoint Manager, so this update becomes Microsoft Endpoint Configuration Manager 1910.
Coverage of the new additions in this update has been extensive, so here are some of the highlights and where to find the information you need on each:
Reclaim SEDO lock: You could clear your lock on a task sequence from update 1906, but now you can clear your lock on any object in the Configuration Manager console.
Extend and migrate on-premises site to Microsoft Azure: A new tool that helps you to programmatically create Azure virtual machines (VMs) for Configuration Manager.
Desktop Analytics and Configuration Manager: Desktop Analytics is now generally available and is a cloud-connected service that integrates with MEMCM.
Deploy Microsoft Edge version 77 and later: Admins can pick the Beta or Dev channel, along with a version of the Microsoft Edge client to deploy.
Gain more control over third-party update catalogues: This update gives you more granular controls over synchronisation of third-party updates.
NEW: BITLOCKER MANAGEMENT ADDED
It's now possible to deploy BitLocker Drive Encryption (BDE) to Windows devices with update 1910. This is an interesting development for many customers, as it enables full BitLocker lifecycle management, which can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM).
The MBAM tool was built into Configuration Manager from update 1908. Along with a number of other advantages, it allowed us to hold BitLocker keys outside of Active Directory and protect against the accidental deletion of an account, along with the key to recover it. What was missing (but is now addressed in update 1910) was a way to encrypt the disk during OS deployment, and a self-service portal for end users, as well as the IT helpdesk, when users have difficulty retrieving keys.
MANAGE ENCRYPTION POLICIES IN MEMCM
The key feature for many in this update will be the ability to manage BitLocker encryption policies from within MEMCM. We can now, for example, easily choose drive encryption and cipher strength, configure user exemption policies and fixed data drive encryption settings.
It also supercharges compliance capabilities. We can force users to get compliant with new security policies before using the device; customise security profiles across your organisation on a per-device basis; and control whether to unlock only an OS drive or all attached drives when a user unlocks the OS drive.
Remember, Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates. When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for installing update 1910.
With so much happening in update 1910, I’d encourage you to check out the update from Microsoft for yourself. As always, let me know if you have any questions or want to know more about how we plan to integrate these new features in the future.