BojanZivkovic-7448 asked:

Windows Autopilot Hybrid Azure AD join & Bitlocker (co-managed device)

Hi, I want to implement BitLocker encryption during Windows Autopilot (Hybrid Azure AD joined device). I must note here that during Autopilot the Configuration Manager client will be installed as well, so the device will be co-managed after Autopilot completes. Is this doable, and what would the end-user experience be (how would he/she know the PIN, for instance ...)?

Any step-by-step walkthrough would come in very handy, since I cannot test this on a VM, so a real physical desktop will be used (HWID already imported, so the device is pretty much ready, with only the BitLocker configuration end to be done).


CiciWu2-MSFT answered:

You can refer to the official article on managing BitLocker policy for hybrid Azure AD joined co-managed devices in Intune. Please note: change "Allow standard users to enable encryption during Azure AD Join" to Not configured; this policy is for Azure AD joined devices.
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices

Also, there is a step-by-step guide written by Nickolaj on silently enabling BitLocker for Hybrid Azure AD joined devices using Windows Autopilot:
https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/

Note: Non-Microsoft link, just for the reference.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

BojanZivkovic-7448 answered:

I tried today (on a Hyper-V 2016 Gen 2 VM with vTPM 2.0 enabled), but Autopilot errored out. I see in the cmd prompt that C: is still unencrypted, while the application I deployed as required is the CM client itself, and it failed, causing the whole deployment to fail. How do I troubleshoot this?

(two screenshots attached)

Both the BitLocker policy and the CM client app are assigned to the group containing the Autopilot devices. Just to point out: I did not have problems with the CM client app when I made it available to a test group containing my user account; I successfully installed it from the web Company Portal on other devices already successfully deployed with Autopilot. This is the first time I have tested BitLocker during Autopilot, though.

I read somewhere that CM client installation could break the whole Autopilot process, but I prefer (if that is doable) to install it during Autopilot. I want to "map" the same pattern as the current OSD Task Sequence in MECM, where the CM client is installed during OSD itself.

I found these:

(two screenshots attached)

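A PowerShell readiness and status check that can be run on the failing device (added example, not code from either participant or from Microsoft). It assumes an elevated PowerShell prompt on the device (Shift+F10 during OOBE works), the in-box BitLocker, TrustedPlatformModule and SecureBoot modules, and that C: is the OS volume; it surfaces the TPM state, Secure Boot state, current volume protection and the most recent BitLocker management errors, which is the information a support ticket would ask for.

```powershell
# Added example: on-device check for silent BitLocker during Autopilot.
# Assumes an elevated prompt and the in-box BitLocker/TPM/SecureBoot modules.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')   # assumed OS volume

    $result = [ordered]@{}

    # 1. TPM must be present and ready; a Hyper-V Gen 2 vTPM reports 2.0 here.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
    $result.TpmSpec    = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm).SpecVersion

    # 2. UEFI / Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS).
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'Not UEFI or not supported' }

    # 3. Volume state: ProtectionStatus Off with 0% and no TPM protector means the
    #    policy never applied or the TPM protector could not be added.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus      = $vol.VolumeStatus
    $result.ProtectionStatus  = $vol.ProtectionStatus
    $result.EncryptionPercent = $vol.EncryptionPercentage
    $result.KeyProtectors     = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','

    # 4. Recent errors/warnings from the BitLocker management log explain why
    #    silent enablement was rejected (first line of each message only).
    $result.RecentEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Level   = 2, 3          # 2 = Error, 3 = Warning
        } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```

Run it before and after the BitLocker policy is expected to have applied; a TPM that is present but not ready, or a volume with no `Tpm` key protector, points at the device state rather than at the CM client app.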

CiciWu2-MSFT commented:

I have done a lot of research and consulted senior resources. For such a co-management issue, it may be necessary to involve an SCCM resource to troubleshoot together. In such a situation, it is highly suggested to create a free online support ticket to resolve this issue more effectively. Thanks very much for your cooperation and understanding. Here is the link: https://docs.microsoft.com/en-us/mem/get-support
