Forum Discussion
Intune BitLocker silent encryption not working on Hybrid Azure AD devices.
Thank you for your response.
Encryption starts after Autopilot is completed and gets stuck at some point while backing up the encryption key to AD (which we don't need). Sometimes it completes the encryption after a day, and sometimes it never completes and stays stuck.
In your reply you suggested blocking the startup PIN, but we need the TPM + PIN configuration as per our policies. I will also test the TPM-only configuration to see whether it works with that setting.
Thank you for your suggestion.
Actually I am using the "MDM Wins over GP" policy from Intune, so on-premises GPOs shouldn't be a problem. But I will check your suggestion as well, to see whether the MDM Wins over GP policy pushed from Intune is working or not.
Thanks for your suggestion, I will check that PowerShell script as well and let you know the results.
Just to let you know how we are implementing Autopilot in our organization, please see the points below:
1. I connect to the VPN manually at the Windows logon screen during Autopilot, and the account setup phase is skipped.
2. After connecting to the VPN it takes around 1 to 1.5 hours to complete the hybrid join process in the background.
3. BitLocker policies are applied after Autopilot is completed, while the device is still not connected to my organization's Azure AD (the Hybrid AD join process is still not completed).
4. Encryption starts and backs up the recovery key to AD only (which is not needed).
5. Encryption doesn't complete and gets stuck at some point, or sometimes takes a day or so to complete.
I have done the testing below and found these things:
1. I tried to back up the recovery key to AAD manually, but it didn't work (Hybrid AD join was not completed by that time).
2. After the Hybrid join process was completed, I tried to back up the recovery key to AAD and it worked.
3. After the Hybrid AD join process was completed, I decrypted the drives (encryption was stuck, so I decrypted) and ran the policy sync; this time the recovery key was backed up to both Azure AD and AD. Encryption also completed in a short period of time.
4. It seems this issue is due to the Hybrid AD join process not being completed by the time the BitLocker policies are applied on the device.
Could you please provide a suggestion to apply Intune BitLocker policies only after Hybrid AD join process is completed on the device?
- DxR, May 09, 2022, Iron Contributor
Hi,
Sorry, I read your first post too fast. It's HAADJ, not AADJ; it seems that the "allow standard user to enable BitLocker" setting has no effect on HAADJ, and encryption won't work during Autopilot.
When encryption starts (Step 4) your HAADJ process isn't completed (Step 3), so the recovery key can't be backed up.
This post can help you enable BitLocker silently during the Autopilot process; when it finishes, the recovery keys are stored in AAD for HAADJ:
https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/
- May 09, 2022
😛 That's why I asked if he could use/try it with a PowerShell script / converted to a Win32 app, just like in the msendpointmgr blog indeed
- May 09, 2022
Kinda funny... as I am writing a blog about delaying stuff 🙂 ..... converting that PowerShell script I linked to in the blog to a Win32 app so you could set requirement rules. With those requirement rules you could do something like this: I am checking the creation date of the IME and making sure that (as an example) 3 hours after the IME has been installed, the Win32 app (the converted BitLocker script) is installed.
$AppInstallDelay = New-TimeSpan -Days 0 -Hours 3 -Minutes 0
# The creation time of the IME install folder is used as the enrolment timestamp
$ime = Get-Item "C:\Program Files (x86)\Microsoft Intune Management Extension" | select Name,CreationTime
$EnrolmentDate = $ime.CreationTime
$futuredate = $EnrolmentDate + $AppInstallDelay
# checking whether the current date has reached futuredate (enrolment time + delay);
# comparing against $EnrolmentDate itself would always be True and defeat the delay
$outcome = ((Get-Date) -ge $futuredate)
$outcome
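The question in this thread is how to hold the BitLocker script back until the Hybrid Azure AD join has actually completed, rather than guessing at a fixed delay. The script below is an added example, not posted by any participant and not taken from the msendpointmgr blog: an Intune Win32 app requirement-rule script that reports "Ready" only once dsregcmd /status shows the device as both domain joined and Azure AD joined with a device ID. The function names, the "Ready"/"NotReady" output values and the regular expression used to parse the dsregcmd output are this example's own assumptions; dsregcmd.exe itself ships with Windows 10/11.

```powershell
# Added example (not from the thread): Intune Win32 app requirement-rule script.
# It outputs "Ready" only when the device reports as Hybrid Azure AD joined, so an
# app with this requirement (e.g. the converted BitLocker script) is not installed
# before the join completes and the recovery key can be escrowed to Azure AD.
# Assumption: dsregcmd.exe is present and prints "Key : Value" lines such as
# "AzureAdJoined : YES", "DomainJoined : YES" and "DeviceId : <guid>".

function Get-DeviceJoinState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    $lines = & "$env:SystemRoot\System32\dsregcmd.exe" /status 2>$null
    foreach ($line in $lines) {
        # Lazy match up to the first colon so values containing colons (URLs) survive
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridAzureAdJoined {
    param([hashtable]$Status = (Get-DeviceJoinState))
    # Hybrid Azure AD joined = on-prem domain joined AND Azure AD joined,
    # and a DeviceId has been issued by Azure AD for this device
    return (($Status['DomainJoined'] -eq 'YES') -and
            ($Status['AzureAdJoined'] -eq 'YES') -and
            -not [string]::IsNullOrWhiteSpace($Status['DeviceId']))
}

# Requirement rule contract: Intune compares the script's string output with the
# value configured in the rule (here "Ready"); any other output = requirement not met,
# and the Intune Management Extension re-evaluates it on its next cycle.
if (Test-HybridAzureAdJoined) {
    Write-Output 'Ready'
} else {
    Write-Output 'NotReady'
}
```

When adding this as a requirement rule of type "Script" on the Win32 app, set the output data type to String and compare it with "Ready". Because dsregcmd.exe lives in System32, run the script as a 64-bit process (do not tick "Run script as 32-bit process on 64-bit clients") so WOW64 file-system redirection does not send the call to SysWOW64. It can be combined with the IME creation-time delay from the post above by adding the time check as a second requirement rule on the same app.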