Forum Discussion

StuartK73's avatar
StuartK73
Iron Contributor
Apr 27, 2021

Suppress BitLocker Drive Choices on AADJ Machines

Hi All   We are deploying BitLocker to Azure AD Joined AutoPilot devices via Intune.   All is well, except BitLocker is prompting users about drives.   Anyway to hide this notification?   Inf...
Intune
mobile device management (mdm)
Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Apr 27, 2021

StuartK73 

 

It depends on your configuration, here is mine

 

 

Another possibility would be a powershell script to enable bitlocker. The Only downside: key rotation is not configured in this script but with the scheduled task you are pretty sure bitlocker is going to be enabled

 

$content = @'
$BLinfo = Get-Bitlockervolume
if($BLinfo.EncryptionPercentage -ne '100' -and $BLinfo.EncryptionPercentage -ne '0'){
Resume-BitLocker -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
if($BLinfo.VolumeStatus -eq 'FullyEncrypted' -and $BLinfo.ProtectionStatus -eq 'Off'){
Resume-BitLocker -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
if($BLinfo.EncryptionPercentage -eq '0'){
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
'@

Out-File -FilePath "C:\ProgramData\CustomScripts\enablebitlocker.ps1" -Encoding unicode -Force -InputObject $content


# create custom folder and write PS script
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\enablebitlocker.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

# register script as scheduled task
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\enablebitlocker.ps1`""
Register-ScheduledTask -TaskName "EnableBitlocker" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "EnableBitlocker"

 

 

 

 

 

 

Resources