Co-Management Bitlocker

%3CLINGO-SUB%20id%3D%22lingo-sub-394692%22%20slang%3D%22en-US%22%3ECo-Management%20Bitlocker%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-394692%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20jumped%20on%20the%20hype%20train%20and%20I'm%20working%20my%20way%20through%20some%20of%20the%20co-management%20capabilities%2C%20I've%20encountered%20an%20issue%20specific%20to%20Bitlocker%2C%20anyone%20else%20encountering%20this%20issue%20or%20have%20any%20input%20on%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Assigned%20a%20Bitlocker%20device%20configuration%20policy%20to%20my%20test%20group.%3C%2FP%3E%3CP%3E-Policy%20is%20picked%20up%20by%20the%20device%20and%20Bitlocker%20encryption%20attempts%20to%20start%20but%20fails.%3C%2FP%3E%3CP%3E-Upon%20looking%20at%20the%20event%20logs%20I've%20noticed%20the%20following%20%22%3CSTRONG%3EFailed%20to%20enable%20Silent%20Encryption.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EError%3A%20Group%20Policy%20settings%20require%20the%20creation%20of%20a%20startup%20PIN%2C%20but%20a%20pre-boot%20keyboard%20is%20not%20available%20on%20this%20device.%20The%20user%20may%20not%20be%20able%20to%20provide%20required%20input%20to%20unlock%20the%20volume..%22%26nbsp%3B%3C%2FSTRONG%3EThe%20device%20I've%20assigned%20the%20policy%20to%20is%26nbsp%3B%20Surface%20Pro%206%20which%20was%20under%20the%20control%20of%20MBAM%20prior%20to%20this%20so%20I%20know%20Bitlocker%20works%2C%20also%20the%20device%20has%20an%20onscreen%20keyboard%20which%20you%20can%20access%20during%20boot.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Suggestions%20were%20to%20enable%20the%20following%20group%20policy%26nbsp%3B%3CSTRONG%3E%22Enable%20use%20of%20Bitlocker%20authentication%20requiring%20preboot%20keyboard%20input%20on%20slates%22.%26nbsp%3B%3C%2FSTRONG%3EI%20did%20this%20on%20my%20local%20Group%20Policy%2C%20which%20from%20the%20start%20I%20thought%20would%20not%20work%20because%20you%20would%20introduce%20a%20conflict%20and%20I%20was%20right%26nbsp%3B%3CSTRONG%3E%22Error%3A%20The%20Group%20Policy%20settings%20for%20BitLocker%20startup%20options%20are%20in%20conflict%20and%20cannot%20be%20applied.%20Contact%20your%20system%20administrator%20for%20more%20information..%22%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20my%20question%20is%2C%20how%20do%20I%20get%20around%20this%3F%20I%20see%20no%20such%20equivalent%20CSP%20in%20Intune%2C%20can%20I%20can%20make%20it%20manually%3F%20If%20anyone%20has%20any%20input%20that%20would%20be%20awesome.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20not%20have%20the%20requirement%20of%20a%20PIN%2C%20this%20is%20in%20line%20with%20company%20policy%20so%20it%20has%20to%20work%20this%20way%20as%20it%20currently%20does%20with%20MBAM%20managed%20devices.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-394692%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-400679%22%20slang%3D%22en-US%22%3ERe%3A%20Co-Management%20Bitlocker%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-400679%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F13627%22%20target%3D%22_blank%22%3E%40J%C3%B6rgen%20Nilsson%3C%2FA%3EI'm%2099.9%25%20confident%20it's%20not%20a%20GP%20conflict%2C%20what%20is%20interesting%20is%20I%20originally%20assigned%20the%20Bitlocker%20policy%20to%20a%20Surface%20Pro%206%20running%20Windows%2010%20V1803%2C%20I%20noticed%20that%20one%20of%20the%20limitations%20of%20the%20policy%20on%20that%20version%20is%20that%20a%20standard%20user%20is%20prompted%20for%20admin%20rights%20when%20the%20Bitlocker%20configuration%20window%20starts%2C%20as%20my%20users%20do%20not%20have%20these%20rights%20(and%20never%20should!)%20I%20canned%20the%20idea.%20Doing%20some%20research%20it%20transpired%20that%20Window%2010%20V1809%20supports%20encryption%20for%20standard%20users%20without%20any%20UAC%20prompts%20(winning!)%20however%20I%20can't%20get%20to%20the%20previous%20stage%20because%20this%20new%20issue%20has%20been%20introduced.%20Like%20I%20said%20I%20don't%20think%20it's%20a%20policy%20conflict%20I%20think%20it's%20just%20a%20lack%20of%20support%20within%20Intune%20for%20Bitlocker%20at%20this%20stage%2C%20I%20hope%20in%20the%20coming%20future%20they%20resolve%20this.%20Looking%20online%20there%20at%20multiple%20mentions%20of%20other%20users%20encountering%20this%20same%20behaviour%20for%20example%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37175833-enable-use-of-bitlocker-authentication-requiring-p%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F37175833-enable-use-of-bitlocker-authentication-requiring-p%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-400673%22%20slang%3D%22en-US%22%3ERe%3A%20Co-Management%20Bitlocker%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-400673%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170849%22%20target%3D%22_blank%22%3E%40Myles%20Taylor%3C%2FA%3E%26nbsp%3BIt%20sounds%20like%20there%20still%20are%20Group%20Policies%20that%20conflict%20with%20your%20Bitlocker%20settings.%20what%20if%20you%20test%20with%20a%20clean%20machine%20that%20never%20had%20any%20group%20Policies%20applied%3F%3C%2FP%3E%0A%3CP%3ERegards%2C%3CBR%20%2F%3EJ%C3%B6rgen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-511081%22%20slang%3D%22en-US%22%3ERe%3A%20Co-Management%20Bitlocker%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-511081%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20looking%20to%20enable%20this%20feature%20as%20well.%20I%20was%20about%20to%20go%20through%20the%20Intune%20GPO%20options%20and%20see%20if%20I%20could%20do%20it%20that%20way.%20I%20would%20however%20prefer%20for%20this%20to%20be%20a%20toggle%20button%20under%20the%20BitLocker%20settings%20within%20Endpoint%20Protection%3C%2FP%3E%3C%2FLINGO-BODY%3E
Myles Taylor
Occasional Contributor

I've jumped on the hype train and I'm working my way through some of the co-management capabilities, I've encountered an issue specific to Bitlocker, anyone else encountering this issue or have any input on it?

 

-Assigned a Bitlocker device configuration policy to my test group.

-Policy is picked up by the device and Bitlocker encryption attempts to start but fails.

-Upon looking at the event logs I've noticed the following "Failed to enable Silent Encryption.

Error: Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device. The user may not be able to provide required input to unlock the volume.." The device I've assigned the policy to is  Surface Pro 6 which was under the control of MBAM prior to this so I know Bitlocker works, also the device has an onscreen keyboard which you can access during boot. 

- Suggestions were to enable the following group policy "Enable use of Bitlocker authentication requiring preboot keyboard input on slates". I did this on my local Group Policy, which from the start I thought would not work because you would introduce a conflict and I was right "Error: The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.."

 

So my question is, how do I get around this? I see no such equivalent CSP in Intune, can I can make it manually? If anyone has any input that would be awesome. 

 

I can't not have the requirement of a PIN, this is in line with company policy so it has to work this way as it currently does with MBAM managed devices.

3 Replies

@Myles Taylor It sounds like there still are Group Policies that conflict with your Bitlocker settings. what if you test with a clean machine that never had any group Policies applied?

Regards,
Jörgen

@Jörgen NilssonI'm 99.9% confident it's not a GP conflict, what is interesting is I originally assigned the Bitlocker policy to a Surface Pro 6 running Windows 10 V1803, I noticed that one of the limitations of the policy on that version is that a standard user is prompted for admin rights when the Bitlocker configuration window starts, as my users do not have these rights (and never should!) I canned the idea. Doing some research it transpired that Window 10 V1809 supports encryption for standard users without any UAC prompts (winning!) however I can't get to the previous stage because this new issue has been introduced. Like I said I don't think it's a policy conflict I think it's just a lack of support within Intune for Bitlocker at this stage, I hope in the coming future they resolve this. Looking online there at multiple mentions of other users encountering this same behaviour for example, https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37175833-enable-use-of-bitlock...

I am looking to enable this feature as well. I was about to go through the Intune GPO options and see if I could do it that way. I would however prefer for this to be a toggle button under the BitLocker settings within Endpoint Protection

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies