cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Managing Bitlocker from MEM vs Config manager

Solu
Copper Contributor

‎Feb 21 2021 06:22 PM

‎Feb 21 2021 06:22 PM

Managing Bitlocker from MEM vs Config manager

I'm new to Microsoft Bitlocker, currently we use McAfee to manage and encrypt our devices, however, the plan is to move all devices to Microsoft and manage them via Intune/MEM  in a few months. I'm running into issues with Bitlcoker policies, they are not getting applied properly when applied from Intune/MEM.

Microsoft support is recommending that I should consider using a standalone "MBAM". 

We have SCCM (Config manager) in place and our systems are co-managed. Our workload has been configured for Intune\MEM to manage "Endpoint protection".

 

Questions:

1) Should I use SCCM (config manager) just for "Bitlocker" and disable "Bitlocker" policy in Intune\MEM?

2) Manage "Bitlocker" policy from Intune\MEM only?

3) Setup a standalone MBAM to manage "Bitlcoker"?

 

Your help is much appreciated

 

 

 

 

 

Labels:
1,163 Views
0 Likes
3 Replies
Reply
3 Replies
Pa_D

‎Feb 22 2021 10:52 AM

‎Feb 22 2021 10:52 AM

Re: Managing Bitlocker from MEM vs Config manager

Bitlocker policy via Intune is supported for co-managed device, ideally it should be working for you.

 

1) What is the status of Intune Bitlocker policy on Intune admin UI for this test device? what is the error.

2) Can you share Bitlocker policy configuration screenshots? Most likely there could be a conflict in the configuration you did.

3) On the Intune console > devices > Select the device > does it show device is healthy and managed by SCCM?

0 Likes
Reply
Solu

‎Feb 22 2021 11:31 AM

‎Feb 22 2021 11:31 AM

Re: Managing Bitlocker from MEM vs Config manager

Hi @Pa_D 

 

Please see below:

 

1) Status showing Active now, I had to enabled bitlocker manually on system by right click. 

but user never received any prompt in notification center.

.................

ERROR: An error occurred (code 0x80310066):

Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option.

NOTE: If the -on switch has failed to add key protectors or start encryption,

 

2) 

Sohel_0-1614021794713.png

 

3)  Device is co-managed (SCCM\Intune)... see below:

Sohel_1-1614021994144.png

 

 I was able to push same policy from Intune to 3 other test system, and they all worked well, except this device, which belong to a user and where encryption pop-up never showed up?

Since we are at initial state and have SCCM already in our environment - do you think I should consider SCCM and not Intune for Bitlocker? my biggest concern is I don't want to run into same situaion when we enable it on 2000+ users.

 

Thanks again.

 

 

 

 

 

 

 

0 Likes
Reply
Pa_D

‎Feb 23 2021 12:30 PM

‎Feb 23 2021 12:30 PM

Re: Managing Bitlocker from MEM vs Config manager

@Solu 

 

1) Where are you seeing this error message? On Intune admin console or event logs on PC?

ERROR: An error occurred (code 0x80310066):

Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option.

NOTE: If the -on switch has failed to add key protectors or start encryption,

 

2) Do you also have GPO policy for Bitlocker deployed to this PC?

 

3) Does this PC in question, have TPM chip?

0 Likes
Reply