Managing Bitlocker from MEM vs Config manager

%3CLINGO-SUB%20id%3D%22lingo-sub-2154505%22%20slang%3D%22en-US%22%3EManaging%20Bitlocker%20from%20MEM%20vs%20Config%20manager%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2154505%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20new%20to%20Microsoft%20Bitlocker%2C%20currently%20we%20use%20McAfee%20to%20manage%20and%20encrypt%20our%20devices%2C%20however%2C%20the%20plan%20is%20to%20move%20all%20devices%20to%20Microsoft%20and%20manage%20them%20via%20Intune%2FMEM%26nbsp%3B%20in%20a%20few%20months.%20I'm%20running%20into%20issues%20with%20Bitlcoker%20policies%2C%20they%20are%20not%20getting%20applied%20properly%20when%20applied%20from%20Intune%2FMEM.%3C%2FP%3E%3CP%3EMicrosoft%20support%20is%20recommending%20that%20I%20should%20consider%20using%20a%20standalone%20%22MBAM%22.%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20SCCM%20(Config%20manager)%20in%20place%20and%20our%20systems%20are%20co-managed.%20Our%20workload%20has%20been%20configured%20for%20Intune%5CMEM%20to%20manage%20%22Endpoint%20protection%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestions%3A%3C%2FP%3E%3CP%3E1)%20Should%20I%20use%20SCCM%20(config%20manager)%20just%20for%20%22Bitlocker%22%20and%20disable%20%22Bitlocker%22%20policy%20in%20Intune%5CMEM%3F%3C%2FP%3E%3CP%3E2)%20Manage%20%22Bitlocker%22%20policy%20from%20Intune%5CMEM%20only%3F%3C%2FP%3E%3CP%3E3)%20Setup%20a%20standalone%20MBAM%20to%20manage%20%22Bitlcoker%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYour%20help%20is%20much%20appreciated%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2154505%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EManaging%20Bitlocker%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2156572%22%20slang%3D%22en-US%22%3ERe%3A%20Managing%20Bitlocker%20from%20MEM%20vs%20Config%20manager%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2156572%22%20slang%3D%22en-US%22%3E%3CP%3EBitlocker%20policy%20via%20Intune%20is%20supported%20for%20co-managed%20device%2C%20ideally%20it%20should%20be%20working%20for%20you.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20What%20is%20the%20status%20of%20Intune%20Bitlocker%20policy%20on%20Intune%20admin%20UI%20for%20this%20test%20device%3F%20what%20is%20the%20error.%3C%2FP%3E%3CP%3E2)%20Can%20you%20share%20Bitlocker%20policy%20configuration%20screenshots%3F%20Most%20likely%20there%20could%20be%20a%20conflict%20in%20the%20configuration%20you%20did.%3C%2FP%3E%3CP%3E3)%20On%20the%20Intune%20console%20%26gt%3B%20devices%20%26gt%3B%20Select%20the%20device%20%26gt%3B%20does%20it%20show%20device%20is%20healthy%20and%20managed%20by%20SCCM%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I'm new to Microsoft Bitlocker, currently we use McAfee to manage and encrypt our devices, however, the plan is to move all devices to Microsoft and manage them via Intune/MEM  in a few months. I'm running into issues with Bitlcoker policies, they are not getting applied properly when applied from Intune/MEM.

Microsoft support is recommending that I should consider using a standalone "MBAM". 

We have SCCM (Config manager) in place and our systems are co-managed. Our workload has been configured for Intune\MEM to manage "Endpoint protection".

 

Questions:

1) Should I use SCCM (config manager) just for "Bitlocker" and disable "Bitlocker" policy in Intune\MEM?

2) Manage "Bitlocker" policy from Intune\MEM only?

3) Setup a standalone MBAM to manage "Bitlcoker"?

 

Your help is much appreciated

 

 

 

 

 

3 Replies

Bitlocker policy via Intune is supported for co-managed device, ideally it should be working for you.

 

1) What is the status of Intune Bitlocker policy on Intune admin UI for this test device? what is the error.

2) Can you share Bitlocker policy configuration screenshots? Most likely there could be a conflict in the configuration you did.

3) On the Intune console > devices > Select the device > does it show device is healthy and managed by SCCM?

Hi @Pa_D 

 

Please see below:

 

1) Status showing Active now, I had to enabled bitlocker manually on system by right click. 

but user never received any prompt in notification center.

.................

ERROR: An error occurred (code 0x80310066):

Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option.

NOTE: If the -on switch has failed to add key protectors or start encryption,

 

2) 

Sohel_0-1614021794713.png

 

3)  Device is co-managed (SCCM\Intune)... see below:

Sohel_1-1614021994144.png

 

 I was able to push same policy from Intune to 3 other test system, and they all worked well, except this device, which belong to a user and where encryption pop-up never showed up?

Since we are at initial state and have SCCM already in our environment - do you think I should consider SCCM and not Intune for Bitlocker? my biggest concern is I don't want to run into same situaion when we enable it on 2000+ users.

 

Thanks again.

 

 

 

 

 

 

 

@Sohel 

 

1) Where are you seeing this error message? On Intune admin console or event logs on PC?

ERROR: An error occurred (code 0x80310066):

Group policy does not permit the use of TPM-only at startup. Please choose a different BitLocker startup option.

NOTE: If the -on switch has failed to add key protectors or start encryption,

 

2) Do you also have GPO policy for Bitlocker deployed to this PC?

 

3) Does this PC in question, have TPM chip?