Hello everyone, thank you all for your replies.
This is occurring consistently on a HP ZBook Firefly G7 and a Dell Latitude 7390 using bare-metal rebuilds from USB boot media configured with the latest driver pack for each device. Before each rebuild all traces of the laptops are purged from MEM, from Devices, Device Enrolment, and Azure AD -> Devices.
Some key facts from my testing:
- This is a Azure AD environment, not Hybrid
- Sometimes - not consistently - BitLocker will enable during OOBE during the Get-AutoPilotInfo -Assign stage - i.e. before the White Glove profile is assigned to the device. This is in AES-128 Used-Space only mode. Reading some information on the Microsoft site, this can occur during OOBE when a user signs in with a Microsoft or Azure account. The only way to stop this is to add the following lines to the autounattend.xml file on the USB stick:
<settings pass="oobeSystem">
<component name="Microsoft-Windows-SecureStartup-FilterDriver" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<PreventDeviceEncryption>true</PreventDeviceEncryption>
</component>
</settings>
- This seems to ignore the Device Restriction policy setting Do Not Enable BitLocker during AADJ Join, which I have assigned to All Devices
- I am using Windows 10 Enterprise 21H1 X64
- The only BitLocker settings now are under Endpoint Protection - Disk Encryption now, aside from the Device Restriction setting above
- Consistently the autopilot procedure will complete, signing in as a Standard User without enabling BitLocker. As soon as I 'Switch User' to an account with Admin rights, automatic encryption begins, in the correct AES-XTS 256 Full Disk mode.
I hope that this information is helpful, and I am grateful for any assistance or guidance you can provide.
