Forum Discussion

StuartK73
Iron Contributor
Apr 27, 2021

Suppress BitLocker Drive Choices on AADJ Machines

Hi All

We are deploying BitLocker to Azure AD Joined AutoPilot devices via Intune.

All is well, except BitLocker is prompting users about drives.

Any way to hide this notification?

Info appreciated

2 Replies

  • Hello StuartK73!

    Hello, I have recently created a blog post series about moving BitLocker management to MEM.
    I am sure this will set you on the right track.

    You will find part one of three here:

    https://www.nicklasahlberg.se/2021/04/04/move-bitlocker-management-to-microsoft-endpoint-manager-part-1/

    //Nicklas


  • StuartK73

    It depends on your configuration; here is mine:

    Another possibility would be a PowerShell script to enable BitLocker. The only downside: key rotation is not configured in this script, but with the scheduled task you are pretty sure BitLocker is going to be enabled.


    $content = @'
    # Runs as SYSTEM at every logon (see the scheduled task below). Only the OS volume is handled.
    $BLinfo = Get-BitLockerVolume -MountPoint "C:"

    # Escrow the recovery password protector(s) to Azure AD. The protector is selected by type
    # rather than by array position, because the order of KeyProtector is not guaranteed.
    function Backup-RecoveryPasswordToAAD {
        $BLV = Get-BitLockerVolume -MountPoint "C:"
        $recovery = $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($p in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $p.KeyProtectorId
        }
    }

    # Encryption was started earlier but is not finished: make sure it continues and escrow the key.
    if ($BLinfo.EncryptionPercentage -ne 100 -and $BLinfo.EncryptionPercentage -ne 0) {
        Resume-BitLocker -MountPoint "C:"
        Backup-RecoveryPasswordToAAD
    }

    # Volume is fully encrypted but protection is suspended: re-enable it and escrow the key.
    if ($BLinfo.VolumeStatus -eq 'FullyEncrypted' -and $BLinfo.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint "C:"
        Backup-RecoveryPasswordToAAD
    }

    # Volume is not encrypted at all: enable BitLocker without any user interaction and escrow the key.
    if ($BLinfo.EncryptionPercentage -eq 0) {
        Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
        Backup-RecoveryPasswordToAAD
    }
    '@

    # create the custom folder first, then write the script into it
    $path = Join-Path $env:ProgramData 'CustomScripts'
    if (!(Test-Path $path)) {
        New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
    }
    $scriptFile = Join-Path $path 'enablebitlocker.ps1'
    Out-File -FilePath $scriptFile -Encoding unicode -Force -InputObject $content -Confirm:$false

    # register the script as a scheduled task running as SYSTEM at logon, then run it once right away
    $Time   = New-ScheduledTaskTrigger -AtLogOn
    $User   = "SYSTEM"
    $Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"$scriptFile`""
    Register-ScheduledTask -TaskName "EnableBitlocker" -Trigger $Time -User $User -Action $Action -Force
    Start-ScheduledTask -TaskName "EnableBitlocker"
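As an added example that is not part of this thread or of Nicklas's blog series: a PowerShell check, usable as an Intune detection or compliance script, that confirms the end state the scheduled task above is meant to reach. It assumes the OS volume is C:, that the desired state is XtsAes256 with a TPM protector plus a recovery password, and that event 845 in the BitLocker Management log marks a successful backup of recovery information to Azure AD.

```powershell
# Added example (not from the thread). Exit 0 = compliant, 1 = not compliant.
# Assumptions: OS volume is C:, desired state is XtsAes256 + TPM protector + recovery
# password, and event 845 in the BitLocker Management log = backed up to Azure AD.
function Test-OsVolumeBitLockerState {
    param(
        [string]$MountPoint = 'C:',
        [int]$LookbackDays = 30
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector)

    # Select protectors by type, not by array position; the order is not guaranteed.
    $recovery = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $tpm      = @($protectors | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Event 845 records a successful backup of recovery information to Azure AD.
    $escrowEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
            Id        = 845
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction SilentlyContinue)

    $checks = [ordered]@{
        FullyEncrypted      = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        XtsAes256           = ($vol.EncryptionMethod -eq 'XtsAes256')
        TpmProtectorPresent = ($tpm.Count -ge 1)
        RecoveryPwdPresent  = ($recovery.Count -ge 1)
        EscrowedToAzureAD   = ($escrowEvents.Count -ge 1)
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = -not (@($checks.Values) -contains $false)
        Checks     = $checks
    }
}

$result = Test-OsVolumeBitLockerState
$result.Checks.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }
if ($result.Compliant) { exit 0 } else { exit 1 }
```

The escrow check only proves that a backup succeeded within the look-back window, not that it covered the current recovery password, so pair it with the Azure AD device record when investigating a device.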
