Microsoft Tech Community

Suppress BitLocker Drive Choices on AADJ Machines


Hi All


We are deploying BitLocker to Azure AD Joined AutoPilot devices via Intune.


All is well, except BitLocker is prompting users about drives.


Any way to hide this notification?


Info appreciated

2 Replies

@Stuart King 


It depends on your configuration, here is mine:

[image: Rudy_Ooms_2-1619534528641.png]

Another possibility would be a PowerShell script to enable BitLocker. The only downside: key rotation is not configured in this script, but with the scheduled task you are pretty sure BitLocker is going to be enabled.


$content = @'
# Runs as SYSTEM at logon: resume a suspended drive, finish or start encryption,
# and escrow the recovery password to Azure AD.
$BLinfo = Get-BitLockerVolume -MountPoint "C:"

# Escrow every RecoveryPassword protector instead of assuming it sits at index 1
function Backup-RecoveryPassword {
    $BLV = Get-BitLockerVolume -MountPoint "C:"
    $BLV.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $_.KeyProtectorId
    }
}

# Encryption was started but never finished (e.g. paused): resume and escrow
if ($BLinfo.EncryptionPercentage -ne 100 -and $BLinfo.EncryptionPercentage -ne 0) {
    Resume-BitLocker -MountPoint "C:"
    Backup-RecoveryPassword
}

# Fully encrypted but protection suspended: re-enable the protectors and escrow
if ($BLinfo.VolumeStatus -eq 'FullyEncrypted' -and $BLinfo.ProtectionStatus -eq 'Off') {
    Resume-BitLocker -MountPoint "C:"
    Backup-RecoveryPassword
}

# Not encrypted at all: enable with a recovery password, add the TPM protector so
# the drive unlocks at boot without prompting, then escrow
if ($BLinfo.EncryptionPercentage -eq 0) {
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
    Add-BitLockerKeyProtector -MountPoint "C:" -TpmProtector
    Backup-RecoveryPassword
}
'@

# create custom folder and write PS script
$path = Join-Path $env:ProgramData CustomScripts
if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
Out-File -FilePath (Join-Path $path enablebitlocker.ps1) -Encoding unicode -Force -InputObject $content

# register script as scheduled task, running as SYSTEM at every logon
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\enablebitlocker.ps1`""
Register-ScheduledTask -TaskName "EnableBitlocker" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "EnableBitlocker"
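A read-only companion to the script above, added here as an example and not part of the reply or of any Microsoft tooling: it reports the state the enablement script branches on (encryption percentage, volume and protection status), which key protectors exist, and whether the recovery password actually reached Azure AD. It assumes the OS drive is C: and relies on the BitLocker Management event log recording ID 845 on a successful Azure AD backup and 846 on a failed one; the helper name Get-BitLockerAuditReport is my own.

```powershell
# Added example (not from the thread): audit the OS drive's BitLocker state and the
# Azure AD escrow events the enablement script depends on. Run elevated; changes nothing.
# Assumptions: OS drive is C:; event IDs 845 (escrow succeeded) / 846 (escrow failed)
# in the Microsoft-Windows-BitLocker/BitLocker Management log.
#Requires -RunAsAdministrator

function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Protector inventory: silent unlock needs a Tpm protector, escrow needs a RecoveryPassword
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Most recent Azure AD escrow event for this volume (845 = success, 846 = failure)
    $escrow = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($MountPoint) } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1

    $findings = New-Object System.Collections.Generic.List[string]
    if ($null -eq $tpm -or -not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings.Add('TPM not present or not ready; silent enablement will not succeed.')
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted).")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add('Protection is Off (suspended or never enabled); data is readable offline.')
    }
    if ('Tpm' -notin $types) {
        $findings.Add('No TPM protector: the user would be prompted for the recovery password at boot.')
    }
    if ($recoveryProtectors.Count -eq 0) {
        $findings.Add('No RecoveryPassword protector: nothing can be escrowed to Azure AD.')
    }
    if ($null -eq $escrow) {
        $findings.Add('No Azure AD escrow event (845/846) found for this volume.')
    } elseif ($escrow.Id -eq 846) {
        $findings.Add("Last Azure AD escrow attempt failed at $($escrow.TimeCreated).")
    }

    [pscustomobject]@{
        MountPoint           = $MountPoint
        TpmReady             = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionMethod     = $vol.EncryptionMethod
        KeyProtectorTypes    = ($types -join ',')
        RecoveryProtectorIds = ($recoveryProtectors.KeyProtectorId -join ',')
        LastEscrowEvent      = if ($escrow) { "$($escrow.Id) at $($escrow.TimeCreated)" } else { 'none' }
        Compliant            = ($findings.Count -eq 0)
        Findings             = ($findings -join ' ')
    }
}

Get-BitLockerAuditReport | Format-List
```

Run it before and after the scheduled task fires: a device that shows ProtectionStatus On, both Tpm and RecoveryPassword protectors and a last escrow event of 845 is in the state the enablement script is trying to reach; anything listed under Findings is the branch that still has to run, or the reason Intune's own key backup is not landing.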







Hello @Stuart King !


Hello, I have recently created a blog post series about moving Bitlocker management to MEM.
I am sure this will set you on the right track.


You will find part one of three here: