Suppress BitLocker Drive Choices on AADJ Machines

Regular Contributor

Hi All

 

We are deploying BitLocker to Azure AD Joined AutoPilot devices via Intune.

 

All is well, except BitLocker is prompting users about drives.

 

Anyway to hide this notification?

 

Info appreciated

2 Replies

@Stuart King 

 

It depends on your configuration, here is mineRudy_Ooms_2-1619534528641.png

 

Rudy_Ooms_3-1619534540137.png

Rudy_Ooms_4-1619534570083.png

Rudy_Ooms_5-1619534600298.png

Rudy_Ooms_6-1619534631280.png

Rudy_Ooms_7-1619534649730.png

 

Another possibility would be a powershell script to enable bitlocker. The Only downside: key rotation is not configured in this script but with the scheduled task you are pretty sure bitlocker is going to be enabled

 

$content = @'
$BLinfo = Get-Bitlockervolume
if($BLinfo.EncryptionPercentage -ne '100' -and $BLinfo.EncryptionPercentage -ne '0'){
Resume-BitLocker -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
if($BLinfo.VolumeStatus -eq 'FullyEncrypted' -and $BLinfo.ProtectionStatus -eq 'Off'){
Resume-BitLocker -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
if($BLinfo.EncryptionPercentage -eq '0'){
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:" | select *
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId
}
'@

Out-File -FilePath "C:\ProgramData\CustomScripts\enablebitlocker.ps1" -Encoding unicode -Force -InputObject $content


# create custom folder and write PS script
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
Out-File -FilePath $(Join-Path $env:ProgramData CustomScripts\enablebitlocker.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

# register script as scheduled task
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\enablebitlocker.ps1`""
Register-ScheduledTask -TaskName "EnableBitlocker" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "EnableBitlocker"

 

 

 

 

 

 

Hello @Stuart King !

 

Hello, I have recently created a blog post series about moving Bitlocker management to MEM.
I am sure this will set you on the right track.

 

You will find part one of three here:

https://www.nicklasahlberg.se/2021/04/04/move-bitlocker-management-to-microsoft-endpoint-manager-par... 

 

//Nicklas