Suppress BitLocker Drive Choices on AADJ Machines


Hi All

 

We are deploying BitLocker to Azure AD Joined AutoPilot devices via Intune.

 

All is well, except BitLocker is prompting users about drives.

 

Is there any way to hide this notification?

 

Info appreciated


@Stuart King 

 

It depends on your configuration; here is mine:

Rudy_Ooms_2-1619534528641.png

 

Rudy_Ooms_3-1619534540137.png

Rudy_Ooms_4-1619534570083.png

Rudy_Ooms_5-1619534600298.png

Rudy_Ooms_6-1619534631280.png

Rudy_Ooms_7-1619534649730.png

 

Another possibility would be a PowerShell script to enable BitLocker. The only downside: key rotation is not configured in this script, but with the scheduled task you can be fairly sure BitLocker is going to be enabled.

 

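# Inner script, run at every logon as SYSTEM by the scheduled task registered
# below. It brings the OS drive to "fully encrypted, protection on" and escrows
# the recovery password to Azure AD. It is a single-quoted here-string, so
# nothing inside it is expanded by this outer script.
$content = @'
# Drive to protect; kept as a single variable so the script can be reused for
# another mount point.
$Drive = 'C:'

# Escrow every recovery-password protector of $MountPoint to Azure AD.
# BackupToAAD-BitLockerKeyProtector only accepts a RecoveryPassword protector,
# so the protector is selected by type instead of by position: the original
# used KeyProtector[1], which silently picks the wrong protector (or $null)
# whenever the protector order differs.
function Backup-RecoveryPasswordToAAD {
    param([string]$MountPoint)
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        # A volume with only a TPM protector has nothing to escrow; add one.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $volume   = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($protector in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
    }
}

# Query only the target drive; the original queried all volumes, so the
# property comparisons below ran against an array on multi-volume machines.
$BLinfo = Get-BitLockerVolume -MountPoint $Drive

if ($BLinfo.EncryptionPercentage -ne 100 -and $BLinfo.EncryptionPercentage -ne 0) {
    # Encryption started but is paused: let it finish and escrow the key.
    Resume-BitLocker -MountPoint $Drive
    Backup-RecoveryPasswordToAAD -MountPoint $Drive
}
if ($BLinfo.VolumeStatus -eq 'FullyEncrypted' -and $BLinfo.ProtectionStatus -eq 'Off') {
    # Encrypted but protection suspended: re-enable protection and escrow.
    Resume-BitLocker -MountPoint $Drive
    Backup-RecoveryPasswordToAAD -MountPoint $Drive
}
if ($BLinfo.EncryptionPercentage -eq 0) {
    # Not encrypted yet: start encryption with a recovery-password protector.
    # NOTE(review): this adds only a recovery-password protector; confirm that a
    # TPM protector is added as well (by policy or Add-BitLockerKeyProtector
    # -TpmProtector), otherwise the recovery password may be requested at boot.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector
    Backup-RecoveryPasswordToAAD -MountPoint $Drive
}
'@

# Create the script folder, then write the inner script exactly once. The
# original wrote the file before creating the folder, which fails on a fresh
# device where C:\ProgramData\CustomScripts does not exist yet.
$path       = Join-Path $env:ProgramData 'CustomScripts'
$scriptPath = Join-Path $path 'enablebitlocker.ps1'
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
# NOTE(review): a folder created under ProgramData inherits an ACL that can let
# standard users create files in it; because the task below executes this
# script as SYSTEM, confirm the folder and file ACLs are limited to
# SYSTEM/Administrators before deploying.
Out-File -FilePath $scriptPath -Encoding unicode -Force -InputObject $content -Confirm:$false

# Register the script as a scheduled task running as SYSTEM at every logon and
# start it once immediately so encryption does not wait for the next logon.
$Time   = New-ScheduledTaskTrigger -AtLogOn
$User   = 'SYSTEM'
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
Register-ScheduledTask -TaskName 'EnableBitlocker' -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName 'EnableBitlocker'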

 

 

 

 

 

 

Hello @Stuart King !

 

Hello, I have recently created a blog post series about moving BitLocker management to MEM.
I am sure it will set you on the right track.

 

You will find part one of three here:

https://www.nicklasahlberg.se/2021/04/04/move-bitlocker-management-to-microsoft-endpoint-manager-par... 

 

//Nicklas