BitLocker
9 Topics

Windows 10 Home - Device Encryption - Can I turn on without a Microsoft account
Hello, Happy Friday! 🙂 I would like to turn on BitLocker Device Encryption with an offline Administrator account, but I am asked to sign in with a Microsoft account instead. May I know how I can bypass signing in to the Microsoft online account? Any information is welcome. 🙂
Model: Surface Go 3
OS: Windows 10 Home (No S)
Error message: You need a Microsoft account to finish encrypting this device.
Best regards, Fung
5.5K Views, 1 like, 8 Comments

Enable Bitlocker on devices without TPM - Standard Users
Hello, We are in the process of migrating our drive encryption solution to BitLocker. We successfully migrated the majority of our clients with TPM to BitLocker by using Intune configuration profiles. The issue we are facing now is that we need to enable BitLocker on devices without TPM. Users are not local admins, so they cannot complete the BitLocker wizard. I have played around with different Intune profiles, encryption policies and custom OMA-URI, but the closest I get is through the first prompt regarding 3rd-party encryption, and then I get a UAC prompt to elevate. Is there a configuration that allows me to enable BitLocker on devices that do not have TPM, without requiring IT to manually touch each device? Some screenshots of settings below... I have tried with "Compatible TPM Startup" as Blocked / Not Configured / Allowed...
2.2K Views, 0 likes, 3 Comments

Intune Bitlocker for USB/external drive (Missing policy for Azure AD Join scenario)
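For the thread above, "Enable Bitlocker on devices without TPM - Standard Users": the UAC prompt appears because the wizard runs in the user's context, whereas an Intune PowerShell script or Proactive Remediation runs as SYSTEM and needs no elevation. The following is an added example, not code from the thread or from Microsoft. It assumes the device is Azure AD joined (for BackupToAAD-BitLockerKeyProtector), that the initial pre-boot password passed in $InitialPassword is handed to the user out of band, and that writing the FVE policy values directly (the same values the "Require additional authentication at startup" GPO sets) is acceptable in your environment.

```powershell
# Added example: enable BitLocker on an OS drive with no TPM from a SYSTEM context.
# Assumptions (see lead-in): Azure AD joined device, $InitialPassword distributed out of band.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][securestring]$InitialPassword,
    [string]$MountPoint = 'C:'
)

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Registry equivalent of "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked (2 = Allowed for the TPM options).
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$MountPoint is already protected; nothing to do."
    return
}

# Use the TPM when one is present and ready; otherwise fall back to a pre-boot password.
$tpmReady = $false
try { $tpmReady = [bool](Get-Tpm).TpmReady } catch { $tpmReady = $false }

if ($tpmReady) {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null
} else {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $InitialPassword -SkipHardwareTest | Out-Null
}

# Always add a recovery password and escrow it before the user can be locked out.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}
Write-Output "BitLocker enabled on $MountPoint; recovery password escrowed to Azure AD."
```

A password protector on the OS drive means the user types that password before Windows boots, so the script does nothing to get it to them; a startup key on USB (-StartupKeyProtector) is the alternative the same policy allows. Deploy the script with "Run this script using the logged on credentials" set to No so it runs as SYSTEM.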
When we enable the Intune policy "Block write access to devices configured in another organization" in the Intune BitLocker policy, we also need to deploy an on-prem GPO policy, "Provide unique identifier for your organization". This will allow the PC to differentiate the org it belongs to. The GPO policy "Provide unique identifier for your organization" is missing in Intune. Because of this we cannot use the Intune policy "Block write access to devices configured in another organization". Looking for suggestions how we implement "Block write access to devices configured in another organization" in Intune for Azure AD Join (not hybrid domain join)?
1.2K Views, 0 likes, 0 Comments

Domain joined BitLocker recovery ID not updating in AD but is in MECM
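For the thread above, "Intune Bitlocker for USB/external drive (Missing policy for Azure AD Join scenario)": the GPO "Provide the unique identifiers for your organization" writes three values under the FVE policy key, and those values can be delivered to an Azure AD joined device by an Intune script even when the Settings Catalog has no matching setting. The following detection/remediation script is an added example, not from the thread or from Microsoft. It assumes the identifier "CONTOSO-BL" is a placeholder for your own string, that the script runs as SYSTEM, and that writing the policy registry values directly is acceptable to you.

```powershell
# Added example: Proactive Remediation style detect/remediate for the BitLocker
# identification field. "CONTOSO-BL" is a placeholder; replace it with your identifier.
param([switch]$Remediate)

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    IdentificationField          = @{ Value = 1;            Type = 'DWord'  }  # policy enabled
    IdentificationFieldString    = @{ Value = 'CONTOSO-BL'; Type = 'String' }  # stamped on drives encrypted from now on
    SecondaryIdentificationField = @{ Value = 'CONTOSO-BL'; Type = 'String' }  # identifiers accepted for write access
}

function Test-FvePolicy {
    # Returns the names of values that are missing or differ from $expected.
    $drift = @()
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $expected[$name].Value) { $drift += $name }
    }
    return $drift
}

$drift = Test-FvePolicy
if ($drift.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}

if (-not $Remediate) {
    Write-Output "Non-compliant: $($drift -join ', ')"
    exit 1   # non-zero exit tells Proactive Remediations to run the remediation script
}

if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in $drift) {
    New-ItemProperty -Path $fve -Name $name -Value $expected[$name].Value `
        -PropertyType $expected[$name].Type -Force | Out-Null
}
Write-Output "Remediated: $($drift -join ', ')"
```

The identifier is written to a drive only when BitLocker is turned on for it, so removable drives encrypted before the policy arrived still carry no identifier and will be treated as foreign; `manage-bde -SetIdentifier <drive>:` stamps an existing drive. Run the script without -Remediate as the detection script and with -Remediate as the remediation script, and pair it with the "Block write access to devices configured in another organization" setting that Intune already exposes.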
Hi fellow professionals. I have a question regarding BitLocker key recovery in AD. On-premises AD is based on 2008 R2, the MECM environment is 1910 and Windows 10 is on 1909.

I am working with a client who is seeing inconsistent recovery keys being updated into AD, and it seems to be intermittent. Devices can be either on the corporate network or using a VPN. What they are finding is that if they need to recover the key, it won't always update the value in AD. The devices are also managed by ConfigMgr (MECM), and recovery can also be performed by Microsoft BitLocker Administration and Monitoring. If the recovery is performed here, it successfully writes the drive recovery key into the MECM database.

During the OSD build there is a MECM task sequence to enable BitLocker and enable the key recovery into AD. This first key after the OSD build seems to always appear in AD; it's the subsequent ones where it changes. My understanding is that once you set up MECM BitLocker, and following post-build of Windows 10 the ConfigMgr client is installed and receiving MECM policies, the MECM BitLocker feature then takes over.

I am just puzzled why the recovery key writes successfully for some devices and not others. I thought it may be because the client doesn't have a CMG and it is unable to write the keys to AD over VPN; however, it appears to occur for corporate devices as well. If anyone could clarify this it would be greatly appreciated. Thanks
1.5K Views, 0 likes, 0 Comments

Setup and configure Bit locker network unlock remotely
Hi fellow members, This is a question for anyone who has set up and configured the BitLocker Network Unlock feature. I have been asked to set this up in my enterprise; however, with COVID-19 I am working remotely. For anyone who has done this already, is it possible to do all the configuration and testing of this remotely, or will I need to be in the office? I am thinking that whilst the server configuration I could do remotely, my question would be how I would test it. So I will be following this article: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#:~:text=%20Configure%20Network%20Unlock%20%201%20Install%20the,properly%20configured%20Active%20Directory%20Services%20Certification...%20More%20 Any thoughts on this would be most appreciated. Thanks
1.5K Views, 0 likes, 1 Comment

BitLocker backup to cloud domain error id 846 access denied
Hi everyone, Weird story: We have close to 100 workgroup laptops which are managed in SCCM (ICBM). We want to move them to Intune only, without CMG. They all have BitLocker enabled on them. Here is what we do:
1. Uninstall SCCM client
2. Change OS from Education to Pro
3. Join to Azure with the laptop owner's user account
4. Back up the BitLocker recovery key to cloud
5. Set user as standard user.
Most of these laptops are 1803 and we want them to be upgraded via Intune. After 15 successful laptops, a laptop was unable to back up to domain cloud. Checking with Google I found out that an event log folder named BitLocker-API contains all the information about the BitLocker encryption process. I found error 846 detailing "Access Denied". My Google search found nothing so far. I decided to manually upgrade to 1909 and got the same result in my BitLocker. I then attempted to disconnect from Azure, delete the computer from both Intune and Azure and rejoin to Azure. This time I got both the "Can't backup to domain cloud" and "Your Active Directory domain schema isn't configured" ??? I am at a loss, I can't reset the computer because of the Corona Virus. Any help would be appreciated. Rahamim.
1.8K Views, 0 likes, 0 Comments

Bitlocker Encryption still running at 128kb instead of the required 256kb.
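For the two threads above on key escrow, "Domain joined BitLocker recovery ID not updating in AD but is in MECM" and "BitLocker backup to cloud domain error id 846 access denied": the quickest way to separate "the key was never sent" from "the backup was attempted and rejected" is to re-submit every recovery password from the device and then read the result events the BitLocker management log records. The following is an added example, not code from either thread or from Microsoft. It assumes the script runs elevated or as SYSTEM; -Target AD assumes a domain-joined device whose computer account may create msFVE-RecoveryInformation objects under itself, and -Target AAD assumes an Azure AD joined or registered device.

```powershell
# Added example: re-escrow all recovery passwords and show the AD DS backup result events.
param(
    [ValidateSet('AD', 'AAD')][string]$Target = 'AD',
    [int]$Hours = 1
)

function Backup-AllRecoveryPasswords {
    param([string]$Target)
    $results = @()
    foreach ($vol in Get-BitLockerVolume) {
        $rps = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $rps) {
            try {
                if ($Target -eq 'AD') {
                    # Writes an msFVE-RecoveryInformation child object under the computer account.
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                } else {
                    # Posts the recovery password to the device's Azure AD object.
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                }
                $outcome = 'Submitted'
            } catch {
                $outcome = $_.Exception.Message
            }
            $results += [pscustomobject]@{
                Volume      = $vol.MountPoint
                ProtectorId = $kp.KeyProtectorId
                Result      = $outcome
            }
        }
    }
    return $results
}

function Get-BitLockerBackupEvents {
    param([int]$Hours)
    # 845 = recovery information backed up to AD DS; 846 = backup to AD DS failed
    # (the message carries the error text, e.g. "Access is denied").
    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

Backup-AllRecoveryPasswords -Target $Target | Format-Table -AutoSize
Get-BitLockerBackupEvents -Hours $Hours | Format-Table -AutoSize -Wrap
```

Read the output in pairs: a "Submitted" result with no 845 within the window means the client never reached a writable domain controller (the VPN case in the first thread), while a prompt 846 means it did and was refused, which on a domain-joined device points at the computer account's permissions on its own object rather than at connectivity. On a workgroup or Azure AD only device, a "domain schema" message means the AD DS path was attempted at all; the escrow target should be Azure AD there, so check which store the applied policy points at before chasing permissions.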
Hi, Hopefully I have put this in the correct forum 🙂 We use SCCM and have created a Windows 10 deployment which should set BitLocker encryption to 256KB, but instead it's setting it to 128KB. The step to change the encryption is set in the build sequence. It's not Group Policy that is affecting it, as it's occurring well before then, at build. Does anyone have any suggestions what it could be? I will post this on the Microsoft Endpoint Manager forum in case it's best answered there. Many Thanks
577 Views, 1 like, 0 Comments

The files under some folders cannot open after re-install OS
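For the thread above, "Bitlocker Encryption still running at 128kb instead of the required 256kb.": the cipher is fixed at the moment a volume is first encrypted, so a policy or task-sequence setting that arrives after the disk was pre-provisioned has no effect, and the only way to move an encrypted volume from AES-128 to XTS-AES 256 is to decrypt it and encrypt it again. The following is an added example, not code from the thread or from Microsoft. It assumes the script runs elevated, that the OS volume can be protected with the TPM, and that a full decrypt/re-encrypt of the drive is acceptable.

```powershell
# Added example: report the cipher in use per volume and, on request, re-encrypt the OS volume
# with XTS-AES 256. Assumes elevation, a TPM, and that a full decrypt/re-encrypt is acceptable.
param([switch]$Reencrypt, [string]$MountPoint = 'C:')

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# DWORD values of "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)":
# 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
$xtsAes256 = 7

function Get-CipherReport {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod,
        @{ n = 'Compliant'; e = { $_.EncryptionMethod -eq 'XtsAes256' } }
}

function Set-CipherPolicy {
    # OS, fixed data and removable data drives each have their own policy value.
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        New-ItemProperty -Path $fve -Name $name -Value $xtsAes256 -PropertyType DWord -Force | Out-Null
    }
}

$report = Get-CipherReport
$report | Format-Table -AutoSize

$os = $report | Where-Object MountPoint -eq $MountPoint
if ($Reencrypt -and $os -and -not $os.Compliant) {
    Set-CipherPolicy
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $status = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
    } until ($status -eq 'FullyDecrypted')
    # A new volume master key is generated here, so the method set now is the one that sticks.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Get-CipherReport | Where-Object MountPoint -eq $MountPoint | Format-Table -AutoSize
}
```

In a task sequence, look at whichever step encrypts the disk first (a pre-provision step in WinPE runs long before any "enable" step in the full OS) and set the method on that step; a later step or policy cannot change a volume that is already encrypted. The re-encrypt path above also drops the old recovery password, so re-escrow the new one to AD DS, Azure AD or ConfigMgr afterwards.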
I unlocked BitLocker; under some folders (not all), files are not allowed to be opened, moved or copied. The error message tells me I have no rights to do so, and there is a lock icon on those files and folders. I am sure that before re-installation of my system I could open all files after inputting the BitLocker password.
Update: I am 80% sure these encrypted files were protected by a pfx; I have the cert file but I cannot remember the import password.
Update: I found the import password too. Problem is solved.
1.7K Views, 0 likes, 7 Comments

Enforcing Bitlocker via GPO does not prevent users who are local admins from turning this off
I have set up BitLocker for my AD domain-joined Windows 10 Pro laptop clients to turn on BitLocker. I have even configured the recovery key to be stored against the machine name in ADUC. However, I have noticed there is nothing to stop local admins of the laptop from stopping BitLocker. Has anyone come across this, as once stopped, my GPO doesn't seem to force it back on? Any advice would be helpful.
1.1K Views, 0 likes, 0 Comments
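For the thread above, "Enforcing Bitlocker via GPO does not prevent users who are local admins from turning this off": the BitLocker GPOs define what protection must look like when it is turned on; nothing in them re-enables protection a local administrator has suspended or removed, and an administrator on the box can always undo whatever a script does. A check that runs as SYSTEM on a schedule (scheduled task, Intune Proactive Remediation or ConfigMgr baseline) is therefore a detective and corrective control, not a preventive one; the preventive control is taking local admin away. The following is an added example, not code from the thread or from Microsoft. It assumes a TPM is present, that the original protector set was TPM plus recovery password, and that key escrow is handled by whichever backup cmdlet matches your directory.

```powershell
# Added example: classify each volume's protection state and, with -Remediate, put it back.
# Assumes a TPM and a TPM + recovery password protector set; escrow is left to your directory.
param([switch]$Remediate)

function Get-ProtectionDrift {
    # Reduces the Get-BitLockerVolume fields to one state per volume:
    # Ok, Suspended (protectors disabled), Decrypting, Off (no protectors, plaintext), or the raw status.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } | ForEach-Object {
        $state = if ($_.ProtectionStatus -eq 'On') { 'Ok' }
                 elseif ($_.VolumeStatus -eq 'DecryptionInProgress') { 'Decrypting' }
                 elseif ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.KeyProtector.Count -gt 0) { 'Suspended' }
                 elseif ($_.VolumeStatus -eq 'FullyDecrypted' -and $_.KeyProtector.Count -eq 0) { 'Off' }
                 else { [string]$_.VolumeStatus }
        [pscustomobject]@{ MountPoint = $_.MountPoint; Type = [string]$_.VolumeType; State = $state }
    }
}

$drift = @(Get-ProtectionDrift | Where-Object State -ne 'Ok')
if ($drift.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
$drift | Format-Table -AutoSize
if (-not $Remediate) { exit 1 }   # detection-only run: non-zero exit flags the device

foreach ($d in $drift) {
    switch ($d.State) {
        'Suspended' {
            # Suspension keeps the key protectors; resuming re-arms them with no re-encryption.
            Resume-BitLocker -MountPoint $d.MountPoint | Out-Null
        }
        'Off' {
            if ($d.Type -eq 'OperatingSystem') {
                Enable-BitLocker -MountPoint $d.MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                    -TpmProtector -SkipHardwareTest | Out-Null
                Add-BitLockerKeyProtector -MountPoint $d.MountPoint -RecoveryPasswordProtector | Out-Null
                # Escrow the new recovery password here with Backup-BitLockerKeyProtector (AD DS)
                # or BackupToAAD-BitLockerKeyProtector (Azure AD) before the next reboot.
            }
        }
        'Decrypting' {
            Write-Warning "$($d.MountPoint) is still decrypting; re-enable once VolumeStatus is FullyDecrypted."
        }
    }
}
```

Run it without -Remediate as the detection script and with -Remediate as the remediation script; the exit codes are the ones Proactive Remediations expects. Because a fresh Enable-BitLocker generates a new recovery password, the old one stored in ADUC no longer unlocks the drive, which is why the escrow step is called out in the code.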