Bitlocker Encryption
4 Topics

Bitlocker D drive and Recovery after Restart
Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive. The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user has to enter the recovery key to use the device. I need some more understanding of the policy template settings to see what could be causing those behaviors.

Current policy settings for reference:

BitLocker
- Require Device Encryption: Enabled
- Allow Warning For Other Disk Encryption: Disabled
- Allow Standard User Encryption: Enabled
- Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
  - Select the encryption method for removable data drives: AES-CBC 128-bit (default)
  - Select the encryption method for operating system drives: XTS-AES 128-bit (default)
  - Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
- Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
- Enforce drive encryption type on operating system drives: Enabled
  - Select the encryption type: (Device) Full encryption
- Require additional authentication at startup: Disabled
- Configure minimum PIN length for startup: Not configured
- Allow enhanced PINs for startup: Not configured
- Disallow standard users from changing the PIN or password: Not configured
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
- Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
- Choose how BitLocker-protected operating system drives can be recovered: Enabled
  - Omit recovery options from the BitLocker setup wizard: False
  - Allow data recovery agent: False
  - Allow 256-bit recovery key
  - Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
  - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
  - Save BitLocker recovery information to AD DS for operating system drives: True
  - Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
- Configure pre-boot recovery message and URL: Enabled
  - Select an option for the pre-boot recovery message: Use default recovery message and URL
  - Custom recovery URL option:
  - Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
- Enforce drive encryption type on fixed data drives: Enabled
  - Select the encryption type: (Device) Full encryption
- Choose how BitLocker-protected fixed drives can be recovered: Enabled
  - Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
  - Allow data recovery agent: True
  - Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
  - Allow 256-bit recovery key
  - Save BitLocker recovery information to AD DS for fixed data drives: True
  - Omit recovery options from the BitLocker setup wizard: True
  - Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
- Deny write access to fixed drives not protected by BitLocker: Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Control use of BitLocker on removable drives: Not configured
- Deny write access to removable drives not protected by BitLocker: Not configured

Review + save

1.1K Views | 0 likes | 3 Comments

Endpoint security - Device encryption policy shows error
Hi all, I have around 100 new HP EliteBooks which I want to configure with BitLocker. We would like to accomplish this in the Endpoint security section and created a Device encryption policy according to this article: Best Practices for Deploying BitLocker with Intune | Petri. I have the issue that in Intune it shows that the policy has an error. When I click on the error, everything shows successful (see printscreen intune1). When I check the report, I have, as far as I can say, everything correct there for my test device (see printscreen Intune2). When I check on the device I see that only the used space is encrypted (see printscreen bitlocker). Does anybody know how I could correct the error, and also, is it the recommended configuration to have only the used space encrypted? Many thanks for your feedback. Best regards, Marc

Solved | 6K Views | 0 likes | 8 Comments

Microsoft Bitlocker Management from Intune
Howdy Folks! I guess everyone is doing well with Microsoft, as all of you might have got inspired much from the session held last week in Las Vegas (Microsoft Inspire)!! Though I missed it badly as I didn't get a chance to visit, the questions keep peeping in my head!! Now to the BitLocker issue, where I guess someone can answer this as well. My query is straight: I need to disable or hide this option of getting the Recovery Keys from the End User level, as it is vulnerable for the Admins to provide the Recovery Keys for the OS Encryption Disk, like given below with an example: Bitlocker Keys Available from end user level using myapps.microsoft.com. Is there any option from the administrator level in the Azure Portal to hide these Keys from the end user side?? Please help me out as the customer is seeking help for this!!

Solved | 10K Views | 0 likes | 12 Comments
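For the first two threads above (the D drive that stays unencrypted, the recovery screen at every boot, and used-space-only versus full encryption), this is the per-volume check a practitioner would run on one of the affected devices before touching the policy. It is an added diagnostic, not code from any of the posts; it assumes an elevated PowerShell session on an English-language Windows 10/11 device with the built-in BitLocker module and manage-bde, and the expected XTS-AES 128 method is taken from the first thread's policy.

```powershell
# Added diagnostic (not from the thread). Run elevated on the enrolled device.
# Compares what each volume actually has against what the Intune policy expects.
$expectedMethod = 'XtsAes128'   # first thread: XTS-AES 128-bit for OS and fixed drives

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Only manage-bde reports whether conversion was "Used Space Only" or full.
    # Assumption: English output; localized builds print a different label.
    $line = (manage-bde -status $vol.MountPoint | Select-String 'Conversion Status').Line
    $conv = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'unknown (localized output?)' }

    Write-Host "`n$($vol.MountPoint) [$($vol.VolumeType)]"
    Write-Host "  Status     : $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%), protection $($vol.ProtectionStatus)"
    Write-Host "  Method     : $($vol.EncryptionMethod)"
    Write-Host "  Conversion : $conv"
    Write-Host "  Protectors : $($types -join ', ')"

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$($vol.MountPoint): not encrypted, so the policy never applied to this volume"
        continue
    }
    if ($vol.EncryptionMethod -ne $expectedMethod) {
        Write-Warning "$($vol.MountPoint): method $($vol.EncryptionMethod) differs from policy ($expectedMethod)"
    }
    if ($conv -like 'Used Space Only*') {
        # The policy in the first thread asks for "(Device) Full encryption".
        Write-Warning "$($vol.MountPoint): used-space-only conversion, policy asks for full encryption"
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
        # With only a RecoveryPassword protector, every boot stops at the recovery screen.
        Write-Warning "$($vol.MountPoint): no TPM-based protector; the recovery password is the only boot unlock"
    }
    if ($vol.VolumeType -eq 'Data' -and -not ($vol.KeyProtector | Where-Object AutoUnlockProtector)) {
        Write-Warning "$($vol.MountPoint): no auto-unlock protector; the drive will prompt after sign-in"
    }
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning "$($vol.MountPoint): no 48-digit recovery password, so there is nothing to escrow"
    }
}
```

Compare the warnings against the Intune report for the same device: a volume that is FullyDecrypted or used-space-only on the device while the report says success points at the policy scope or encryption-type setting rather than at the escrow settings.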