bitlocker encryption
9 Topics

Bitlocker PIN
Hello, I would like to know what your Bitlocker PIN policies are and how you approach them. Do you use a PIN that consists only of numbers, or a PIN that allows the use of characters such as upper and lower case letters, symbols, numbers, and spaces? I am asking this from the perspective of "user acceptance," but also as an additional layer of device security.

Bitlocker D drive and Recovery after Restart
Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive. The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user has to enter the recovery key to use the device. I need some more understanding of the policy template settings to see what could be causing those behaviors.

Current policy settings for reference:

BitLocker
Require Device Encryption: Enabled
Allow Warning For Other Disk Encryption: Disabled
Allow Standard User Encryption: Enabled
Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
    Select the encryption method for removable data drives: AES-CBC 128-bit (default)
    Select the encryption method for operating system drives: XTS-AES 128-bit (default)
    Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
Enforce drive encryption type on operating system drives: Enabled
    Select the encryption type: (Device) Full encryption
Require additional authentication at startup: Disabled
Configure minimum PIN length for startup: Not configured
Allow enhanced PINs for startup: Not configured
Disallow standard users from changing the PIN or password: Not configured
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
Choose how BitLocker-protected operating system drives can be recovered: Enabled
    Omit recovery options from the BitLocker setup wizard: False
    Allow data recovery agent: False
    Allow 256-bit recovery key
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
    Save BitLocker recovery information to AD DS for operating system drives: True
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
Configure pre-boot recovery message and URL: Enabled
    Select an option for the pre-boot recovery message: Use default recovery message and URL
    Custom recovery URL option:
    Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
Enforce drive encryption type on fixed data drives: Enabled
    Select the encryption type: (Device) Full encryption
Choose how BitLocker-protected fixed drives can be recovered: Enabled
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
    Allow data recovery agent: True
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
    Allow 256-bit recovery key
    Save BitLocker recovery information to AD DS for fixed data drives: True
    Omit recovery options from the BitLocker setup wizard: True
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password
Deny write access to fixed drives not protected by BitLocker: Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives
Control use of BitLocker on removable drives: Not configured
Deny write access to removable drives not protected by BitLocker: Not configured

BNU, Client Machine not Retrieve IP but can from WDS PXE
I have been trying to troubleshoot BitLocker Network Unlock on my infrastructure but cannot seem to get it to work. On the client system I receive Event ID 24584, and on the WDS server I do not receive any event logs notifying of the client trying to use the certificate to network unlock. The odd part is that, if I try to PXE boot on the client, it can receive an IP and go through the steps as if it is going to do an image install using WDS. I followed the steps in the documentation, GPOs have been applied, certs have been properly placed; it just seems bootmgr cannot retrieve an IP but can from WDS. In addition, an IP helper has been set up on the switch.

System Info:
Virtualized Windows 10 21H2 machine running on VMware with a vTPM
Virtualized Windows Server 2022 running on VMware; same VLAN as the client machine
Physical domain controller, Windows Server 2016; located on a different VLAN than the WDS server and client machine

Endpoint security - Device encryption policy shows error
Hi all, I have around 100 new HP EliteBooks which I want to configure with BitLocker. We would like to accomplish this in the Endpoint security section and created a Device encryption policy according to this article: https://petri.com/best-practices-for-deploying-bitlocker-with-intune

I have the issue that in Intune it shows that the policy has an error. When I click on the error, everything shows successful (see printscreen intune1). When I check the report, I have, as far as I can say, everything correct there for my test device (see printscreen Intune2). When I check on the device I see that only the used space is encrypted (see printscreen bitlocker).

Does anybody know how I could correct the error, and also, is it the recommended configuration to have only the used space encrypted?

Many thanks for your feedback.

Best regards,
Marc

Not getting prompted to save Bitlocker key to cloud?
I have a newly built Windows 10 Business machine that has been associated with my Microsoft 365 Azure AD domain. The machine has TPM enabled. When I attempt to encrypt, the only options I'm given for unlocking the drive at boot up are (image attached):

Insert a USB Drive
Enter a password

I'm used to seeing an option of "Save my BitLocker key to my Microsoft Office cloud account (Azure AD)", so I'm not sure what I'm missing in order to get this option, should I need to restore the key? Any idea why I would be getting this option when attempting to enable BitLocker?

OS: Windows 10 Business (64-bit)

BitLocker backup to cloud domain error id 846 access denied
Hi everyone,

Weird story: we have close to 100 workgroup laptops which are managed in SCCM (ICBM). We want to move them to Intune only, without CMG. They all have BitLocker enabled on them. Here is what we do:

Uninstall SCCM Client
Change OS from Education to Pro
Join to Azure with the laptop owner's user account
Back up the BitLocker recovery key to the cloud
Set the user as a standard user

Most of these laptops are on 1803 and we want them to be upgraded via Intune. After 15 successful laptops, a laptop was unable to back up to the domain cloud. Checking with Google I found out that an event log folder named BitLocker-API contains all the information about the BitLocker encryption process. I found error 846 detailing "Access Denied". My Google search found nothing so far. I decided to manually upgrade to 1909 and got the same result in my BitLocker. I then attempted to disconnect from Azure, delete the computer from both Intune and Azure, and rejoin to Azure. This time I got both the "Can't backup to domain cloud" and "Your Active Directory domain schema isn't configure" ??? I am at a loss; I can't reset the computer because of the Corona Virus.

Any help would be appreciated.
Rahamim

BitLocker network unlock issue
Hi, I'm struggling a bit with Bitlocker network unlock deployment in my environment. I'm following this guide: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock#bkmk-installnufeature

And I have 2 issues overall.

The first one is the certificate request to the CA. I'm able to request the certificate and issue it without problems. The issue appears later on: the cert looks like it's self-signed (the certificate on the first screenshot is revoked because I didn't want it to stay there since it didn't work like it should). The certificate on the second screenshot is the cert that's popping up in certmgr.msc on the machine that I was sending the cert request from. It is the same cert, yet it is not? It should end up in the Personal container signed by the CA, but instead it goes to the Pending container and it looks like it's self-signed. Am I missing something? I'll be honest, I do not have experience with a CA. I simply followed the guide. I made a workaround by doing a self-signed cert in the next part, so it is not that big of a problem, although I'd like to have a signed cert there.

The real problem is the GPO settings. I've tried everything. Updated the .ADMX files in SysVol manually, cleared the GPO cache on the client machine, tried setting the GPOs from the guide on multiple containers, even on the root domain level itself (just for testing purposes), with no luck. The policy simply does not apply. There is no error in RSOP or in gpresult. I've tested it on multiple machines and user accounts, with security filtering and without. I tried to split it into 3 separate policies to check if maybe one of them is problematic. None of these 3 policies applied even once. Other policies are applied without any problems or issues. What should I do now? Has anyone had a similar issue?

Microsoft Bitlocker Management from Intune
Howdy Folks! I guess everyone is doing well with Microsoft, as all of you might have got inspired a lot by the session held last week in Las Vegas (Microsoft Inspire)!! Though I missed it badly as I didn't get a chance to visit, the questions keep popping into my head!!

Now to the BitLocker issue, where I guess someone can answer this as well. My query is straightforward: I need to disable or hide the option of getting the Recovery Keys at the end user level, as it is a vulnerability for the Admins to provide the Recovery Keys for the OS encryption disk, as in the example below:

Bitlocker Keys available at the end user level using myapps.microsoft.com

Is there any option at the administrator level in the Azure Portal to hide these keys from the end user side?? Please help me out, as the customer is seeking help for this!!