I have always been passionate about IT and have for the last 10+ years worked with Management and Automation within Microsoft technology. I am a technology enthusiast working as a consultant for the consultant company CTGlobal. Strong commitment to System Center User Group Norway as co-founder and current leader. Great belief that sharing experience with fellow peers is key to creating a sustainable society. Passion for community-driven work, volunteering within Microsoft technology. Microsoft Enterprise Client Management Evangelist with 10+ years experience within Microsoft System Management Solutions. Extensive experience across Private and Public Sector.
Starting in ConfigMgr Current Branch 1910, integrated BitLocker management (MBAM) is supported. This is all well and fine except for one detail: it does not include the Administration Service endpoint available in MBAM standalone. This endpoint is, in most cases, crucial if you are using any kind of automation, management system, custom helpdesk tool or the like.

This article describes a simple hack, which is in no way endorsed or supported by Microsoft and consequently implemented at your own risk, to get the service endpoint back. The method should be considered temporary, to bridge the gap until Microsoft eventually decides to include the functionality (we still hope for that). If you are configuring integrated BitLocker management and have not used the admin service in a previous MBAM standalone installation, this information is probably of little, if any, value to you.

This table indicates what is missing in the integrated implementation. As we can see, the integrated solution lacks the "Administration Service"; some of us need it, and it is safe to say this loss is a significant drawback. However, unsupported as it is, there is a way to get it back by manually copying it from an existing standalone installation. If you have not used MBAM standalone in the past, you will need to set up the solution first to get your hands on the necessary files.

Copy the "Administration Service" folder from "c:\inetpub\Microsoft BitLocker Management Solution" on the old standalone MBAM server to the same location on the server running the > Portals > Add Application > appSettings with the FQDN of the server running the service.

When joining a computer to AAD, either manually or by using a provisioning package, BitLocker will be enabled automatically if your device has the necessary prerequisites. However, in the case that BitLocker is disabled, this is how you enable BitLocker, save the BitLocker key protector (also known as the recovery key) to AAD, and recover the key in case you need it. So this blog post is both for the end-user and the IT pro, I guess.

In this scenario we have configured a Device Compliance Policy in Intune where we require encryption of data storage on devices, and sent the policy to all mobile users. Now, from the user side, they will receive a notification that their device is not compliant with company policy and that encryption is needed. Click on the notification to start the encryption process. Make sure you do not have any other device encryption software installed and click Yes.

Make sure that you save the recovery key to your cloud account. You will be notified that the recovery key is saved. Choose the new encryption mode (which is XTS-AES 128).

This can take some time… But know that you can work as normal alongside the encryption process. Confirm that the encryption process is complete. Now the encryption process is done and your data is secure.

But how do we recover the drive in the case where we lose access to it? Well, the key is stored in AAD and can be recovered easily by the end-user or by an administrator. To retrieve the recovery key, go to the following link and log in with your corporate credentials (Work/School account): Find your computer by name and click on retrieve BitLocker keys. You can do the same in Azure Active Directory by going to. Go to Users and Groups and search for the user. And there you go.

There is no way to automate the encryption process from Intune. But I hope we at some point will be able to execute PowerShell scripts, where we could automate the process. As far as I know, the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which you need to save the recovery key to AAD, is only available in Windows 10 1703 and up. If you want to experiment with PowerShell, here is the script I created. It works and it simply does the same as the manual step above.
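What such a script can look like, as an added example that is not the author's script (which is not reproduced on this page): it refuses to run below Windows 10 1703, turns on BitLocker for the OS drive with a TPM protector and XTS-AES 128 if the drive is still decrypted, makes sure a recovery password protector exists, and escrows it to AAD with BackupToAAD-BitLockerKeyProtector. It assumes an Azure AD joined device with a TPM, an elevated session, and that build 15063 is the 1703 threshold; the drive letter comes from $env:SystemDrive.

```powershell
# Added example: enable BitLocker on the OS drive and back the recovery key up to AAD.
# Assumes an Azure AD joined Windows 10 device with a TPM; run from an elevated session.
# BackupToAAD-BitLockerKeyProtector ships with Windows 10 1703 (build 15063) and later (assumed threshold).
$MountPoint = $env:SystemDrive   # normally "C:"
$MinBuild   = 15063

if ([System.Environment]::OSVersion.Version.Build -lt $MinBuild) {
    throw "Windows 10 1703 (build $MinBuild) or later is required for BackupToAAD-BitLockerKeyProtector."
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint

# Step 1: turn on BitLocker if the drive is still in the clear (the manual wizard's "turn on" step).
# Enable-BitLocker takes one protector type per call, so the recovery password is added separately below.
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
        -EncryptionMethod XtsAes128 -UsedSpaceOnly -SkipHardwareTest
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
}

# Step 2: make sure a recovery password protector exists; this is the "recovery key" shown in the portal.
$recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# Step 3: escrow every recovery password protector to Azure AD (the manual "save to your cloud account" step).
foreach ($protector in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId
}

# Step 4: report the state; encryption still in progress is fine, the user can keep working meanwhile.
$volume = Get-BitLockerVolume -MountPoint $MountPoint
Write-Output ("{0}: {1}, protection {2}, {3} recovery password protector(s) escrowed to AAD" -f $MountPoint, $volume.VolumeStatus, $volume.ProtectionStatus, $recovery.Count)
```

If the device is not Azure AD joined the backup cmdlet fails, and the recovery password then exists only on the device itself, so treat a non-zero exit from step 3 as a failed run rather than a warning.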