Windows Autopilot Hybrid Azure AD join & Bitlocker (co-managed device)

Bojan Zivkovic 461 Reputation points
2021-04-18T20:04:30.057+00:00

Hi, I want to implement BitLocker encryption during Windows Autopilot (Hybrid Azure AD joined device). I must note here that during Autopilot the Configuration Manager client will be installed as well, so the device will be co-managed after Autopilot completes. Is this doable, and what would the end-user experience be (how would he/she know the PIN, for instance...)?

Any step-by-step walkthrough would come in very handy, since I cannot test this on a VM, so a real physical desktop will be used (HWID already imported, so the device is pretty much ready, with the BitLocker configuration still to be done).

Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.

2 answers

  1. Cici Wu-MSFT 1,176 Reputation points
    2021-04-19T08:09:46.773+00:00

    You can refer to the official article on managing BitLocker policy for a hybrid Azure AD joined, co-managed device in Intune. Please note: change "Allow standard users to enable encryption during Azure AD Join" to Not configured; this policy is for Azure AD joined devices.
    Reference: https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

    Also, there is a step-by-step guide written by Nickolaj on silently enabling BitLocker for Hybrid Azure AD joined devices using Windows Autopilot.
    https://msendpointmgr.com/2019/10/31/silently-enable-bitlocker-for-hybrid-azure-ad-joined-devices-using-windows-autopilot/

    Note: Non-Microsoft link, just for reference.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

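The checks a practitioner would run on the device before and after such a deployment, as an added example (this is not code from the thread, from Microsoft's article, or from the linked guide). Run it elevated on the enrolled machine. It uses only the in-box BitLocker, TrustedPlatformModule and Secure Boot cmdlets plus dsregcmd.exe; the function names, the default mount point, and the event ID quoted in the comments are this example's own assumptions and should be verified on your build.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

function Test-SilentBitLockerPrerequisites {
    # Reports the conditions Intune's silent BitLocker enablement depends on, plus the
    # current state of the OS volume (the questioner saw C: "still unencrypted" in cmd).
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')   # assumption: OS volume is C:

    $result = [ordered]@{}

    # 1. TPM must be present and ready (the thread's VM used vTPM 2.0).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 2. UEFI with Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    #    so treat an exception as "not supported".
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # 3. Join state from dsregcmd: hybrid join means AzureAdJoined AND DomainJoined are both YES.
    $ds = dsregcmd /status
    $azureAdJoined = [bool]($ds | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined  = [bool]($ds | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet)
    $result.HybridAzureAdJoined = $azureAdJoined -and $domainJoined

    # 4. Volume state: FullyDecrypted / EncryptionInProgress / FullyEncrypted, and which
    #    key protectors exist (TPM, RecoveryPassword, ...). ProtectionStatus stays Off until
    #    protectors are active.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus     = $vol.VolumeStatus
    $result.ProtectionStatus = $vol.ProtectionStatus
    $result.EncryptionMethod = $vol.EncryptionMethod
    $result.KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

    $result.ReadyForSilentEncryption = $result.TpmPresent -and $result.TpmReady -and
                                       $result.SecureBoot -and $result.HybridAzureAdJoined
    [pscustomobject]$result
}

function Backup-RecoveryPasswordToAzureAD {
    # Escrows the recovery password to Azure AD. This is what the Intune policy setting
    # "Save BitLocker recovery information to Azure Active Directory" does for you; with
    # TPM-only protection there is no user PIN, and the recovery key lives in the tenant,
    # not with the user.
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')   # assumption: OS volume is C:

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # No recovery password yet: add one, then re-read the protector list.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    # Event ID 845 in the BitLocker Management log (quoted from memory; verify on your build)
    # records a successful backup of recovery information to Azure AD.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
}

function Get-BitLockerEnablementErrors {
    # Silent-enablement failures (TPM not ready, policy conflict, third-party encryption)
    # surface as Error-level events in this log. Required-app failures during the Enrollment
    # Status Page, such as the CM client install in the thread, are logged separately in
    # C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log.
    [CmdletBinding()]
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Level = 2 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-SilentBitLockerPrerequisites | Format-List
Get-BitLockerEnablementErrors | Format-Table -AutoSize
```

Silent enablement only works with protectors that need no user interaction, so a TPM-only policy is what this script checks for; a policy requiring a startup PIN cannot be applied silently during Autopilot and would prompt the user instead. If `ReadyForSilentEncryption` is true but `VolumeStatus` stays `FullyDecrypted`, the error log function is the first place to look.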

  2. Bojan Zivkovic 461 Reputation points
    2021-04-27T15:16:37.257+00:00

    I tried today (on a Hyper-V 2016 Gen 2 VM with vTPM 2.0 enabled), but Autopilot errored out - I see in the cmd prompt that C: is still unencrypted, while the application I deployed as required is the CM client itself, and it failed, causing the whole deployment to fail. How do I troubleshoot this:

    (attached screenshots: 91808-image.png, 91774-image.png)

    Both the BitLocker policy and the CM client app are assigned to the group containing the Autopilot devices. Just to point out that I did not have problems with the CM client app, having made it available to a test group containing my user account - I successfully installed it from the web Company Portal on other devices already successfully deployed with Autopilot. This is the first time I have tested BitLocker during Autopilot, though.

    I read somewhere that the CM client installation could break the whole Autopilot process, but I would prefer (if that is doable) to install it during Autopilot - I want to "map" the same pattern as the current OSD task sequence with MECM, where the CM client is installed during OSD itself.

    I found these:

    (attached screenshots: 91749-image.png, 91799-image.png)

