This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 19%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERH%3C/text%3E%3C/svg%3E)
We are using Microsoft Endpoint Configuration Manager 2006 to deploy BitLocker Policies to our devices
I have setup the policy such that it allows a 1 day grace period for OS drive before it forces drive to encrypt with BitLocker. On the deployment, the evaluation cycle is set to every 1 hour.
This means that after a machine is built, it should receive the BitLocker policy from SCCM, and once the policy has been reviewed and the OS drive is found to be non compliant, a popup should appear asking user to encrypt the drive. If the user postpones for a day, SCCM will auto encrypt.
I have machines that are not doing the above especially after rebuilding them. Even though I have forced discovery and hard cycles in SCCM Agent multiple times, as well as Machine Policy cycle, the machine is not showing the popup to encrypt. SCCM shows the machine is NOT compliant, yet still there is no prompt. How can I force the client to Enforce the policy and show the popup for encryption ?
I do NOT want to use the BitLocker encryption wizard in windows to do this, because if I do this, then the Recoveyr Key is only saved to AD, and it is not saved to SCCM as well (we are planning on using the MBAM Portal in SCCM for access to recovery Keys
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Hi,
Please try to run a Task Sequence or Powershell Script.
Add a Run PowerShell Script step, enter “Invoke-MBamClientDeployment.ps1” as the script name and select the MBAM Deployment Script package. Now enter the following parameters;
-RecoveryServiceEndpoint “https://%YOURSERVER%/SMS_MP_MBAM/CoreService.svc” -EncryptionMethod “XTSAES256” -EncryptAndEscrowDataVolume -IgnoreEscrowOwnerAuthFailure -IgnoreReportStatusFailure -WaitForEncryptionToComplete
Monitoring the deployment via the status messages for the deployment, we can see the key was successfully escrowed to the Configuration Manager database.
For a complete description of the steps mentioned above, check out this article: