How do I force SCCM Client to Enforce BitLocker Encryption Policy

Roger Hendrikse 6 Reputation points

We are using Microsoft Endpoint Configuration Manager 2006 to deploy BitLocker Policies to our devices

I have setup the policy such that it allows a 1 day grace period for OS drive before it forces drive to encrypt with BitLocker. On the deployment, the evaluation cycle is set to every 1 hour.

This means that after a machine is built, it should receive the BitLocker policy from SCCM, and once the policy has been reviewed and the OS drive is found to be non compliant, a popup should appear asking user to encrypt the drive. If the user postpones for a day, SCCM will auto encrypt.

I have machines that are not doing the above especially after rebuilding them. Even though I have forced discovery and hard cycles in SCCM Agent multiple times, as well as Machine Policy cycle, the machine is not showing the popup to encrypt. SCCM shows the machine is NOT compliant, yet still there is no prompt. How can I force the client to Enforce the policy and show the popup for encryption ?

I do NOT want to use the BitLocker encryption wizard in windows to do this, because if I do this, then the Recoveyr Key is only saved to AD, and it is not saved to SCCM as well (we are planning on using the MBAM Portal in SCCM for access to recovery Keys

Microsoft Configuration Manager Deployment
Microsoft Configuration Manager Deployment
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Deployment: The process of delivering, assembling, and maintaining a particular version of a software system at a site.
652 questions
No comments
1 vote

1 answer

Sort by: Most helpful
  1. XinGuo-MSFT 5,076 Reputation points


    Please try to run a Task Sequence or Powershell Script.

    Add a Run PowerShell Script step, enter “Invoke-MBamClientDeployment.ps1” as the script name and select the MBAM Deployment Script package. Now enter the following parameters;
    -RecoveryServiceEndpoint “https://%YOURSERVER%/SMS_MP_MBAM/CoreService.svc” -EncryptionMethod “XTSAES256” -EncryptAndEscrowDataVolume -IgnoreEscrowOwnerAuthFailure -IgnoreReportStatusFailure -WaitForEncryptionToComplete


    Monitoring the deployment via the status messages for the deployment, we can see the key was successfully escrowed to the Configuration Manager database.


    For a complete description of the steps mentioned above, check out this article:

    BitLocker Management in Configuration Manager