Question on Intune BitLocker Encryption and MECM imaging scenario

Kedar Tamboli 166 Reputation points
2021-05-21T07:35:16.26+00:00

Hello Team,

We have MECM version 2010 and Co-Management enabled.

Also Windows 10 bare metal deployment Task Sequence deployment is already in place and working fine.

We do prepare the MECM imaging in our store location and then upon system is ready (without encryption as of now), we give it to the end user.

However recently we have completed the Intune BitLocker Encryption testing on Co-Managed systems testing.

Now, we need to give the system with Intune BitLocker encrypted ready to the end user.

I would like to know your suggestions in minimizing the duration of the readiness of the system (Imaged system with TS + Intune BDE)

We see the lot of time and wait period in below steps:

  1. Complete the online imaging from MECM Task Sequence
  2. Wait till the system becomes Co-Managed
  3. Add the system into "Co-Management BitLocker Workload Collection" (as we don't want BDE for all Co-Managed systems, hence separate pilot collection created))
  4. Add the hostname into "BitLocker Encryption Policy" security group in Intune
  5. Wait for the encryption policy to sync and complete the encryption

Also in this process, we have doubt - As this process is being completed by engineers domain ID, then post giving the system to end user; will end user can see the recovery keys in https://myaccount.microsoft.com/device-list portal using his login ID and use in case of recovery.

How such scenarios are handled in MECM Co-Management system with Intune Encryption environment.

Thanks in advance.

Thanks and regards,
Kedar

Microsoft Configuration Manager Deployment
Microsoft Configuration Manager Deployment
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Deployment: The process of delivering, assembling, and maintaining a particular version of a software system at a site.
858 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,056 questions
Microsoft Configuration Manager
{count} votes

3 answers

Sort by: Most helpful
  1. Jason Sandys 31,121 Reputation points Microsoft Employee
    2021-05-21T14:49:55.187+00:00

    As this process is being completed by engineers domain ID, then post giving the system to end user; will end user can see the recovery keys in https://myaccount.microsoft.com/device-list portal using his login ID and use in case of recovery.

    No. Not unless the primary user for device is changed in Intune. Why is anyone except the end-user logging into the device? What processes need to be completed and why aren't those part of the task sequence?

    How such scenarios are handled in MECM Co-Management system with Intune Encryption environment.

    What scenarios?


  2. Jason Sandys 31,121 Reputation points Microsoft Employee
    2021-06-01T17:54:23.347+00:00

    Yes, but as noted, that's just addressing the symptom. Fix the problem by not having others log into the system.

    I'm not suggesting adding anything to the task sequence, I'm suggesting that you stop having others log into the systems. Use reports or other, better methods to validate the systems if necessary.

    0 comments No comments

  3. Colin Ford 1,026 Reputation points
    2021-06-01T20:46:53.72+00:00

    See if this works:

    • Enable BitLocker and store recovery password to AD in TS like a typical on-prem scenario
    • Push down the following PowerShell command from Intune BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive ).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId

    This may allow you to at least have an encrypted device with a recovery password that support staff can get to post build. Then while the end user is working the device can register with Intune and backup the recovery key to AAD in the background.

    0 comments No comments