This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 75%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Hello Team,
We have MECM version 2010 and Co-Management enabled.
Also Windows 10 bare metal deployment Task Sequence deployment is already in place and working fine.
We do prepare the MECM imaging in our store location and then upon system is ready (without encryption as of now), we give it to the end user.
However recently we have completed the Intune BitLocker Encryption testing on Co-Managed systems testing.
Now, we need to give the system with Intune BitLocker encrypted ready to the end user.
I would like to know your suggestions in minimizing the duration of the readiness of the system (Imaged system with TS + Intune BDE)
We see the lot of time and wait period in below steps:
Also in this process, we have doubt - As this process is being completed by engineers domain ID, then post giving the system to end user; will end user can see the recovery keys in https://myaccount.microsoft.com/device-list portal using his login ID and use in case of recovery.
How such scenarios are handled in MECM Co-Management system with Intune Encryption environment.
Thanks in advance.
Thanks and regards,
Kedar
@Kedar Tamboli Thanks for posting in our Q&A.
For intune Bitlocker, there are two method to get recovery password. We can read the following article as a reference.
https://techcommunity.microsoft.com/t5/intune-customer-success/enabling-bitlocker-with-microsoft-endpoint-manager-microsoft/ba-p/2149784
Whether we can get the recovery password in Azure AD, it is related to the setting "Save BitLocker recovery information to Azure Active Directory" in bitlocker profile. And I think the user which has the following roles can view the recovery password.
Global admins
Intune Service Administrators
Security Administrators
Security Readers
Helpdesk Admins
Hope the above information will help.
As this process is being completed by engineers domain ID, then post giving the system to end user; will end user can see the recovery keys in https://myaccount.microsoft.com/device-list portal using his login ID and use in case of recovery.
No. Not unless the primary user for device is changed in Intune. Why is anyone except the end-user logging into the device? What processes need to be completed and why aren't those part of the task sequence?
How such scenarios are handled in MECM Co-Management system with Intune Encryption environment.
What scenarios?
Thanks Jason. So if I understood correctly, if we change the primary user of the device manually (before giving the system to end user), he/ she will be able to access the recovery keys from https://myaccount.microsoft.com/device-list portal using his / her login ID.
We have observed that when system is imaged using MECM and turned into CO-Managed then in Intune Portal, system enroll by user ID is of engineer ID. Our plan is to make systems ready with Co-Managed as well as Intune encrypted and be available in our IT Store. So that once end User request the asset, we can immediately give the asset to end user.
Which task sequence steps you are suggesting here to address above mentioned scenario.
Yes, but as noted, that's just addressing the symptom. Fix the problem by not having others log into the system.
I'm not suggesting adding anything to the task sequence, I'm suggesting that you stop having others log into the systems. Use reports or other, better methods to validate the systems if necessary.
See if this works:
This may allow you to at least have an encrypted device with a recovery password that support staff can get to post build. Then while the end user is working the device can register with Intune and backup the recovery key to AAD in the background.