Hey everyone! I'm curious about how to handle BitLocker rollouts when a lot of machines already have manufacturer encryption enabled. I've had success with BitLocker in the past, but now I'm facing a new challenge with a client's clients where the devices come with encryption turned on by the manufacturer. This means there are no protection keys, and devices expect to be linked to Azure or a personal O365 account. I've previously been able to use RMM jobs to disable BitLocker on selected machines, allowing AD policy to take over and save recovery keys in AD, but that's not an option here. I only have PowerShell and Group Policy at my disposal. Any insights or scripts you all use in these situations would be super helpful! Thanks!
4 Answers
If you use MDT for redeployments, the manufacturer defaults won't affect you. You can set up BitLocker with key backup to AD during your task sequence, which should streamline the process.
This is actually related to device encryption, which you can disable through a registry tweak. Check msinfo32 with admin rights to confirm that device encryption status is marked as disabled by policy. Here's the link [how to disable it](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#disable-bitlocker-automatic-device-encryption). But for existing machines, you want to ensure the keys are stored to AD, so be cautious.
I built a full PowerShell workflow for this that checks if encryption is applied, verifies its compliance, and ensures a TPM key is enabled on the OS drive. I also set it to auto-unlock fixed data drives and back up recovery passwords to both AD and AAD since it's a hybrid setup. The tricky part was filtering for removable USB storage. The script doesn't track long-term state but fixes issues it finds on the first run. I ran it as a compliance check in SCCM and it nailed about 99% of the typical problems.
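The workflow described in the answer above, written out as an added example (this is not the answer author's script). It assumes the BitLocker PowerShell module is present, the TPM is ready, the device is hybrid Azure AD joined (required for `BackupToAAD-BitLockerKeyProtector`), a GPO already permits AD DS backup of recovery information, and the script runs elevated (for example as SYSTEM from an SCCM compliance item). It filters out USB-attached disks before touching anything, adds the missing protectors, resumes protection on manufacturer-encrypted volumes that still sit on a clear key, enables auto-unlock on internal data drives, escrows every recovery password to both AD and AAD, and finally emits a per-drive compliance object.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answer author's script. Assumptions: BitLocker module present, TPM ready,
# hybrid Azure AD join (needed for BackupToAAD-BitLockerKeyProtector), and a GPO that allows
# AD DS backup of recovery information. Intended as a one-shot remediation plus compliance report.
Import-Module BitLocker

function Get-InternalFixedMountPoints {
    # Lettered fixed volumes whose backing disk is NOT on the USB bus, so removable or
    # USB-attached storage is never encrypted, re-keyed or auto-unlocked by this script.
    foreach ($v in Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Z]$' }) {
        $disk = Get-Partition -DriveLetter $v.DriveLetter -ErrorAction SilentlyContinue |
                Get-Disk -ErrorAction SilentlyContinue
        if ($disk -and $disk.BusType -ne 'USB') { "$($v.DriveLetter):" }
    }
}

function Get-RecoveryProtectors([string]$MountPoint) {
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Repair-OsDrive([string]$MountPoint) {
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    if ('RecoveryPassword' -notin $types) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    if ('Tpm' -notin $types) {   # PIN/startup-key variants are out of scope for this example
        if (-not (Get-Tpm).TpmReady) { throw "TPM not ready; cannot add a TPM protector to $MountPoint" }
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            # Nothing encrypted yet: start encryption with a TPM protector.
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
        } else {
            # Already encrypted (typically manufacturer device encryption): just add the TPM protector.
            Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        }
    }
    # Manufacturer device encryption leaves the volume fully encrypted but with protection Off
    # (a clear key). Resuming protection drops the clear key now that real protectors exist.
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
}

function Repair-DataDrive([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -EncryptionMethod XtsAes256 | Out-Null
    } elseif (-not (Get-RecoveryProtectors $MountPoint)) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    if (-not (Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }
}

function Backup-RecoveryPasswords([string]$MountPoint) {
    # Escrow every recovery password to AD DS and to Azure AD; $true only if both succeeded.
    $ok = $true
    foreach ($kp in Get-RecoveryProtectors $MountPoint) {
        try   { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        catch { $ok = $false; Write-Warning "AD backup failed for $MountPoint $($kp.KeyProtectorId): $_" }
        try   { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        catch { $ok = $false; Write-Warning "AAD backup failed for $MountPoint $($kp.KeyProtectorId): $_" }
    }
    return $ok
}

function Test-DriveCompliance([string]$MountPoint, [bool]$KeysEscrowed) {
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    $isOs  = $vol.VolumeType -eq 'OperatingSystem'
    [pscustomobject]@{
        MountPoint          = $MountPoint
        VolumeType          = $vol.VolumeType
        Protected           = ($vol.ProtectionStatus -eq 'On')   # may stay Off until encryption finishes
        HasTpm              = (-not $isOs) -or ('Tpm' -in $types)
        HasRecoveryPassword = ('RecoveryPassword' -in $types)
        AutoUnlock          = $isOs -or $vol.AutoUnlockEnabled
        KeysEscrowed        = $KeysEscrowed
    }
}

$report = foreach ($mp in Get-InternalFixedMountPoints) {
    $escrowed = $false
    try {
        if ((Get-BitLockerVolume -MountPoint $mp).VolumeType -eq 'OperatingSystem') { Repair-OsDrive $mp }
        else { Repair-DataDrive $mp }
        $escrowed = Backup-RecoveryPasswords $mp
    } catch { Write-Warning "Remediation failed on ${mp}: $_" }
    Test-DriveCompliance $mp $escrowed
}
$report | Format-Table -AutoSize

# SCCM-style verdict: one non-compliant drive makes the whole device non-compliant.
$bad = $report | Where-Object { -not ($_.Protected -and $_.HasTpm -and $_.HasRecoveryPassword -and $_.AutoUnlock -and $_.KeysEscrowed) }
if ($bad) { 'NonCompliant' } else { 'Compliant' }
```

Two design points worth noting. Removable storage is excluded by the disk bus type rather than by `DriveType` alone, because a USB hard drive still reports as `Fixed`; checking `BusType -ne 'USB'` on the backing disk is what keeps the script from auto-unlocking or re-keying a plugged-in external disk. And on a drive that was just started encrypting, `Protected` can legitimately report Off on the first pass, so the compliance item should be evaluated again on the next baseline cycle rather than treated as a failed remediation.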
I've never dealt with manufacturer encryption before. What brand are you encountering this issue with? I usually just set my policies in Intune or Group Policy, and it runs smoothly from there.