How to Configure BitLocker for Machines with Manufacturer Encryption?

Asked By TechWizard42 On

Hey everyone! I'm curious about how to handle BitLocker rollouts when a lot of machines already have manufacturer encryption enabled. I've had success with BitLocker in the past, but now I'm facing a new challenge with a client's clients where the devices come with encryption turned on by the manufacturer. This means there are no protection keys, and devices expect to be linked to Azure or a personal O365 account. I've previously been able to use RMM jobs to disable BitLocker on selected machines, allowing AD policy to take over and save recovery keys in AD, but that's not an option here. I only have PowerShell and Group Policy at my disposal. Any insights or scripts you all use in these situations would be super helpful! Thanks!

4 Answers

Answered By MDTmaster345 On

If you use MDT for redeployments, the manufacturer defaults won't affect you. You can set up BitLocker with key backup to AD during your task sequence, which should streamline the process.

Answered By RegistryRanger On

This is actually related to device encryption, which you can disable through a registry tweak. Check msinfo32 with admin rights to confirm that device encryption status is marked as disabled by policy. Here's the link [how to disable it](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#disable-bitlocker-automatic-device-encryption). But for existing machines, you want to ensure the keys are stored to AD, so be cautious.

Answered By PowershellNinja99 On

I built a full PowerShell workflow for this that checks if encryption is applied, verifies its compliance, and ensures a TPM key is enabled on the OS drive. I also set it to auto-unlock fixed data drives and back up recovery passwords to both AD and AAD since it's a hybrid setup. The tricky part was filtering for removable USB storage. The script doesn't track long-term state but fixes issues it finds on the first run. I ran it as a compliance check in SCCM and it nailed about 99% of the typical problems.
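As an added illustration of the workflow described in that answer (this is example code, not PowershellNinja99's actual script), here is a single-pass compliance/remediation function built only on the built-in BitLocker module cmdlets. It assumes the TPM is ready, the Group Policy setting that stores recovery information in AD DS is enabled, and the device is hybrid Azure AD joined so the AAD backup cmdlet has somewhere to write to.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Assumes: TPM is ready, the GPO
# "Store BitLocker recovery information in AD DS" is enabled, and the device is
# hybrid Azure AD joined so BackupToAAD-BitLockerKeyProtector can reach AAD.
function Invoke-BitLockerRemediation {
    $fixes = @()
    # Exclude removable (USB) volumes by DriveType rather than by drive letter.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
                 ForEach-Object { "$($_.DriveLetter):" }
    $volumes = Get-BitLockerVolume | Where-Object { $_.MountPoint -notin $removable }

    foreach ($vol in $volumes) {
        $mp = $vol.MountPoint
        # Manufacturer device encryption can leave a volume encrypted but without
        # a TPM or recovery-password protector; turn BitLocker on where it is off.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            if ($vol.VolumeType -eq 'OperatingSystem') {
                Enable-BitLocker -MountPoint $mp -TpmProtector -SkipHardwareTest | Out-Null
            } else {
                Enable-BitLocker -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            }
            $fixes += "$mp enabled"
        }
        $types = (Get-BitLockerVolume -MountPoint $mp).KeyProtector.KeyProtectorType
        if ($vol.VolumeType -eq 'OperatingSystem' -and 'Tpm' -notin $types) {
            Add-BitLockerKeyProtector -MountPoint $mp -TpmProtector | Out-Null
            $fixes += "$mp TPM protector added"
        }
        if ('RecoveryPassword' -notin $types) {
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            $fixes += "$mp recovery password added"
        }
        # Back up every recovery password to AD DS and to Azure AD (hybrid setup).
        $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector      -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        # Fixed data drives unlock automatically once the OS drive is protected.
        if ($vol.VolumeType -eq 'Data' -and -not $vol.AutoUnlockEnabled) {
            Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
            $fixes += "$mp auto-unlock enabled"
        }
    }
    # For an SCCM compliance rule, test that the script output equals 'Compliant'.
    if ($fixes.Count -eq 0) { 'Compliant' } else { "Remediated: $($fixes -join '; ')" }
}
Invoke-BitLockerRemediation
```

Run it once to remediate and a second time as the detection pass; the second run should print only `Compliant`, and any volume still listed points at a protector or backup step that failed (for example, AD backup being blocked by policy).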

Answered By GadgetGuru88 On

I've never dealt with manufacturer encryption before. What brand are you encountering this issue with? I usually just set my policies in Intune or Group Policy, and it runs smoothly from there.
