Encrypt Windows devices with BitLocker in Intune
Hi paddy
I have configured a BitLocker policy with the "save recovery key to Azure AD" option, but while encrypting it is not giving the option to save to your Azure AD account. I am using a hybrid Azure AD environment.
Thanks for that detailed explanation, Paddy. Your work is really appreciated. Appreciate you sharing the knowledge likewise.
Hi Paddy
First I would like to thank you for sharing such enriching videos, they help me a lot in my daily life and I am a big fan.
But well, I have a peculiar situation. I need to enable BitLocker automatically and without user interaction on computers that do not have a TPM. I used your video as a guide and went to other sources so that I could carry out this work.
First I had to create a policy under Configuration Profiles > Templates > Administrative Templates > Computer Configuration > Windows Components > BitLocker Drive Encryption > Operating System Drives, enable the option "Require additional authentication at startup" and check the checkbox "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" so that the computer accepts activating BitLocker without a TPM. Then I created the script below:
$OSVolume = Get-BitlockerVolume | Where {$_.VolumeType -eq "OperatingSystem"}
if ($OSVolume.VolumeStatus -eq "FullyDecrypted") {
$PIN = ConvertTo-SecureString "123456789" -AsPlainText -Force
Add-BitlockerKeyProtector -MountPoint $OSVolume.MountPoint -RecoveryPasswordProtector
Enable-BitLocker -MountPoint $OSVolume.MountPoint -Pin $PIN -TPMandPinProtector
BackupToAAD-BitLockerKeyProtector -MountPoint $OSVolume.MountPoint -KeyProtectorId ((Get-BitLockerVolume -MountPoint $OSVolume.MountPoint).KeyProtector | where {$_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId
}
But I get the error "Enable-BitLocker : An external key or password protector is required to enable BitLocker on an operating system volume without a valid TPM." when I try to run it in PowerShell ISE. I'm running it on an individual computer to apply it to one; as soon as I can solve it I'll send it as a script through Intune.
Do you have another idea on how to solve this problem, or have you already encountered a scenario like this?
It looks like you're trying to enable BitLocker on a computer without a Trusted Platform Module (TPM) using a PowerShell script. It appears that you're encountering an error when you try to run the script, stating that an external key or password protector is required to enable BitLocker in this scenario.
One potential solution to this problem could be to include the "-KeyProtector" parameter in your call to the "Enable-BitLocker" cmdlet and specify a password or startup key as the key protector. For example:
$OSVolume = Get-BitLockerVolume | Where-Object {$_.VolumeType -eq "OperatingSystem"}
if ($OSVolume.VolumeStatus -eq "FullyDecrypted") {
    # A password protector stands in for the missing TPM ("password" is a placeholder value)
    $Password = ConvertTo-SecureString "password" -AsPlainText -Force
    # Add a recovery password protector first, otherwise there is nothing to back up to Azure AD
    Add-BitLockerKeyProtector -MountPoint $OSVolume.MountPoint -RecoveryPasswordProtector
    Enable-BitLocker -MountPoint $OSVolume.MountPoint -PasswordProtector -Password $Password
    $RecoveryProtector = (Get-BitLockerVolume -MountPoint $OSVolume.MountPoint).KeyProtector |
        Where-Object {$_.KeyProtectorType -eq "RecoveryPassword"}
    BackupToAAD-BitLockerKeyProtector -MountPoint $OSVolume.MountPoint -KeyProtectorId $RecoveryProtector.KeyProtectorId
}
This will specify a password as the key protector, which should allow you to enable BitLocker on a computer without a TPM. You can also use a startup key by specifying the path to the key file as the key protector.
I hope this helps! Let me know if you have any other questions.
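The following script is an added example, not code from the video or from either commenter. It shows the check a practitioner would want before enabling BitLocker on a fleet with mixed hardware: detect whether a usable TPM exists, pick a TPM protector (silent) or a password protector (the only option the error message leaves for a non-TPM machine), and verify that the "Allow BitLocker without a compatible TPM" policy from the admin template has actually applied (it sets EnableBDEWithNoTPM under the FVE policy key) before trying the password path. The boot password value is a placeholder and is assumed to come from a secure source in practice.

```powershell
# Added example: protector selection plus policy check for TPM and non-TPM devices.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$OSVolume  = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq "OperatingSystem" }

if ($OSVolume.VolumeStatus -ne "FullyDecrypted") {
    Write-Output "Volume $($OSVolume.MountPoint) is already $($OSVolume.VolumeStatus); nothing to do."
    return
}

# Every path needs a recovery password protector, otherwise there is nothing to escrow to Azure AD.
Add-BitLockerKeyProtector -MountPoint $OSVolume.MountPoint -RecoveryPasswordProtector | Out-Null

$Tpm = Get-Tpm
if ($Tpm.TpmPresent -and $Tpm.TpmReady) {
    # TPM available: this protector needs no user interaction, so it suits a silent Intune script.
    Enable-BitLocker -MountPoint $OSVolume.MountPoint -TpmProtector -SkipHardwareTest
} else {
    # No usable TPM: a TPM or TPM+PIN protector is refused, which is the error in the question above.
    # Confirm the admin template has applied before attempting a password protector.
    $Allowed = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
    if ($Allowed -ne 1) {
        throw "EnableBDEWithNoTPM is not set to 1 under $PolicyKey; the policy has not applied yet."
    }
    # A password protector must be typed at boot, so non-TPM devices cannot be fully silent.
    # Placeholder value for illustration only.
    $BootPassword = ConvertTo-SecureString "ReplaceWithYourBootPassword" -AsPlainText -Force
    Enable-BitLocker -MountPoint $OSVolume.MountPoint -PasswordProtector -Password $BootPassword -SkipHardwareTest
}

# Escrow every recovery password protector so the key shows up under the device in Intune.
$Recovery = (Get-BitLockerVolume -MountPoint $OSVolume.MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
foreach ($Protector in $Recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $OSVolume.MountPoint -KeyProtectorId $Protector.KeyProtectorId
}
```

Run it in an elevated PowerShell session on a device that is Azure AD joined or hybrid joined; BackupToAAD-BitLockerKeyProtector fails on a device that has no Azure AD identity.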
Thank you Sir
You Made my day
Keep going...great work
After I set up the Disk Encryption policy and it is pushed out to all devices, will it automatically enable on all new devices added later?
Awesome is the word for your uploads
Thank you so much for your kind words! I'm glad you think my uploads are awesome. I appreciate your support!
Thank you.
We have a BitLocker policy in place. Now I want to create a policy which allows users to connect a USB drive without enforcing USB encryption.
I've created a new policy from disk encryption,
enabling full disk encryption,
leaving everything else not configured,
created a new group and added the required device to it.
Will it work?
Thank you for your question. Yes, this should work. You will need to create a new policy from the disk encryption and enable full disk encryption. Then, you can create a new group and add the required device to it.
@PaddyMaddy26 Thank you for the prompt response and vote of confidence. Your videos have helped me a lot... Thanks again.
What about a BitLocker compliance policy (Require BitLocker)? Will the compliance policy enforce BitLocker, or will it just say whether it is configured or not?
The compliance policy will enforce Bitlocker if it is configured.
Nice video, but it is not clear on how to enroll devices into Intune, which I believe to be the first step.
It is covered in great detail.
@PaddyMaddy26 What about the setup in hybrid mode?
Your logo in the corner flashing all the time is distracting.
This feedback was taken on board; the new videos do not have this problem.
Thank you for your feedback. We value all customer feedback and appreciate you taking the time to share your opinion. We will take your feedback into consideration and make necessary changes to our website. If you have any other suggestions or feedback, we would love to hear from you. Thank you again for your feedback.