Windows Device Management and Bitlocker

Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have Bitlocker settings enabled for the system drive.

Here is our situation. We are not joining the computers to a domain and users do not have a Microsoft account. When they log into Windows, GCPW gives them a standard user account. On my two test machines, despite having the settings enabled, nothing happens regarding Bitlocker. Coming from a domain environment I am already fairly familiar with Bitlocker, so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.

Should we just be enabling Bitlocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to Bitlocker?


Hi, when you enable Bitlocker in the Admin console, the device should prompt the user with a dialog box to enable Bitlocker. This is a Windows feature and a built-in Windows dialog for Bitlocker.

If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check whether the device is enrolled from the Settings app. You can also create logs and look at the Bitlocker value: https://learn.microsoft.com/en-us/windows/client-management/mdm-collect-logs

Would it prompt them if they are a standard user? Standard users normally can't enable Bitlocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer, same behavior. Nothing happens; all other policies seem to be working.

Ah, that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings in the OS that can make this possible. Can you use the Custom settings section of the Admin console to enable these settings in addition to the Bitlocker settings?

https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#allowstandarduserencry... set to 1

https://learn.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp#allowwarningforotherdi... set to 0

Let me know if these make a difference. You can trigger a sync from the device using the Settings app once you add these settings in the Admin console.
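To see whether the two custom settings from the reply above actually reached the device, the device-side policy store can be read directly. The script below is an added example and not from this thread or from Google's or Microsoft's documentation; it assumes (as is the case for other MDM-delivered CSP settings) that the BitLocker CSP values land under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`, and that an MDM enrollment leaves scheduled tasks under `\Microsoft\Windows\EnterpriseMgmt\`. If the values are missing it runs the same `mdmdiagnosticstool.exe` collection that the linked Microsoft page describes. Run it in an elevated PowerShell on the enrolled device.

```powershell
# Added example: check that the BitLocker CSP custom settings were delivered to this device.
# Assumption: MDM policy values are mirrored under the PolicyManager hive, area "BitLocker".
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'

# Values suggested in the reply above
$ExpectedValues = @{
    AllowStandardUserEncryption        = 1
    AllowWarningForOtherDiskEncryption = 0
}

function Test-BitLockerCspPolicy {
    param(
        [string]$Key = $PolicyKey,
        [hashtable]$Expected = $ExpectedValues
    )
    if (-not (Test-Path -Path $Key)) {
        Write-Warning "No BitLocker policy area at $Key. The device has not received any BitLocker CSP settings (enrollment or sync problem)."
        return $false
    }
    $props = Get-ItemProperty -Path $Key
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            Write-Warning "$name is not set (expected $($Expected[$name]))"
            $ok = $false
        }
        elseif ([int]$actual -ne $Expected[$name]) {
            Write-Warning "$name = $actual (expected $($Expected[$name]))"
            $ok = $false
        }
        else {
            Write-Host "$name = $actual (OK)"
        }
    }
    return $ok
}

# Enrollment check: each MDM enrollment creates scheduled tasks under EnterpriseMgmt\<enrollment GUID>
$enrollTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
if (-not $enrollTasks) {
    Write-Warning 'No EnterpriseMgmt scheduled tasks found: this device does not look MDM-enrolled.'
}

if (-not (Test-BitLockerCspPolicy)) {
    # Same collection the linked Microsoft page describes; the .cab holds the MDM diagnostic report
    $cab = Join-Path -Path $env:PUBLIC -ChildPath 'Documents\MDMDiagReport.cab'
    & "$env:SystemRoot\System32\mdmdiagnosticstool.exe" -area 'DeviceEnrollment;DeviceProvisioning' -cab $cab
    Write-Host "Diagnostics written to $cab"
}
```

If the policy area exists but the two values are absent, the settings were never applied; trigger a sync from the Settings app as suggested above and re-run the check. If the area itself is absent, the problem is upstream of BitLocker (enrollment or sync), which is what the diagnostic .cab is for.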

I don't mind turning bitlocker on with the local administrator account. However, on my test machine when I enable bitlocker with the local administrator account, the admin console still reports that the device is unencrypted. 

From what I can tell, if you enable Bitlocker before enrolling the device to a user, the admin portal will never correctly report the device as encrypted. This creates a catch-22. You have to enroll the device before the user gets it to enable Bitlocker.

The policies you listed state that they are only for Azure Active Directory Joined devices. 

I had the same issue.
Researching for days and studying the detail of every single policy to be applied brought me to one solution:

The local Admin account, which is registered in the Admin console in the GCPW settings, has to enable Bitlocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.

The testing machine I'm using is now "Encrypted" and "BL-compliant" in the Admin console
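The procedure in the last reply (enable BitLocker from the local Admin account, then store the recovery key somewhere other than the drive it unlocks) can be done unattended before the machine is handed over. The script below is an added example written for this thread; it is not code from the thread, from Google or from Microsoft. It assumes Google Drive for Desktop is mounted as a separate drive letter (`$KeyFolder` defaults to an assumed `G:\My Drive\BitLocker-Keys`; change it to your own folder), uses a TPM protector for transparent boot plus a recovery password, and refuses to write the key onto the system drive itself. It says nothing about how the Admin console will report the device; that is the behavior the thread is still discussing. Run it elevated as the local Administrator.

```powershell
# Added example: enable BitLocker on the system drive from the local admin account and
# store the recovery password off the encrypted drive (e.g. a Drive for Desktop mount).
param(
    [string]$KeyFolder = 'G:\My Drive\BitLocker-Keys'   # assumed Drive for Desktop mount; adjust
)

$Drive = $env:SystemDrive   # normally "C:"

function Assert-KeyFolderOffSystemDrive {
    # The recovery key must not live only on the drive it unlocks.
    param([string]$Folder, [string]$SystemDrive)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Folder).Path)
    if ($root.TrimEnd('\') -ieq $SystemDrive) {
        throw "Refusing to store the recovery key on $SystemDrive, the drive it unlocks. Use another drive or a cloud-synced mount."
    }
}

function Enable-SystemDriveBitLocker {
    param([string]$MountPoint)
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is not present or not ready; a TPM protector cannot be added.'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); skipping Enable-BitLocker."
    }
    else {
        # TPM protector for transparent boot; XTS-AES-256 for the whole volume
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    }
    # Make sure a recovery password exists before the device leaves your hands
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Save-RecoveryPassword {
    # Writes one file per computer and key protector ID so keys are easy to find later.
    param($Volume, [string]$Folder)
    $rp = $Volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    $file = Join-Path -Path $Folder -ChildPath ('{0}_{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    @(
        "Computer:      $env:COMPUTERNAME"
        "Volume:        $($Volume.MountPoint)"
        "Key protector: $($rp.KeyProtectorId)"
        "Recovery key:  $($rp.RecoveryPassword)"
        "Saved:         $(Get-Date -Format o)"
    ) | Set-Content -LiteralPath $file -Encoding UTF8
    return $file
}

Assert-KeyFolderOffSystemDrive -Folder $KeyFolder -SystemDrive $Drive
$volume = Enable-SystemDriveBitLocker -MountPoint $Drive
$saved  = Save-RecoveryPassword -Volume $volume -Folder $KeyFolder
Write-Host "Recovery password written to $saved"

# Encryption continues in the background; check progress with:
#   Get-BitLockerVolume -MountPoint $Drive | Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The recovery password file is plain text, so the synced folder it lands in should be restricted to the admins who handle device recovery; anyone who can read that folder can unlock the drive.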