Re: Bitlocker Windows 11 Ssd


Mirthe Luria

Jul 14, 2024, 10:35:01 AM
to olpepami

Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have Bitlocker settings enabled for the system drive.

Here is our situation. We are not joining the computers to a domain and users do not have a Microsoft account. When they log into Windows, GCPW gives them a standard user account. On my two test machines, despite having the settings enabled, nothing happens regarding BitLocker. Coming from a domain environment I am already fairly familiar with BitLocker, so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.

Should we just be enabling Bitlocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to Bitlocker?


If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check if the device is enrolled from the Settings app. You can also collect logs and look at the BitLocker value. -us/windows/client-management/mdm-collect-logs

Would it prompt them if they are a standard user? Standard users normally can't enable BitLocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer; same behavior. Nothing happens; all other policies seem to be working.

Ah, that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings in the OS that can make this possible. Can you use the Custom settings section of the Admin console to enable these settings in addition to the BitLocker settings?

I don't mind turning bitlocker on with the local administrator account. However, on my test machine when I enable bitlocker with the local administrator account, the admin console still reports that the device is unencrypted.

From what I can tell, if you enable BitLocker before enrolling the device to a user, the admin portal will never correctly report the device as encrypted. This creates a catch-22. You have to enroll the device before the user gets it to enable BitLocker.

The policies you listed state that they are only for Azure Active Directory Joined devices.

The local Admin account, which is listed in the Admin console in the GCPW settings, has to enable BitLocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.
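The manual procedure in the post above, written out as an added PowerShell example (it is not code from any poster in this thread, and it is not a Google or Microsoft script). It runs from an elevated session as the local administrator, turns on BitLocker for the OS volume with a TPM unlock protector plus a recovery password, writes the recovery password to a folder that is synced off the machine, and then prints the status a management console would later read. The backup path `G:\My Drive\BitLocker` and the OS volume `C:` are assumptions; adjust them for your Drive for Desktop setup.

```powershell
# Added example, not from the thread: enable BitLocker as the local admin and
# keep the recovery password somewhere other than the encrypted drive.
# Assumptions (not from the thread): OS volume is C:, Google Drive for Desktop
# is mounted as G: and the folder G:\My Drive\BitLocker syncs to the cloud.
#Requires -RunAsAdministrator

$Mount     = 'C:'
$BackupDir = 'G:\My Drive\BitLocker'   # assumed Drive for Desktop folder

# A copy that only lives on the volume being encrypted is useless after a
# failure; warn if the backup folder resolves to that same volume.
if ((Split-Path -Qualifier $BackupDir) -eq $Mount) {
    Write-Warning "$BackupDir is on $Mount; make sure this folder syncs elsewhere."
}
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# The TPM protector needs a ready TPM; fail early instead of halfway through.
if (-not (Get-Tpm).TpmReady) { throw 'TPM is not present or not ready.' }

$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Create the recovery password first so a recovery path exists before
    # encryption starts, then encrypt with the TPM as the unlock protector.
    Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest -UsedSpaceOnly | Out-Null
}

# Export every recovery password on the volume, one file per protector ID,
# so the file can be matched to the ID shown on the recovery screen.
$vol = Get-BitLockerVolume -MountPoint $Mount
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    $id   = $kp.KeyProtectorId.Trim('{}')
    $file = Join-Path $BackupDir "BitLocker-$env:COMPUTERNAME-$id.txt"
    @(
        "Computer:     $env:COMPUTERNAME"
        "Volume:       $Mount"
        "Protector ID: $($kp.KeyProtectorId)"
        "Recovery key: $($kp.RecoveryPassword)"
    ) | Set-Content -Path $file -Encoding ASCII
}

# ProtectionStatus must read 'On' (not just VolumeStatus encrypted) before the
# device is handed to the user; this is the state a console should report.
Get-BitLockerVolume -MountPoint $Mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The recovery file is written before `Enable-BitLocker` starts so that a machine interrupted mid-encryption is still recoverable. Verify that the file has actually synced to the Drive web UI before distributing the computer; a file sitting only in a local Drive cache has not left the disk yet.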

I would like to protect my Windows 11 Pro desktop and laptop with BitLocker and a password/PIN. Here's my struggle after I encrypted the drive and want to protect the drives in case the entire PC is stolen. Thanks for your help.

Do I set up a password using the BitLocker boot PIN? I've read it's no longer available on Windows 11.
Do I set up a password using the Windows login? I've read that it can be reset by booting from USB.
Do I set up admin and power-on passwords in the BIOS? What happens to the TPM chip when the CMOS is reset on a desktop? For the laptop there's a website that will provide a password reset for a locked BIOS.
I used a local account setup on all the machines.
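An added example, not part of the post above and not vendor code, showing how a pre-boot PIN is configured on a standalone Windows 11 Pro machine with a local account. The "Require additional authentication at startup" policy has to allow a TPM+PIN protector before Windows will accept one; on a machine without a domain that policy is set through its local registry values under the FVE key. The OS volume `C:` and the minimum PIN length of 8 are assumptions; the PIN itself is prompted for so it never ends up in a script or shell history.

```powershell
# Added example, not from the thread: require TPM + pre-boot PIN on the OS
# volume of a standalone Windows 11 Pro machine. Run from an elevated session.
# Assumptions (not from the thread): OS volume is C:, BitLocker is not yet on.
#Requires -RunAsAdministrator

$Mount = 'C:'
$Fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Local-policy equivalent of "Require additional authentication at startup"
# (Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives). Without
# UseAdvancedStartup = 1 Windows rejects a TpmAndPin protector.
# For the Use* values: 0 = do not allow, 1 = require, 2 = allow.
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0   # do not fall back to a startup key without a TPM
    UseTPM             = 0   # TPM-only unlock not allowed
    UseTPMPIN          = 1   # TPM + PIN required
    UseTPMKey          = 0
    UseTPMKeyPIN       = 0
    MinimumPIN         = 8   # assumed minimum length
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $Fve -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Prompt for the PIN as a SecureString rather than embedding it in the script.
$pin = Read-Host -Prompt 'Pre-boot PIN (at least 8 digits)' -AsSecureString

# Encrypt with TPM + PIN as the unlock protector, then add a recovery password
# for the case where a firmware change or a forgotten PIN triggers recovery.
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -SkipHardwareTest -TpmAndPinProtector -Pin $pin | Out-Null
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null

# The protector list should now show a TpmPin entry and a RecoveryPassword entry.
(Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Copy the recovery password off the machine before rebooting: with `UseTPM = 0` a drive whose PIN is lost can only be opened with that password, and a change to the boot configuration that alters the measured state (boot order, Secure Boot settings) will also drop the machine into recovery.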

This guide is more of a reflection on the steps I took to publish the BitLocker recovery keys of machines deployed on an Active Directory domain. Microsoft has gobs and gobs of information on this subject which can be a tad overwhelming,...

I would first focus on getting your users onto the domain environment and working correctly. Then I would start looking at BitLocker, GPO and other domain bells and whistles afterwards. Do your project one step at a time; focus on the domain, as that will be your foundation for anything else you decide to do. The better your foundation, the simpler everything else will be.

AD is most important to get working correctly. BitLocker is its own beast. I would start with a test group of computers and make sure it works the way you want it. Nothing sucks more than encrypting all your hard drives and losing the decryption key.
