sdkillo.blogg.se

Bitlocker recovery key windows 10 1709

Short post to go over something I found while researching BitLocker Full Disk Encryption on Hyper-V virtual machines. Update 2017.11.29 - Thanks to Paul Smith MrPRSmith for the idea, I was able to get FDE working using a pass-through disk, see bottom of post for more info.

Wanted to point out, if you pre-provision BitLocker, currently (1910) and you want to use XTS 256 instead of the default 128, you NEED to set a registry key first.

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /V EncryptionMethodWithXtsFdv /T REG_DWORD /D 7 /F

  • Full disk encryption (in ConfigMgr 1910) – a closer look on real hardware.
  • Enabling Full Disk Encryption in Microsoft Endpoint Configuration Manager 1910 in a task sequence.

    Conclusion

    Being able to retrieve data from Tenant attached devices using Microsoft Endpoint Manager and without needing to install a Configuration Manager Console is a great ability indeed. Especially for things like this, BitLocker recovery info when the technician needs to help a user quickly.

    Two great posts you should check out from Niall


    The fix is coming soon via a hotfix, but if you want to resolve this yourself then use the following SQL ALTER VIEW.

        -- Match each machine to its discovery record by NetBIOS name and domain,
        -- then walk machine -> volume -> recovery key.
        SELECT sd.ItemKey, k.RecoveryKeyId, v.VolumeTypeId
        FROM RecoveryAndHardwareCore_Machines m
        JOIN System_DISC sd ON m.Name = sd.Netbios_Name0
        JOIN RecoveryAndHardwareCore_Domains d ON m.DomainId = d.Id
            AND sd.Full_Domain_Name0 IS NOT NULL
            AND d.DomainName = sd.Full_Domain_Name0
        JOIN RecoveryAndHardwareCore_Machines_Volumes mv ON mv.MachineId = m.Id
        JOIN RecoveryAndHardwareCore_Volumes v ON v.Id = mv.VolumeId
        JOIN RecoveryAndHardwareCore_Keys k ON k.VolumeId = v.Id

    After running that, I checked the MEM console and the recovery info was present, what a result! Big thanks go to Aaron and all the rest of the Microsoft Product Group for taking the time to investigate this with me.


    clicked on the Recovery keys (preview) but alas, there were no results…

    Ok, I worked offline with the Microsoft Product Group (thanks guys) and they identified the issue, long story short, if your tenant attached device is Azure AD joined (like mine was) or hybrid Azure AD joined, then the keys would not get uploaded to MEM.

    I tested this on an Azure AD joined device, that was co-managed as described in a previous blog post by myself and Paul here. I deployed a Windows 10 virtual machine which had the Virtual TPM enabled (Hyper-V generation 2 VM) and once the device was in Azure, I added it to my co-managed Azure AD devices group. It got the ConfigMgr client installed (as the client was assigned to that Azure AD group), and the device showed up as in ConfigMgr.

    Next, I added the device to my BitLocker Management collection in ConfigMgr as you can see here. Next, I added the device to my tenant attached collection as we see here. Once done, I confirmed on the client that it had received the BitLocker management policy and had encrypted. Here we can see the BitLocker policy is compliant and the recovery info is revealed on the client via PowerShell. We did this to verify the results in the Endpoint Management console. I also confirmed that the BitLocker information was stored in ConfigMgr’s database, and it was there.

    Next, I launched a web browser to and signed in with an administrative user as described below…

    Permissions

    The administrative user needs the following permissions:

  • On the Collection object that’s scoped to a collection that includes the device:


    Microsoft recently added a new preview ability to the production version of ConfigMgr 2107. Aaron tweeted about it here.

  • Configuration Manager site version 2107 or later.
  • Apply a Configuration Manager BitLocker management policy to the device.

    I tried it out in my lab and here is the result.
