Enable Bitlocker on devices without TPM - Standard Users


Hello, 

We are in the process of migrating our Drive Encryption solution to Bitlocker. We successfully migrated the majority of our clients with TPM to Bitlocker by using Intune Configuration Profiles. 

The issue we are facing now is that we need to enable Bitlocker on devices without TPM. Users are not local admins so they cannot complete the Bitlocker Wizard.

I have played around with different Intune Profiles, Encryption Policies and custom OMA-URI, but the closest I get is through the first prompt regarding 3rd party encryption, and then I get a UAC prompt to elevate.

 

Is there a configuration that allows me to enable Bitlocker on devices that do not have TPM, without requiring IT to have to manually touch each device?

 

Some screenshots of settings below... I have tried with the "Compatible TPM Startup" as Blocked / Not Configured / Allowed...

[Screenshot 1: Intune BitLocker settings (Gian202b_0-1631906302779.png)]

[Screenshot 2: Intune BitLocker settings (Gian202b_1-1631906417758.png)]
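Before changing more profile settings, it helps to confirm what the device actually received. The following PowerShell is an added diagnostic (not from the original post or from Microsoft); it assumes Windows 10/11 with the BitLocker and TrustedPlatformModule modules and is run elevated, since standard users cannot read the TPM state or enable protectors. It reports TPM readiness, the BitLocker policy values that GPO and the Intune BitLocker CSP both write under the FVE policy key (EnableBDEWithNoTPM, UseAdvancedStartup, UseTPM), and the OS volume's current protector state.

```powershell
# Added diagnostic example, not part of the original post.
# Assumes Windows 10/11, BitLocker + TrustedPlatformModule modules, elevated session.

function Get-BitLockerNoTpmReadiness {
    $fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # TPM presence and readiness; a device without TPM returns nothing here.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # Values written by "Require additional authentication at startup"
    # (GPO) or the equivalent Intune BitLocker settings:
    #   UseAdvancedStartup  1 = the startup-authentication policy is in effect
    #   EnableBDEWithNoTPM  1 = a password/startup key may be used without a TPM
    #   UseTPM              0 = do not allow, 1 = require, 2 = allow ("Compatible TPM startup")
    $pol = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue

    # Current state of the OS volume and which protectors exist on it.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    $noTpmAllowed = ($pol.UseAdvancedStartup -eq 1) -and ($pol.EnableBDEWithNoTPM -eq 1)

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        TpmPresentAndReady  = $tpmReady
        PolicyKeyPresent    = [bool]$pol
        UseAdvancedStartup  = $pol.UseAdvancedStartup
        EnableBDEWithNoTPM  = $pol.EnableBDEWithNoTPM
        UseTPM              = $pol.UseTPM
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        # Without a TPM, BitLocker can only be turned on when the policy
        # explicitly permits a non-TPM protector; if this is $false the
        # profile never landed and the wizard will stop at the UAC prompt.
        CanEnableWithoutTpm = (-not $tpmReady) -and $noTpmAllowed
    }
}

Get-BitLockerNoTpmReadiness | Format-List
```

Run it on one of the affected devices: if PolicyKeyPresent is $false or EnableBDEWithNoTPM is not 1, the problem is policy delivery rather than the user's rights, and the CSP/OMA-URI settings are the place to look.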

 


@Darkmenance Thanks for your reply, but no, these don't really apply to my situation as they are all GPO.

My specific situation requires an Intune policy, as well as the fact that the users don't have admin rights.
