Part 2 – Enable Silent BitLocker with Intune in Hybrid-Join Scenario

Image result for BitLocker ICO

Part 1 highlighted some of the documents needed and describes the lab environment.

Part 2 will discuss the how to build the lab.

Azure Subscription

As part of the process to create a Hybrid environment. This means you will have a typical on-premises Active Directory Domain Controller that synchronizes user and computer objects to Azure so you can take advantage of cloud technologies such as Intune

For more information on Hybrid Joined Scenarios see the below articles

How To: Plan your hybrid Azure Active Directory join implementation
Configure hybrid Azure Active Directory join for managed domains
Hybrid Azure AD joined devices

Subscribe for an Azure Subscription here
You will need to get and register a custom domain and link this to your Azure Subscription

Add your custom domain name using the Azure Active Directory portal
Managing custom domain names in your Azure Active Directory

Building the Lab

To build a lab you have a couple of choices:

  1. Deploy your virtual machines directly from the Azure Marketplace
  2. Deploy Virtual Machines from a computer with Hyper-V installed.

Note – My lab is based on using Hyper-V and therefore I would recommend the same approach

Install Hyper-V

Hyper-V is Microsoft’s Hypervisor which can be used to deploy virtual machines and deploy a lab. There a few scenarios to deploy Hyper-V depending on what you have available to you in terms of hardware

Install Hyper-V on Windows 10
Install the Hyper-V role on Windows Server

Install Virtual Machines

This document assumes some knowledge of how to install a virtual machine and configure it on Hyper-V

For this lab download the following operating systems
Windows Server 2016,
Windows 10

When building the Windows 10 computer use the following options

  • Generation 2 VM
  • Add a virtual DVD for Windows 10 ISO
  • Enable the virtual TPM

In my lab setup I also installed Windows 10 without a network interface card initially so that it would not ask for an online logon during the install. You can remove these prior to the install or set the status to ‘Not Connected’. Just remember to add them once the build is complete.

Install AD Role on 2016 Server

Use the following guide to create an Active Directory Domain
Install a New Windows Server 2012 Active Directory Forest (Level 200)

Make sure you name you Active Directory Domain the same as the custom domain you have acquired as part of the overview in Part 1.

Create the Organizational Units in AD, these will be synchronized with Azure AD when Hybrid connectivity is configured
Employees
Devices>Windows 10

Join Windows 10 to the Domain

Join a Computer to a Domain

Implement Hybrid Join
  1. On the 2016 Server install AD Connect
  2. Use the following guide to Install AD Connect with Express Settings
    Note – In production you may prefer to use the custom install with dedicated service accounts

    Once you have installed AD Connect you can check the settings and change the configuration if you need to
  3. Open AD Connect from the Desktop
    ‘Configure

4. ‘Configure Device Options>Next’
Required for Hybrid Join

‘Next’

5. Add you Global Admin details for Azure
6. Select ‘Configure Hybrid Azure AD Join’

‘Next’
7. Select ‘Windows 10 or later domain-joined devices’

‘Next’
8. Add the authentication service, Active Directory
9. Add you On-Premises AD Credentials for the account that is an Enterprise Admin

‘Next’

Select ‘Configure’

You can safely ignore the message in the ‘Configuration complete’ window

Check Synchronization is working

In order for users and computers can synchronize successfully to the cloud you should check the AD Connect Synchronization Service

Start>Azure AD Connect>Synchroniztion Service

Make sure all Profile Name and Status are showing success

Note – Once all operating systems are installed and configured remove the installation media from the virtual DVD drives. Removable media will block Silent BitLocker from encrypting the drive

In Part 3 we’ll create the Intune policy for BitLocker

Image result for intune

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s