chaosisbliss

If the device is already encrypted, the issue here would be the escrowing of the key. At this time, if you have MBAM integration with MECM policies, it is telling the device to escrow into the MECM DB. I prefer to keep the computer object and the key separate from one another. However, you can create an intune script deployment to tell the machine to escrow the key to AAD. You would need to exclude this collection, for testing, from any on-premise bitlocker policies. You can use the site below to incorporate the PS script to escrow the key in AAD/Intune. Microsoft was telling me that we had to decrypt and re-encrypt to do so. This is 100% not true. Keep your encryption, and sanity, because decrypting leaves you vulnerable and uses nearly 100% of the disk if you are FDE and not used-spaced only. I've tested this, and it does work. I just prefer to keep them on-premise. How to Migrate Bitlocker to Azure AD - MSEndpointMgr

These are fantastic articles. I've compiled a 40 page document from various YouTube videos including Justin's. I have referenced multiple official Microsoft documents on top of the videos as well. Nowhere did any of those mention anything about your Step 5 Configure Trusted Root Certificates. I even went back to Justin's video to confirm lol. So, thank you for that. I have updated my documentation to include this particular step. I do have custom boot images as we use Adaptiva. I'll have to update it with the OSDCert.crt manually. They provide a wonderful powershell script to accomplish this task. Thanks for your work.