Configure Endpoint Protection (Bitlocker) with Intune on Windows 10

Standard

In this blogpost I want show you how to use the Endpoint Protection (Bitlocker) policy within Intune to configure Bitlocker on Windows 10. With Endpoint Protection policies you can configure and enforce Bitlocker on your Windows 10 devices. With the old policies we could already enforce Bitlocker but not enforce the settings of Bitlocker. With Windows 10 1703 the user interface for the end user was already improved but still the user needs to select the Bitlocker settings themselves. There are some settings where the user need to make the right decision and probably not all users know the consequences of some of the settings. The setting about saving the recovery key is for me to most important one. In a MDM scenario I want to enforce that the key will be saved in AzureAD an not locally on a USB drive. So most of the time I want to enforce this setting and more ideal I just want to enable it for the user without disturbing the user.

Based on my tests this policy is a huge improvement to enable Bitlocker on your users Windows 10 device. But let’s take a look in this policy and see what information we can configure in the Endpoint Protection policy in Intune:

  • Require Bitlocker settings;
  • Bitlocker encryption settings for operating system, fixed and removable drives;
  • Bitlocker OS Drive settings like TPM, Recovery Key, Pre-Recovery Key information;
  • Fixed Drive settings like blocking Write Access to unprotected drives, Recovery Key;
  • Removable Drive settings like blocking Write Access to unprotected drives.

If you want to get the details on above list you can check this documentations link: https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10. Now we know what settings we can configure let’s create an policy and show how this policy will look like in Intune and on Windows 10 1607 and 1703. Let’s first take a look how to create the Endpoint Protection policy in Intune

  1. Go to https://portal.azure.com and open the Intune section;
  2. Select Device Configuration and then Profiles. In the Profiles Overview click on Create Profile
  3. Fill in the Profile Name, Select Windows 10 and later as Platform and then select Endpoint Protection as profile type;
  4. First we’re going to enforce bitlocker on Windows 10 by configuring the Windows settings in the policy:

  5. Next step is to configure the Bitlocker Base settings within the profile:

  6. Now let’s configure the Bitlocker OS Drive Settings:

    I’ve marked 3 parts of the configuration in the screenshot. The first marked rectangle is about the TPM settings, the second rectangle is about the Recovery Key settings with you can enforce for your users. Note that I’ve configured to save the key in the AD DS. Since I’m in a MDM scenario the key will be saved in AzureAD instead. The last marked rectangle is about the custom recovery message which you can configure. The end user will see this message when the recovery key needs to be entered.

  7. Next step is to configure the Bitlocker settings for fixed and removable drives. In my policy I don’t configure them but you could do it. See below the possible settings:

  8. Now save the policy and assign it to your users.

Windows 10 – 1703 (Creators Update):

For this blogpost I installed a fresh new Windows 10 1703 machine. The first sign of the policy is the following message:

When clicking on the message the following screen will be showed:

The user needs to select the first option and then click on Yes. After this message the encryption will start after clicking on Start Encrypting:

The encryption process will run:

and when finished you will see the following message:

When looking in AzureAD we see the recovery key of the device:

Finally let’s check if the custom Bitlocker Recovery message is showed:

So that’s all working as expected! In the release information of this policy it was not clear if this policy also worked for Windows 10 – 1607. So I tried it and see below my results:

Windows 10 – 1607

For this blogpost I installed a fresh new Windows 10 1607 machine. The user logged on to Windows 10 will not receive a notification that encryption is needed. So let’s check the Company Portal to see the state of the device:

With Windows 10 1607 the user needs to enable Bitlocker by themselves by opening the Bitlocker settings by searching for encrypt:

And then Turn Bitlocker on (as you can see on the screens, the policy is not working or enforcing on Windows 10 1607) :

    

The user needs to go through the whole process of screens:

The encryption process will run:

and when finished you will see the following message:

So the conclusion is that there’s no difference when activating Bitlocker on Windows 10 1607 compared to the options we had in the Device Restrictions policy. Also the custom message is not applied:

Leave a Reply