This blog post describes the current BitLocker experience on Windows 10 1709 and the experience with the Windows 10 1803 Insider Preview builds (build numbers 17101 and 17107). In this blog post I'm using Microsoft Intune to configure the BitLocker settings on the client. A setting has been added to Microsoft Intune that improves the BitLocker experience. Since this setting only behaves differently on the Windows 10 1803 Insider builds, don't expect any improvements on Windows 10 1709. To be complete, this post also describes the experience on Windows 10 1709.
This blog post uses the AllowWarningForOtherDiskEncryption setting of the BitLocker configuration service provider (CSP) to silently enable BitLocker on Windows 10 1803 devices. Windows 10 1803 is currently only available as an Insider Preview build.
To configure BitLocker on the Windows 10 clients you can use the Endpoint Protection policy within Microsoft Intune. In the past I wrote a blog post about this policy type, which you can find here. Note that the current policy contains more settings than at the time I wrote that post. Recently the following setting has been added to the BitLocker section of this policy: 'Warning for other disk encryption'.
When this setting is set to the value Block, no additional warnings are presented to the user. On the Windows Insider builds this results in BitLocker being enabled silently. On Windows 10 1709 the user still has to click through a small wizard to enable BitLocker.
Independent of the configured policy, the device must meet the BitLocker requirements. So if your policy is set to Require TPM, a compatible TPM chip is needed. Also be aware that the disk layout must be prepared for BitLocker encryption (a separate system partition next to the OS volume). Only if all prerequisites are met will BitLocker be enabled automatically and silently; if one of them is missing, the policy arrives but nothing is encrypted.
Another piece of functionality that has been added to the current Windows Insider release is support for enabling BitLocker for users without administrator rights on their device. On Windows 10 1709 administrator rights are needed to activate BitLocker, but in the Windows Insider release this is done automatically without the need for administrator rights. Let's start by showing the BitLocker experience on Windows 10 1709 and on the Windows 10 1803 Insider Preview.
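Because a silent enablement gives the user no feedback at all, it helps to have a quick way to verify on the client that the prerequisites above are met, that the CSP setting has actually arrived, and what the OS volume ended up as. The script below is an added example for this post, not code from the original article or from Microsoft. It uses the built-in Get-Tpm, Get-Partition and Get-BitLockerVolume cmdlets; the PolicyManager registry path and the two value names it reads are an assumption about where the BitLocker CSP stores its nodes on this build, so adjust them if your device places them elsewhere.

```powershell
# Added example (not from the original post): check on a Windows 10 client whether
# the Intune BitLocker policy can encrypt the OS drive silently, and what it did.
# Run from an elevated PowerShell prompt.

$result = [ordered]@{}

# 1. TPM: with the policy set to Require TPM, the chip must be present and ready.
$tpm = Get-Tpm
$result.TpmPresent = $tpm.TpmPresent
$result.TpmReady   = $tpm.TpmReady

# 2. Disk layout: BitLocker needs a separate system partition on the OS disk.
$osLetter   = $env:SystemDrive.TrimEnd(':')
$osDiskNum  = (Get-Partition -DriveLetter $osLetter).DiskNumber
$result.HasSystemPartition = [bool](Get-Partition -DiskNumber $osDiskNum | Where-Object IsSystem)

# 3. Policy arrival: the BitLocker CSP nodes are expected under the PolicyManager key.
#    ASSUMPTION: key path and value names; 0 for AllowWarningForOtherDiskEncryption
#    corresponds to 'Block' in the Intune policy, 1 (the default) allows the warning.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$result.PolicyKeyPresent                    = [bool]$policy
$result.AllowWarningForOtherDiskEncryption  = $policy.AllowWarningForOtherDiskEncryption
$result.AllowStandardUserEncryption         = $policy.AllowStandardUserEncryption  # may be absent

# 4. Outcome: encryption state and key protectors of the OS volume.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.VolumeStatus         = $vol.VolumeStatus
$result.ProtectionStatus     = $vol.ProtectionStatus
$result.EncryptionPercentage = $vol.EncryptionPercentage
$result.KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')

[pscustomobject]$result | Format-List
```

If TpmReady or HasSystemPartition is False, no CSP value will make the device encrypt; fix the hardware or partition layout first. If PolicyKeyPresent is False the policy simply has not arrived yet (or the user is not targeted), and if AllowWarningForOtherDiskEncryption is 1 the Intune setting is still at its default and the 1709-style wizard is to be expected.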
Windows 10 1709 – Users with administrative rights:
After the BitLocker policy has arrived on the client, the user receives the following notification:
When the user clicks on that notification, the following screens are presented to the user:
After clicking through these screens the BitLocker process starts and finishes without errors. See the results below:
Windows 10 1709 – User with no administrative rights:
A user without administrative rights receives the policy from Intune and sees the same notification, but is unable to continue through the wizard because administrative rights are needed to complete the wizard screens.
Windows 10 1803 – Users with administrative rights:
After the user enrolls their device and the policy arrives, BitLocker is enabled without any notifications. The result is a BitLocker-encrypted OS drive.
The Bitlocker encryption will start automatically:
The Bitlocker encryption should complete successfully:
Windows 10 1803 – User with no administrative rights:
Now let's take a look at what this looks like on a device with a user without administrative rights. I've tested multiple Windows 10 Insider builds, and with the latest build, 17107, both Autopilot and BitLocker are working as expected. After the user enrolls their device and the policy arrives, BitLocker is enabled without any notifications. The result is a BitLocker-encrypted OS drive.
The Bitlocker encryption will start automatically:
The Bitlocker encryption should complete successfully:
On this link you can read more information about this new feature and the updated BitLocker CSP within Windows 10.
Strange name for the policy, tbh. But thanks for sharing. All scripts and scheduled tasks can be removed 🙂 PS: I presume the BL key is automatically written to Azure AD?
Really good post and summary! Especially the differentiation between admin and non-admin! Thanks, good work!
Thanks!
Is this only possible to configure via the BitlockerCSP with Intune or a 3rd Party MDM or is there an equivalent Registry Key I can configure?
Anyone tried that with a Registry Key? Is it possible?
I’ve only used this through the CSP. I’ve not configured this through the registry.
Regards, Arjan
Hi, did you check which editions of Windows 10 this applies to? Enterprise, Business or Pro? It works on Enterprise, and on Business via Intune, but on the Pro edition it fails. The CSP documentation states that this is not supported on Pro. So why do they advertise that Pro can do BitLocker if the management is not there?
Thank You for an informative article.
Can You confirm that this works on “Hybrid Azure AD joined” devices?
I have it working on my “Azure AD joined” devices but the hybrid joined are not being silently encrypted. (Non admin users in both scenarios)
Best regards
Jesper