Updated Bitlocker Experience with Windows 10 Insider and Intune


This blogpost describes the current Bitlocker experience on Windows 10 1709 and the experience with the Windows 10 1803 Insider Build release (Build numbers: 17101 and 17107). In this blogpost I’m using Microsoft Intune to configure the Bitlocker settings on the client. Within Microsoft Intune a setting has been added to improve the Bitlocker experience. Since this setting only behaves differently on Windows 10 1803 Insider builds, don’t expect any improvements on Windows 10 1709. To be complete, in this post I will also describe the experience with Windows 10 1709.

This blog post uses the AllowWarningForOtherDiskEncryption setting of the Bitlocker configuration service provider (CSP), to silently enable Bitlocker on Windows 10 1803 devices. Windows 10 1803 is currently available as Insider Preview build.

To configure Bitlocker on the Windows 10 clients you can use the Endpoint Protection policy within Microsoft Intune. In the past I wrote a blogpost about this policy type which you can find here. Note that the current policy contains more settings than at the time I wrote the blogpost. Recently the following setting has been added to the Bitlocker section of this policy: ‘Warning for other disk encryption’.

When this setting is set to the value Block, no additional warnings will be presented to the user. On the Windows Insider builds this results in a silent enable of Bitlocker. On Windows 10 1709 the user still has to click through a small wizard to enable Bitlocker.

Independent of the configured policy, the device must meet the Bitlocker requirements. So if your policy is set to Require TPM, a compatible TPM chip is needed. Also be aware that the disk partition layout must be prepared for Bitlocker encryption. Only if all prerequisites are met will the Bitlocker process start automatically and silently.

Another piece of functionality added in the current Windows Insider release is support for enabling Bitlocker for users without administrator rights on their device. In Windows 10 1709 administrator rights are needed to activate Bitlocker, but in the Windows Insider release this is done automatically without the need for administrator rights. Let’s start by showing the Bitlocker experience on Windows 10 1709 and Windows 10 1803 Insider Preview.
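Before looking at the screenshots, here is an added example (my own script, not something from the original post, from Intune or from Microsoft’s documentation) that checks the prerequisites described above on the device itself and reports whether the OS drive actually ended up encrypted. It assumes an elevated PowerShell session on the Windows 10 client. The registry location where the Bitlocker CSP stores received policy values (`HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`) is an assumption and not taken from the post; the partition check assumes a UEFI/GPT layout, where the EFI system partition reports the type `System`.

```powershell
# Added example: verify the Bitlocker prerequisites mentioned in the post (TPM,
# prepared partition layout, policy arrival) and report the OS drive's status.
# Assumptions: elevated session; the PolicyManager registry path below is assumed.
#Requires -RunAsAdministrator

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param(
        [string]$OsDrive = $env:SystemDrive   # e.g. C:
    )

    $result = [ordered]@{}

    # 1. TPM: a 'Require TPM' policy needs a compatible TPM that is present and ready.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # 2. Firmware: Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as 'no'.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # 3. Partition layout: Bitlocker needs a separate (unencrypted) system partition
    #    on the same disk as the OS volume. On GPT disks the EFI partition has Type 'System'.
    $osPartition = Get-Partition -DriveLetter $OsDrive.TrimEnd(':') -ErrorAction SilentlyContinue
    $result.SeparateSystemPartition = $false
    if ($osPartition) {
        $systemPart = Get-Partition -DiskNumber $osPartition.DiskNumber |
            Where-Object { $_.Type -eq 'System' }
        $result.SeparateSystemPartition = [bool]$systemPart
    }

    # 4. Policy arrival: CSP policy values are written by the MDM client (assumed path).
    #    In the CSP, Intune's 'Block' for the warning corresponds to the value 0.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    $result.PolicyReceived = [bool]$policy
    $result.AllowWarningForOtherDiskEncryption =
        if ($policy) { $policy.AllowWarningForOtherDiskEncryption } else { $null }

    # 5. Outcome: what state did the OS volume end up in?
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if ($vol) {
        $result.VolumeStatus         = $vol.VolumeStatus          # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        $result.ProtectionStatus     = $vol.ProtectionStatus      # On / Off
        $result.EncryptionPercentage = $vol.EncryptionPercentage
        # Protector types, e.g. Tpm and RecoveryPassword; no RecoveryPassword means
        # there is nothing that could have been escrowed to the directory.
        $result.KeyProtectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }

    # Summary flag: everything the post lists as a precondition for a silent enable.
    $result.ReadyForSilentEnable = $result.TpmPresent -and $result.TpmReady -and
                                   $result.SeparateSystemPartition -and $result.PolicyReceived
    [pscustomobject]$result
}

Get-BitLockerReadiness | Format-List
```

Run it once after enrollment and once after the policy has arrived: if `PolicyReceived` is true but `VolumeStatus` stays `FullyDecrypted`, one of the prerequisites above is the usual culprit, and the individual flags point at which one.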

Windows 10 1709 – Users with administrative rights:

After the Bitlocker policy has arrived on the client the user will receive the following notification:

[Screenshot: Capture_1]

When the user clicks on that notification the following screens will be presented to the user:

[Screenshots: Capture_2, Capture_3]

After clicking through these screens the Bitlocker process will start and finish without errors. See below the results:

[Screenshot: Capture_4]

Windows 10 1709 – User with no administrative rights:

A user with no administrative rights will receive the policy from Intune and will see the same notification but is unable to continue through the wizard because administrative rights are needed to complete the wizard screens.

Windows 10 1803 – Users with administrative rights:

After the user enrolls their device and the policy arrives Bitlocker will be enabled without any notifications. The result will be a Bitlocker encrypted OS Drive.

The Bitlocker encryption will start automatically:

[Screenshot: Capture_5]

The Bitlocker encryption should complete successfully:

[Screenshot: Capture_6]

Windows 10 1803 – User with no administrative rights:

Now let’s take a look at how this looks on a device with a user who has no administrative rights. I’ve tested multiple Windows 10 Insider builds and with the latest build, 17107, both Autopilot and Bitlocker are working as expected. After the user enrolls their device and the policy arrives, Bitlocker will be enabled without any notifications. The result will be a Bitlocker encrypted OS Drive.

The Bitlocker encryption will start automatically:

[Screenshot: Capture_7]

The Bitlocker encryption should complete successfully:

[Screenshot: Capture_8]

On this link you can read more information about this new feature and the updated Bitlocker CSP within Windows 10.

8 thoughts on “Updated Bitlocker Experience with Windows 10 Insider and Intune”

  1. Rkast

    Strange name for the policy tbh. But thanks for sharing. All scripts and scheduled tasks can be removed 🙂 PS: I presume the BL key is automatically written to Azure AD?

  2. Is this only possible to configure via the BitlockerCSP with Intune or a 3rd Party MDM or is there an equivalent Registry Key I can configure?

    Anyone tried that with a Registry Key? Is it possible?

    • Arjan Vroege

      I’ve only used this through the CSP. I’ve not configured this through the registry.

      Regards, Arjan

  3. Hi, did you check which editions of Windows 10 this applies to? Enterprise, Business or Pro? It works on Enterprise and Business via Intune, but on the Pro edition it fails. In the CSP documentation it is stated that this is not supported on Pro. So why do they advertise that Pro can do BitLocker if the management is not there?

  4. jespernohr2015

    Thank You for an informative article.

    Can You confirm that this works on “Hybrid Azure AD joined” devices?

    I have it working on my “Azure AD joined” devices but the hybrid joined are not being silently encrypted. (Non admin users in both scenarios)

    Best regards
    Jesper
