How can I configure BitLocker settings on Windows 10 devices managed by Intune

Posted on July 4, 2017 by ncbrady

Introduction

Security is a big focus for many companies, especially when it comes to data leakage (company data). Encrypting data on Windows 10 devices using BitLocker means that data is protected. Microsoft Intune got yet more updates on June 30th, 2017, one of which was the ability to configure BitLocker settings detailed here. This ability was initially raised as a uservoice item.

  Quote

You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example, you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is turned on. For more information, see Endpoint protection settings for Windows 10 and later.

So let’s take a look at how it works.

Step 1. Create a Device Configuration Profile

In the Azure Portal, navigate to Intune, and select Device Configuration, then click on Profiles and then click on Create Profile, and fill in the following details:

  • Name: Configure BitLocker Settings
  • Platform: Windows 10 and later
  • Profile type: Endpoint Protection

Note: Endpoint Protection is the profile type for BitLocker configuration, not to be confused with System Center Endpoint Protection.

as shown below.

create-bitlocker-profile.gif

Step 2. Configure Settings in the profile

Next, in the Windows Encryption pane that appears, make your choices for Windows Settings,

Set the Require devices to be encrypted (Desktop only) option to Enable.

Enable BitLocker.png

Make note of the note (the ‘i’, you can hover over it to see the info it contains), and I’ve bolded part of that statement below:

  Quote

Selecting “Yes” will prompt end users to enable device encryption. End users will be asked to confirm there is no third party device encryption in use on their device. Turning on Windows encryption while third party encryption is in use will render device unstable.

So by requiring BitLocker encryption, your users will need to confirm the above prior to encryption taking place. Hopefully in the future we’ll be able to automate it 100% so that no user interaction is required.

For BitLocker base settings, set Configure encryption methods to Enable and then set the desired encryption level via the drop down menus for each drive connected.

bitlocker base settings.png

For BitLocker OS drive settings make your choices after setting Require additional authentication at startup  to Enable.

bitlocker os drive settings.png

For BitLocker fixed data-drive settings, you can deny write access to drives not BitLockered by enabling the option.

bitlocker fixed drive settings.png

 

And for BitLocker removable data-drive settings, make your choices.

bitlocker removable data drive settings.png

Once you’ve finished configuring the settings, click on OK and then click on Create, to Create the device configuration profile.

create profile.png

Step 3. Assign the profile to a group

Now that you’ve created the profile, you need to deploy it (assign it) to a Group containing Windows 10 devices.  Select the profile created above, and click on Assignments, next click on Select groups to Include.

assign and select.png

Select a previously created Group (or groups if you wish), I selected one which I previously created called BitLocker Configuration but you can select whichever Group you want, and then click on the Select button at the bottom of that pane, if it’s not visible, zoom out (browser zoom).

 

read the rest @ windows-noob.com here

This entry was posted in BitLocker, Intune. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.