One of my top recommendations is to always encrypt fixed drives. This recommendation is even more relevant in a world where a large percentage of the workforce is mobile and carries around laptops with access to corporate data, or, even worse, with corporate data stored on the laptops themselves. For this article we will focus on a new set of tools provided through Microsoft's Intune, but remember that encryption is also relevant for fixed disks on servers.
I have spent a lot of time deploying BitLocker using various tools like MBAM (Microsoft BitLocker Administration and Management), Intune endpoint protection policies and various scripts. All of them can to some degree ease the deployment, but I would argue that none of them are perfect, because zero touch is very hard to achieve: the end user always has to do something, or the laptop needs to be configured by a helpdesk technician. Not very satisfying if you are striving to deliver end-user experiences that require very little intervention.
With Windows 10 version 1809 and later, Microsoft has addressed this issue and made it possible to enable BitLocker on devices that are Azure AD Joined. This requires an endpoint protection policy from Intune, and even that has been made slightly easier to configure.
First off, make sure that the device is at the correct level and is Azure AD Joined – we were struggling with some clients that were MDM joined and wouldn't work, so this is very important.
Let's take a look at the configuration needed.
Go to the Microsoft Endpoint Manager admin center at https://endpoint.microsoft.com to enable the BitLocker policy.
Choose Disk Encryption in the left pane.
Press Create Policy, select Windows 10 and later as the platform and BitLocker as the profile.
Press Create to create the policy.
Name the new policy and add a description if needed.
In BitLocker – Base Settings set the following:
Enable full disk encryption… to Yes
Hide prompt about third-party… to Yes (if this is not set, encryption cannot continue past the warning prompt)
Allow standard users to… to Yes (if you use Autopilot to install devices)
Enable client-driven recovery… to Yes (if you want your users to be able to self-service)
In BitLocker – OS Drive Settings set the following:
Configure encryption method… to Yes
If you use scope tags, set them here.
Under Assignments select which groups the policy should be assigned to.
Check that everything is correct, and press Create.
On a device that is a member of the group, press Sync under MDM settings, or wait for the automatic sync cycle.
This will enable BitLocker drive encryption without any user intervention, and after a while you should see a lock on the C: drive – like magic.
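As an added example (not code from the original post), the PowerShell script below checks, on a device, the prerequisites the post calls out (Windows 10 1809 or later, Azure AD Joined rather than only MDM joined, a ready TPM) and then reports whether the policy actually produced an encrypted OS drive with a TPM protector and a recovery password. The registry path for the BitLocker CSP values and the event ID used to detect a recovery key escrowed to Azure AD are my own assumptions and are marked as such in the comments; everything else uses standard cmdlets from the BitLocker and TrustedPlatformModule modules.

```powershell
# Added verification script (not from the original post). Run elevated on the
# Azure AD Joined device after the Intune sync has completed.
#Requires -RunAsAdministrator

function Test-BitLockerPrereqs {
    $result = [ordered]@{}

    # Windows 10 1809 corresponds to build 17763; older builds lack the silent-enable behaviour.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $result.Build          = $build
    $result.BuildSupported = $build -ge 17763

    # Azure AD Joined, not merely MDM enrolled / Azure AD registered.
    # dsregcmd /status prints a line such as "AzureAdJoined : YES".
    $dsreg = dsregcmd /status
    $result.AzureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

    # A present and ready TPM is needed for the TPM key protector the policy creates.
    $tpm = Get-Tpm
    $result.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]$result
}

function Get-IntuneBitLockerPolicyValues {
    # Assumption: BitLocker CSP settings pushed by Intune land under this PolicyManager key.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (Test-Path $key) {
        Get-ItemProperty $key | Select-Object -Property * -ExcludeProperty PS*
    }
}

function Get-OsDriveBitLockerState {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint           = $os.MountPoint
        ProtectionStatus     = $os.ProtectionStatus      # On / Off
        VolumeStatus         = $os.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
        EncryptionPercentage = $os.EncryptionPercentage
        EncryptionMethod     = $os.EncryptionMethod      # e.g. XtsAes128 / XtsAes256
        HasTpmProtector      = $protectors -contains 'Tpm'
        HasRecoveryPassword  = $protectors -contains 'RecoveryPassword'
    }
}

function Test-RecoveryKeyEscrowedToAad {
    # Assumption: a successful backup of the recovery password to Azure AD is logged as
    # event ID 845 in the "Microsoft-Windows-BitLocker/BitLocker Management" log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -ErrorAction SilentlyContinue
    return [bool]$events
}

# --- Report ---------------------------------------------------------------
$prereqs = Test-BitLockerPrereqs
$prereqs | Format-List

if (-not ($prereqs.BuildSupported -and $prereqs.AzureAdJoined -and $prereqs.TpmReady)) {
    Write-Warning 'Prerequisites not met: the Intune policy will not enable BitLocker on this device without intervention.'
}

'Policy values delivered by Intune (empty if the policy has not synced yet):'
Get-IntuneBitLockerPolicyValues | Format-List

$state = Get-OsDriveBitLockerState
$state | Format-List

if ($state.ProtectionStatus -eq 'On' -and -not $state.HasRecoveryPassword) {
    Write-Warning 'OS drive is protected but has no recovery password protector; check the policy settings.'
}

if ($state.HasRecoveryPassword -and -not (Test-RecoveryKeyEscrowedToAad)) {
    # The recovery password exists locally but no escrow event was found. Operators can
    # force an escrow with BackupToAAD-BitLockerKeyProtector if the device stays in this state.
    Write-Warning 'No Azure AD escrow event found; verify the recovery key is visible in Azure AD before relying on it.'
}
```

The most useful check in practice is the last one: a drive that is encrypted but whose recovery password never reached Azure AD is the failure mode that turns a routine firmware update into a support ticket, so run this on a few pilot devices before assigning the policy broadly.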