Automatic bitlocker installation on Windows 10

Automatic bitlocker installation on Windows 10

 

One of my top recommendations is to always encrypt fixed drives. This recommendation is even more relevant in a world where a large percentage of the workforce is mobile and carries around laptops with access to corporate data, or even worse has corporate data on their laptops. For this article we will focus on a new set of tools provided through Microsofts intune but remember that encryption is also relevant on fixed disks on servers.

I have spent a lot of time deploying bitlocker using various tools like MBAM (Microsoft Bitlocker Administration and Management), intune endpoint protection policies and various scripts, all of them can to some degree ease the deployment but I would argue that none of them are perfect, because zero touch is very hard to achieve. Meaning that the end-user always must do something, or the laptop needs to be configured by a helpdesk technician. Not very satisfying if you are striving to deliver end-user experiences that requires very little intervention.

With Windows 10 version 1809 and later Microsoft has addressed this issue and made it possible to enable bitlocker on devices that are Azure AD Joined. This requires an endpoint protection policy from intune and even this has been made slightly easier to configure too.

First of make sure that the device is at the correct level and is Azure AD Joined – We were struggling with some clients that were MDM joined and wouldn’t work, so this is very important.

Let´s take a look at the configuration needed.

Go to the Microsoft Endpoint Manager Admin Center at Https://endpoint.microsoft.com to enable the bitlocker policy.

 

Choose Disk Encryption in the left pane

1

 

Press Create Policy and select platform as windows 10 and later and profile as Bitlocker

Press Create to create a policy

2

 

Name the new policy and add a description if needed

Press Next

3

 

In Bitlocker – Base settings set the following:

Enable full disk encryption… to Yes

Hide prompt about thirdparty… to Yes (if this is not set, it cannot continue past the warning prompt)

Allow standard users to… to Yes (if you use autopilot installation of devices)

Enable client-driven recovery… to Yes (if you want your users to be able to selfservice)

In Bitlocker – OS Drive Settings set the following:

Configure encryption method… to Yes

Press Next

4

 

If you use scope tags set them here

Press Next

5

 

Under Assignments select which groups it should be assigned to.

Press Next

6

 

Check that everything is correct, and press Create

7

 

On a device that is a member of the group press Sync under MDM settings or wait for the automatic sync cycle.

8

 

This will enable bitlocker drive encryption without user intervention required and after a while you should have a lock at the c-drive – like magic Winking smile.

9

Table of Contents

Share this post
Search blog posts
Authors
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.
Modern Workplace consultant and a Microsoft MVP in Windows and Devices for IT.

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

Passionate IT professional with 20+ experience in IT architecture, consulting, and design. 

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

M.Sc Cybersecurity student specializing in Microsoft Sentinel Solutions

M.Sc Cybersecurity student specializing in Microsoft Sentinel Solutions

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

follow us in feedly
Categories

Follow on SoMe