Configuring BitLocker encryption with Endpoint security - Link
Create the BitLocker Profile
Endpoint Security - Disk Encryption
Create Policy -
Click the drop down arrow - Select - Windows 10 and later
Under Profile, select BitLocker.
Create
Create
Create Profile -
Name - Windows 10 - BitLocker
Next
Read this guide to fully understand the configuration options - Link
The settings below follow the Microsoft best practices described in the guide above.
In this tutorial, I am choosing Silent Encryption to ensure devices are encrypted with no user interaction.
BitLocker - Base Settings
Notes from the Microsoft Guide above -
- It’s important not to target devices that are using third-party encryption. Enabling BitLocker on those devices can render them unusable and result in data loss.
- If your users are not local administrators on the devices, you will need to configure the Allow standard users to enable encryption during autopilot setting so that encryption can be initiated for users without administrative rights.
- The policy cannot have settings configured that will require user interaction.
BitLocker - Fixed Drive Settings
I am leaving this to the default - Not Configured
BitLocker - OS Drive Settings.
Note - If you select Yes and configure the Startup Authentication required section, this will force user interaction and BitLocker will not be silently enabled.
Once again, more information can be found in the Microsoft Guide - Link
As I want to silently encrypt the drives, I am leaving the setting to - Not Configured
BitLocker - Removable Drive Settings -
As I want to silently encrypt the drives, I am leaving the setting to - Not Configured
As an overview - Below are the settings I have configured for Silent Encryption
Next
Scope tags - Ignore
Assignments -
This is where we assign a group of devices or users that we want targeted.
In my scenario, I want to target Windows 10 devices only.
Click - Add groups
Search for and select the Device group.
In my instance, I am targeting all Autopiloted devices.
Next
Review the configurations
Create
The policy has been created
====================================================================
Monitoring the policy
Select the Policy - Monitor - to review the status of the deployment
Here we can see that Intune advises the device - Admin-408258845 - has successfully been assigned the policy.
Checking the BitLocker configuration on the device itself, however, shows that nothing has been applied yet.
====================================================================
Testing -
Hyper-V Virtual Machine settings
Must be Generation 2
On the properties of the VM - Select Security - and check that the TPM is enabled.
Ensure Enable Secure Boot is ticked.
Select - Encryption Support - Enable Trusted Platform Module
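To verify both the Hyper-V prerequisites above (UEFI/Generation 2, Secure Boot, TPM) and the device-side BitLocker state that the Intune Monitor blade does not show, the following is an added PowerShell check. It is not part of the original tutorial or of Intune; the function names Test-SilentBitLockerReadiness and Get-RecentBitLockerEvents are my own, and it uses only in-box cmdlets in an elevated session.

```powershell
# Added example (not from the original post): read-only readiness and status check
# to run on a test device or Hyper-V VM after the Intune policy reports as assigned.
function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Firmware type: a TPM protector needs UEFI, i.e. a Hyper-V Generation 2 VM.
    $firmware = $env:firmware_type

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # The TPM must be present and ready, or the OS drive cannot be
    # protected without prompting the user.
    $tpm = Get-Tpm

    # Current BitLocker state of the OS volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareType      = $firmware
        SecureBoot        = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        VolumeStatus      = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus  = $vol.ProtectionStatus   # Off until protectors are active
        EncryptionPercent = $vol.EncryptionPercentage
        KeyProtectors     = ($protectors -join ',') # expect Tpm and RecoveryPassword once the policy applies
        ReadyForSilent    = ($firmware -eq 'UEFI') -and $secureBoot -and $tpm.TpmPresent -and $tpm.TpmReady
    }
}

# Recent BitLocker management events explain a policy that shows as
# assigned in Intune but has not yet applied on the device.
function Get-RecentBitLockerEvents {
    param([int]$Count = 15)
    Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Test-SilentBitLockerReadiness | Format-List
Get-RecentBitLockerEvents | Format-Table -AutoSize -Wrap
```

If ReadyForSilent is False, fix the firmware, Secure Boot or TPM item first; re-checking the Intune Monitor blade alone will not change the device's state.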
=====================================================================