BIT-LOCKER ENCRYPTION USING INTUNE (NEW FEATURES)
Aahh... This topic, I guess, everyone is aware of, but still I usually play around or dig in myself to get to know it at a deeper level and understand exactly what encryption does in day-to-day life on each and everyone's device. Let me recall the one I shared recently on macOS encryption, which is also generally available from the Intune portal under the name FileVault Encryption! If you haven't looked at my previous post, then please find the link to learn more on how to achieve macOS encryption!
Before proceeding with Microsoft Intune to achieve BitLocker encryption, let me go back to basics about encryption.
Encryption is a process that encodes a message or file so that it can only be read by certain people. Encryption uses an algorithm to scramble, or encrypt, data, and the receiving party then uses a key to unscramble, or decrypt, the information.
The original, readable form of the message is referred to as plaintext. In its encrypted, unreadable form it is referred to as ciphertext. Basic forms of encryption may be as simple as switching letters.
So if we are looking at device encryption, it is not a one-stop solution for protecting all of your data and information from prying eyes, especially when you are sending data over the internet. Instead, device encryption converts all of the data stored on your phone or device into a form that can only be read with the correct credentials.
To learn more about how Microsoft handles device encryption, please go through Use Device Encryption By Microsoft Intune.
Coming back to Microsoft Intune, which deals with all of this device encryption, restriction, enrollment, configuration and so on: here's the good news for everyone. Fixed Data Drive and Removable Drive encryption settings are now available from Endpoint Management as well. (Earlier we only had OS Disk Drive encryption settings, with a minimal setup.)
Now we have the full set of settings under Device Configuration for Windows 10 or later clients to apply BitLocker base settings, OS disk drive settings, fixed data drive settings, and removable drive settings.
Removable data drives can also be encrypted using Microsoft Intune on Windows 10 or later clients.
This article covers BitLocker encryption for Windows 10 Pro/Enterprise clients and how we can achieve it from Intune without SCCM or on-premises AD in place.
PRE-REQUISITES ON ACHIEVING BIT-LOCKER ENCRYPTION:
For all devices, whether macOS or Windows 10 or later machines, kindly go through this first: Pre-requisites for BitLocker Encryption on every device.
So according to that article, for Windows 10 or later clients it requires Windows 10 Pro 1809 or later, while on Windows 10 Enterprise it works on every version.
NOTE: You must have Microsoft Intune licenses assigned to the specified users, and the policy will be pushed only to Azure AD joined machines.
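Before assigning the policy, it helps to confirm on the client that the prerequisites above are actually met. The following readiness check is an added example (not from the original post or from Microsoft); it assumes an elevated PowerShell session on the Windows client and uses the Windows 10 1809 build number (17763) as the Pro cut-off.

```powershell
# Added readiness check (not part of the original post): verifies the edition/build,
# TPM state and Azure AD join/MDM enrollment that the Intune BitLocker policy needs.
# Run in an elevated PowerShell session on the client.

function Test-BitLockerReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $isEnterprise = $os.Caption -match 'Enterprise'
    $isPro        = $os.Caption -match 'Pro'
    # Pro needs Windows 10 1809 (build 17763) or later; Enterprise works on any version.
    $editionOk = $isEnterprise -or ($isPro -and $build -ge 17763)

    # A present and ready TPM is required for the Compatible TPM (and TPM + PIN) protector.
    $tpm   = Get-Tpm
    $tpmOk = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # dsregcmd reports the join state; the policy is pushed only to Azure AD joined devices,
    # and MdmUrl is populated once the device is enrolled in Intune.
    $dsreg       = dsregcmd /status
    $aadJoined   = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $mdmEnrolled = [bool]($dsreg | Select-String 'MdmUrl\s*:\s*\S+')

    [pscustomobject]@{
        OSCaption     = $os.Caption
        Build         = $build
        EditionOk     = $editionOk
        TpmReady      = $tpmOk
        AzureAdJoined = $aadJoined
        MdmEnrolled   = $mdmEnrolled
        Ready         = $editionOk -and $tpmOk -and $aadJoined -and $mdmEnrolled
    }
}

Test-BitLockerReadiness | Format-List
```

A device reporting Ready = False here will not pick up the BitLocker policy, so fix the failing item (licence/enrollment, join state or TPM) before troubleshooting the policy itself.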
STEPS TO ACHIEVE BIT-LOCKER ENCRYPTION USING INTUNE
Let's start with the policies that need to be created in the Azure portal; to do that you must have Intune licenses or EM+S E3 or E5 licenses. Before setting up the Compliance and Configuration policies, first assign the license to a targeted user and also keep this user in a targeted group (in this case the New-BitLocker group).
BIT-LOCKER COMPLIANCE POLICIES
Let us start with the BitLocker compliance policies, for which you need to go to the Azure portal:
Creation of compliance policies for BitLocker encryption using the Azure portal
Here we will be setting up only the BitLocker functions from the compliance perspective, as given below:
Setting up Device Health under Device Compliance
Setting up the Encryption policy under System Security in the compliance policy
BIT-LOCKER CONFIGURATION POLICIES
Configuration policies are created from the Microsoft Intune tab: open the device configuration policies and set up the profile using Endpoint Management.
Configuration policy for Windows 10 clients
Setting up the BitLocker policy under Windows Encryption
Setting up the Windows Encryption policies from Endpoint Protection using the Azure portal
NOTE: For the BitLocker encryption policies, if you want a startup PIN to appear, you need to set the Compatible TPM startup PIN type.
You can even set the fixed data drives (OS partition drives) and removable drives for encryption.
Easy to set up the fixed data drive and removable data drive from Endpoint Management
Sometimes, when the policy doesn't work out the way administrators require, you must set up policy enforcement from the Azure Active Directory side:
Clicking on Microsoft Intune to set up the MDM scope or MAM scope from the Mobility tab to enforce the policy
Applies to the respective group (New-Test Bit-locker) to enforce the policy
Now it's time to see the results after creating the policies in Microsoft Intune and getting the output on the end clients (pushing the policy works only for Azure AD joined machines).
END RESULTS:
Joining the device to Azure Active Directory (Azure AD join)
Once the device is Azure AD joined, it will show as connected like this:
Connected with "heath@M365x490507.onmicrosoft.com" for Azure AD join
Once it is connected with the mentioned user, you need to log in with the same user as a new profile!
NOTE: There is no need to set up the fingerprint or Windows PIN option that comes by default once you log in and create the new profile!
After signing in with those credentials you will start getting a prompt like the one below:
BitLocker encryption required option shown on the Azure AD joined machine
Once you click this option, you can start with the BitLocker encryption by providing some inputs, as shown below:
Dialog box asking for the disk encryption option on the Windows machine
BitLocker initialises the drive
Based on the setup from the Azure portal, the BitLocker PIN is registered first
Asking the user where to back up the recovery key
For demo purposes I have saved the recovery key in the cloud domain account.
BitLocker asking for a choice between used-space-only and entire-drive encryption
Once all the setup is done, encryption starts; once it completes you can reboot or restart the machine to see the BitLocker PIN prompt come up first, and finally it will show the start screen.
Encrypting the drive using BitLocker pushed from Intune
Start screen after entering the BitLocker PIN to continue to the Windows login
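To confirm from the client that the end result matches the policy (drive encrypted, TPM + PIN protector present when a startup PIN is required, and the recovery password escrowed to Azure AD), the following verification is an added example (not from the original post or from Microsoft). It assumes an elevated session on the Azure AD joined device and that the built-in BitLocker PowerShell module is available.

```powershell
# Added verification step (not part of the original post): reports the encryption state
# and protector types per volume, flags OS volumes missing the TpmPin protector when a
# startup PIN is required by policy, and escrows recovery passwords to Azure AD.

function Get-BitLockerPolicyState {
    param([switch]$RequireStartupPin)   # set when the Intune policy requires a startup PIN

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector.KeyProtectorType)
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        # The startup PIN check only applies to the OS volume; data drives auto-unlock.
        $pinOk = (-not $RequireStartupPin) -or
                 ($vol.VolumeType -ne 'OperatingSystem') -or
                 ($types -contains 'TpmPin')
        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType          # OperatingSystem or Data
            Status         = $vol.VolumeStatus        # e.g. FullyEncrypted, EncryptionInProgress
            Percent        = $vol.EncryptionPercentage
            Protection     = $vol.ProtectionStatus    # On means protectors are enforced
            Protectors     = ($types -join ',')
            StartupPinOk   = $pinOk
            HasRecoveryPwd = [bool]$recovery
        }
    }
}

function Backup-RecoveryKeysToAzureAD {
    # Escrow every RecoveryPassword protector to the device's Azure AD object so the
    # key is retrievable from the portal even if the user never saved it anywhere.
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

Get-BitLockerPolicyState -RequireStartupPin | Format-Table -AutoSize
Backup-RecoveryKeysToAzureAD
```

An OS volume showing Protection = On but StartupPinOk = False means the drive encrypted with a TPM-only protector, so the Compatible TPM startup PIN setting from the configuration profile did not apply and should be revisited.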
This way you can set up BitLocker encryption using Intune, and you can also set the policies and check for successful results from the dashboard itself.
There is one more way to set up the BitLocker PIN, with a PowerShell script, using this: Setting the BitLocker PIN using Device Configuration! (Connect with me if any doubt occurs in Intune.)