bitlocker and win10 pro 1903, hybrid domain

  • Question

  • Hello, I want to encrypt my computers, Windows 10 Pro (1903 version), but Intune does not do anything...

    My domain is a hybrid domain.

    I have tried with Intune policies and with CSP, but it doesn't work. Microsoft docs say it is possible with Win10 Pro 1809 and later.

    What can I do? Is it possible to encrypt with BitLocker in this environment... hybrid domain, Windows Pro 1903?

    Thanks

    Thursday, November 14, 2019 8:54 AM

All replies

  • Yes. What is the status in the Intune BitLocker reports? https://docs.microsoft.com/en-us/intune/protect/encryption-monitor

    What were the exact settings you used in Intune to enable BitLocker?

    Can you see errors in the Event Logs in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin?

    Do you have the latest Cumulative Updates installed for Windows 10 1903?


    Thursday, November 14, 2019 9:56 PM
  • Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Before Windows 10, version 1809, only local administrators could enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. BitLocker Device Encryption status can be queried from managed machines via the Policy Configuration Service Provider (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for Conditional Access to services like Exchange Online and SharePoint Online.

    This is applicable to Azure Hybrid AD as well.

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises

    Best regards,

    Cici Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 15, 2019 7:23 AM
  • Yes. What is the status in the Intune BitLocker reports? https://docs.microsoft.com/en-us/intune/protect/encryption-monitor

    - The encryption method of the operating system volume does not match the BitLocker policy.
    - The operating system volume is not protected.
    - To encrypt drives, the BitLocker policy requires the user to log in as an administrator, or, if the device is attached to Azure AD, the AllowStandardUserEncryption directive must be set to 1.

    What were the exact settings you used in Intune to enable BitLocker?

    Encrypt devices...

    XTS-AES 256-bit

    Allow TPM...

    Can you see errors in the Event Logs in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin?

    Do you have the latest Cumulative Updates installed for Windows 10 1903?

    Yes



    Friday, November 15, 2019 9:37 AM
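As an added example (not code from anyone in this thread), the following PowerShell script collects on the affected device the facts the replies above keep asking about: the join state reported by dsregcmd, whether the logged-on user is a local administrator (the report's "requires the user to log in as an administrator" branch), TPM readiness, the real BitLocker state of the OS volume, the BitLocker policy values as applied on the box, and the latest MDM diagnostic and BitLocker management events. The FVE policy key and the value 7 for XTS-AES 256 are documented BitLocker policy values; the PolicyManager path used to look for AllowStandardUserEncryption is an assumption about where Intune mirrors the BitLocker CSP setting and is probed only if it exists. Run it elevated on the Windows 10 1903 machine.

```powershell
# Added diagnostic script for the Intune/BitLocker symptom in this thread.
# Assumed (not from the thread): the PolicyManager registry path below.

function Test-IsLocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-JoinState {
    # Hybrid Azure AD join should show AzureAdJoined : YES and DomainJoined : YES
    $lines = dsregcmd /status
    $state = @{}
    foreach ($l in $lines) {
        if ($l -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:\s*(.+)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-OsVolumeBitLockerState {
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return [pscustomobject]@{
        VolumeStatus     = $v.VolumeStatus        # FullyDecrypted means nothing happened yet
        ProtectionStatus = $v.ProtectionStatus
        EncryptionMethod = $v.EncryptionMethod    # policy asked for XtsAes256
        KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

function Get-AppliedBitLockerPolicy {
    # Documented BitLocker policy key written by GPO and by the BitLocker CSP.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $result = [ordered]@{}
    if (Test-Path $fve) {
        $p = Get-ItemProperty -Path $fve
        # EncryptionMethodWithXtsOs: 7 = XTS-AES 256, 6 = XTS-AES 128 (documented values)
        $result['EncryptionMethodWithXtsOs'] = $p.EncryptionMethodWithXtsOs
        $result['UseTPM']                    = $p.UseTPM
    }
    # ASSUMPTION: MDM-delivered BitLocker CSP values are mirrored under PolicyManager.
    $pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (Test-Path $pm) {
        $m = Get-ItemProperty -Path $pm
        $result['AllowStandardUserEncryption'] = $m.AllowStandardUserEncryption  # expect 1
    } else {
        $result['AllowStandardUserEncryption'] = 'PolicyManager key not present (path is an assumption)'
    }
    return $result
}

function Get-RecentMdmAndBitLockerEvents {
    $logs = @(
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
        'Microsoft-Windows-BitLocker/BitLocker Management'
    )
    foreach ($log in $logs) {
        # Level 2 = Error, 3 = Warning
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } -MaxEvents 10 `
            -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { $_.Message -split "`n" | Select-Object -First 1 } }
    }
}

"== Join state ==";            Get-JoinState | Format-Table -AutoSize
"== Logged-on user is admin: $(Test-IsLocalAdmin)"
"== TPM ==";                   Get-Tpm | Select-Object TpmPresent, TpmReady | Format-Table -AutoSize
"== OS volume BitLocker ==";   Get-OsVolumeBitLockerState | Format-List
"== Applied policy ==";        Get-AppliedBitLockerPolicy | Format-Table -AutoSize
"== Recent MDM / BitLocker events =="; Get-RecentMdmAndBitLockerEvents | Format-Table -Wrap
```

Read the output against the report text: a standard user plus a missing or zero AllowStandardUserEncryption explains the "requires the user to log in as an administrator" line, a FullyDecrypted volume with an EncryptionMethodWithXtsOs other than 7 explains the "encryption method does not match" line, and TpmReady = False means the "Allow TPM" policy cannot be satisfied regardless of the user's rights.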
  • Are you using Autopilot with standard users?

    Do you have "Allow standard users to enable encryption during Azure AD Join" in your BitLocker profile?
    Sunday, November 17, 2019 10:27 PM
  • No, I'm not using Autopilot.

    Yes, I have enabled that option.

    Tuesday, November 19, 2019 11:13 AM