Forum Discussion

Bryan Hall
Brass Contributor
Aug 11, 2020

BitLocker Compliance/Configuration/Endpoint Security Policy Confusion

I'm relatively new to endpoint management and AutoPilot is my second foray into it (after MAM/APP). I'm confused as to the difference between Compliance and Configuration Policies, and Endpoint Security policies add more confusion.

Here are some of my questions, particularly when the same types of settings are available in different types of policies:

  • If I want to enforce a setting (configure the setting and either prevent changes or ensure the configuration is reverted to the desired configuration), do I use Configuration Policies?
  • When would I use Compliance Policy vs Configuration Policy?
  • When would I use Endpoint Security Policy?
  • Specific to BitLocker, which of the three is the best place to configure BitLocker (to automatically enable and enforce the configuration)?
  • What's the best way to handle computers that might not have TPM chips, but we'd like to have a default BitLocker policy? Would I have to explicitly exclude a group of computers that do not have a TPM from the policy where BitLocker is enforced?
  • For AutoPilot, which type of policy is best to enable BitLocker at OOBE?
  • In a scenario where BitLocker (and the TPM requirement) are required by a policy, but a target machine does not have a TPM chip, what should I expect in terms of full functionality when accessing company resources?

Thanks in advance for helping me learn!

  • 
    Moe_Kinani
    Bronze Contributor
    Hi Bryan,

    I will try to answer all the questions, pretty sure that my colleagues will have more to add.

    Compliance Policy: These are the policies that decide whether your devices are compliant with Endpoint or not. If the device is not compliant, Config Policies and others will not get applied.

    Config Policies: Policies with which you can make changes to your devices, similar to any other vendor's MDM policies.

    Security Baseline: I describe it to my customers as GPO-like or recommended settings; they get updated with each new Windows release.

    1. I would use Config Policy/ Administrative Templates.

    2. You use Config Policy when devices are Compliant with your Compliance Policies.

    3. Use it if you find a setting that is not available in Config Policy.

    4. I like to use silent encryption via a Config Policy, and specifically this URL for setup:

    https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/

    5. You certainly can't silently encrypt devices without TPM 2.0 using Intune.

    6. Config policy, same article shared above.

    7. It will prompt them to encrypt their PCs; then they go there and see a red X. I would exclude PCs without TPMs.

    Hope this answers the questions!
    Moe



    • 
      Bryan Hall
      Brass Contributor

      Thanks Moe_Kinani for taking the time to reply.


      1. Do compliance policies actually make/enforce changes or do they only check if the configuration is set?
      2. If a device is receiving a config for the same device setting through both Compliance and Configuration policies, I understand that Compliance policies take precedence. If that's the case, what is the best method to ensure that a device is configured with the appropriate settings (via Intune) and ensure compliance? If the device fails the Compliance policy from the start, can the Configuration policy for that item still get applied?

      Thanks again


      • 
        Moe_Kinani
        Bronze Contributor
        Hi Bryan,

        1. Compliance policies are just rules and settings that devices must meet to be compliant. They don't force config settings on devices.

        2. Config and other policies get applied on compliant devices only, so you need to set up your Compliance Policy and have the devices marked as compliant, then start to apply your config policies.

        Hope this helps!

        Moe
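Moe's first reply (points 5 and 7) recommends excluding PCs without a TPM from the silent-encryption policy. The following PowerShell script is an added example, not code from the thread or from Microsoft: it inventories the facts an admin needs to build that exclusion group (TPM presence and readiness, TPM spec version, UEFI/Secure Boot state, and the current BitLocker status of the OS volume) and exits non-zero on devices that should be excluded, so it can be used directly as an Intune detection script. The TPM 2.0 threshold follows Moe's statement above; the UEFI and Secure Boot checks are assumptions added here as common prerequisites, not an official rule set. Run it elevated on Windows 10 or 11.

```powershell
# Added example (not from the thread): report whether a device can take an
# Intune "silently enable BitLocker" policy, so devices without a usable TPM
# can be placed in an exclusion group as suggested in the discussion.
# Assumptions: elevated PowerShell on Windows 10/11; TPM 2.0 threshold from the
# thread; UEFI and Secure Boot checks are added here as prerequisites.

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param(
        [string] $OsDrive = $env:SystemDrive   # e.g. 'C:'
    )

    # TPM state: Get-Tpm reports presence/readiness; the Win32_Tpm CIM class
    # exposes the spec version string, e.g. '2.0, 0, 1.38' or '1.2, 2, 3'.
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { $null }

    # Firmware: $env:firmware_type is 'UEFI' or 'Legacy'. Confirm-SecureBootUEFI
    # throws on legacy BIOS, so treat an exception as "Secure Boot unavailable".
    $isUefi = ($env:firmware_type -eq 'UEFI')
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Current BitLocker state of the OS volume (BitLocker PowerShell module).
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue

    # Collect every reason the device would not silently encrypt.
    $reasons = New-Object System.Collections.Generic.List[string]
    if (-not $tpm.TpmPresent) {
        $reasons.Add('No TPM')
    } elseif (-not $tpm.TpmReady) {
        $reasons.Add('TPM present but not ready (initialize or clear it)')
    }
    if ($specVersion -and ([version]$specVersion -lt [version]'2.0')) {
        $reasons.Add("TPM spec $specVersion is below 2.0")
    }
    if (-not $isUefi)     { $reasons.Add('Legacy BIOS boot') }
    if (-not $secureBoot) { $reasons.Add('Secure Boot off or unavailable') }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        TpmPresent                = [bool]$tpm.TpmPresent
        TpmReady                  = [bool]$tpm.TpmReady
        TpmSpecVersion            = $specVersion
        Uefi                      = $isUefi
        SecureBoot                = [bool]$secureBoot
        OsVolumeStatus            = $(if ($vol) { $vol.VolumeStatus.ToString() } else { 'Unknown' })
        ProtectionOn              = $(if ($vol) { $vol.ProtectionStatus -eq 'On' } else { $false })
        SilentEncryptionCandidate = ($reasons.Count -eq 0)
        BlockingReasons           = ($reasons -join '; ')
    }
}

# Usage: print the readiness report; as an Intune detection script, exit 1 for
# devices that belong in the "exclude from silent encryption" group.
$report = Get-BitLockerReadiness
$report | Format-List

if (-not $report.SilentEncryptionCandidate) {
    Write-Output "Exclude from silent-encryption policy: $($report.BlockingReasons)"
    exit 1
}
exit 0
```

Deployed as an Intune PowerShell script or proactive-remediation detection, the exit code alone identifies the machines to move into the exclusion group; the `OsVolumeStatus` and `ProtectionOn` fields separately tell you whether a device that is a candidate has actually finished encrypting, which is the state the compliance policy's "Require BitLocker" check reports on.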