Forum Discussion
Intune Manage Windows 10 Encryption without admin rights
Information regarding a change in behavior of BitLocker and next Windows 10 Version is available on docs:
https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
AllowWarningForOtherDiskEncryption
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
Important
Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
If AllowWarningForOtherDiskEncryption is set to 0 on a 1803 enterprise device, will it assume defaults for the other settings?
Also, does this value being 0 have any relationship to computers wanting to reset the TPM after the upgrade to 1803?
- May 16, 2018
Hi Neil,
Yes, it will assume defaults for the other settings.
Regarding a reset of the TPM after the 1803 upgrade, I'm not sure; I didn't test it extensively and my tests were on 1709, so I have no experience with this setting after an upgrade. But as a logical conclusion I would assume it shouldn't impact the TPM during the upgrade, as you normally start from a 1709 BitLocker-enabled device and the upgrade is BitLocker-aware and only does a suspend and re-enable. IMHO this setting should not influence an upgrade, but I can't say for sure.
best,
Oliver
- Neil Goldstein, Jun 05, 2018, Iron Contributor
I would have uploaded more details but I had to freeze 1803 updates because of Edge crashing.
I am 95% sure it's because of a bug with Edge when Windows Defender Application Control is set to:
-> audit
-> "Trust apps with good reputation"
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17343551/
As soon as I can start rolling 1803 again I'll upload more info on this TPM issue.
- Jul 17, 2018
FYI
BitLocker CSP added functionality...
https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
AllowStandardUserEncryption
Allows Admin to enforce the "RequireDeviceEncryption" policy for scenarios where the policy is pushed while the current logged-on user is a non-admin/standard user Azure AD account.
Note
This policy is only supported in Azure AD accounts.
The "AllowStandardUserEncryption" policy is tied to the "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e., silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
The expected values for this policy are:
- 1 = The "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if the current logged-in user is a standard user.
- 0 = This is the default when the policy is not set. If the current logged-on user is a standard user, the "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
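As an added example (not part of the thread or of Microsoft's documentation), the following PowerShell audits a device against the interaction the quoted docs describe: it reads the MDM-applied BitLocker CSP values, checks Azure AD join and the current user's role, predicts whether silent encryption should be attempted, and compares that with the actual state of the OS volume. The registry location under PolicyManager where the CSP values land is an assumption; `Get-BitLockerVolume` and `dsregcmd /status` are standard Windows tooling.

```powershell
# Added example: audit BitLocker CSP policy state vs. actual volume status.
function Get-BitLockerCspValue {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed location where Intune/MDM-applied BitLocker CSP settings are stored.
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    try { return (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }   # not set: caller applies the documented default
}

function Test-SilentEncryptionExpected {
    param(
        $AllowWarning,        # AllowWarningForOtherDiskEncryption (0 = silent)
        $AllowStandardUser,   # AllowStandardUserEncryption (default 0 when unset)
        $RequireEncryption,   # RequireDeviceEncryption (1 = enforce)
        [bool]$IsAzureAdJoined,
        [bool]$UserIsAdmin
    )
    # Order of checks follows the quoted docs: RequireDeviceEncryption drives the
    # encryption attempt, value 0 of the warning policy only applies to Azure AD
    # joined devices, and a standard user needs AllowStandardUserEncryption = 1.
    if ($RequireEncryption -ne 1) { return 'RequireDeviceEncryption not enforced' }
    if ($AllowWarning -ne 0)      { return 'Warning prompt allowed; encryption is not silent' }
    if (-not $IsAzureAdJoined)    { return 'Value 0 requires an Azure AD joined device' }
    if (-not $UserIsAdmin -and $AllowStandardUser -ne 1) {
        return 'Standard user logged on and AllowStandardUserEncryption is not 1; no attempt'
    }
    return 'Silent encryption expected'
}

# Live device state. dsregcmd /status prints "AzureAdJoined : YES" when joined.
$aadJoined = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin   = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                 [Security.Principal.WindowsBuiltInRole]::Administrator)

$verdict = Test-SilentEncryptionExpected `
    -AllowWarning      (Get-BitLockerCspValue 'AllowWarningForOtherDiskEncryption') `
    -AllowStandardUser (Get-BitLockerCspValue 'AllowStandardUserEncryption') `
    -RequireEncryption (Get-BitLockerCspValue 'RequireDeviceEncryption') `
    -IsAzureAdJoined $aadJoined -UserIsAdmin $isAdmin

"Policy verdict: $verdict"
# What BitLocker actually did on the OS drive, for comparison with the verdict.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

When the verdict predicts silent encryption but the OS volume still reports FullyDecrypted, the policy did not take effect as the quoted docs describe, and the device's MDM diagnostic report is the next place to look.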