Forum Discussion
Microsoft BitLocker Management from Intune
- Jul 30, 2019
Hey Mitul Sinha,
then I think your test setup had a different problem, because there is no dependency on MFA for BitLocker enablement. To really confirm my statement I verified it in my test tenant right now. I disabled all MFA (AADJ & WHfB), enrolled a device, didn't see any MFA prompt (no MFA at all), and my BitLocker policies in Intune enabled encryption and my AADJ device is encrypted. The BitLocker key is in AAD and everything is fine in the Intune portal (green icons - configurations successfully applied).
So, again, BitLocker has no dependency on MFA and can be enabled without MFA. Your problem in your tests seems to be rooted somewhere else.
Key rotation is currently not available but BitLocker is functional without MFA.
best,
Oliver
For a successful encryption we have to set up the Windows 10 PIN, though we haven't pushed any MFA or PIN policies from Intune.
- Mitul Sinha (MCT), Jul 31, 2019
Thank you so much, Oliver, for the response. It's always a pleasure talking with MVPs, and I will once again test the same and get back to you if any queries occur.
- Mitul Sinha (MCT), Jul 31, 2019
Oliver, so I have tested it out today and came up with this screenshot, as it always asks for this option. Before asking if the Windows machine has a fingerprint I have to set that as well, so I set both the options, MFA as well as PIN for Windows, and then encryption was done for BitLocker, but yes, I didn't get any BitLocker PIN to set up, as the Device Configuration policies didn't push and got an error.
Windows PIN Setup at Startup
Device Configuration failed from Intune but Device Compliance was successful
Device Compliance Success
Device Configuration Failed
Please let me know how we can achieve successful BitLocker encryption where the BitLocker PIN should appear!!
- Jul 31, 2019
Hey Mitul Sinha,
for silent encryption you have to skip the "require startup PIN" settings. A PIN can only be achieved by using the wizard, which is user driven. Silent auto encryption is TPM-only. Can you please test automatic encryption with the following settings (no additional authentication at startup):
In addition I have a guide here:
Enabling BitLocker on non-HSTI devices with Intune
https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/
best,
Oliver
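
A way to confirm on the device what the reply above describes (silent encryption leaves a TPM-only protector, with no startup PIN), as an added example that is not part of the original posts. The function name `Test-SilentBitLockerState` and the sample volume object are constructed for illustration; `Get-BitLockerVolume` is the cmdlet from the built-in BitLocker module.

```powershell
# Added example: classify the key protectors on a BitLocker volume.
# Test-SilentBitLockerState is a hypothetical helper name, not an Intune or Windows cmdlet.
function Test-SilentBitLockerState {
    param([Parameter(Mandatory)] $Volume)

    # Normalise protector types to strings so real enum values and sample strings compare the same way
    $types    = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $pinTypes = 'TpmPin', 'TpmPinStartupKey'
    $hasPin   = [bool]($types | Where-Object { $_ -in $pinTypes })

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        VolumeStatus        = [string]$Volume.VolumeStatus
        ProtectionStatus    = [string]$Volume.ProtectionStatus
        Protectors          = $types -join ', '
        # Silent encryption is expected to leave a plain TPM protector and no PIN-based one
        TpmOnly             = ($types -contains 'Tpm') -and -not $hasPin
        StartupPinPresent   = $hasPin
        # The recovery password is the protector that gets escrowed to the directory
        RecoveryPasswordSet = $types -contains 'RecoveryPassword'
    }
}

# Constructed sample that mimics the shape of Get-BitLockerVolume output (not real device data)
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'On'
    KeyProtector     = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}
Test-SilentBitLockerState -Volume $sample

# On an enrolled device, from an elevated prompt:
# Test-SilentBitLockerState -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive)
```

If `StartupPinPresent` is true, the volume was set up through the user-driven wizard rather than silent encryption.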