Windows Office Hours: May 18, 2023
Thursday, May 18, 2023, 08:00 AM PDT
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated May 18, 2023
Joe_Lurie
Microsoft
May 18, 2023
@Howdy412 Hi Tyler, thanks for reaching out. Encryption is a policy that will not reapply once it shows as successfully applied. Best bet is to create a duplicate of the policy and apply the new policy to the device, and to remove admin rights from the user so that they cannot decrypt the drive.
You should also create a compliance policy and conditional access policy requiring encryption so that they cannot access resources when decrypted, and possibly a Remediation script (formerly known as Proactive Remediation). With the Remediation script you create a "detection" script checking for encryption, and a "remediation" script which could run manage-bde to encrypt if it's not encrypted.
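The detection/remediation pair described in the reply above, written out as an added example (this is not Joe's code or a Microsoft-provided script). It assumes the Intune Remediations convention that a detection script exits 0 when the device is compliant and non-zero when remediation is needed, targets the OS drive only, and chooses TPM plus recovery-password protectors; the recovery password is escrowed to Azure AD so that an encrypted drive is never left without a recoverable key.

```powershell
# ---------- Detection script (constructed example) ----------
# Exit 0 = compliant (no remediation), exit 1 = non-compliant (run remediation).
$osDrive = $env:SystemDrive
try {
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
} catch {
    Write-Output "Cannot query BitLocker on $osDrive : $($_.Exception.Message)"
    exit 1
}
if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On') {
    Write-Output "Compliant: $osDrive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    exit 0
}
Write-Output "Non-compliant: $osDrive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
exit 1

# ---------- Remediation script (constructed example) ----------
# Runs only when detection exited 1. Handles three states the detection
# treats as non-compliant: decrypted, encrypted but protection suspended,
# and encryption still in progress.
$osDrive = $env:SystemDrive
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    # Without a ready TPM the TPM protector cannot be added; report and let
    # the next detection cycle flag the device again rather than guessing.
    Write-Output "TPM not present or not ready on this device; cannot enforce policy"
    exit 1
}
$vol = Get-BitLockerVolume -MountPoint $osDrive
switch ($vol.VolumeStatus) {
    'FullyDecrypted' {
        # Recovery password first so a key exists before encryption starts.
        & manage-bde -protectors -add $osDrive -RecoveryPassword | Out-Null
        & manage-bde -protectors -add $osDrive -TPM | Out-Null
        # Used-space-only encryption finishes quickly on already-provisioned devices;
        # the hardware test is skipped so no extra reboot is required.
        & manage-bde -on $osDrive -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    'FullyEncrypted' {
        # Drive is encrypted but a local admin suspended protection: re-enable it.
        if ($vol.ProtectionStatus -ne 'On') {
            & manage-bde -protectors -enable $osDrive | Out-Null
        }
    }
    default {
        # EncryptionInProgress / DecryptionInProgress: nothing to do yet.
        Write-Output "$osDrive is $($vol.VolumeStatus); waiting for next detection cycle"
    }
}
# Escrow every recovery password to Azure AD so decryption remains recoverable.
$vol = Get-BitLockerVolume -MountPoint $osDrive
foreach ($p in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}
Write-Output "Remediation finished: $osDrive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
exit 0
```

Upload the two halves as separate detection and remediation scripts in the Remediations package, run them in the 64-bit host as the system account (the BitLocker and TPM cmdlets require elevation), and keep the compliance policy from the reply above in place: the remediation re-encrypts the drive, but only the compliance plus conditional access combination stops the user from reaching company resources during the window in which the drive is decrypted.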
Howdy412
May 18, 2023
Occasional Reader
Hi Joe,
I did try creating a duplicate of the policy. While again it shows it applied to the device, the drive remains unencrypted.
Thank you for the tip on compliance policy and conditional access policies.
R D
May 18, 2023
Copper Contributor
This page has some useful info that might help: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-protection/troubleshoot-bitlocker-policies