InstantGo Azure AD Join Encryption / Policy Required


Hi All

Just need some clarification here.

It's my understanding that InstantGo devices are automatically encrypted when joined to Azure AD.

All good.

So, would there be a need to have a Device Configuration Policy for BitLocker or just a Compliance Policy to check that the encryption was successful?

Info greatly appreciated.

Stuart

1 Reply

Hi Stuart,

Yes, they are encrypted, but if you like to control things like removable data drives you would need one. In addition, if the device is not InstantGo capable but an 1803 version of Windows 10, you can even enforce encryption ("Encrypt device" = Require) in silent activation if you choose the new setting "Warning for other disk encryption" to block. If not InstantGo and pre-1803 and "Encrypt device" = Require, you will get a wizard to guide the user to activate BitLocker.

Compliance is always good for reporting or, in conjunction with Conditional Access, a requirement.

Best,

Oliver
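
As an added example (not part of the thread and not Microsoft's code): a local PowerShell check of what an encryption compliance policy would need to see on the OS drive, plus whether the device is at the 1803 build the reply mentions. It assumes the built-in BitLocker module and an elevated session; the function name `Get-OsDriveEncryptionReport` is hypothetical, and treating a missing recovery password as a finding is this example's choice.

```powershell
#Requires -RunAsAdministrator
# Added example: report the BitLocker state of the OS drive on this device.

function Get-OsDriveEncryptionReport {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive
    )

    # Windows 10 version 1803 corresponds to build 17134.
    $build  = [System.Environment]::OSVersion.Version.Build
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Collect key protector types as strings; an unprotected volume has none.
    $protectors = @($volume.KeyProtector |
        Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        MountPoint          = $volume.MountPoint
        Build               = $build
        Is1803OrLater       = ($build -ge 17134)
        VolumeStatus        = "$($volume.VolumeStatus)"
        ProtectionStatus    = "$($volume.ProtectionStatus)"
        EncryptionMethod    = "$($volume.EncryptionMethod)"
        HasTpmProtector     = ($protectors -contains 'Tpm')
        HasRecoveryPassword = ($protectors -contains 'RecoveryPassword')
    }
}

$report   = Get-OsDriveEncryptionReport
$findings = @()

# Encrypted data with protection off is not protected: the key is exposed
# until protection is turned on or resumed.
if ($report.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "Volume status is $($report.VolumeStatus)"
}
if ($report.ProtectionStatus -ne 'On') {
    $findings += "Protection status is $($report.ProtectionStatus)"
}
if (-not $report.HasRecoveryPassword) {
    $findings += 'No recovery password protector on the OS drive'
}

$report | Format-List
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```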

 
