Dec 22 2017 07:49 AM
Recently I've started working a lot more with Intune by itself to manage an environment. I'm running into an issue where, if I require devices to be encrypted with BitLocker, the end user gets a UAC prompt where an admin needs to sign in to allow them to start encryption. Is there any way around this, especially if I'm sending out a remote device utilizing Autopilot?
Dec 29 2017 07:43 AM
Yeah, I noticed that too when I was playing around with AutoPilot and Compliance Policy.
To start the encryption I had to type my GA credentials; not even the AutoPilot admin account works.
Quite unexpected I would say.
Dec 29 2017 09:13 AM
I've been working with a few colleagues to get further on this. Right now we are testing a few ways to work around this. One method is having a device auto-encrypt during Azure AD join. To do this, though, you need to have InstantGo; the following linked TechNet blog covered it well. Otherwise, for devices without this, I'm testing an Intune PowerShell script which automatically encrypts a device. This seems to work with a user assignment but not with device assignments. I'll be opening a support case with Microsoft around that policy enforcement. I can update this later if that helps; otherwise I'll write a post on it.
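For readers who want to see what such an Intune script looks like, here is an added example (not the poster's script, and not Microsoft's): it silently turns on BitLocker for the OS drive of a TPM-equipped Windows 10 device and escrows the recovery password to Azure AD. It assumes the script is deployed through the Intune management extension with "Run this script using the logged on credentials" set to No, so it runs as SYSTEM and the logged-on standard user sees no UAC prompt; it also assumes the device is Azure AD joined, which BackupToAAD-BitLockerKeyProtector requires. The 64-bit re-launch at the top is there because the Intune script host of that era was 32-bit and the BitLocker module is only available in the 64-bit host.

```powershell
<#
  Added example, not code from this thread.
  Silently enable BitLocker on the OS drive and escrow the recovery password to Azure AD.
  Assumptions (not stated in the thread):
    - runs as SYSTEM via the Intune management extension (no UAC prompt for the user)
    - device is Azure AD joined, so the key can be backed up to the tenant
    - the script may start in a 32-bit host and must re-launch itself in 64-bit PowerShell
#>

# Re-launch in the 64-bit host if we were started as a 32-bit process on 64-bit Windows.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    $ps64 = Join-Path $env:WINDIR 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

Import-Module BitLocker
$osDrive = $env:SystemDrive   # normally C:

# Precondition: a present and ready TPM, otherwise a TPM protector cannot be created.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output "TPM not present or not ready on this device; leaving $osDrive unencrypted."
    exit 1
}

# Idempotence: the script is re-run by Intune on failure, so do nothing if encryption
# is already on or in progress.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$osDrive status is $($vol.VolumeStatus); nothing to do."
    exit 0
}

# 1. Start encryption with a recovery password protector. -SkipHardwareTest avoids the
#    reboot-and-test round trip (the TPM was checked above); -UsedSpaceOnly keeps the
#    initial encryption short on a freshly provisioned Autopilot device.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null

# 2. Add the TPM protector so the drive unlocks without user interaction at boot.
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmProtector | Out-Null

# 3. Escrow every recovery password to Azure AD so it appears on the device object.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId
}

Write-Output "BitLocker enabled on $osDrive; $($recovery.Count) recovery password(s) escrowed to Azure AD."
exit 0
```

Two things worth checking after the first test run: that Get-BitLockerVolume shows both a Tpm and a RecoveryPassword protector on the OS drive, and that the recovery key is visible on the device in the Azure AD portal before the device is shipped. If escrow fails (for example because the device is not yet Azure AD joined when the script runs), the script exits 0 anyway, so treat the portal check as the real success criterion.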
Jan 12 2018 03:23 AM
Douglas, this is something that we are looking at also, and the UAC prompt is annoying! ha.
PowerShell is what I was thinking, but let us know how you get on with your support case. It may be worth seeing if you can get a Design Change Request (DCR) completed for this, as I'm assuming there are numerous others wanting to do this seamlessly.
Jan 28 2018 11:23 AM
Hi,
it seems you are looking for a solution like this:
Hardware independent automatic Bitlocker encryption using AAD/MDM
This can run in standard user configurations also.
But maybe we will get something in Win10 Version 1803 for BitLocker... did you check the latest Insider Preview?
Jan 28 2018 01:25 PM
Information regarding a change in the behavior of BitLocker in the next Windows 10 version is available on docs:
https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
AllowWarningForOtherDiskEncryption
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
Important
Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
May 14 2018 05:24 PM
If AllowWarningForOtherDiskEncryption is set to 0 on a 1803 enterprise device, will it assume defaults for the other settings?
Also, does this value being 0 have any relationship to computers wanting to reset the TPM after the upgrade to 1803?
May 16 2018 03:12 AM
Hi Neil,
Yes, it will assume defaults for the other settings.
Regarding a reset of the TPM after the 1803 upgrade, I'm not sure; I didn't test it extensively and my tests were on 1709, so I have no experience with this setting after an upgrade. But as a logical conclusion I would assume it shouldn't impact the TPM during the upgrade, as you normally start from a 1709 BitLocker-enabled device and the upgrade is BitLocker-aware and only does a suspend and re-enable. IMHO this setting should not influence an upgrade, but I can't say for sure.
best,
Oliver
Jun 05 2018 12:28 PM
I would have uploaded more details, but I had to freeze 1803 updates because of Edge crashing.
I am 95% sure it's because of a bug in Edge when Windows Defender Application Control is set to:
-> audit
-> "Trust apps with good reputation"
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17343551/
As soon as I can start rolling out 1803 again I'll upload more info on this TPM issue.
Jul 17 2018 12:47 AM
FYI
BitLocker CSP added functionality...
https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
AllowStandardUserEncryption
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
Note
This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
The expected values for this policy are:
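Putting the CSP settings quoted above together, the custom OMA-URI configuration that gives silent encryption for a standard user looks like the following. This is an added summary, not part of any post; the Name values are my own, the OMA-URIs and values come from the BitLocker CSP documentation linked above. Per that documentation, value 0 for AllowWarningForOtherDiskEncryption can only be set on Azure AD joined devices, and AllowStandardUserEncryption has no effect unless AllowWarningForOtherDiskEncryption is set to 0.

```text
Name:      BitLocker - RequireDeviceEncryption
OMA-URI:   ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
Data type: Integer
Value:     1

Name:      BitLocker - AllowWarningForOtherDiskEncryption (silent encryption, 1803 and later)
OMA-URI:   ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption
Data type: Integer
Value:     0

Name:      BitLocker - AllowStandardUserEncryption (1809 and later)
OMA-URI:   ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Data type: Integer
Value:     1
```

Assign the profile to devices rather than users, since the point of AllowStandardUserEncryption is that the policy is enforced while a non-admin Azure AD user is the one logged on.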
Jul 17 2018 06:09 AM
Additional notice regarding AllowStandardUserEncryption:
it's scheduled for the next major Windows version, aka RS5, aka 1809;
see the BitLocker CSP article diagram at the beginning.
Oct 24 2018 04:28 AM
Hi,
In the meantime, Windows 10 version 1809 and the new BitLocker CSP have become available. I implemented and tested BitLocker with the Intune configuration policies, without any PowerShell script, and documented it here: https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/
best,
Oliver