cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

%3CLINGO-SUB%20id%3D%22lingo-sub-1579889%22%20slang%3D%22en-US%22%3EBitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1579889%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20relatively%20new%20to%20endpoint%20management%20and%20AutoPilot%20is%20my%20second%20foray%20into%20it%20(after%20MAM%2FAPP).%26nbsp%3B%20I'm%20confused%20as%20to%20the%20difference%20between%20Compliance%20and%20Configuration%20Policies%2C%20and%20Endpoint%20Security%20policies%20adds%20more%20confusion.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20are%20some%20of%20my%20questions%2C%20particularly%20when%20the%20same%20types%20of%20settings%20are%20available%20in%20different%20types%20of%20policies%3A%3C%2FP%3E%3CUL%3E%3CLI%3EIf%20I%20want%20to%20enforce%20a%20settings%20(configure%20the%20setting%20and%20either%20prevent%20changes%20or%20ensure%20the%20configuration%20is%20reverted%20to%20the%20desired%20configuration)%2C%20do%20I%20use%20Configuration%20Policies%3F%3C%2FLI%3E%3CLI%3EWhen%20would%20I%20use%20Compliance%20Policy%20vs%20Configuration%20Policy%3F%3C%2FLI%3E%3CLI%3EWhen%20would%20I%20use%20Endpoint%20Security%20Policy%3C%2FLI%3E%3CLI%3ESpecific%20to%20Bitlocker%2C%20which%20of%20the%20three%20is%20the%20best%20place%20to%20configure%20Bitlocker%20(to%20automatically%20enable%20and%20enforce%20the%20configuration).%3C%2FLI%3E%3CLI%3EWhats%20the%20best%20way%20to%20handle%20computers%20that%20might%20not%20have%20TPM%20chips%2C%20but%20we'd%20like%20to%20have%20a%20default%20Bitlocker%20policy%3F%26nbsp%3B%20Would%20I%20have%20to%20explicitly%20exclude%20a%20group%20of%20computers%20that%20do%20not%20have%20TPM%20from%20the%20policy%20where%20Bitlocker%20is%20enforced%3F%3C%2FLI%3E%3CLI%3EFor%20AutoPilot%2C%20which%20type%20of%20policy%20is%20best%20to%20enable%20Bitlocker%20at%20OOBE%3F%3C%2FLI%3E%3CLI%3EIn%20a%20scenario%20where%20Bitlocker%20(and%20the%20TPM%20requirement)%20are%20required%20by%20a%20policy%2C%20but%20a%20target%20machine%20does%20not%20have%20a%20TPM%20chip%2C%20what%20should%20I%20expect%20in%20terms%20of%20full%20functionality%20when%20accessing%20company%20resource%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThanks%20in%20advance%20for%20helping%20me%20learn!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1579889%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1580022%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1580022%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20will%20try%20to%20answer%20all%20the%20questions%2C%20pretty%20sure%20that%20my%20colleagues%20will%20have%20more%20to%20add.%3CBR%20%2F%3E%3CBR%20%2F%3ECompliance%20Policy%3A%20It%E2%80%99s%20the%20policies%20that%20will%20decide%20your%20devices%20Compliant%20with%20EndPoint%20or%20NOT.%20If%20the%20device%20is%20not%20Compliant%2C%20Config%20Policies%20and%20others%20will%20not%20get%20applied.%3CBR%20%2F%3E%3CBR%20%2F%3EConfig%20Policies%2C%20Policies%20that%20you%20can%20make%20changes%20to%20your%20devices%20similar%20to%20any%20other%20vendor%20MDM%20policies.%3CBR%20%2F%3E%3CBR%20%2F%3ESecurity%20Baseline%2C%20I%20describe%20it%20to%20my%20customers%20as%20GPO%20or%20recommended%20settings%2C%20they%20get%20updated%20with%20new%20release%20of%20Windows%20version.%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20I%20would%20use%20Config%20Policy%2F%20Administrative%20Templates.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20You%20use%20Config%20Policy%20when%20devices%20are%20Compliant%20with%20your%20Compliance%20Policies.%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20Use%20it%20if%20you%20can%20find%20setting%20not%20available%20in%20Config%20Policy.%3CBR%20%2F%3E%3CBR%20%2F%3E4.%20I%20like%20to%20use%20Silent%20Encryption%2C%20Config%20Policy%20and%20specifically%20this%20url%20for%20setup%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.inthecloud247.com%2Fwindows-10-failed-to-enable-silent-encryption%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.inthecloud247.com%2Fwindows-10-failed-to-enable-silent-encryption%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E5.%20You%20certainly%20can%E2%80%99t%20silent%20encrypt%20devices%20without%20TPM%202.0%20using%20Intune.%3CBR%20%2F%3E%3CBR%20%2F%3E6.%20Config%20policy%2C%20same%20article%20shared%20above.%3CBR%20%2F%3E%3CBR%20%2F%3E7.%20It%20will%20prompt%20them%20to%20encrypt%20their%20PCs%20then%20they%20go%20there%20and%20see%20Red%20X.%20I%20would%20exclude%20PCs%20without%20TPMs.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20answers%20the%20questions!%3CBR%20%2F%3EMoe%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1583394%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1583394%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3Bfor%20taking%20the%20time%20to%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EDo%20compliance%20policies%20actually%20make%2Fenforce%20changes%20or%20do%20they%20only%20check%20if%20the%20configuration%20is%20set%3F%3C%2FLI%3E%3CLI%3EIf%20a%20device%20is%20receiving%20a%20config%20for%20the%20same%20device%20setting%20through%20both%20Compliance%20and%20Configuration%20policies%2C%20I%20understand%20that%20Compliance%20policies%20take%20precedence.%26nbsp%3B%20If%20that's%20the%20case%2C%20what%20is%20the%20best%20method%20to%20ensure%20that%20a%20device%20is%20%3CEM%3Econfigured%3C%2FEM%3E%20with%20the%20appropriate%20settings%20(via%20Intune)%20%3CEM%3Eand%26nbsp%3B%3C%2FEM%3Eensure%20compliance%3F%26nbsp%3B%20If%20the%20device%20fails%20the%20Compliance%20policy%20from%20the%20start%2C%20can%20the%20Configuration%20policy%20for%20that%20item%20still%20get%20applied%3F%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThanks%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585592%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585592%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20Compliance%20policies%20are%20just%20rules%20and%20settings%20that%20devices%20must%20meet%20to%20be%20compliant.%20It%20doesn%E2%80%99t%20force%20config%20setting%20on%20devices.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Config%20and%20other%20policies%20get%20applied%20on%20Compliant%20devices%20only%2C%20so%20you%20need%20to%20setup%20your%20Compliance%20Policy%20and%20have%20the%20devices%20marked%20as%20compliant%20then%20start%20to%20apply%20your%20config%20policies.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3E%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585919%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585919%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20this%20definitely%20helps!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%3A%20%232%2C%20how%20would%20such%20timing%20be%20put%20into%20practice%3F%26nbsp%3B%20Say%2C%20in%20an%20AutoPilot%20scenario%2C%20where%20we'd%20like%20to%20ultimately%2Feventually%20apply%20both%20configurations%20and%20require%20compliance%2C%20how%20could%20we%20configure%20the%20device%26nbsp%3B%3CEM%3Ebefore%26nbsp%3B%3C%2FEM%3Erequiring%20compliance%20%3CEM%3Eautomatically%3F%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20manual%20way%20would%20seem%20to%20be%20add%20the%20computers%20to%20a%20group%20that%20the%20Compliance%20Policy%20is%20applied%20to%20only%26nbsp%3B%3CEM%3Eafter%3C%2FEM%3E%20the%20configurations%20have%20been%20applied.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586430%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586430%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20won%E2%80%99t%20worry%20about%20the%20timing%20piece.%20Create%20Compliance%20policy%20that%20suits%20your%20environment%20so%20you%20know%20all%20your%20devices%20will%20be%20compliant%20after%20Enrollment.%20Intune%20will%20evaluate%20the%20device%20at%20Enrollment%20stage%20and%20then%20start%20applying%20policies.%20It%20should%20be%20quick!%3CBR%20%2F%3E%3CBR%20%2F%3EThanks!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1594688%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1594688%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Bryan Hall
Occasional Contributor

‎Aug 10 2020 05:53 PM

‎Aug 10 2020 05:53 PM

Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

I'm relatively new to endpoint management and AutoPilot is my second foray into it (after MAM/APP).  I'm confused as to the difference between Compliance and Configuration Policies, and Endpoint Security policies adds more confusion.

 

Here are some of my questions, particularly when the same types of settings are available in different types of policies:

  • If I want to enforce a settings (configure the setting and either prevent changes or ensure the configuration is reverted to the desired configuration), do I use Configuration Policies?
  • When would I use Compliance Policy vs Configuration Policy?
  • When would I use Endpoint Security Policy
  • Specific to Bitlocker, which of the three is the best place to configure Bitlocker (to automatically enable and enforce the configuration).
  • Whats the best way to handle computers that might not have TPM chips, but we'd like to have a default Bitlocker policy?  Would I have to explicitly exclude a group of computers that do not have TPM from the policy where Bitlocker is enforced?
  • For AutoPilot, which type of policy is best to enable Bitlocker at OOBE?
  • In a scenario where Bitlocker (and the TPM requirement) are required by a policy, but a target machine does not have a TPM chip, what should I expect in terms of full functionality when accessing company resource?

Thanks in advance for helping me learn!

954 Views
0 Likes
6 Replies
Reply
6 Replies
Moe_Kinani

‎Aug 10 2020 06:58 PM

‎Aug 10 2020 06:58 PM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

Hi Bryan,

I will try to answer all the questions, pretty sure that my colleagues will have more to add.

Compliance Policy: It’s the policies that will decide your devices Compliant with EndPoint or NOT. If the device is not Compliant, Config Policies and others will not get applied.

Config Policies, Policies that you can make changes to your devices similar to any other vendor MDM policies.

Security Baseline, I describe it to my customers as GPO or recommended settings, they get updated with new release of Windows version.

1. I would use Config Policy/ Administrative Templates.

2. You use Config Policy when devices are Compliant with your Compliance Policies.

3. Use it if you can find setting not available in Config Policy.

4. I like to use Silent Encryption, Config Policy and specifically this url for setup:

https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/

5. You certainly can’t silent encrypt devices without TPM 2.0 using Intune.

6. Config policy, same article shared above.

7. It will prompt them to encrypt their PCs then they go there and see Red X. I would exclude PCs without TPMs.

Hope this answers the questions!
Moe



0 Likes
Reply
Bryan Hall

‎Aug 11 2020 10:02 PM

‎Aug 11 2020 10:02 PM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

Thanks @Moe_Kinani for taking the time to reply.

 

  1. Do compliance policies actually make/enforce changes or do they only check if the configuration is set?
  2. If a device is receiving a config for the same device setting through both Compliance and Configuration policies, I understand that Compliance policies take precedence.  If that's the case, what is the best method to ensure that a device is configured with the appropriate settings (via Intune) and ensure compliance?  If the device fails the Compliance policy from the start, can the Configuration policy for that item still get applied?

Thanks again

 

0 Likes
Reply
Moe_Kinani

‎Aug 12 2020 04:08 PM

‎Aug 12 2020 04:08 PM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

Hi Bryan,

1. Compliance policies are just rules and settings that devices must meet to be compliant. It doesn’t force config setting on devices.

2. Config and other policies get applied on Compliant devices only, so you need to setup your Compliance Policy and have the devices marked as compliant then start to apply your config policies.

Hope this helps!

Moe
1 Like
Reply
Bryan Hall

‎Aug 12 2020 10:01 PM

‎Aug 12 2020 10:01 PM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

@Moe_Kinani 

 

Thanks, this definitely helps!

 

Re: #2, how would such timing be put into practice?  Say, in an AutoPilot scenario, where we'd like to ultimately/eventually apply both configurations and require compliance, how could we configure the device before requiring compliance automatically?

 

The manual way would seem to be add the computers to a group that the Compliance Policy is applied to only after the configurations have been applied.

0 Likes
Reply
Moe_Kinani

‎Aug 13 2020 03:50 AM

‎Aug 13 2020 03:50 AM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

Hi Bryan,

I won’t worry about the timing piece. Create Compliance policy that suits your environment so you know all your devices will be compliant after Enrollment. Intune will evaluate the device at Enrollment stage and then start applying policies. It should be quick!

Thanks!
Moe
0 Likes
Reply
Bryan Hall

‎Aug 17 2020 04:51 PM

‎Aug 17 2020 04:51 PM

Re: Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

@Moe_Kinani thanks for your help!

0 Likes
Reply