Bitlocker Compliance/Configuration/Endpoint Security Policy Confusion

%3CLINGO-SUB%20id%3D%22lingo-sub-1579889%22%20slang%3D%22en-US%22%3EBitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1579889%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20relatively%20new%20to%20endpoint%20management%20and%20AutoPilot%20is%20my%20second%20foray%20into%20it%20(after%20MAM%2FAPP).%26nbsp%3B%20I'm%20confused%20as%20to%20the%20difference%20between%20Compliance%20and%20Configuration%20Policies%2C%20and%20Endpoint%20Security%20policies%20adds%20more%20confusion.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20are%20some%20of%20my%20questions%2C%20particularly%20when%20the%20same%20types%20of%20settings%20are%20available%20in%20different%20types%20of%20policies%3A%3C%2FP%3E%3CUL%3E%3CLI%3EIf%20I%20want%20to%20enforce%20a%20settings%20(configure%20the%20setting%20and%20either%20prevent%20changes%20or%20ensure%20the%20configuration%20is%20reverted%20to%20the%20desired%20configuration)%2C%20do%20I%20use%20Configuration%20Policies%3F%3C%2FLI%3E%3CLI%3EWhen%20would%20I%20use%20Compliance%20Policy%20vs%20Configuration%20Policy%3F%3C%2FLI%3E%3CLI%3EWhen%20would%20I%20use%20Endpoint%20Security%20Policy%3C%2FLI%3E%3CLI%3ESpecific%20to%20Bitlocker%2C%20which%20of%20the%20three%20is%20the%20best%20place%20to%20configure%20Bitlocker%20(to%20automatically%20enable%20and%20enforce%20the%20configuration).%3C%2FLI%3E%3CLI%3EWhats%20the%20best%20way%20to%20handle%20computers%20that%20might%20not%20have%20TPM%20chips%2C%20but%20we'd%20like%20to%20have%20a%20default%20Bitlocker%20policy%3F%26nbsp%3B%20Would%20I%20have%20to%20explicitly%20exclude%20a%20group%20of%20computers%20that%20do%20not%20have%20TPM%20from%20the%20policy%20where%20Bitlocker%20is%20enforced%3F%3C%2FLI%3E%3CLI%3EFor%20AutoPilot%2C%20which%20type%20of%20policy%20is%20best%20to%20enable%20Bitlocker%20at%20OOBE%3F%3C%2FLI%3E%3CLI%3EIn%20a%20scenario%20where%20Bitlocker%20(and%20the%20TPM%20requirement)%20are%20required%20by%20a%20policy%2C%20but%20a%20target%20machine%20does%20not%20have%20a%20TPM%20chip%2C%20what%20should%20I%20expect%20in%20terms%20of%20full%20functionality%20when%20accessing%20company%20resource%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThanks%20in%20advance%20for%20helping%20me%20learn!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1579889%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1580022%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1580022%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20will%20try%20to%20answer%20all%20the%20questions%2C%20pretty%20sure%20that%20my%20colleagues%20will%20have%20more%20to%20add.%3CBR%20%2F%3E%3CBR%20%2F%3ECompliance%20Policy%3A%20It%E2%80%99s%20the%20policies%20that%20will%20decide%20your%20devices%20Compliant%20with%20EndPoint%20or%20NOT.%20If%20the%20device%20is%20not%20Compliant%2C%20Config%20Policies%20and%20others%20will%20not%20get%20applied.%3CBR%20%2F%3E%3CBR%20%2F%3EConfig%20Policies%2C%20Policies%20that%20you%20can%20make%20changes%20to%20your%20devices%20similar%20to%20any%20other%20vendor%20MDM%20policies.%3CBR%20%2F%3E%3CBR%20%2F%3ESecurity%20Baseline%2C%20I%20describe%20it%20to%20my%20customers%20as%20GPO%20or%20recommended%20settings%2C%20they%20get%20updated%20with%20new%20release%20of%20Windows%20version.%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20I%20would%20use%20Config%20Policy%2F%20Administrative%20Templates.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20You%20use%20Config%20Policy%20when%20devices%20are%20Compliant%20with%20your%20Compliance%20Policies.%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20Use%20it%20if%20you%20can%20find%20setting%20not%20available%20in%20Config%20Policy.%3CBR%20%2F%3E%3CBR%20%2F%3E4.%20I%20like%20to%20use%20Silent%20Encryption%2C%20Config%20Policy%20and%20specifically%20this%20url%20for%20setup%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.inthecloud247.com%2Fwindows-10-failed-to-enable-silent-encryption%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.inthecloud247.com%2Fwindows-10-failed-to-enable-silent-encryption%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E5.%20You%20certainly%20can%E2%80%99t%20silent%20encrypt%20devices%20without%20TPM%202.0%20using%20Intune.%3CBR%20%2F%3E%3CBR%20%2F%3E6.%20Config%20policy%2C%20same%20article%20shared%20above.%3CBR%20%2F%3E%3CBR%20%2F%3E7.%20It%20will%20prompt%20them%20to%20encrypt%20their%20PCs%20then%20they%20go%20there%20and%20see%20Red%20X.%20I%20would%20exclude%20PCs%20without%20TPMs.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20answers%20the%20questions!%3CBR%20%2F%3EMoe%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1583394%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1583394%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3Bfor%20taking%20the%20time%20to%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EDo%20compliance%20policies%20actually%20make%2Fenforce%20changes%20or%20do%20they%20only%20check%20if%20the%20configuration%20is%20set%3F%3C%2FLI%3E%3CLI%3EIf%20a%20device%20is%20receiving%20a%20config%20for%20the%20same%20device%20setting%20through%20both%20Compliance%20and%20Configuration%20policies%2C%20I%20understand%20that%20Compliance%20policies%20take%20precedence.%26nbsp%3B%20If%20that's%20the%20case%2C%20what%20is%20the%20best%20method%20to%20ensure%20that%20a%20device%20is%20%3CEM%3Econfigured%3C%2FEM%3E%20with%20the%20appropriate%20settings%20(via%20Intune)%20%3CEM%3Eand%26nbsp%3B%3C%2FEM%3Eensure%20compliance%3F%26nbsp%3B%20If%20the%20device%20fails%20the%20Compliance%20policy%20from%20the%20start%2C%20can%20the%20Configuration%20policy%20for%20that%20item%20still%20get%20applied%3F%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThanks%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585592%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585592%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20Compliance%20policies%20are%20just%20rules%20and%20settings%20that%20devices%20must%20meet%20to%20be%20compliant.%20It%20doesn%E2%80%99t%20force%20config%20setting%20on%20devices.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Config%20and%20other%20policies%20get%20applied%20on%20Compliant%20devices%20only%2C%20so%20you%20need%20to%20setup%20your%20Compliance%20Policy%20and%20have%20the%20devices%20marked%20as%20compliant%20then%20start%20to%20apply%20your%20config%20policies.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3E%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1585919%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1585919%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20this%20definitely%20helps!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERe%3A%20%232%2C%20how%20would%20such%20timing%20be%20put%20into%20practice%3F%26nbsp%3B%20Say%2C%20in%20an%20AutoPilot%20scenario%2C%20where%20we'd%20like%20to%20ultimately%2Feventually%20apply%20both%20configurations%20and%20require%20compliance%2C%20how%20could%20we%20configure%20the%20device%26nbsp%3B%3CEM%3Ebefore%26nbsp%3B%3C%2FEM%3Erequiring%20compliance%20%3CEM%3Eautomatically%3F%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20manual%20way%20would%20seem%20to%20be%20add%20the%20computers%20to%20a%20group%20that%20the%20Compliance%20Policy%20is%20applied%20to%20only%26nbsp%3B%3CEM%3Eafter%3C%2FEM%3E%20the%20configurations%20have%20been%20applied.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586430%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586430%22%20slang%3D%22en-US%22%3EHi%20Bryan%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20won%E2%80%99t%20worry%20about%20the%20timing%20piece.%20Create%20Compliance%20policy%20that%20suits%20your%20environment%20so%20you%20know%20all%20your%20devices%20will%20be%20compliant%20after%20Enrollment.%20Intune%20will%20evaluate%20the%20device%20at%20Enrollment%20stage%20and%20then%20start%20applying%20policies.%20It%20should%20be%20quick!%3CBR%20%2F%3E%3CBR%20%2F%3EThanks!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1594688%22%20slang%3D%22en-US%22%3ERe%3A%20Bitlocker%20Compliance%2FConfiguration%2FEndpoint%20Security%20Policy%20Confusion%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1594688%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3Bthanks%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I'm relatively new to endpoint management and AutoPilot is my second foray into it (after MAM/APP).  I'm confused as to the difference between Compliance and Configuration Policies, and Endpoint Security policies adds more confusion.

 

Here are some of my questions, particularly when the same types of settings are available in different types of policies:

  • If I want to enforce a settings (configure the setting and either prevent changes or ensure the configuration is reverted to the desired configuration), do I use Configuration Policies?
  • When would I use Compliance Policy vs Configuration Policy?
  • When would I use Endpoint Security Policy
  • Specific to Bitlocker, which of the three is the best place to configure Bitlocker (to automatically enable and enforce the configuration).
  • Whats the best way to handle computers that might not have TPM chips, but we'd like to have a default Bitlocker policy?  Would I have to explicitly exclude a group of computers that do not have TPM from the policy where Bitlocker is enforced?
  • For AutoPilot, which type of policy is best to enable Bitlocker at OOBE?
  • In a scenario where Bitlocker (and the TPM requirement) are required by a policy, but a target machine does not have a TPM chip, what should I expect in terms of full functionality when accessing company resource?

Thanks in advance for helping me learn!

6 Replies
Highlighted
Hi Bryan,

I will try to answer all the questions, pretty sure that my colleagues will have more to add.

Compliance Policy: It’s the policies that will decide your devices Compliant with EndPoint or NOT. If the device is not Compliant, Config Policies and others will not get applied.

Config Policies, Policies that you can make changes to your devices similar to any other vendor MDM policies.

Security Baseline, I describe it to my customers as GPO or recommended settings, they get updated with new release of Windows version.

1. I would use Config Policy/ Administrative Templates.

2. You use Config Policy when devices are Compliant with your Compliance Policies.

3. Use it if you can find setting not available in Config Policy.

4. I like to use Silent Encryption, Config Policy and specifically this url for setup:

https://www.inthecloud247.com/windows-10-failed-to-enable-silent-encryption/

5. You certainly can’t silent encrypt devices without TPM 2.0 using Intune.

6. Config policy, same article shared above.

7. It will prompt them to encrypt their PCs then they go there and see Red X. I would exclude PCs without TPMs.

Hope this answers the questions!
Moe



Highlighted

Thanks @Moe_Kinani for taking the time to reply.

 

  1. Do compliance policies actually make/enforce changes or do they only check if the configuration is set?
  2. If a device is receiving a config for the same device setting through both Compliance and Configuration policies, I understand that Compliance policies take precedence.  If that's the case, what is the best method to ensure that a device is configured with the appropriate settings (via Intune) and ensure compliance?  If the device fails the Compliance policy from the start, can the Configuration policy for that item still get applied?

Thanks again

 

Highlighted
Hi Bryan,

1. Compliance policies are just rules and settings that devices must meet to be compliant. It doesn’t force config setting on devices.

2. Config and other policies get applied on Compliant devices only, so you need to setup your Compliance Policy and have the devices marked as compliant then start to apply your config policies.

Hope this helps!

Moe
Highlighted

@Moe_Kinani 

 

Thanks, this definitely helps!

 

Re: #2, how would such timing be put into practice?  Say, in an AutoPilot scenario, where we'd like to ultimately/eventually apply both configurations and require compliance, how could we configure the device before requiring compliance automatically?

 

The manual way would seem to be add the computers to a group that the Compliance Policy is applied to only after the configurations have been applied.

Highlighted
Hi Bryan,

I won’t worry about the timing piece. Create Compliance policy that suits your environment so you know all your devices will be compliant after Enrollment. Intune will evaluate the device at Enrollment stage and then start applying policies. It should be quick!

Thanks!
Moe
Highlighted