Bitlocker compliance policies and MBAM

Brass Contributor

Hello,

 

For the moment, we use MBAM to manage bitlocker encryption keys.

We would like to use MEM compliance policy to audit encryption of our Windows devices (audit only - no remediation).

 

I would like to know if configuring  "Require encryption of data storage on device." or "Require BitLocker" will try to remediate a non-compliant device. I want to avoid a situation where device is encrypted after remediation and Keys are not stored into MBAM database.

 

 
 
3 Replies

Hi @Le_Michel, Both these are included in the compliance policy, which means that the device will be evaluated on these policies, and based on the conditions configured, actions will be taken.

 

  1. Require BitLocker: If you set it to "Required," it will only check for encryption state at boot time. It can only protect data stored on the drive from unauthorized access when the system is off or hibernates.
  2. Encryption of data storage on a device: Indicates compliance with the enterprise encryption policy for system drives. As it does not require a reboot to evaluate BitLocker compliance so the disadvantage of it is that if you are using conditional access, it may block users from accessing corporate resources until the device is marked as compliant.

As you mentioned, you already have encryption forced through MBAM, so if co-management is enabled, you can use these in-compliance policies to evaluate your compliance. But if you have conditional access, you must proceed with caution. 

Thanks for your answer. My main concern is to avoid that intune will launch any remediation that will not save recovery key in MBAM database. it seems that intune allows to configure remediation actions for android and iOs but not for Windows.
Intune will not do any remediation if you are just using compliance policies. We do have the same scenario where BitLocker is enforced by MBAM and compliance policies in Intune only reporting is done.