InstantGo Azure AD Join Encryption / Policy Required


Hi All

Just need some clarification here.

It's my understanding that InstantGo devices are automatically encrypted when joined to Azure AD.

All good.

So, would there be a need to have a Device Configuration Policy for BitLocker or just a Compliance Policy to check that the encryption was successful?

Info greatly appreciated.

Stuart

Hi Stuart,

Yes, they are encrypted, but if you would like to control things like removable data drives you would need one. In addition, if the device is not InstantGo capable but is on the 1803 version of Windows 10, you can even enforce encryption ("Encrypt device" = Require) in silent activation if you choose the new setting "Warning for other disk encryption" to Block. If not InstantGo and pre-1803 and "Encrypt device" = Require, you will get a wizard to guide the user to activate BitLocker.

Compliance is always good for reporting or, in conjunction with Conditional Access, a requirement.

best,

Oliver
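The reply above describes three cases (InstantGo, non-InstantGo on 1803 or later, non-InstantGo pre-1803) and a compliance check on the result. The following script is an added example, not code from either poster: run elevated on a Windows 10 device, it reports which case the device falls into and whether its OS drive is in the state an encryption compliance policy looks for. It assumes `powercfg /a` output in English and the BitLocker PowerShell module (Pro/Enterprise/Education); the build number 17134 for version 1803 is a known value.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.

function Test-ModernStandby {
    # powercfg /a lists available sleep states first, then unavailable ones.
    # InstantGo is Modern Standby, shown as "S0 Low Power Idle" when available.
    $text = (powercfg /a | Out-String)
    $available = ($text -split 'not available on this system')[0]
    return [bool]($available -match 'S0 Low Power Idle')
}

function Get-OsBuild {
    [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
}

function Get-OsDriveEncryption {
    # Get-BitLockerVolume requires the BitLocker module (absent on Home SKUs).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return $null
    }
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus     = $os.VolumeStatus       # e.g. FullyEncrypted
        ProtectionStatus = $os.ProtectionStatus   # On = key protectors enforced
        Protectors       = ($os.KeyProtector.KeyProtectorType -join ',')
    }
}

$instantGo = Test-ModernStandby
$build     = Get-OsBuild
$enc       = Get-OsDriveEncryption

# Build 17134 is Windows 10 version 1803, which introduced the
# "Warning for other disk encryption" setting mentioned in the reply.
$case = if ($instantGo)           { 'InstantGo: encrypted automatically on Azure AD join' }
        elseif ($build -ge 17134) { 'Not InstantGo, 1803+: silent "Encrypt device" = Require possible with "Warning for other disk encryption" = Block' }
        else                      { 'Not InstantGo, pre-1803: "Encrypt device" = Require shows the user a BitLocker wizard' }

"Modern Standby (InstantGo): $instantGo"
"OS build: $build"
"Expected behaviour: $case"
if ($null -eq $enc) {
    "BitLocker module not present; check encryption with 'manage-bde -status'."
} else {
    # An encryption compliance check is only satisfied when the OS volume is
    # fully encrypted AND protection is On (a suspended volume is not compliant).
    $ok = ($enc.VolumeStatus -eq 'FullyEncrypted' -and $enc.ProtectionStatus -eq 'On')
    "OS drive: $($enc.VolumeStatus), protection $($enc.ProtectionStatus), protectors: $($enc.Protectors)"
    "OS drive in a state a 'require encryption' compliance policy accepts: $ok"
}
```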