Intune Manage Windows 10 Encryption without admin rights

Recently I've started working a lot more with Intune by itself to manage out an environment. I'm running into an issue where, if I require devices to be encrypted with BitLocker, the end user is getting a UAC prompt where an admin needs to sign in to allow them to start encryption. Is there any way around this, especially if I'm sending out a remote device utilizing Autopilot?

11 Replies

Yeah, noticed that too when I was playing around with AutoPilot and Compliance Policy.

To start the encryption I had to type my GA credentials; not even the AutoPilot admin account works.

Quite unexpected I would say.

I've been working with a few colleagues to get further on this. Right now we are testing a few ways to work around it. One method is having a device auto-encrypt during Azure AD join. To do this, though, you need to have InstantGo; the following linked TechNet blog covered it well. Otherwise, for devices without this, I'm testing an Intune PowerShell script which automatically encrypts a device. This seems to work with a user assignment but not with device assignments. I'll be opening a support case with Microsoft around that policy enforcement. I can update this later if that helps; otherwise I'll write a post on it.

Douglas, this is something that we are looking at also, and the UAC prompt is annoying! ha.

PowerShell is what I was thinking, but let us know how you get on with your support case. It may be worth seeing if you can get a Design Change Request (DCR) completed for this, as I'm assuming there are numerous others wanting to do this seamlessly.

Hi,

It seems you are looking for a solution like this:

Hardware independent automatic Bitlocker encryption using AAD/MDM

https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-auto...

This can run in standard user configurations also.

But maybe we will get something in Win10 Version 1803 for BitLocker... did you check the latest Insider Preview?

Information regarding a change in BitLocker behavior in the next Windows 10 version is available on docs:

https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

AllowWarningForOtherDiskEncryption

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

Important

Starting in Windows 10, next major update, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.

@Oliver Kieselbach

If AllowWarningForOtherDiskEncryption is set to 0 on a 1803 enterprise device, will it assume defaults for the other settings?

Also, does this value being 0 have any relationship to computers wanting to reset the TPM after the upgrade to 1803?

Hi Neil,

Yes, it will assume defaults for the other settings.

Regarding a reset of the TPM after the 1803 upgrade, I'm not sure; I didn't test it extensively and my tests were on 1709, so I have no experience with this setting after an upgrade. As a logical conclusion I would assume it shouldn't impact the TPM during the upgrade, as you normally start from a 1709 BitLocker-enabled device and the upgrade is BitLocker-aware and only does a suspend and re-enable. Imho this setting should not influence an upgrade, but I can't say for sure.

best,

Oliver

@Oliver Kieselbach

I would have uploaded more details, but I had to freeze 1803 updates because of Edge crashing.

I am 95% sure it's because of a bug with Edge when Windows Defender Application Control is set to:

->  audit

-> "Trust apps with good reputation"

https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17343551/

As soon as I can start rolling out 1803 again I'll upload more info on this TPM issue.

FYI

BitLocker CSP added functionality...

https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

AllowStandardUserEncryption
Allows the admin to enforce the "RequireDeviceEncryption" policy for scenarios where the policy is pushed while the currently logged-on user is a non-admin/standard user Azure AD account.

Note

This policy is only supported in Azure AD accounts.

The "AllowStandardUserEncryption" policy is tied to the "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e., silent encryption is enforced.

If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", the "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the currently logged-on user in the system.

The expected values for this policy are:

  • 1 = The "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if the currently logged-in user is a standard user.
  • 0 = This is the default when the policy is not set. If the currently logged-on user is a standard user, the "RequireDeviceEncryption" policy will not try to enable encryption on any drive.

Additional notice regarding AllowStandardUserEncryption:

It's scheduled for the next major Windows version, aka RS5 aka 1809.

See the BitLocker CSP article diagram at the beginning.
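
The script below is an added example written for this thread; it is not code from the thread, from Microsoft or from Intune. It reads the two BitLocker CSP values discussed above (delivered through Intune as `./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption` and `./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption`), applies the rules quoted from the CSP text (silent encryption only when AllowWarningForOtherDiskEncryption is 0, and a standard user additionally needs AllowStandardUserEncryption set to 1), and reports TPM and per-volume BitLocker status so that an Autopilot rollout can be verified before relying on silent encryption. The registry path it reads the CSP values from, the `-AssumeStandardUser` switch and the exit-code convention are assumptions of this example, not something the thread or the CSP documentation states.

```powershell
<#
  Added example (not code from the thread, Microsoft or Intune): a read-only
  check that a device is in a state where "RequireDeviceEncryption" can
  encrypt silently for a standard user, following the CSP rules quoted above.

  Assumptions (not stated in the thread):
   - MDM-delivered BitLocker CSP values are mirrored under $PolicyKey; adjust
     the path if your build stores them elsewhere. Absent values are treated
     as "not set", exactly as the CSP text describes.
   - Run in the device/SYSTEM context (for example as an Intune PowerShell
     script) so Get-Tpm and Get-BitLockerVolume can be queried; in that case
     pass -AssumeStandardUser to evaluate the standard-user rule.
#>
[CmdletBinding()]
param(
    [switch]$AssumeStandardUser
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'

function Get-BitLockerCspValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value was never delivered, so "not set" can be
    # told apart from an explicit 0.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SilentEncryptionPolicy {
    param(
        [AllowNull()][Nullable[int]]$AllowWarning,
        [AllowNull()][Nullable[int]]$AllowStandardUser,
        [bool]$IsStandardUser
    )
    # Rules from the BitLocker CSP text quoted in the thread:
    #  - AllowWarningForOtherDiskEncryption not set or 1 => no silent encryption
    #  - a standard user additionally needs AllowStandardUserEncryption = 1
    #    (0 is the documented default when the policy is not set)
    if ($null -eq $AllowWarning -or $AllowWarning -ne 0) { return $false }
    if ($IsStandardUser -and ($null -eq $AllowStandardUser -or $AllowStandardUser -ne 1)) { return $false }
    return $true
}

function Test-IsStandardUser {
    # True when the current token is not in the local Administrators role.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return -not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AzureAdJoined {
    # dsregcmd prints "AzureAdJoined : YES" on an Azure AD joined device.
    $lines = & dsregcmd.exe /status 2>$null
    return [bool]($lines -match '^\s*AzureAdJoined\s*:\s*YES')
}

# --- Gather state -----------------------------------------------------------
$allowWarning   = Get-BitLockerCspValue -Name 'AllowWarningForOtherDiskEncryption'
$allowStdUser   = Get-BitLockerCspValue -Name 'AllowStandardUserEncryption'
$isStandardUser = if ($AssumeStandardUser) { $true } else { Test-IsStandardUser }
$policyReady    = Test-SilentEncryptionPolicy -AllowWarning $allowWarning `
                      -AllowStandardUser $allowStdUser -IsStandardUser $isStandardUser

# Get-Tpm needs elevation; treat a failure as "TPM state unknown" rather than aborting.
$tpm      = try { Get-Tpm -ErrorAction Stop } catch { $null }
$tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

[pscustomobject]@{
    AzureAdJoined                      = Test-AzureAdJoined
    AllowWarningForOtherDiskEncryption = $allowWarning
    AllowStandardUserEncryption        = $allowStdUser
    EvaluatedAsStandardUser            = $isStandardUser
    SilentEncryptionPolicyReady        = $policyReady
    TpmPresentAndReady                 = $tpmReady
} | Format-List

# Per-volume status, so an encryption that started silently can be confirmed.
Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Format-Table -AutoSize

# A non-zero exit lets Intune report the script run as failed while the
# device cannot yet encrypt silently.
if (-not ($policyReady -and $tpmReady)) { exit 1 }
exit 0
```

Deployed as an Intune PowerShell script in the device context, a failed run on a freshly provisioned Autopilot device points at one of three causes the thread discusses: the CSP values never reached the device, the standard-user flag is missing while the first user is not an administrator, or the TPM is not ready. Running it interactively as the signed-in standard user (without `-AssumeStandardUser`) exercises the same policy rule against the real token, although the TPM and volume queries then report as unavailable.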

Hi,

In the meantime Windows 10 version 1809 and the new BitLocker CSP are available. I implemented and tested BitLocker with the Intune configuration policies without any PowerShell script and documented it here: https://oliverkieselbach.com/2018/10/23/enabling-bitlocker-on-non-hsti-devices-with-intune/

best,

Oliver