Microsoft Endpoint Manager Intune Feedback

Suggestion box powered by UserVoice

What features would you like to see?

All of the feedback that you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Microsoft Endpoint Manager Intune, though we can’t promise to reply to all posts.

Standard Disclaimer – our lawyers made us put this here ;-) We have partnered with UserVoice, a third-party service, so you can give us feedback. Please note that the Intune feedback site is moderated and is a voluntary participation-based project. Please send only feature suggestions and ideas to improve Intune. Do not send any novel or patentable ideas, copyrighted materials, samples or demos. Your use of the portal and your submission is subject to the UserVoice Terms of Service & Privacy Policy, including the license terms.

  1. BitLocker Recovery Keys in a Hybrid AAD Joined Device

    When configuring BitLocker through an Endpoint protection policy on a hybrid joined device, the setting "Store Recovery information in Azure Active Directory before enabling BitLocker" appears to set the OSRequireActiveDirectoryBackup_Name OMA-URI, which causes the key to be backed up to the on-prem AD DS and does not store the key in Azure AD.

    The verbiage of this setting should be changed to reflect what it actually does; ideally it would back the key up to both locations for a hybrid joined device.

    415 votes
    32 comments  ·  Bitlocker Management
  2. Support Endpoint Protection on Windows 10 Pro

    Simple really. Windows 10 Pro supports BitLocker. Therefore, if we're paying for Intune, it seems reasonable to be able to manage BitLocker on those devices.

    257 votes
    30 comments  ·  Bitlocker Management
  3. Ability to seamlessly deploy BitLocker in the background without prompting the user.

    BitLocker can be deployed currently but the user is prompted for interaction... which is both annoying and unnecessary - it should just happen per the settings defined.
    The current workaround requires this solution: https://blogs.technet.microsoft.com/homeiswhereilaymyhead/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/

    Ideally this functionality should be embedded within Intune and work regardless of whether the User is a Local Admin or not.

    133 votes
    5 comments  ·  Bitlocker Management
  4. Enable use of BitLocker authentication requiring preboot keyboard input on slates

    Hello,
    It would be good to integrate into the Endpoint Protection BitLocker section an option for "OSEnablePrebootInputProtectorsOnSlates" (Enable use of BitLocker authentication requiring preboot keyboard input on slates).
    Otherwise, if you use a tablet, then when the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.

    But to enable this "OSEnablePrebootInputProtectorsOnSlates" you need to push a PowerShell script to devices, as the BitLocker CSP is missing this too.

    Or an option via the BitLocker CSP to control this setting.

    87 votes
    3 comments  ·  Bitlocker Management
  5. Allow Windows 10 Pro Devices to have BitLocker PIN Enforced

    We can force encryption on Windows 10 1809 Pro devices and store recovery keys to Azure AD but cannot enforce a PIN on startup.

    23 votes
    3 comments  ·  Bitlocker Management
  6. BitLocker full drive encryption setting

    Seems strange there is no setting or 'toggle' in the profile configuration of Intune to allow for BitLocker full drive encryption. The only default is for used space encryption only. Can you please enable this?

    23 votes
    1 comment  ·  Bitlocker Management
  7. Data recovery agent

    Add the ability to add a BitLocker Data Recovery Agent from internal PKI for AAD joined devices. This will provide the ability for the enterprise to always be able to recover/unlock the disk if the object has been removed from AAD, since the recovery keys stored there get removed if/when the object is removed.

    We currently use the DRA for hybrid/on-prem devices, but it's delivered via GPO and there is no way natively to do this with Intune policies. We're working on a scripted workaround to deliver the DRA via LGPO.exe, but it's obviously not an ideal method.

    21 votes
    0 comments  ·  Bitlocker Management
  8. Store BitLocker recovery key for removable device in AAD

    Ability to save the BitLocker recovery key for removable devices to AAD. Today it is only possible to print or save the key locally.

    17 votes
    3 comments  ·  Bitlocker Management
  9. More options to control BitLocker on removable drives

    Today, the only configuration available for BitLocker on Removable Drives is "Write access to removable data-drive not protected by BitLocker" and "Write access to devices configured in another organization". In Group Policy, there are settings to control recovery of removable drives, password policy, and allow/disallow smart cards for removable drives. Despite similar policies existing in Intune for OS and Fixed drives, Removable drives do not have these settings in Intune. It would be nice if the same settings were available across the board for all 3 drive types, giving the same options as can be found in Group Policy.

    10 votes
    1 comment  ·  Bitlocker Management
  10. Enable the possibility to block users from accessing their BitLocker recovery key

    Normally having the user retrieve their own BitLocker Recovery keys is a good thing; it reduces the stress on the help desk. However, there are a few cases where you do not want users to be able to do this:

    1) Prevent users from extracting data from their device outside Windows, where such actions can be logged and prevented.

    2) Prevent users from modifying files or adding data to the device that would otherwise be prevented when in Windows and protected by Windows security features and/or a VPN client that can block downloads or other threats.

    I'm just asking for an optional feature…

    10 votes
    0 comments  ·  Bitlocker Management
  11. Suppress certain hardware IDs for BitLocker To Go pop-ups

    We need to suppress certain hardware IDs to prevent BitLocker To Go from popping up.

    7 votes
    0 comments  ·  Bitlocker Management
  12. Make CSPs permanently enforced settings like GPOs

    When we use CSPs in Intune to configure various settings (example : https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-accounts-renameadministratoraccount, or even BitLocker policies), these settings are applied at enrollment, but not permanently.

    Let me give 2 simple examples:
    - the basic setting in "Policy CSP" to rename the Admin account is ignored after the admin account has been renamed at enrollment. The end user can rename it back to "Administrator", and the name will remain like this, even after a reboot.
    - even worse: the BitLocker CSP starts the disk encryption, but an end user can disable it afterwards.

    This means, I can have devices in the…

    7 votes
    0 comments  ·  Bitlocker Management
  13. BitLocker PCR Setting Control (Enable MBAM Capability in Intune)

    It doesn't appear that Intune gives you the ability to control PCR settings. We have had to modify the PCR options in order to get BitLocker to behave properly with our fleet of workstations (I've had to do this with every MBAM deployment I've ever done). Since the granular GPO controls with MBAM are tied to the MBAM client, that means we have to maintain our on-premises MBAM server and deployment even while we work to migrate all our other GPO management to Intune CSPs / MDM. Hopefully there's a plan to allow management of PCR settings natively, if not…

    4 votes
    0 comments  ·  Bitlocker Management
  14. Separate device configuration profiles for Win10 Mobile and Win10 devices

    Currently, if you want to enforce BitLocker for user devices, there is no way to differentiate between PC/Laptop/Tablet and Smartphone, and therefore the phones (unable to use BitLocker) are marked as non-compliant.

    3 votes
    0 comments  ·  Bitlocker Management
  15. Encryption Report -> Doesn't identify when drives were encrypted a different way

    This is a nice new feature; however, it only seems to be reporting machines that were able to get encrypted automatically through the use of the endpoint protection policy. We have an issue on various pieces of our equipment where this automatic encryption doesn't work, returning the error 'Un-allowed DMA capable bus/device(s) detected'. We found a way to get this information and add entries to the registry, but it's not reasonable trying to do this for every piece of hardware. What has been more reliable is just running a PowerShell script that checks if BitLocker automatically enabled and if it…

    1 vote
    0 comments  ·  Bitlocker Management
  16. Endpoint protection policy - Need option for SED in BitLocker config

    I need to be able to enable BitLocker via MDM on devices with self-encrypting drives. The policy option in my case should be: use hardware if available and fall back to XTS-AES (or whatever).

    1 vote
    0 comments  ·  Bitlocker Management
  17. BitLocker Recovery Key iPhone Company Portal

    BitLocker Recovery Key iPhone Company Portal

    1 vote
    0 comments  ·  Bitlocker Management