More and more we have clients who are getting all they need from Office 365 services. They no longer need servers or Active Directory. We often see the need to deploy BitLocker to these machines, which is currently a fairly manual process. I'd like InTune Standalone to be able to deploy and manage BitLocker without Active Directory or an Enterprise Agreement. Even if we had to pay a couple extra bucks per user, it would be 100% worth it. The other supposed cloud-based full disk encryption products are not very good, so I think it's a big opportunity to make a big change in the security world.
Today’s release gives you the ability to manage BitLocker settings as part of Windows 10 Endpoint Protection.
Stefan Peters commented
Please let Intune fully manage bitlocker, and allow Intune Admins to enforce Bitlocker instead of giving suggestions to end users to enable bitlocker. End user actions for this is undesired. It will cause a lot of service desk calls.
Also please allow Intune Admins to enable bitlocker on AzureAD joined devices where end-users are not admin.
Thanks @Cathy Moya.
The new Endpoint Protection settings look promising, however, it seems like these only work for Windows 10 Enterprise and not Pro (feedback from Intune Support team, after months of trying to get to work and numerous escalations).
Do we know if and when this will be resolved and made available for Windows 10 Pro devices?
Paul O Connor commented
I have proposed a workaround to automate Bitlocker enablement and key escrow to AAD for all devices which has been endorced by Microsoft. The details are available here:
Ronan Moriarty commented
Bitlocker CSP does not fully automate Bitlocker Setup - Customers are looking for a method that will automatically enable Bitlocker on non Connected Standby / Instant Go devices. The Redstone 2 CSP .. almost automates Bitlocker setup via MDM but, falls short from complete automation.
CSP Documentation: https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp
1. no way to automatically initiate Bitlocker setup using MDM OMA-URI. user must take action on Toast "Encryption Needed"
2. no way to set the value for "Choose which encryption mode to use"
3. no way to start the encryption
Ronan Moriarty commented
Need Ability to specify encryption method for Bitlocker with Azure AD Join - When using Azure AD Join with Connected Standby / Instant Go devices Bitlocker is automatically initiated and key escrowed to Azure AD. While this is a great feature, the encryption method used is XTS-AES 128, customers would like to have the stronger encryption standard (256)
Totally agree. This is critical piece of requirement considering enterprise security when managing devices via Intune. Appreciate if MS can hasten some work in this area
Yes! We have a cloud first model, and integrating MBAM features with Intune/Azure would be excellent.
Whole disk encryption is very high on our list of requirements for endpoint compliance, and with no way to accomplish this with Intune we are forced to look elsewhere for the time being.
Chris Moore commented
Agreed... Merging the functionality of MBAM into Intune with AAD would be perfect for this.
Make this happen ASAP.
Losing in a potentially valuable space.
Dmitry Gladyshev commented
Thanks for posting a link, really cool solution.
Do you have any progress with packing to MSI?
If yes - please share how to, would be very appreciated.
Alan Dooley commented
A workaround here...
Not tested yet as I need to wrap the PS into an MSI in order to make it work with W10 MDM only.
Alan Dooley commented
Appalling that this is not possible now. Even though manage-bde cannot write to AAD it wouldn't be that hard for the Intune agent to gather the recovery key and store it somewhere. I'd like to move to MDM for about 1,000 laptops but without this I cannot do it. Barely any devices support instant go and I'm struggling to understand why it is a pre-req.
We need both the manage-bde or other ways to enable bitlocker when we join aad and intune if we do nto have intstantgo
This is much needed, both to enforce bitlocker and monitor compliance of all PCs. That's really feel strange when we can do it for non-microsoft mobile devices but not with their own OS.
We've implemented Azure AD Join with automatic BitLocker encryption. This automatically writes the recovery key into Azure AD for the user. Unfortunately this is only possible for at least "InstantGo" devices.
The manage-bde.exe (which is the command line utility for BitLocker management) has no option to write the Recovery key to Azure AD, otherwise we were able to do this for non-InstantGo devices also.
This is a feature we are after too. We are comparing InTune with Meraki who offers this service for FileValt and we love it. I would like to see InTune step up and at least provide encryption support through Bitlocker. I would also like FileValt but that may be another thread.
We currently have MBAM for key management but it would be extremely nice to support this for off-site clients.
Aaron Houdeshell commented
We have a requirement that all of our laptops have bitlocker encryption turned on. It would be nice if Intune could report to us which devices for some reason have it turned off, without the device having to be enrolled into Intune as mobile device. Bitlocker is a Microsoft product, why cant the Intune client already installed on the devices report this? This would make Intune the one stop application for us. Thanks
Marc V commented
We are in Trial using Intune and so far we are liking the product as well as support but this is the first major drawback we hope gets added in.
We currently use SCCM/AD to monitor and mange bitlocker. We use AD to store our bitlocker keys but we use SCCM to create custom collections/reports to monitor and act on managed devices that are compliant or non-compliant.
We are a smaller organization so we are trying to just use Intune standalone by itself to manage our devices without a SCCM hybrid solution and a bitlocker management feature would greatly help in doing that.
We hope it gets added!
Ryan Sheldon commented
While we currently utilize BitLocker with Active Directory, being able to lessen our dependence on the on-premises servers and move these features to the cloud would help. Having BitLocker integration with Intune would allow us to maintain encryption on our remote endpoints without worrying about key storage/recovery or encryption compliance.