Bitlocker device encryption notification
Posted by gingerpantman@reddit | sysadmin | 6 comments
Hi all,
We are currently transitioning from BitLocker managed by Sophos to BitLocker policies in Intune. Sophos did a good job at prompting the user/techs to create a PIN and actually encrypt the device (a requirement for a PIN is a must). How are people achieving this with Intune policies? I need to make sure my techs get devices encrypted before they leave the building. Thanks all. Happy Monday!
Ok_Rip_5338@reddit
I enrolled in Intune last year. All PCs automatically get encrypted. Users never notice, nor are they expected to ever touch BitLocker.
PCs that I deem "high risk" are manually added to a group prior to Autopilot provisioning. This group is exempt from the standard policy and instead gets a slightly modified policy with an additional script added (link below). You can derive a startup PIN from the serial number (service tag), UUID, MAC address, or some combination of the three. https://katystech.blog/mem/bitlocker-with-pin
I try to avoid a startup PIN where I can, though; it's rough on users given that automatic Windows updates cannot fully complete.
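The protector swap the comment above describes, as an added example written for this page (not the script from the linked blog post or anything the commenter posted). It assumes elevated PowerShell on an Entra-joined Windows 10/11 device with the BitLocker module, and a BitLocker policy that already allows TPM + PIN at startup. The derivation keys an HMAC with an org-held secret rather than using the bare serial/UUID: the service tag is printed on the chassis, so a PIN computed from device identifiers alone can be reproduced by whoever has the laptop. `$OrgSecret`, the function name and the 8-digit length are assumptions.

```powershell
# Added example, not code from the thread or the linked blog.
# Assumes: elevated PowerShell, Windows 10/11 with the BitLocker module, Entra-joined device,
# and a policy that permits TPM + PIN startup authentication.

# Hypothetical org secret; in practice pull it from a vault at run time rather than hard-coding it.
$OrgSecret = 'replace-with-a-real-secret'

function Get-DerivedStartupPin {
    param([string]$Secret, [int]$Digits = 8)
    # Serial number and UUID are readable by anyone holding the device, so a PIN computed from
    # them alone is guessable. HMAC-SHA256 with an org-held secret keeps the mapping reproducible
    # for techs (same device, same secret, same PIN) without being derivable from the device.
    $bios     = Get-CimInstance -ClassName Win32_BIOS
    $product  = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $material = "$($bios.SerialNumber)|$($product.UUID)"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($material))
    # Reduce the first 8 bytes to a zero-padded decimal string so it satisfies a numeric-PIN policy.
    $num = [System.BitConverter]::ToUInt64($hash, 0)
    $mod = [uint64][math]::Pow(10, $Digits)
    return ($num % $mod).ToString().PadLeft($Digits, '0')
}

$osDrive   = $env:SystemDrive
$pin       = Get-DerivedStartupPin -Secret $OrgSecret
$securePin = ConvertTo-SecureString -String $pin -AsPlainText -Force
$vol       = Get-BitLockerVolume -MountPoint $osDrive

# 1. Make sure a recovery password exists before touching the TPM protector, so the drive is
#    never left without a usable protector. This also works on a still-decrypted volume.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
}

# 2. Only one TPM-based protector may exist; drop the TPM-only one that silent encryption
#    creates, then install TPM + PIN (or start encryption with it if the drive is still clear).
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -TpmAndPinProtector -Pin $securePin `
        -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
} else {
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $securePin | Out-Null
}

# 3. Escrow every recovery password to Entra ID now, rather than waiting for the next policy sync.
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($p in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
}
```

Run it once per device from the bench; the PIN is never written to disk or to the console, and the tech can recompute it from the same secret if it is lost. For the update pain the comment mentions, `Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1` lets protectors lapse for exactly one reboot without decrypting anything.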
gingerpantman@reddit (OP)
Unfortunately our SecOps team has the final say on BitLocker PINs, so it's on for everyone.
Ok_Rip_5338@reddit
I understand why. Depends on your environment, but maybe you could talk them down to just laptops? Desktops are less likely to get stolen.
MeetJoan@reddit
Intune's Endpoint Security > Disk Encryption blade is the right place - avoid the old Device Configuration path, it's clunkier and escrow visibility is worse.
For the PIN requirement, set "Configure TPM startup PIN" to Required in the BitLocker CSP. Silent encryption won't prompt for one on its own.
To enforce before the device leaves: Compliance Policy flagging unencrypted devices as non-compliant + Conditional Access blocking them from resources. Techs are motivated pretty quickly when their device can't hit anything useful.
OkEmployment4437@reddit
We went through a similar migration last year. The way we handle it now is through an Intune device configuration profile that enforces BitLocker with a startup PIN. Pair that with an Enrollment Status Page policy so the device cannot really be used until encryption kicks off during provisioning. The key escrow to Entra ID happens automatically once the policy applies, so you can verify the recovery key is stored before the tech hands it off.
For the technician workflow side, we added a simple checklist step: before the device leaves the bench, the tech confirms encryption status in Intune and verifies the recovery key is escrowed. You can also set a compliance policy so devices stay non-compliant until encryption is on, which gives you reporting visibility and lets you gate access if you want to be strict about it.
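The bench checklist in the comment above (and the "unencrypted means non-compliant" gate MeetJoan describes) both hinge on the same three facts about a device: protection is on, the boot protector is TPM + PIN, and the recovery password has actually been escrowed. An added example that checks all three locally and returns an object a tech can paste into a ticket; this is written for this page and is not anyone's posted script. It assumes elevated PowerShell on an Entra-joined Windows 10/11 device, and that event ID 845 in the `Microsoft-Windows-BitLocker/BitLocker Management` log is the successful-backup-to-Entra record (846 is the failure), as Microsoft documents it. The function name and lookback window are assumptions.

```powershell
# Added example, not from the thread. Bench readiness check run before a device leaves.
# Assumes: elevated PowerShell, Windows 10/11 with the BitLocker module, Entra-joined device.

function Test-BitLockerBenchReady {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int]$EscrowLookbackHours = 24
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Event 845 = recovery information backed up to Entra ID; 846 = backup failed.
    # Assumption: log name and IDs as in Microsoft's BitLocker event documentation.
    $escrowEvent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845
        StartTime = (Get-Date).AddHours(-$EscrowLookbackHours)
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        MountPoint        = $MountPoint
        VolumeStatus      = $vol.VolumeStatus.ToString()
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
        HasTpmPin         = ($types -contains 'TpmPin')
        HasRecoveryPwd    = ($types -contains 'RecoveryPassword')
        EscrowedToEntra   = [bool]$escrowEvent
        EscrowTime        = if ($escrowEvent) { $escrowEvent.TimeCreated } else { $null }
    }
    # "Ready" means every gate passed. A drive that is 40% encrypted with a TPM-only protector
    # and no escrow event is exactly the state the checklist exists to catch.
    $result | Add-Member -NotePropertyName Ready -PassThru -NotePropertyValue (
        $result.ProtectionOn -and $result.HasTpmPin -and
        $result.HasRecoveryPwd -and $result.EscrowedToEntra
    )
}

$check = Test-BitLockerBenchReady
$check | Format-List
if (-not $check.Ready) { exit 1 }
```

The non-zero exit code lets the same script double as a detection rule in an Intune remediation, so the device-side result lines up with the compliance state the admin center shows. The escrow side can be cross-checked in the admin center under the device's Recovery keys view, which should list the same recovery password ID the local protector carries.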
SVD_NL@reddit
Encrypt Windows devices with BitLocker using Intune | MS Learn
Choose the options you need, and test it out. I'd recommend against migrating active devices from Sophos to Intune policies if you can help it, but if you properly test it, it shouldn't be an issue.
You can't really force them to set up BitLocker before they leave the building, but you can limit access to company resources using compliance policies and conditional access.
There are a couple of good suggestions in this thread on how to apply this in practice; some of them suggest enabling with TPM first to at least encrypt the drive, and then using scripts to force a password change or application later.