2023E18 - Drive Encryption (I.T)

  • Published: 31 Dec 2024

Comments • 22

  • @MrMarcLaflamme
    @MrMarcLaflamme 6 months ago

    0:00 - Introduction
    3:03 - Device Compliance
    5:45 - Configuring Device Profiles locations
    8:03 - Endpoint Security node (new consolidated location)
    8:30 - Disk Encryption (MacOS)
    12:56 - MacOS drive encryption demo
    15:00 - Remote Lock through Compliance
    18:20 - Bitlocker Policy configuration (Windows)
    34:00 - Compliance Policy troubleshooting
    36:12 - MacOS drive encryption demo resumed
    38:05 - Windows Bitlocker demo resumed
    44:12 - Bitlocker policy troubleshooting (it didn't work)
    48:10 - Fixed it (DVD was mounted)
    52:15 - manage-bde cli tool
    54:05 - Powershell cmdlets for Bitlocker
    55:50 - Managing Bitlocker from Windows UI and Company Portal
    57:28 - Recovery Keys
    1:00:05 - Entra Administrative Roles for Bitlocker recovery keys
    1:03:10 - Encryption Reporting
    1:04:06 - Conclusion

  • @pedrosusana9372
    @pedrosusana9372 3 months ago +1

    Can you have both Configuration Policy and Disk Encryption running to make sure devices are covered? I ask because we only set Config Policy and we have machines that are not encrypted or were previously encrypted and Intune did not escrow keys.

  • @arsfrags3475
    @arsfrags3475 5 months ago

    31:30 - When you say "By default it saves to Entra ID if it's Entra-joined" regarding the recovery key backup... Is this referring to non-domain joined systems or will it auto-backup to Entra ID for hybrid joined systems as well?

  • @anuradhasinha5592
    @anuradhasinha5592 6 months ago

    Much Awaited!!

  • @MrMarcLaflamme
    @MrMarcLaflamme 6 months ago

    20:05 - This is a confusing setting because the tooltip text (pulling from the MS Docs Bitlocker CSP) says that the default setting is the Azure AD-joined devices one (second in the list). The CSP page text reads "1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value". Yet the dropdown in the UI says Refresh Off (default). In the CSP doc this value is 0.
    I don't know what to believe here. Is leaving it at Not Configured going to set it to the Refresh off (default) value or Refresh on for Azure AD-joined devices?
    The second confusing part is within the tooltip it also says "The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives""
    Later on in configuring the policy at 31:24 you say no, so it appears that the top level setting at the beginning does not do anything if you don't enable this. There does not seem to be any setting for backing up to Entra and if there aren't any, it would be nice to have tooltip mention "Backing up to Entra is automatic" or something like that.

  • @Liam-fb4tu
    @Liam-fb4tu 6 months ago

    Have you guys ever seen a device show as encrypted even though it's not actually got a Bitlocker policy applied? I have a device that was autopiloted via Self-Deploying that's not got a primary user that this has happened on. The only thing I can think of is that I have wiped and reloaded this device a few times and it may have had a Bitlocker policy applied on a previous autopilot enrolment.

  • @Akshun82
    @Akshun82 6 months ago

    How do you guys exclude fixed data drives? I've setup a new policy but couldn't see an option to exclude. Drives are still encrypted even if "Not configured". I have a TrueNAS iSCSI volume which kept wanting to encrypt. MS Support couldn't tell me.

  • @LindelwaHlophe-t7l
    @LindelwaHlophe-t7l 6 months ago

    Good day, I have an issue with my encryption: some devices have encrypted successfully, some fail, yet the operating system and all other settings are the same. Please help.

  • @anuradhasinha5592
    @anuradhasinha5592 6 months ago

    Please record a quick one on Properties Catalog, just popped up in Configuration Profile.

    • @IntuneTraining
      @IntuneTraining 6 months ago +1

      That’s a private preview feature that would only be in your tenant if someone signed your tenant up for the preview. Technically anything in Private Preview is covered by NDA and we aren’t allowed to produce videos for topics until they are public preview or Generally Available.

    • @anuradhasinha5592
      @anuradhasinha5592 6 months ago

      @IntuneTraining Understood, now I know why it's not there in my trial subscription.

  • @SimonKey-g9n
    @SimonKey-g9n 6 months ago

    At 28:00 you recommend against startup PINs. Is that because there's something problematic about startup PINs, or just because they're pointless extra admin?

    • @lukedavidson2449
      @lukedavidson2449 26 days ago

      They touched on it a bit, but your users will not like entering the PINs one bit and will take shortcuts like writing the PIN on a sticky note on the computer, undermining any additional security you think you are getting out of it. Like you said, it also requires more administration and support from your help desk. Should really only be turned on if there is a business compliance requirement.

  • @Liam-fb4tu
    @Liam-fb4tu 6 months ago

    Cracking video as always! How does this work for shared devices if it's encrypted in the user context?

    • @IntuneTraining
      @IntuneTraining 6 months ago

      Encryption will still work. It’s less about WHO the user is and more about the access the user has on the device (user vs admin).

  • @muthmsir
    @muthmsir 6 months ago

    Adama, I know who you are talking about 😂😂😂. By the way, my issue was a Microsoft issue. My tenant finally fixed it.

  • @anglezonk
    @anglezonk 6 months ago

    Will the drives encrypt before a user has logged on?

    • @IntuneTraining
      @IntuneTraining 6 months ago +1

      Not with policy alone. You would need to deploy a script as described here
      call4cloud.nl/2021/10/device-health-attestation-age-of-compliance/
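The reply above says policy alone will not encrypt before first sign-in and that a script is needed; the earlier question from @pedrosusana9372 about machines that are encrypted but whose keys Intune never escrowed is the other half of the same problem. The following is an added example written for this page, not the script from the linked article, the video, or the IntuneTraining channel. It assumes a Windows 10/11 device with the built-in BitLocker PowerShell module and a TPM, Entra joined or hybrid joined, and that it runs in the system context (for example as an Intune PowerShell script). It reports the OS volume state, makes sure a numeric recovery password protector exists, starts TPM-based encryption if the volume is still decrypted, escrows every recovery password to Entra ID, and then reads the BitLocker management log to confirm the backup.

```powershell
# Added example (not the video's or the channel's code). Assumptions: Windows 10/11 with the
# BitLocker module, a TPM, an Entra-joined or hybrid-joined device, and an elevated/SYSTEM context.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive   # normally "C:"
$volume  = Get-BitLockerVolume -MountPoint $osDrive

# 1. Report before changing anything. The volume state is what Intune reports, whatever put the
#    protectors there, which is why a re-enrolled Autopilot device can show as encrypted with no
#    current policy applied.
Write-Host ("{0}: VolumeStatus={1} ProtectionStatus={2} Method={3} Protectors={4}" -f
    $osDrive, $volume.VolumeStatus, $volume.ProtectionStatus, $volume.EncryptionMethod,
    (($volume.KeyProtector | ForEach-Object KeyProtectorType) -join ','))

# 2. A numeric recovery password is the object that gets escrowed. If the volume has none,
#    add one; otherwise neither Intune nor this script has anything to back up.
$recoveryProtectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recoveryProtectors.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $volume = Get-BitLockerVolume -MountPoint $osDrive
    $recoveryProtectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Start encryption if the OS volume is still fully decrypted. A TPM protector lets the drive
#    unlock with no startup PIN; -SkipHardwareTest drops the reboot-and-test pass, so encryption
#    can begin before any user signs in.
$hasTpm = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm').Count -gt 0
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    if ($hasTpm) {
        # Protectors exist but encryption never started (for example the hardware test was blocked);
        # leave it to manual troubleshooting rather than adding a second TPM protector.
        Write-Warning "Protectors exist but $osDrive is still decrypted; check 'manage-bde -status $osDrive'."
    } else {
        Enable-BitLocker -MountPoint $osDrive -TpmProtector -SkipHardwareTest | Out-Null
    }
}

# 4. Escrow every recovery password protector to Entra ID. A drive encrypted before enrolment,
#    or by hand, has usually never had this step run, which is how a device ends up "encrypted"
#    in Intune with no recovery key on record.
foreach ($kp in $recoveryProtectors) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId
}

# 5. Confirm from the BitLocker management log: event 845 is a successful backup of recovery
#    information to Entra ID (Azure AD), 846 a failed one.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = @(845, 846)
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Deployed as an Intune script in the system context it is idempotent: an already encrypted and escrowed device only gets its protectors re-backed up, which is harmless, and the 845/846 events give the help desk something concrete to check when a key does not appear in the portal.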

  • @Hans-gb4mv
    @Hans-gb4mv 6 months ago

    I'd love to come to MMS, but my employer isn't paying for the transatlantic flight :(
    Maybe I should throw away my boss's disk encryption keys and hold his data hostage?

  • @AnthGags333
    @AnthGags333 6 months ago

    Finally

  • @b.c.2177
    @b.c.2177 6 months ago

    Software encryption doesn't appeal to me as it consumes processor resources. Instead, I've enabled hardware OPAL encryption on my SSD, which utilizes a dedicated chip within the drive for encryption.

  • @SeanStanhibel
    @SeanStanhibel 6 months ago

    First comment!