Thanks Ben, I have tested this out and while write access to portable drives that are configured with BitLocker for that company only is working, when an end user plugs an unconfigured drive in they get prompted to configure it for BitLocker > then all they need to do is copy data, take that portable drive to a non-company PC and put in the password they set when they set up BitLocker, then they can copy the data off. It’s all good and well having the recovery keys, but that doesn’t help in this case. What are your thoughts?
@@Lonsdale6059 So, BitLocker conceptually is not designed to stop sketchy staff - it's designed so that if you leave a laptop or USB on a train and someone picks it up, they can't steal the data. If you don't want your staff to move data around, you'd need to look into better DLP policies and strap on the fun police hat and disable USB write access. - Ben
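The controls Ben describes (write access to removable drives only once they are BitLocker-protected, optionally only for drives configured by your own organisation) are ordinary BitLocker policy settings that can be audited on the device itself. The script below is an added example and is not code from the video or from anyone in this thread. It assumes the settings are read from the FVE policy registry key that the Group Policy setting writes; that the matching Intune (BitLocker CSP) setting lands in the same key is an assumption, so verify it on a managed test device. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the video or the comment thread): audits whether
# removable-drive write access is restricted to BitLocker-protected drives and
# lists the protection state of any removable volumes currently attached.
# Assumption: the Group Policy setting writes to this FVE key; the Intune
# (BitLocker CSP) equivalent is expected, but not verified here, to do the same.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDrivePolicy {
    $props = if (Test-Path $FvePolicyKey) { Get-ItemProperty -Path $FvePolicyKey } else { $null }

    [PSCustomObject]@{
        # 1 = deny write access to removable drives that are not BitLocker-protected
        DenyWriteToUnprotected  = [bool]($props.RDVDenyWriteAccess -eq 1)
        # 1 = also deny write access to drives configured in another organisation
        DenyWriteToOtherOrgs    = [bool]($props.RDVDenyCrossOrg -eq 1)
        # The organisational identifiers a drive must carry to count as "ours"
        OrgIdentificationField  = $props.IdentificationFieldString
        SecondaryIdentification = $props.SecondaryIdentificationField
    }
}

function Get-RemovableVolumeProtection {
    # Match removable volumes (by drive letter) to their BitLocker state.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($v in $removable) {
        $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Drive            = "$($v.DriveLetter):"
            Label            = $v.FileSystemLabel
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
            # Protector types present (e.g. Password, RecoveryPassword). BitLocker To Go
            # protects a lost drive; it does not stop the drive's own user copying data,
            # which is the DLP point made above.
            Protectors       = if ($bl) { ($bl.KeyProtector.KeyProtectorType) -join ', ' } else { '' }
        }
    }
}

Get-RemovableDrivePolicy
Get-RemovableVolumeProtection | Format-Table -AutoSize
```

If `DenyWriteToUnprotected` comes back `False` on a device that should have the policy, the setting has not reached the device; compare against the Intune policy report before touching anything locally.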
Delete a reg key to download the updated settings for the wallpaper. We had this issue in our org and reported it to MS. Just create a PS script to delete the reg key and it will download and set the wallpaper.
Thanks a lot for making these videos! I just tried to create a test policy and tried to enroll a test Windows laptop (Win10 1803 Enterprise), and the configuration failed during "Encrypt device" with state details: -2016281112 (Remediation failed). Still trying to find out the root cause!
We found that the default bitlocker settings didn't work consistently on 1803, but from 1809 it was fantastic. I would suggest to use the latest media being 1903 June 2019 update as there are some really awesome updates added around managing devices
@@IntuneTraining Have a ticket opened with the Intune team and one of the things they asked me to do is to upgrade the TPM to 2.0, as per them TPM 1.2 is not supported by Intune.
So I got some more info, and based on that we've summarized the requirements as:
1. TPM 2.0
2. 1809+
3. Preferred to update BIOS with latest stable version
4. BIOS in UEFI and OS disk on UEFI. If you have a legacy setup for some reason, use the mbr2gpt command for conversion
5. Secure Boot enabled
@@AmbarishRH Have you made any further progress with this? I have a fairly new model Surface Pro Tablet that meets all of these requirements yet continues to fail to apply the BitLocker profile. Forums and websites haven't been very helpful as it seems the Intune portal and features seem to update as the wind blows. I'm struggling with this one and despite creating an entirely new BitLocker profile and reimaging the Surface tablet, BitLocker just does not want to cooperate. Some additional information, though. This is not an Autopiloted device but it is Hybrid Azure AD joined. The part that doesn't make sense to me is that other profile settings are applied successfully but the BitLocker one errors out with the following message and I can't seem to find any leads as to why: "Failed to enable Silent Encryption. Error: Group policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info, contact your system administrator." I don't have anything explicitly blocking the backup of the recovery password to AD so I'm not really sure what this error message means. If anyone has any ideas I'd appreciate it.
@@Minerva___ could you please share your Intune settings for BitLocker? Also, please double check if you have any GPO from AD that's being applied as well.
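The five requirements in the list above can be checked on a device before anyone raises a ticket. The script below is an added example, not code from the video or from the commenter; it tests TPM 2.0, the Windows build (1809 is build 17763), UEFI firmware, a GPT system disk (what the mbr2gpt step produces) and Secure Boot, and then reports the current BitLocker state of the OS volume. It uses only standard Windows cmdlets (`Get-Tpm`, `Get-CimInstance`, `Get-Disk`, `Confirm-SecureBootUEFI`, `Get-BitLockerVolume`) and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the video or the thread): checks the BitLocker
# prerequisites listed in the thread on the local machine.
# Run elevated; Get-Tpm, Get-Disk and Confirm-SecureBootUEFI need admin rights.

function Test-BitLockerPrereqs {
    $checks = @()

    # 1. TPM present, ready and at spec version 2.0. Win32_Tpm.SpecVersion is a
    #    string such as "2.0, 0, 1.38"; the first field is the spec version.
    $tpm  = Get-Tpm -ErrorAction SilentlyContinue
    $wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $checks += [PSCustomObject]@{
        Check  = 'TPM 2.0 present and ready'
        Passed = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady -and $spec -eq '2.0')
        Detail = "SpecVersion=$spec"
    }

    # 2. Windows 10 1809 or later (build 17763).
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $checks += [PSCustomObject]@{ Check = 'Windows 10 1809+'; Passed = ($build -ge 17763); Detail = "Build=$build" }

    # 3. Firmware booted in UEFI mode rather than legacy BIOS/CSM.
    $checks += [PSCustomObject]@{ Check = 'UEFI firmware'; Passed = ($env:firmware_type -eq 'UEFI'); Detail = "firmware_type=$($env:firmware_type)" }

    # 4. OS disk is GPT (the partition style mbr2gpt converts to).
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $disk = Get-Disk -Number (Get-Partition -DriveLetter $sysLetter).DiskNumber
    $checks += [PSCustomObject]@{ Check = 'OS disk is GPT'; Passed = ($disk.PartitionStyle -eq 'GPT'); Detail = "PartitionStyle=$($disk.PartitionStyle)" }

    # 5. Secure Boot enabled. Confirm-SecureBootUEFI throws on legacy BIOS, which
    #    is itself a failed check.
    try   { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
    $checks += [PSCustomObject]@{ Check = 'Secure Boot enabled'; Passed = $sb; Detail = '' }

    $checks
}

$results = Test-BitLockerPrereqs
$results | Format-Table -AutoSize

if ($results.Passed -contains $false) {
    'One or more prerequisites are missing; do not expect the Intune BitLocker policy to apply.'
} else {
    'All prerequisites met; current OS volume state:'
    Get-BitLockerVolume -MountPoint $env:SystemDrive |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
}
```

A device that passes every check but still reports "Remediation failed" points at the policy or its conflicts (another GPO, a conflicting profile) rather than at the hardware, which narrows the troubleshooting considerably.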
I really can't see NOT storing recovery keys in Azure AD. Sure, people SHOULD be storing files in OneDrive and all their usual information should be synced to services where recovery is quick and easy, but real world boots-on-the-ground scenarios...we know that there are going to be so many scenarios that are less than ideal. IMO, concerns about Bitlocker recovery keys stored in Azure are the least of my security concerns when the vast majority of security incidents are social engineering or created by user behavior. There is no end to how secure you could make something. This is just not something I think is a big deal and I would absolutely store the recovery keys in Azure...and I do.
Keep making videos guys. They're amazingly helpful. Don't be discouraged by numbers. What you're doing is invaluable and with a little time they'll become a go-to reference for IT pros, devs, and hobbyists alike. I've watched all of them at least three times, teaching myself how to do this stuff.
This is beautifully said!
This is great! I can say I finally learnt not only how to deploy BitLocker using Intune but also the whole story behind it and all the technicalities. Keep making such videos guys. You are doing a terrific job!
Quick edit as I work through this on my end, it looks like this entire process has changed. Do you think you guys can do an updated video on how the device profiles are now created? There’s a lot more going on than before, unless I’m in the wrong section, but it looks like they’ve revamped the process.
Thanks!
Great Video. Is there a new video for the Endpoint security blade? The options look completely different in the new blade.
I really appreciate you're videos, so much great information.
Very useful and easy to manage.. Thanks both..
Thanks for sharing the ideas around the wallpaper personalization. We have in the office wall devices that actually play background images as a slideshow with news about the company. I always wondered how to deploy that to user computers. As it seems we can only link one image here: do you know how often the image will sync (i.e. if we automatically replace an image file on SharePoint every 30 minutes, will it also sync to devices)? Then we could mimic a nice slideshow through that.
What's the difference between applying BitLocker using device config policies and the endpoint disk encryption policies, please?
We have a hybrid environment and enabled BitLocker using Group Policy. We recently auto-enrolled the devices to Intune and want to leverage the BitLocker from Intune. How would you go about it?
@Ben, regarding the BitLocker recovery information, I agree that users should save all their data where they are supposed to save but we all know this is not always the case. And as much as we want this rule to be followed precisely, this won't happen and I think we should just accept it. Also, BitLocker information is really helpful in the case when something messes up on the users laptop for example, and a key is required on the next boot up, how can you reset the PC if you can't physically get hold of the PC? Wouldn't it be easier to read the key over the phone while with the user so they can proceed? It would be interesting to see your opinion about this.
Thanks
With OneDrive for Business and Known Folder Migration becoming fairly standard inclusions in most people's management platforms these days, most users will follow the "rules" without even knowing they are doing the right thing.
If someone continues to flout the rules and stores data in non standard locations (root of system etc), it's only going to take a single device error to learn the hard way.
In saying that, bitlocker keys are obviously available for recovery. They can be provided however you deem necessary - over email or phone.
- Ben
Does the deployment of Bitlocker policies still only apply to Windows 10/11 enterprise? or will pro work too?
Have you guys run into a problem where bitlocker reports as installed but also reports that it could not encrypt the OS drive ?
Great video guys. I learned a lot. Can you also do a podcast about "device security baseline"? I don't really understand the relationship (if any) between device configuration and the device security baseline.
Can you help to advise how I can fix the error "Failed to enable Silent encryption TPM is not available"?
Need to check your TPM
Hello guys, why do I need to create a wallpaper policy? I do not understand... but I figured out that in my case my configuration profile does not encrypt the device automatically. Maybe it is because I need an additional restriction policy? Hope you can help me.
You don’t need the wallpaper policy. We simply enabled it so that we would have a visual indicator that new policies had successfully applied to the device.
After I setup Disc Encryption policy and its pushed out to all devices, will it automatically enable on all new devices added later?
Yes it will.
In my organization users have Windows 10 Pro. This setup works, according to Intune, on Win10 Enterprise, Education and Mobile. I went ahead and tested it on 2 test computers, but it doesn't work. How do I push this encryption from a central location on Win10 Pro? I tried with a batch file calling a .ps1 (by default laptops cannot run scripts), but I can't find a way to deploy those files from a central location, other than using GPO. In my case, GPO won't work since half of the staff works remotely. Any suggestions??
If we deploy the same BitLocker policy from both SCCM and Intune, what would be the behavior?
Error: This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Required additional authentication at startup" policy for OS volumes.
Can this be done thru Intune / Microsoft Endpoint Manager admin center? Or do I have to do it locally thru GPO?
I have "Additional authentication at startup" set to Require. For "BitLocker with non-compatible TPM chip" my options are either Block or Not configured.
Can you explain the logic behind "Block" and "Not configured"? How do I enable BitLocker?
FYI, the Device configuration blade is only showing up for me on portal.azure.com and not devicemanagement.microsoft.com
Hi guys, spotted this "BitLocker is supported on “Pro” and higher edition (Compliance Policy), but for MDM management for BitLocker configuration (Configuration Policy) is “Business” edition or higher required."
What's your opinion on this? I thought 'Pro' was a business edition.
Do you have a link to where you saw this info listed?
@@IntuneTraining In the comments section at the bottom. Regards blogs.technet.microsoft.com/cbernier/2017/07/11/windows-10-intune-windows-bitlocker-management-yes/
Hi Guys, still battling to get consistent results from Intune. I noticed this too on the Info button on 'BitLocker Base Settings': 'Base settings are universal BitLocker settings for all types of data drives. These settings only apply to Enterprise, Education, and Mobile versions of Windows 10'. All our systems are Pro, so what effect would this have? Thank you.
Hi Guys. Very good training video. Thank you so much.
Do you know what happens if I apply the Intune policy to one device already encrypted with SCCM?
How prevalent in your clients that you support - is the installation of Bitlocker? Do you install it by default on all your client devices that support it or just Surface Pro's and Laptops?
I've never bothered with it to be honest. Just seemed like an extra layer of something that could go massively wrong. My end users and clients with portable devices don't (or shouldn't!) have any data on them anyway. It's all in corporate file shares, cloud sync and SharePoint etc.
Every client gets BitLocker added every time. The risk to the company for not using Bitlocker FAR outweighs the management overhead involved with managing BitLocker. We highly recommend using it as soon as possible.
Hi Steve and Adam, thanks for your videos and knowledge sessions, but what I see is that the Microsoft Store for Business video did not cover other tabs like App protection policy and App configuration policy. It would be easy for everyone to understand one topic completely. This is my personal suggestion.
Thanks for the time you guys are putting into this, it is an invaluable learning tool!
Do I need DMA on for the Azure BitLocker to roll them out?
Great video guys, thanks. BitLocker is fully configured within Intune but despite initiating the sync many times successfully, the BitLocker encryption does not kick in unless started from Company Portal manually at the client end. Any ideas why?
Thank you guys for doing these videos. This has been a great help. You ask if there is anything we would like to see... I have not gone through all of the videos yet, but what would be a great help is we have several sites, and each site has a different printer. Sometimes our Directors and/or CEO goes and visits these sites and they need to print something. How can we add this to Intune so that each computer/user is able to print per site? Thanks guys.
And another would be a video if we have a local AD how to connect everything to the cloud. Going from the old style to the new :) Thanks again
We've been getting some questions recently about printers. They are very unique to your business needs so I'm not sure we will do it justice. Stay tuned.
Are you looking for how to fully migrate from on-prem to AD or just cloud connect and set up a hybrid environment? Because they are different. Check out our video on Hybrid Key Trust to enable access to on-prem resources with Windows Hello for Business to give you an idea of how this can work.
@@IntuneTraining I am looking for an onsite 2008 R2 AD to Azure, about 200 computers. And do you know of an article that would show the benefits of why we want to go to the cloud AD instead of an onsite? To be used for a selling point for the bosses :)
@@IntuneTraining With printers, someone said use xprint?
If I don't enable/require the additional authentication at startup, will the C drive still be encrypted? If yes, how can I get the BitLocker encryption key saved to Azure AD? And in what way is the disk actually encrypted?
Not sure about the first question. Enable the 'Save Bitlocker recovery information to Azure Active directory'. This does actually work. Don't know the third one but it must be on the web somewhere.
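The three questions above can all be answered on the device itself. The script below is an added example and is not the channel's or Microsoft's code. `Get-BitLockerVolume` shows how the OS volume is encrypted (the `EncryptionMethod` field, for example XtsAes128) and which key protectors it has; a device protected by a TPM-only protector is still fully encrypted, the TPM simply releases the key at boot without prompting. The second function does by hand what the 'Save BitLocker recovery information to Azure Active Directory' setting automates: it ensures a recovery password protector exists and escrows it with `BackupToAAD-BitLockerKeyProtector`. It assumes an elevated prompt on an Azure AD joined or hybrid joined device.

```powershell
# Added example (not from the video or the thread): inspect how the OS volume
# is encrypted and make sure its recovery password is escrowed in Azure AD.
# Assumes an elevated prompt on an Azure AD joined (or hybrid joined) device.

function Get-OsVolumeEncryptionSummary {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [PSCustomObject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
        ProtectionStatus = $vol.ProtectionStatus    # On = key protectors are enforced; Off = suspended
        EncryptionMethod = $vol.EncryptionMethod    # the cipher actually used, e.g. XtsAes128 / XtsAes256
        Protectors       = ($vol.KeyProtector.KeyProtectorType) -join ', '   # e.g. Tpm, RecoveryPassword
    }
}

function Backup-OsRecoveryPasswordToAAD {
    $mount = $env:SystemDrive
    $vol   = Get-BitLockerVolume -MountPoint $mount

    # The TPM protector unlocks the drive at boot; the RecoveryPassword protector
    # is the 48-digit key that gets escrowed. Add one if the volume has none.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow every recovery password protector (a volume can carry more than one).
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }

    # Return only the protector IDs, never the password itself, so the output
    # is safe to write to a log. The ID is what you match against in the portal.
    $rp | Select-Object -ExpandProperty KeyProtectorId
}

Get-OsVolumeEncryptionSummary
Backup-OsRecoveryPasswordToAAD
```

The returned protector IDs should then appear under the device's BitLocker keys in the Azure AD / Intune portal; if they do not, the device either is not Azure AD joined or the backup was blocked by a conflicting policy, which is the error discussed elsewhere in this thread.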
Great video gents, really enjoying the series. Do you have anything related to Autopilot that removes bloatware (via policy)?
Tony, did you ever find any elegant solution to this? Our machines come from either Lenovo or Dell and it’d be nice to get a script that removed the junk but everything I’ve seen even til now doesn’t get everything.
The only way you’ll be able to do any de-bloating reliably will be to write custom scripts based on what’s included in each device model build. One other option would be to work with your VAR or OEM to de-bloat before ordering. We have been able to get Lenovo and Dell to do this for us.
I have multiple clients set up with the policy but for the most recent BitLocker deployment it's asking to encrypt removable media, which I haven't come across before. Do you know which option in the policy may have caused this? Cheers.
Have you checked under Endpoint Security > Drive Encryption. There's a Removable Drive settings section in the BitLocker policy.
Why use a Device Configuration Profile to manage BitLocker as opposed to an Endpoint Security Policy?
Because the EndPoint security feature was just released in June 2020 and the video is almost a year old.
Can you guys please post a video about Android Enterprise and Intune??
We have a few short videos coming in a few weeks on Apple and Android devices. Is there anything specific you are looking for?
@@IntuneTraining no friends... Just a basic touch about Android Enterprise and how to migrate existing Android devices from enrollment to Android Enterprise. Design and Best practices.. Thank you very much for your great work.. you both are assets to the community
@@IntuneTraining Actually this would be most useful for me too as I have a couple of Macs and plenty of phones to bring under Intune 'control'. Thanks
Can you predefine the PIN for BitLocker? And where is the setting?
Very good again. Could you make a topic on troubleshooting compliance and enrollment issues (without the Company Portal app)? And more specifically where to look, error codes, and how to interpret/check the MDMDiagReport once you've exported them from the settings menu, because there's so much information in there that it can be overwhelming or too much to troubleshoot.
Yes, this topic is on our list. If you've seen our demos you've seen that we've run into issues where we need to troubleshoot as well. We hope to have a video or two that covers troubleshooting soon.
Thanks for the awesome video series guys! One question though, how can I prevent users from having admin rights on Windows 10 when not deployed via Autopilot?
Hi, I have 3 questions:
1. Can this process be used for both Windows and MAC devices, and for devices both on premise AD domain joined or not.
2. Do all users need to have E3 or higher licences as minimum.
3. Is it a recommendation to be running 1903 for smoother operation?
here are the answers to your questions:
1. macOS needs to have its own policies created for their version of BitLocker called FileVault. If the device is hybrid AAD joined these policies will apply; you will need to confirm where the recovery keys end up, as depending on a couple of factors they could end up in AAD or AD.
2. To use the BitLocker features the minimum from memory is the E1 series of licences, but always check with your licensing team as I can't give you firm recommendations without knowing your requirements.
3. We currently recommend 1903 June 2019 update for the base image as it fixes some issues with the Store for Business applications installing, my rule of thumb is to always move to the latest as soon as you can for new computers as it becomes a great pilot group for the greater deployment to the rest of the fleet.
After configuring bitlocker, how would you remove it from the device through intune?
Why would you need to remove it? Suspend, I understand, but remove?
- Ben
@@IntuneTraining For testing purposes, when devices do not need to be enrolled. I had an issue when I disconnected the device from Azure AD: it still had BitLocker on. I would have to turn it off manually and clear the TPM whenever I reset the device and cleaned the device entirely.
When creating your VM, make sure it is a Generation 2 VM in Hyper-V. Otherwise, the TPM option will not be available.
Does this apply to the machines to be bitlocked at VM level? Because once the VM image is applied to a laptop (with a compatible TPM) the bitlocker should be deployed successfully through intune ? Or do we need this regardless?
@@cihanakgol5826 You need TPM configured no matter what. Without TPM in the Windows machine, Bitlocker won't go in.
You guys are extremely helpful and kind to do this - thank you. It would be good to contact you for some advice but I appreciate that isn't really the point, so thanks for the videos.
Pet peeve of mine. Don't call a policy "Win 10" unless you restrict that policy to just Win 10. Always think about what you want the policy to do when the next version of the OS comes out a few years later.
Why do you have to create a Wallpaper Profile????
You don’t have to. We chose to as a quick visual to show that the policies applied.
@@IntuneTraining Thanks!! I'm having trouble getting "Encrypt devices reporting -2016281112 (Remediation failed)" error.
Hi Guys, training and information shared is outstanding. Can you please make your videos in 100% zoom when you show the console and type anything on azure portal. Things are hardly visible even if I do full mode view on. Cheers.
Thanks for the feedback. Some of our early stuff is pretty bad. We just wanted to get the content out hoping folks could follow along. Now that so much has changed in the console, we will likely start re-recording some things to help replace some of the more dated content.
I love the videos I would like to see Power Bi and Desktop Analytics Module
Thanks for your interest in our videos. Unfortunately those topics are a bit out of scope for the channel at this time. Desktop Analytics requires a SCCM backend to provide client data and we aren’t currently doing anything with SCCM on the channel. And Power BI is a whole separate vertical that we likely won’t do justice to compared to others who have great channels on it - check out Guy In A Cube for tons of great Power BI content.
If you’ve got any Intune specific topics you’d like to see us cover, please let us know.
What's stopping an employee from putting a flash drive in, setting up BitLocker to be able to copy data to the flash drive, then going to a non-work computer, putting in the set BitLocker password and copying the data off the flash drive? - Asking for a friend (client)
If you have sketchy enough employees for this to be a problem, you'd configure BitLocker policies to make it a requirement for portable drives to be encrypted before write access is allowed. Additionally, BitLocker keys are stored in AAD, which most standard users will not have access to.
- Ben
Thanks Ben, I have tested this out, and while write access to portable drives that are configured with BitLocker for that company only is working, when an end user plugs an unconfigured drive in they get prompted to configure it for BitLocker. Then all they need to do is copy data, take that portable drive to a non-company PC and put in the password they set when they set up BitLocker, and they can copy the data off. It's all good and well having the recovery keys, but that doesn't help in this case. What are your thoughts?
@@Lonsdale6059 So, BitLocker conceptually is not designed to stop sketchy staff - it's designed so that if you leave a laptop or USB on a train and someone picks it up, they can't steal the data.
If you don't want your staff to move data around, you'd need to look into better DLP policies and strap on the fun police hat and disable USB write access.
- Ben
Guys can we have a reboot video on this, please!
Done!
@@IntuneTraining Thank you very much, sir!
Great stuff
Thanks!
Delete a registry key to download the updated settings for the wallpaper. We had this issue in our org and reported it to MS. Just create a PS script to delete the reg key and it will download and set the wallpaper.
Thanks a lot for making these videos!
I just tried to create a test policy and tried to enroll a test Windows 10 1803 Enterprise laptop, and the configuration failed during "Encrypt device" with state details: -2016281112 (Remediation failed). Still trying to find out the root cause!
We found that the default BitLocker settings didn't work consistently on 1803, but from 1809 it was fantastic. I would suggest using the latest media, being the 1903 June 2019 update, as there are some really awesome updates added around managing devices.
@@IntuneTraining Have a ticket opened with the Intune team, and one of the things they asked me to do is to upgrade TPM to 2.0, as per them TPM 1.2 is not supported by Intune.
So I got some more info, and based on that we've summarized the requirements as:
1. TPM 2.0
2. 1809+
3. Preferred to update BIOS with latest stable version
4. BIOS in UEFI and OS disk on UEFI. If you have a legacy setup for some reason, use the mbr2gpt command for conversion
5. Secure Boot enabled
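The five requirements in the list above can be checked on a client before the BitLocker profile is re-targeted. The script below is an added example, not from the video or the commenter; it uses only built-in Windows cmdlets and assumes it is run in an elevated PowerShell session (the TPM and Secure Boot queries need admin rights). A build of 17763 corresponds to 1809.

```powershell
# Added example: read-only readiness check for the BitLocker-via-Intune requirements listed above.
# Assumes an elevated PowerShell session on the Windows 10 client; no Intune API is used.
$results = [ordered]@{}

# 1. TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM present']  = [bool]$tpm
$results['TPM spec 2.0'] = [bool]$tpm -and (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')
$results['TPM ready']    = (Get-Tpm -ErrorAction SilentlyContinue).TpmReady -eq $true

# 2. Windows 10 1809 or later (build 17763+)
$build = [System.Environment]::OSVersion.Version.Build
$results["Build $build >= 17763 (1809)"] = $build -ge 17763

# 3. BIOS version is only reported; compare it with the vendor's latest stable release yourself
$bios = Get-CimInstance -ClassName Win32_BIOS
$results["BIOS $($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate)"] = $true

# 4. UEFI firmware and a GPT-partitioned OS disk (mbr2gpt is the fix when the disk is still MBR)
$results['Firmware is UEFI'] = $env:firmware_type -eq 'UEFI'
$osDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
$results['OS disk is GPT'] = $osDisk.PartitionStyle -eq 'GPT'

# 5. Secure Boot enabled (Confirm-SecureBootUEFI throws on legacy BIOS machines, hence the try/catch)
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# Current state of the OS volume, useful alongside an Intune "Remediation failed" report
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results["OS volume protection $($vol.ProtectionStatus), $($vol.VolumeStatus)"] = $vol.ProtectionStatus -eq 'On'

# Print a PASS/FAIL line per check; any FAIL is the item to fix before re-deploying the profile
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```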
@@AmbarishRH Have you made any further progress with this? I have a fairly new model Surface Pro tablet that meets all of these requirements, yet it continues to fail to apply the BitLocker profile. Forums and websites haven't been very helpful, as the Intune portal and features seem to update as the wind blows. I'm struggling with this one, and despite creating an entirely new BitLocker profile and reimaging the Surface tablet, BitLocker just does not want to cooperate.
Some additional information, though. This is not an autopiloted device but it is Hybrid Azure AD joined. The part that doesn't make sense to me is that other profile settings are applied successfully but the Bitlocker one errors out with the following message and I can't seem to find any leads as to why:
"Failed to enable Silent Encryption. Error: Group policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info, contact your system administrator."
I don't have anything explicitly blocking the backup of the recovery password to AD so I'm not really sure what this error message means. If anyone has any ideas I'd appreciate it.
@@Minerva___ Could you please share your Intune settings for BitLocker? Also, please double check whether you have any GPO from AD that's being applied as well.
I really can't see NOT storing recovery keys in Azure AD. Sure, people SHOULD be storing files in OneDrive and all their usual information should be synced to services where recovery is quick and easy, but real world boots-on-the-ground scenarios...we know that there are going to be so many scenarios that are less than ideal. IMO, concerns about Bitlocker recovery keys stored in Azure are the least of my security concerns when the vast majority of security incidents are social engineering or created by user behavior. There is no end to how secure you could make something. This is just not something I think is a big deal and I would absolutely store the recovery keys in Azure...and I do.
Need an update for 2021. Microsoft keeps changing all their portals.