This part of the blog series covers how to configure Windows encryption. Within Microsoft Intune it is possible to enable encryption on a Windows 10 device. You create a profile that specifies the settings for the device; the profile configures those settings on the device and turns on BitLocker.
Ok, I had forgotten that Windows 10 Hyper-V supports a virtual TPM chip (this needs a Generation 2 VM with the virtual TPM enabled in the VM's security settings). So I turned this feature on. Now I can encrypt the virtual drives of my Windows 10 virtual machine. Let's try this with a device configuration.
Go to the Intune portal -> Device Configuration -> Profiles
Click Create Profile
Give the profile a name, choose Windows 10 and later as Platform and Endpoint Protection as Profile type. More settings appear on the right.
The ones in purple are changed. This is my default configuration for BitLocker. Click OK (twice) and then Create.
The profile is created.
Go to Assignments and include the user group here. Then click Save. Now we have to wait a few minutes.
The profile has been applied to the device and the drive is encrypted. If the status shows an error, you might have a bootable disk or USB stick connected to the device: BitLocker refuses to start encrypting while bootable media is attached. Unplug the ISO, DVD or USB before the device continues with encrypting.
You can see that the C: drive (the OS drive) is encrypted, pushed by the device configuration profile.
Oh, and the recovery key is stored in Azure AD. You can find the key in the Intune portal -> Devices -> Azure AD Devices -> click on a device for more information.
Here you see the BitLocker recovery key. This is the 48-digit recovery password you need when BitLocker enters recovery mode (for example after a firmware or boot configuration change) and asks for a recovery key, so check that it is actually escrowed before you rely on it.
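To verify on the device itself that the profile has done its work (TPM usable, no bootable media blocking encryption, OS drive encrypted) and that the recovery key really is escrowed in Azure AD as described above, here is an added PowerShell check. It is example code written for this page, not part of the original post or of Intune; it assumes the OS drive is C:, that the device is Azure AD joined, and that the BitLocker Management event IDs 845 (backup succeeded) and 846 (backup failed) apply on your build. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): post-deployment check for the Intune BitLocker profile.
# Uses Get-Tpm (TrustedPlatformModule module), Get-BitLockerVolume and
# BackupToAAD-BitLockerKeyProtector (BitLocker module) and Win32_LogicalDisk via CIM.
#Requires -RunAsAdministrator

$MountPoint = 'C:'   # assumption: the OS drive the profile encrypts

# 1. TPM: the profile's TPM protector needs a TPM that is present and ready
#    (a Generation 2 Hyper-V VM with the virtual TPM enabled counts).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); a TPM-based BitLocker profile will fail."
}

# 2. Bootable/removable media: the error state mentioned in the post. DriveType 2 = removable disk,
#    5 = CD/DVD (Win32_LogicalDisk), so report anything of those types that still has a file system.
$media = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 5 -and $_.FileSystem }
if ($media) {
    Write-Warning ("Remove attached media before encryption starts: " + (($media.DeviceID) -join ', '))
}

# 3. Encryption state of the OS drive as pushed by the profile.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0} VolumeStatus={1} ProtectionStatus={2} Encrypted={3}% Method={4}" -f `
    $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage, $vol.EncryptionMethod

# 4. Recovery key escrow: every RecoveryPassword protector should be backed up to Azure AD.
#    Intune can only escrow a key that exists, so a missing protector is a hard failure.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; nothing can be escrowed to Azure AD."
}
foreach ($kp in $recovery) {
    # Re-running the backup is safe: it re-uploads the same protector (identified by its key ID).
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    "Escrow requested for protector $($kp.KeyProtectorId)"
}

# 5. Confirm the escrow result in the event log (assumed IDs: 845 = success, 846 = failure).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The key ID printed in step 4 is the same identifier shown next to the recovery key in the Intune portal, so you can match the escrowed copy to the protector on the device before you ever need it in recovery.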