MECM or Endpoint Manager (Intune) for BitLocker

Dilan Nanayakkara 1,111 Reputation points
2021-08-08T16:32:11.467+00:00

Hi All,

I have a requirement to set up BitLocker on 200+ laptops, and it has to be silent encryption. So I was wondering whether I should go with MECM or Intune. We have both MECM and Intune, but they are not co-managed yet, so I have the concerns below. I would appreciate it if anyone can help.

  • I would appreciate recommendations on the best approach to implementing BitLocker.
  • If I go with MECM, should I have PKI/HTTPS in place?
  • If I go with Intune, it can be configured through the options below; does any of them have advantages over another?
    1 Endpoint protection profile
    2 Disk encryption profile
    3 Security baseline
    4 CSPs
  • Can I configure BitLocker on either Hybrid or AAD standalone joined devices?

Thanks,
Dilan


Accepted answer
  Jarvis Sun-MSFT 10,186 Reputation points Microsoft Vendor
    2021-08-09T07:17:42.04+00:00

    @Dilan Nanayakkara Thanks for posting in our Q&A.

    I noticed that we are deploying BitLocker silently. A device must meet the following conditions to be eligible for silently enabling BitLocker:

      • If end users log in to the devices as Administrators, the device must run Windows 10 version 1803 or later.
      • If end users log in to the devices as Standard Users, the device must run Windows 10 version 1809 or later.
      • The device must be Azure AD Joined or Hybrid Azure AD Joined.
      • The device must contain TPM (Trusted Platform Module) 2.0.
      • The BIOS mode must be set to Native UEFI only.

    For more points to note, please refer to https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices#silently-enable-bitlocker-on-devices

    Regarding the several options you mentioned: 1 and 2 are built-in functions, 2 (Disk encryption profile) is the recommended one for simplicity and efficiency, and 3 and 4 are not recommended.

    1. Endpoint protection policy: BitLocker settings are one of the available settings categories for Windows 10 endpoint protection.
    2. Disk encryption profile: The BitLocker profile in Endpoint security is a focused group of settings that is dedicated to configuring BitLocker.
    3. Security baseline: It can be achieved but is not recommended, and Microsoft doesn't recommend using preview versions of security baselines in a production environment.
    4. CSPs: The BitLocker CSP is supported on Windows 10 version 1703 and later, and for Windows 10 Pro version 1809 and later.

    Can I configure BitLocker on either Hybrid or AAD standalone joined devices? Yes, both are OK.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

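The accepted answer lists the conditions a device must meet before Intune will silently enable BitLocker (Windows build, Azure AD / Hybrid Azure AD join, TPM 2.0, native UEFI). Before pushing a Disk encryption profile to 200+ laptops it is worth inventorying which machines already qualify. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the build-number mapping 1803 = 17134 and 1809 = 17763, reads TPM details from the `Win32_Tpm` WMI class, firmware type from the `PEFirmwareType` registry value (2 = UEFI), join state from `dsregcmd /status`, and reports the current state of the OS volume so that already-encrypted devices can be separated from those still to be targeted.

```powershell
# Added example (not from the Q&A thread): readiness check for the silent-BitLocker
# prerequisites listed in the accepted answer. Run from an elevated PowerShell session
# on the device being assessed; returns one object per check plus an overall verdict.
# Assumed build numbers: Windows 10 1803 = 17134, 1809 = 17763.
function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param()

    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check($Name, $Value, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass })
    }

    # 1. OS build: 1803 (17134) suffices if end users are local admins,
    #    1809 (17763) is required when they are standard users.
    $build = [System.Environment]::OSVersion.Version.Build
    Add-Check 'OS build >= 1803 (admin users)'    $build ($build -ge 17134)
    Add-Check 'OS build >= 1809 (standard users)' $build ($build -ge 17763)

    # 2. Join state: AzureAdJoined alone = AAD joined, with DomainJoined = Hybrid.
    $dsreg        = & dsregcmd.exe /status
    $aadJoined    = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet)
    $joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                elseif ($aadJoined)                 { 'Azure AD joined' }
                else                                { 'not Azure AD joined' }
    Add-Check 'Azure AD or Hybrid Azure AD joined' $joinType $aadJoined

    # 3. TPM 2.0, present, enabled and activated. SpecVersion looks like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpmOk = ($specMajor -eq '2.0') -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
        Add-Check 'TPM 2.0 enabled and activated' "spec $specMajor" $tpmOk
    } else {
        Add-Check 'TPM 2.0 enabled and activated' 'no TPM reported' $false
    }

    # 4. Native UEFI firmware. PEFirmwareType: 1 = legacy BIOS, 2 = UEFI.
    $fwType = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
                                -Name PEFirmwareType -ErrorAction SilentlyContinue).PEFirmwareType
    $fwLabel = switch ($fwType) { 2 { 'UEFI' } 1 { 'Legacy BIOS' } default { 'unknown' } }
    Add-Check 'Native UEFI firmware' $fwLabel ($fwType -eq 2)

    # 5. Informational: current state of the OS volume, to separate devices that are
    #    already encrypted from those the silent policy still needs to act on.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($osVol) {
        $state = "$($osVol.VolumeStatus) / protection $($osVol.ProtectionStatus)"
        $hasRecoveryPw = [bool]($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        Add-Check 'OS volume state (informational)' $state $true
        Add-Check 'Recovery password protector present (informational)' $hasRecoveryPw $true
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Eligible     = -not ($checks | Where-Object { -not $_.Pass })
        Checks       = $checks
    }
}

# Usage: run on the device and print the per-check table and the overall verdict.
$report = Test-SilentBitLockerReadiness
$report.Checks | Format-Table -AutoSize
"Eligible for silent BitLocker: $($report.Eligible)"
```

The script only reads state and changes nothing, so it is safe to run through a Configuration Manager script or an Intune remediation detection step to collect an inventory before the policy is assigned; devices that fail the join, TPM or firmware checks will not encrypt silently whichever of the Intune profile types is used, and fixing those first avoids chasing "policy not applied" reports later.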

0 additional answers