Bitlocker Encryption using Intune for On-Premise Machines, save keys in Azure AD, setup in 5 minutes

Video Statistics and Information

Captions
Hello everyone. In today's video we will see how to encrypt our on-premises Windows 10 machines using Intune. Before we go ahead and do that, let's look at the ways by which we can encrypt our machines.

The first way available to us is using on-premises AD. In this you set up some group policies, encrypt the machines and save the keys in Active Directory. This does not give us any self-service portal or anything; this is a free solution. The second one is MBAM, wherein we install the MBAM server and have a SQL Server database with us where we save the keys; it also provides us the option where the user can recover the keys using a self-service portal, but it's a paid solution. The third one is Azure AD, so in this demo we will save the keys in Azure AD, but this also does not provide us any option where we will have our own self-service recovery portal. The last one is SCCM. Now, MBAM has been deprecated by Microsoft, so basically we only have two options: either we use Azure AD or SCCM, sorry, three options, or AD. But with AD we don't get the advantage of a self-service portal. With SCCM we do get a self-service portal, and it has a lot of reports as well, and if we are already managing our machines and have the CCM client installed then this makes sense. With Azure AD the keys are saved in Azure AD, so it does not give us many options like self-service recovery etc., but in this demo we will see this option and how we're going to enable it.

In order to enable BitLocker encryption for our on-premises machines there are some prerequisites. First of all, the on-premises machine identity has to be synced to Azure AD using Azure AD Connect, so that will be a hybrid Azure AD joined machine, and if it's being managed by SCCM then the device configuration workload has to be transferred to Intune. Let me show you my SCCM server, where I have already transferred the device configuration workload for this machine to Intune. I have co-management enabled and the workload for device configuration has been transferred for a pilot Intune collection. I already have a pilot Intune collection created and my PC has been added to it. If we check in the Intune portal under Devices, All devices, this will show that it is being managed by MDM and ConfigMgr. So this is my on-prem domain-joined machine, and the device configuration workload is being managed by Intune.

Now we will have to create a policy here. So in Intune we will go to Devices, Configuration profiles, Create profile. Let's name it BitLocker encryption. It's applicable to Windows 10 and later; the profile type would be Endpoint protection, and then Windows Encryption. We will have to enable the first option to encrypt the device. These are global settings, so we have to select Block here for Warning for other disk encryption, to enable silent encryption on the machines without any user intervention. We will allow standard users to enable encryption during Azure AD join. We can also change the encryption methods. This is for the OS drive, the BitLocker OS drive settings; we will encrypt only the OS drive, so I will make it Required. I will block devices with a non-compatible TPM chip, and I will allow TPM and allow TPM with PIN. I will disable the startup key options. By default it will encrypt using TPM, but a user can set up a PIN as well. I will enable a minimum PIN length, which would be 6 characters. We will enable OS drive recovery and save the BitLocker recovery information to Azure AD, and store recovery information in Azure AD before enabling BitLocker. These are the settings for fixed drives, and then removable drives; I don't need them, so I leave them as they are. Once the policy gets created I will apply it to the AD group which my Windows 10 machine is part of, so I will select Windows... this is my group which my Windows 10 machine is part of. I will save the policy. So these are the only settings which are required from the Intune side.

Let me connect to my Windows 10 machine. So this is my Windows 10 client machine where I have pushed the encryption. Currently it is disabled, so we don't see a lock icon here. If I go under Control Panel it should show that it's not encrypted, so we go to Control Panel, then BitLocker Drive Encryption, and it says BitLocker off for C:. So we will wait for a few minutes and see whether the encryption starts or not. I will show you the place where you can see the event IDs as well: you can go under Event Viewer, Applications and Services Logs, Microsoft, Windows, BitLocker-API, Management. So this is the place where you can see the logs. Currently it is showing "BitLocker decryption was started"; this is an old entry from when I disabled BitLocker on this machine, so now the drive is unencrypted. So we will wait a few minutes for the policy to come and see whether it works or not. I'm going to pause the video now and come back once the encryption starts.

Now the encryption has started; we see that there is a lock icon here, and if I go under Control Panel and BitLocker Drive Encryption it shows that it is encrypting. Now let us go back to our Azure portal, in Azure Active Directory, and see whether we have the BitLocker key there or not. So I will go to Azure AD, Devices; this is my device, and it is showing my BitLocker key. It's showing two BitLocker keys because the other one is from when I tested it previously, so that's the old one, and it is also showing the latest BitLocker recovery key here.

If you remember, we selected enable TPM and enable TPM with PIN, so by default it's setting up TPM only, but if a user wants they can set up a PIN as well. So in Control Panel, BitLocker Drive Encryption, we go and click on "choose how to unlock drive at startup" and select "enter PIN". We have to enter a PIN here, which would be a minimum of 6 characters. So I have set the PIN here; let me reboot and see whether it asks me for anything or not. While it is still encrypting, it is asking me for the PIN. Let me enter a PIN here; I will enter an incorrect PIN and it should fail. I will press Escape for BitLocker recovery, copy the key from here and paste it in there. Let's see whether this key works or not and whether we are able to recover the system. So I'm going to pause the video till the time I type this key. I have typed the key here; let me press Enter and see whether it works or not. Yes, the key has worked, so it is going into my operating system now. All right, let us check the encryption status: the drive is encrypted, it's showing encrypting here. I can change the PIN as well, so now I can change the PIN as well. All right, I have changed the PIN now.

So this was a small demo on how to enable BitLocker encryption for our hybrid domain-joined machines. It's very easy as compared to MBAM: you do not have to set up any servers or any group policies or any SQL database, but it has fewer features; for example, you do not get a self-service recovery portal here, unlike MBAM. But MBAM has now been deprecated. We can use SCCM 1910 as well to set up BitLocker; that will give us the option to have a self-service recovery portal. I hope you liked this video; please subscribe and press the bell notification icon on my channel, and I will see you in my next video. Bye bye.
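The video verifies the result by eye in Control Panel, Event Viewer and the Azure AD Devices blade. The script below is an added example, not code from the video or its author, that does the same verification from an elevated PowerShell session on the client: it checks the two prerequisites the video lists (hybrid Azure AD join and a usable TPM), reports the OS drive's BitLocker state and key protectors, then looks in the same BitLocker management event log the video opens for evidence that the recovery password reached Azure AD, and with -Remediate re-runs the escrow. Assumptions made here: event ID 845 is "recovery information backed up to Azure AD" and 846 is the failure event (check them against your own log), and $env:SystemDrive is the BitLocker OS drive.

```powershell
<#
  Added example (not from the video). Run elevated on the hybrid-joined
  Windows 10 client after the Intune encryption profile has applied.
  Assumed event IDs: 845 = recovery info backed up to Azure AD, 846 = failed.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Remediate   # re-escrow the recovery password if no success event is found
)

$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive

# --- 1. Hybrid Azure AD join: the computer object must be synced by Azure AD Connect ---
$dsreg        = dsregcmd /status
$aadJoined    = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')
if ($aadJoined -and $domainJoined) {
    Write-Host "Hybrid Azure AD joined: yes"
} else {
    Write-Warning "Not hybrid Azure AD joined (AzureAdJoined=$aadJoined, DomainJoined=$domainJoined); Azure AD key escrow cannot work."
}

# --- 2. TPM: the profile blocks devices without a compatible TPM ---
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present or not ready; silent encryption will not start."
}

# --- 3. OS drive status and key protectors (what Control Panel shows as a lock icon) ---
$vol = Get-BitLockerVolume -MountPoint $osDrive
Write-Host ("{0} Protection={1} Volume={2} {3}% Method={4}" -f $vol.MountPoint,
    $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.EncryptionMethod)
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize | Out-Host

# Tpm is what the profile sets up by default; TpmPin appears once the user adds a PIN.
$hasTpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin' }
if (-not $hasTpm) { Write-Warning "No TPM or TPM+PIN protector present yet." }

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector exists, so there is nothing to escrow."
    return
}

# --- 4. Escrow evidence: same log as Event Viewer > BitLocker-API > Management ---
$log    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 845, 846 } `
          -MaxEvents 50 -ErrorAction SilentlyContinue          # newest first
$lastOk   = $events | Where-Object Id -eq 845 | Select-Object -First 1
$lastFail = $events | Where-Object Id -eq 846 | Select-Object -First 1
$escrowed = [bool]$lastOk -and (-not $lastFail -or $lastOk.TimeCreated -gt $lastFail.TimeCreated)

if ($escrowed) {
    Write-Host "Recovery password was backed up to Azure AD at $($lastOk.TimeCreated)."
} else {
    Write-Warning "No successful Azure AD backup event found (last failure: $($lastFail.TimeCreated))."
    if ($Remediate) {
        foreach ($kp in $recovery) {
            # Same operation the MDM client performs when the profile applies.
            BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId
            Write-Host "Re-escrowed protector $($kp.KeyProtectorId); check Azure AD > Devices for the new key."
        }
    }
}
```

Save it as a .ps1 and run it once the lock icon appears; add -Remediate only after confirming in the Azure AD Devices blade that the key really is missing, because each successful backup adds another key entry like the two the video shows. The PIN step the video does through Control Panel can be done the same way from PowerShell with Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString), which then shows up above as a TpmPin protector.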
Info
Channel: AnubhavinIT
Views: 4,582
Keywords: Bitlocker, Encryption, Intune, On-Premise, Machines, keys, Azure AD, ad, microsoft, azure, profile, sccm 1910, configmgr 1910, sccm, cb, self-service, recovery, mbam, hybrid joined, hybrid, azure ad joined, windows 10, pin, tpm, drive, how to, step-by-step, step by step, demo, training, encrypt, security, group policy, modern management, autopilot
Id: EZuNLPl9wBw
Length: 10min 32sec (632 seconds)
Published: Tue Feb 25 2020