
Commit d3b33da

Adding warning of potential conflict due to default configuration of the MDE Security Baseline
1 parent e87dd48 commit d3b33da

1 file changed

Lines changed: 6 additions & 2 deletions

File tree

memdocs/intune/protect/encrypt-devices.md

@@ -149,8 +149,7 @@ Depending on the type of policy that you use to silently enable BitLocker, confi
149149
- **Warning for other disk encryption** = *Block*.
150150
- **Allow standard users to enable encryption during Azure AD Join** = *Allow*
151151

152-
153-
> [!TIP]
152+
> [!TIP]
154153
> While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
155154
156155
#### TPM startup PIN or key
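Review bot: this hunk drops the blank line that separated the last bullet (`- **Allow standard users to enable encryption during Azure AD Join** = *Allow*`) from the `> [!TIP]` callout, while the warning block added further down keeps a blank line before it; keep the separating blank line here too, both for consistency within the file and so the tip is guaranteed to render as its own callout rather than being attached to the preceding list. Minor, in the unchanged context: the two bullets end inconsistently (`*Block*.` with a period, `*Allow*` without), which could be tidied while this area is being edited.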
@@ -175,6 +174,11 @@ Following are the relevant settings for each profile type:
175174
- **Compatible TPM startup key** - This setting must not be set to *Require startup key with TPM*
176175
- **Compatible TPM startup key and PIN** - This setting must not be set to *Require startup key and PIN with TPM*
177176

177+
> ![WARNING]
178+
> While neither the endpoint security or device configuration policies configure the TPM settings by default, the [security baseline for Microsoft Defender for Endpoint](../protect/security-baselines.md#available-security-baselines) does configure both *Compatible TPM startup PIN* and *Compatible TPM startup key*, and might configure these settings in a way that blocks silent enablement of BitLocker.
179+
>
180+
> If you deploy this baseline to devices on which you want to silently enable BitLocker, review the baselines configuration for possible conflicts. To remove conflicts, either reconfigure the settings in the baseline to remove them, or remove applicable devices from receiving the baseline instances that configure the TPM settings that block silent enablement of BitLocker.
181+
178182
### View details for recovery keys
179183

180184
Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10/11 devices, from within the Microsoft Endpoint Manager admin center. Support to view recovery keys can also [extend to your tenant-attached devices](#view-recovery-keys-for-tenant-attached devices).
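Review bot: `> ![WARNING]` on the added line is not a valid callout. The exclamation mark sits outside the brackets, so Markdown parses `![WARNING]` as an image reference and the text will not render as a warning box; it should read `> [!WARNING]`, matching the `> [!TIP]` form used earlier in this file. Two wording fixes in the same block: "While neither the endpoint security or device configuration policies" should be "neither ... nor", and "review the baselines configuration" should be "review the baseline's configuration". The mitigation sentence is also hard to act on: "reconfigure the settings in the baseline to remove them" can be read as deleting the settings rather than changing them; consider stating plainly that *Compatible TPM startup PIN* and *Compatible TPM startup key* in the baseline must not be set to the *Require ...* values listed above, or that the affected devices be excluded from the baseline profile. Outside this change but visible in the trailing context: the anchor `#view-recovery-keys-for-tenant-attached devices` contains a space and looks like a broken link.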
