scloud by Florian Salzmann
ende

BitLocker: Cloud Only vs. Hybrid

For me it’s without question that BitLocker belongs on every device. Whether with a PIN or not depends a bit on the scenario.

For some time now, Endpoint Manager offers the “Endpoint security” tab, where you can manage security settings like Defender settings, Firewall and BitLocker.

In several hybrid environments I noticed that many devices have problems with the new configuration and don’t activate BitLocker. Because of this, I started to only use BitLocker via “Endpoint security” in environments where exclusively cloud only devices are used. For hybrid environments (starting with an Azure AD Hybrid Join device) I still use the classic “Endpoint protection” “Configuration profile”.

BitLocker Policy Cloud Only

  • I create the policy under Endpoint security > Disk encryption > Create Policy

  • As a name I choose “WIN BitLocker” or, if the customer has special naming conventions, one according to the concept. With the settings below I’ve had good experience over the past year:

BitLocker Policy Hybrid

  • I create the policy under Devices > Windows > Configuration profiles > Create profile

  • As a name I choose “WIN BitLocker (Classic)” or, if the customer has special naming conventions, one according to the concept. With the settings below, the configuration also works with hybrid devices deployed via Autopilot as well as those enrolled via AD, Hybrid Sync and GPO: