Intune – Denying access to Windows 10 without Bitlocker enabled

This blog post will show how you can deny access to Exchange Online and SharePoint Online for Windows 10 machines that do not have BitLocker enabled, using Conditional Access.

This is a lab environment. Conditional Access requires some planning, because you can potentially deny access to every machine if you deploy the Conditional Access policy to all users.

First I will create the compliance policy for Windows 10 to require encryption.

In https://portal.azure.com, go to Intune, then Device compliance, then Policies, then Create Policy.

Condaccbit01

Give the policy a name, select Windows 10 and later for the platform, then click Configure. Under System Security, near the bottom, you will see Encryption of data storage on device; set it to Require.

Condaccbit02

Create the policy, then assign it to a group. In my testing, I have a group called Intune.

Condaccbit02_2

Next I will create the Conditional Access policy that requires Windows devices to be compliant before they can access Exchange Online and SharePoint Online. Be careful about who you deploy the policy to: I am using a group with some test users here rather than all users, so I don’t block access from every unenrolled Windows machine.

Click on Azure Active Directory, then click on Conditional Access.

Condaccbit03

Under Users and groups, I selected a pilot group with a few users. You could instead create a group that includes your Windows 10 machines and deploy the Conditional Access policy to that.

I have given it the name “Windows 10 – Bitlocker required”. For Cloud apps I have selected Exchange Online and SharePoint Online.

Condaccbit04

I have selected Windows as the platform.

Condaccbit05

I have selected Browser and Mobile apps and Desktop clients.

Condaccbit06

Under Grant, I have selected Require device to be marked as compliant. This means the device needs to be enrolled in Intune and also evaluated as compliant.

Condaccbit07
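As an added illustration (not part of the original post), here are the two policies configured above expressed as Microsoft Graph request bodies, with a small evaluator that shows why an unenrolled pilot user is blocked while a user outside the pilot group is untouched. The Graph property names and the well-known Exchange/SharePoint app IDs are my assumptions from the Graph schema; the group ID is a placeholder, and the evaluator is a simplified model, not the real Conditional Access engine.

```python
# Added example, not the original post's own code. Graph property names are
# assumed from the deviceCompliancePolicy / conditionalAccessPolicy schema;
# verify against current docs before sending them to the API.

# Well-known first-party application IDs (assumed) for the two cloud apps
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
PILOT_GROUP_ID = "<pilot-group-object-id>"  # placeholder, not a real object id


def compliance_policy_body() -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies: require encryption."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Windows 10 - require encryption",
        "storageRequireEncryption": True,  # 'Encryption of data storage on device: Require'
    }


def conditional_access_body() -> dict:
    """Body for POST /identity/conditionalAccess/policies, mirroring the portal steps."""
    return {
        "displayName": "Windows 10 - Bitlocker required",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [PILOT_GROUP_ID]},          # pilot group, not all users
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def sign_in_allowed(policy: dict, *, user_groups, app_id, platform, client_app,
                    enrolled: bool, encrypted: bool) -> bool:
    """Simplified evaluation of one sign-in against the policy; True means access granted."""
    c = policy["conditions"]
    in_scope = (
        any(g in c["users"]["includeGroups"] for g in user_groups)
        and app_id in c["applications"]["includeApplications"]
        and platform in c["platforms"]["includePlatforms"]
        and client_app in c["clientAppTypes"]
    )
    if not in_scope:
        return True  # this policy does not apply; other policies might still
    # 'Require device to be marked as compliant' needs enrolment AND a compliant
    # evaluation, so an unenrolled machine is blocked even if it is encrypted.
    return enrolled and encrypted
```

Run `sign_in_allowed(conditional_access_body(), ...)` with different device states to see the blocked, enrol-then-encrypt, and out-of-scope paths from the walkthrough.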

Now for the user experience on my Windows 10 Pro machine, which I have not enrolled in Intune. When I go to https://outlook.office365.com using either Edge or IE11, I am presented with the message below:

Condaccbit08

Once I have MDM-enrolled my Windows 10 machine into Intune, a popup appears in the bottom right-hand corner saying Encryption needed. The user needs to select this to kick off the encryption.

Condaccbit09

Once I have clicked on Encryption needed, I will follow the prompts:

Condaccbit10

Condaccbit11

Condaccbit12

Condaccbit13

Once the encryption has finished, I can now access Exchange Online and SharePoint Online.

Condaccbit14
