To make sure that Windows clients are compliant, we configure compliance policies. Below I will create two: one without BitLocker plus some additional settings, and one with BitLocker only. The BitLocker requirement goes in a separate policy because it needs a longer grace period: a newly enrolled PC must have time to encrypt its storage devices before the check is enforced, otherwise it is marked non-compliant right away. If you have Conditional Access rules that block non-compliant devices, that would lock users out of company resources while encryption is still running.

These are just examples. Be sure to apply settings according to your company's policies!

Compliance with BitLocker

Navigate to Devices -> Windows -> Compliance policies -> Create policy
Choose Windows 10 and later -> Click Create
Enter a name -> Click Next
Set Require encryption of data storage on device to Require -> Click Next
Click Next (the Actions for noncompliance tab; we change the grace period after the policy is created)
Add the groups that this compliance policy should be assigned to.

Click Next
Click Create
Open the policy that you have just created.
Click Properties -> Edit Actions for noncompliance
Change the schedule of Mark device noncompliant from 0 to 1 day (this is the grace period) -> Click Review + save
Click Save

Compliance without BitLocker

Navigate to Devices -> Windows -> Compliance policies -> Create policy
Choose Windows 10 and later -> Click Create
Enter a name -> Click Next
Expand Device Health -> set Secure Boot to Require
Expand System Security and set the following password settings:

– Require a password to unlock mobile devices: Require
– Simple passwords: Block
– Password type: Alphanumeric
– Password complexity: Require digits, lowercase and uppercase letters
– Minimum password length: 8
– Maximum minutes of inactivity before password is required: 15 minutes
– Password expiration (days): 41
– Number of previous passwords to prevent reuse: 24

Click Next
Click Next (leave Mark device noncompliant at 0 days, so these devices are marked immediately)
Add the groups that this compliance policy should be assigned to.

Click Next
Click Create
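If you prefer to script the two policies above instead of clicking through the portal, the same settings can be created with the Microsoft Graph PowerShell SDK. The following is an added example and not part of the original post: it creates the BitLocker policy with a one-day grace period and the Secure Boot + password policy with no grace period, assigns both to a group, and then reads back the compliance overview of a policy as a check. The policy display names, the group object ID in $TargetGroupId and the ruleName string are assumptions to replace with your own values; it assumes the Microsoft.Graph module is installed and that the signed-in account can consent to DeviceManagementConfiguration.ReadWrite.All.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not code from the original post. Creates the two Windows 10/11
# compliance policies described above via Microsoft Graph (v1.0).
# Assumptions: Microsoft.Graph is installed, the account can consent to the scope
# below, and $TargetGroupId is a placeholder for the Entra ID group to assign to.

$TargetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your group's object ID
$PolicyUri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

function New-Win10CompliancePolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Settings,
        [int]    $GracePeriodHours = 0,   # "Mark device noncompliant" schedule; 0 = immediately
        [string] $GroupId
    )

    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
        displayName   = $DisplayName
        # Graph rejects a create request without a scheduled action; this is the
        # "Mark device noncompliant" entry on the Actions for noncompliance tab.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'   # assumed rule name, any non-empty string works
                scheduledActionConfigurations = @(
                    @{
                        actionType                = 'block'
                        gracePeriodHours          = $GracePeriodHours
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    } + $Settings   # merge the per-policy compliance settings into the request body

    $policy = Invoke-MgGraphRequest -Method POST -Uri $PolicyUri `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

    if ($GroupId) {
        # Same as the Assignments tab: include the target group.
        $assignment = @{
            assignments = @(
                @{ target = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                } }
            )
        }
        Invoke-MgGraphRequest -Method POST -Uri "$PolicyUri/$($policy.id)/assign" `
            -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null
    }
    return $policy
}

function Get-CompliancePolicyOverview {
    # Check after the devices have had time to evaluate: Intune's per-policy
    # device overview (successCount = compliant, failedCount = non-compliant).
    param([Parameter(Mandatory)] [string] $PolicyId)
    $o = Invoke-MgGraphRequest -Method GET -Uri "$PolicyUri/$PolicyId/deviceStatusOverview"
    [pscustomobject]@{
        Compliant     = $o.successCount
        NonCompliant  = $o.failedCount
        Error         = $o.errorCount
        Pending       = $o.pendingCount
        NotApplicable = $o.notApplicableCount
    }
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# Policy 1: BitLocker only, with a one-day grace period (24 h) so a new device can
# finish encrypting before it is marked non-compliant.
$bitLocker = New-Win10CompliancePolicy -DisplayName 'Windows - BitLocker' -GroupId $TargetGroupId `
    -GracePeriodHours 24 -Settings @{
        storageRequireEncryption = $true   # "Require encryption of data storage on device"
    }

# Policy 2: Secure Boot plus the password settings, marked non-compliant immediately.
$baseline = New-Win10CompliancePolicy -DisplayName 'Windows - Baseline' -GroupId $TargetGroupId -Settings @{
    secureBootEnabled                     = $true           # Device Health: Secure Boot = Require
    passwordRequired                      = $true           # Require a password to unlock mobile devices
    passwordBlockSimple                   = $true           # Simple passwords: Block
    passwordRequiredType                  = 'alphanumeric'  # Password type
    passwordMinimumCharacterSetCount      = 3               # digits, lowercase and uppercase letters
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    passwordExpirationDays                = 41
    passwordPreviousPasswordBlockCount    = 24
}

"Created policies: $($bitLocker.id) and $($baseline.id)"
Get-CompliancePolicyOverview -PolicyId $bitLocker.id
```

The overview is only meaningful once assigned devices have checked in and evaluated the policy, so run Get-CompliancePolicyOverview again a few hours after creation; a high NonCompliant count on the BitLocker policy shortly after rollout usually means the grace period is too short for your hardware, not that encryption failed.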

Continue to part 6 (Windows Update for Business)


By Claus