To make sure that Windows clients are compliant, we configure compliance policies. Below I will create two: one without BitLocker plus some additional settings, and one with BitLocker. The BitLocker requirement goes in a separate policy because it needs a longer grace period: the PC must have time to encrypt its storage devices before it is marked non-compliant. If you have Conditional Access rules that block non-compliant devices, a freshly enrolled device that is still encrypting would otherwise lose access.
These are just examples. Be sure to apply settings according to your company policies!
Compliance with BitLocker
Navigate to Devices -> Windows -> Compliance policies -> Create policy
Choose Windows 10 and later -> Click Create
Enter a name -> Click Next
Set Require encryption of data storage on device to Require -> Click Next
Click Next
Add the Groups that you want this security profile to be applied on. Click Next
Click Create
Open the policy that you have just created.
Click Properties -> Edit Actions for noncompliance
Change Mark device noncompliant from 0 to 1 (days) -> Click Review + save
Click Save
Compliance without BitLocker
Navigate to Devices -> Windows -> Compliance policies -> Create policy
Choose Windows 10 and later -> Click Create
Enter a name -> Click Next
Expand Device Health -> set Secure Boot to Require
Enable the following settings:
– Require a password to unlock mobile devices — Require
– Simple passwords — Block
– Password type — Alphanumeric
– Password Complexity — Require digits, lowercase and uppercase letters
– Minimum password length — 8
– Maximum minutes of inactivity before password is required — 15 minutes
– Password expiration (days) — 41
– Number of previous passwords to prevent reuse — 24
Click Next
Add the Groups that you want this security profile to be applied on. Click Next
Click Create
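The same two policies can be created through Microsoft Graph instead of clicking through the portal, which makes the difference in grace period explicit and repeatable across tenants. The script below is an added example, not part of the original post. It assumes the Microsoft.Graph.Authentication module is installed, that the property names used match the windows10CompliancePolicy resource in the Graph API (check them against the current Graph documentation before relying on them), and that the rule name under scheduledActionsForRule can be any string (the portal uses PasswordRequired). The group id is a placeholder.

```powershell
# Added example (not from the original post): create the two Windows compliance
# policies described above via Microsoft Graph. Property names are assumed to
# match the Graph windows10CompliancePolicy resource; verify before production use.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your device group

# "Actions for noncompliance": gracePeriodHours = 0 marks the device noncompliant
# immediately; 24 is the one-day grace period used for the BitLocker policy so a
# freshly enrolled PC has time to finish encrypting.
function New-NoncomplianceAction([int]$GraceHours) {
    @(
        @{
            ruleName = 'PasswordRequired'   # assumption: any rule name is accepted
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'      # "Mark device noncompliant"
                    gracePeriodHours          = $GraceHours
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Policy 1: BitLocker only, with the longer grace period.
$bitLockerPolicy = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows - Compliance with BitLocker'
    description              = 'Requires encryption of data storage; 1 day grace period'
    storageRequireEncryption = $true   # "Require encryption of data storage on device"
    scheduledActionsForRule  = New-NoncomplianceAction -GraceHours 24
}

# Policy 2: Secure Boot plus the password settings, marked noncompliant immediately.
$baselinePolicy = @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Windows - Compliance without BitLocker'
    description                           = 'Secure Boot and password requirements'
    secureBootEnabled                     = $true           # Device Health -> Secure Boot
    passwordRequired                      = $true           # Require a password to unlock
    passwordBlockSimple                   = $true           # Simple passwords: Block
    passwordRequiredType                  = 'alphanumeric'  # Password type
    passwordMinimumCharacterSetCount      = 3               # digits + lowercase + uppercase
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    passwordExpirationDays                = 41
    passwordPreviousPasswordBlockCount    = 24
    scheduledActionsForRule               = New-NoncomplianceAction -GraceHours 0
}

function New-CompliancePolicy($Body) {
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
        -Body $Body
}

# Assign the policy to the group (the "Add the Groups" step in the portal).
function Set-PolicyAssignment($PolicyId, $GroupId) {
    $assignBody = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$PolicyId/assign" `
        -Body $assignBody
}

foreach ($policy in @($bitLockerPolicy, $baselinePolicy)) {
    $created = New-CompliancePolicy -Body $policy
    Set-PolicyAssignment -PolicyId $created.id -GroupId $targetGroupId
    "Created '$($created.displayName)' ($($created.id)) and assigned it to group $targetGroupId"
}
```

Keeping the two policies separate, as the post recommends, means a device can be compliant with the password and Secure Boot rules on day one while BitLocker still has its 24-hour window; any Conditional Access rule that requires a compliant device only bites once the grace period on the BitLocker policy has expired.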
Continue to part 6 (Windows Update for Business)