To make sure that Windows clients are compliant, we configure compliance policies. Below I will create two: one without BitLocker but with some additional settings, and one with BitLocker. The reason for putting the BitLocker requirement in a separate policy is that its grace period will be longer, because the PC needs time to encrypt its storage devices. Otherwise the device will be marked non-compliant while it is still encrypting, and if you have Conditional Access rules that block non-compliant devices, you could have an issue.
These are just examples. Be sure to apply settings according to your company policies!
Compliance with BitLocker
1. Navigate to Devices -> Windows -> Compliance policies -> Create policy
2. Choose Windows 10 and later -> Click Create
3. Enter a name -> Click Next
4. Set Require encryption of data storage on device to Require -> Click Next
5. Click Next
6. Add the Groups that you want this security profile to be applied on. Click Next
7. Click Create
8. Open the policy that you have just created.
9. Click Properties -> Edit Actions for noncompliance
10. Change Mark device noncompliant from 0 to 1 -> Click Review + save
11. Click Save
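The same policy can also be created through Microsoft Graph, which makes the grace period explicit and lets you read it back afterwards. This is an added example, not part of the original walkthrough: the display name and group ID are placeholders, and it assumes the portal value 1 means one day, which Graph stores as `gracePeriodHours = 24`.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$graceDays = 1                                        # "Mark device noncompliant" value from the steps above
$groupId   = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the target group
$base      = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

$policy = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows - Compliance with BitLocker'   # placeholder name
    storageRequireEncryption = $true                  # "Require encryption of data storage on device"
    scheduledActionsForRule  = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'            # "Mark device noncompliant"
                    gracePeriodHours          = $graceDays * 24
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Create the policy
$created = Invoke-MgGraphRequest -Method POST -Uri $base -ContentType 'application/json' `
    -Body ($policy | ConvertTo-Json -Depth 10)

# Assign it to the group
$assignment = @{ assignments = @( @{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
    groupId       = $groupId
} } ) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -ContentType 'application/json' -Body ($assignment | ConvertTo-Json -Depth 10)

# Read the policy back and confirm the grace period that was actually stored
$uri   = "$base/$($created.id)?`$expand=scheduledActionsForRule(`$expand=scheduledActionConfigurations)"
$check = Invoke-MgGraphRequest -Method GET -Uri $uri
$block = $check.scheduledActionsForRule.scheduledActionConfigurations |
    Where-Object { $_.actionType -eq 'block' }

if ($block.gracePeriodHours -lt 24) {
    Write-Warning "Grace period is $($block.gracePeriodHours)h: devices still encrypting will be marked noncompliant."
} else {
    Write-Output "Grace period: $($block.gracePeriodHours / 24) day(s)"
}
```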
Compliance without BitLocker
1. Navigate to Devices -> Windows -> Compliance policies -> Create policy
2. Choose Windows 10 and later -> Click Create
3. Enter a name -> Click Next
4. Expand Device Health -> set Secure Boot to Require
5. Enable the following settings:
   - Require a password to unlock mobile devices: Require
   - Simple passwords: Block
   - Password type: Alphanumeric
   - Password Complexity: Require digits, lowercase and uppercase letters
   - Minimum password length: 8
   - Maximum minutes of inactivity before password is required: 15 minutes
   - Password expiration (days): 41
   - Number of previous passwords to prevent reuse: 24
6. Click Next
7. Add the Groups that you want this security profile to be applied on. Click Next
8. Click Create
Continue to part 6 (Windows Update for Business)
















