
Wednesday, August 30, 2017

Configure BitLocker on Intune Enrolled Windows 10 Devices

BitLocker can be managed in several ways in the enterprise. GPOs, MBAM, and ConfigMgr are the most common methods. But what if you don't have a Microsoft EA to bring in MBAM, or you have Windows 10 Professional devices? And what if you have mobile Windows 10 devices that are not joined to AD DS? To overcome these issues, it is possible to manage BitLocker through Microsoft Intune and Azure AD. Keep in mind, though, that this method does not provide the same functionality as MBAM. At the end of this post I will describe the limitations of this method.

Following are the steps to configure BitLocker through Intune and AAD. I have tested this on an Azure AD joined Windows 10 (1703) machine that is directly enrolled in Intune as MDM.


Thursday, August 17, 2017

Block Apps on Intune Enrolled Samsung Devices through OMA-URI Settings

Recently one of our customers had a requirement to use Samsung Galaxy Tabs as kiosk devices. These are shared devices that have been enrolled in Intune using a Device Enrollment Manager (DEM) account, and which are only used to run a specific LOB application.

The issue we faced was that this specific tab model, Samsung Galaxy Tab E 9.6 (SM-T561), does not have full KNOX capability baked into the OS. Simply put, there's no KNOX version information in Settings > About device. Because of this, none of the KNOX-required policies worked on the device, because Intune requires Samsung KNOX capable devices.

Since the "Kiosk policy" didn't work on this device, the only method to achieve this was to block apps from running through OMA-URI settings.