BitLocker Silent Configuration via Microsoft Endpoint Manager

In Microsoft Endpoint Manager, at https://endpoint.microsoft.com/ , there is a simple function to implement easily BitLocker in our environvemt, also on a very large company.

The new function is integrated in “Endpoint Security“>”Disk Encryption“(before we had to implement BitLocker via “Configuration Profiles“).

Disk Encryption Setting

Policy Creation is Very Simple:
We need to click on “Create Policy” and, at the right of the page, appears a window where we can choose which platform and profile we want to apply Encryption. The Platform that we can choose, at the moment, are Windows 10 and later ad Mac OS (via FileVault). For the scope of this guide, we choose BitLocker

Profile Creation

Now, we must fill “Name” form, that is mandatory, in the Basics of our policy.

Profile – “Basics” Page

Then, we finally enter in the heart of BitLocker Configuration: now we begin with Base Settings section. I had highlighted two fundamental settings that help us to silent enable BitLocker on our machines. This settings are “Hide prompt about third-party encryption” and “Allow standard users to enable encryption during Autopilot“.
My personal advise is to verify the presence in place of other encryption solution: the better way is to disable the other solution and then proceed to encrypt via BitLocker.

BitLocker – Base Settings

Now we are in the second section, “Fixed Drive Settings“. The settings to consider in our silent implementation are fundamentally three: “Recovery key File Creation“, “Require Device to back up recovery information to Azure AD“, and “Hide recovery options during BitLocker setup
Also take care of the “Configure Encryption Method for fixed data-drives“: Microsoft recommends to use XTS-AES algorithm for fixed drives and CBC-AES for removable drives. The other thing to consider is the bit level of encryption: on low spec hardware, a 256 bit encryption may impacts negatively on machine performance, but is very more secure than 128 bit.

BitLocker – Fixed Drive Settings

Now we can proceed to “OS Drive Settings“: also there, we have some settings that we should consider in silent deployment: we must require a startup authentication, but only via compatible TPM module. We need to block other types of authentication: configure TPM and PIN, TPN and Password etc, requires user intervention during BitLocker deployment.
We also had the possibility to show a message and a URL during recovery process in preboot environment, to help users to contact Company Help-Desk

BitLocker OS Drive Settings – First Part

During second part of “OS Drive Settings” configuration we find similar parameters explained in “Fixed Drive Settings” section: we must configure policy as shown in the image below, to obtain no users interaction during encryption process.

BitLocker OS Drive Settings – Second Part

Now, there is the last section: “Removable Drive Settings“. The only important thing to remember, as said few lines higher, is to set Encryption Method to CBC-AES.

BitLocker – Removable Drive Settings

Then, our configuration is complete and we can proceed to scope tagging.

Scope Tagging

Now, we proceed to “Assignments” page. My advise is to create a specific group (with a speaking name) where put only desidered machine: especially on our first configuration it’s not a wise decision to encrypt all our company machines (Azure AD-Joined or Hybrid Joined machines. This configuration is not applicable to AD Registered Machines).

Assignments

And Finally we are in the “Review + Create” page. Please be careful and double check your configurations!

Final Review

Start of BitLocker encryption on Endpoints isn’t really immediate: in my experience client takes up one hour to begin the process and the duration depends by machines hardware and drives size.
It’s also necessary to configure all drives type policy with an encryption method, otherwise we cannot finalize configuration.

PLEASE NOTE
We cannot change encryption types on an already encrypted drive: we should proceed to decrypt then encrypt with new parameters.
Maybe I presumed that you know this, but of course to take advantage of this feature you need to own Intune license.

And now, have fun with this beautiful and simple MEM feature!

Michele

One thought on “BitLocker Silent Configuration via Microsoft Endpoint Manager

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s