Forum Discussion

AhmedSHMK
Brass Contributor
May 23, 2024

Bitlocker D drive and Recovery after Restart

Hello, I am starting to create an Intune policy to encrypt devices with full disk encryption using BitLocker. So far, the policy works fine for the C drive but not the D drive.
The second issue is that upon restart of an encrypted device, a recovery screen shows up and the user has to use the recovery key to use the device.
I need some more understanding about the policy template settings to see what could be causing those behaviors.
 
Current policy settings for reference:

BitLocker
  Require Device Encryption: Enabled
  Allow Warning For Other Disk Encryption: Disabled
  Allow Standard User Encryption: Enabled
  Configure Recovery Password Rotation: Refresh on for both Azure AD-joined and hybrid-joined devices

Administrative Templates

Windows Components > BitLocker Drive Encryption
  Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled
    Select the encryption method for removable data drives: AES-CBC 128-bit (default)
    Select the encryption method for operating system drives: XTS-AES 128-bit (default)
    Select the encryption method for fixed data drives: XTS-AES 128-bit (default)
  Provide the unique identifiers for your organization: Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives
  Enforce drive encryption type on operating system drives: Enabled
    Select the encryption type: (Device): Full encryption
  Require additional authentication at startup: Disabled
  Configure minimum PIN length for startup: Not configured
  Allow enhanced PINs for startup: Not configured
  Disallow standard users from changing the PIN or password: Not configured
  Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
  Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
  Choose how BitLocker-protected operating system drives can be recovered: Enabled
    Omit recovery options from the BitLocker setup wizard: False
    Allow data recovery agent: False
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
    Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: True
    Save BitLocker recovery information to AD DS for operating system drives: True
  Configure pre-boot recovery message and URL: Enabled
    Select an option for the pre-boot recovery message: Use default recovery message and URL
    Custom recovery URL option:
    Custom recovery message option:

Windows Components > BitLocker Drive Encryption > Fixed Data Drives
  Enforce drive encryption type on fixed data drives: Enabled
    Select the encryption type: (Device): Full encryption
  Choose how BitLocker-protected fixed drives can be recovered: Enabled
    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: True
    Allow data recovery agent: True
    Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
    Configure user storage of BitLocker recovery information: Allow 48-digit recovery password; Allow 256-bit recovery key
    Save BitLocker recovery information to AD DS for fixed data drives: True
    Omit recovery options from the BitLocker setup wizard: True
  Deny write access to fixed drives not protected by BitLocker: Not configured

Windows Components > BitLocker Drive Encryption > Removable Data Drives
  Control use of BitLocker on removable drives: Not configured
  Deny write access to removable drives not protected by BitLocker: Not configured
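As an added example (my own, not code from the original post or from Microsoft), this is the on-device PowerShell check I would run before touching the policy: it lists every BitLocker volume with its protectors, pulls recent errors from the BitLocker-API event log (where the "Group Policy prevents you from backing up your recovery password" message lands), and offers a function that escrows a data drive's recovery password the same way the policy does, so a policy block shows up as an explicit error rather than a silently unencrypted D drive. It uses only the in-box BitLocker module cmdlets; the function names and the `D:` mount point are assumptions for the example.

```powershell
# Added example: audit BitLocker state on OS and fixed data drives and escrow
# recovery passwords to Entra ID (Azure AD). Uses the in-box BitLocker module.
# Run elevated on the affected device. 'D:' at the bottom is an assumed mount point.

function Get-BitLockerAudit {
    # One row per volume: encryption state, method and the protector types present.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem / Data
            ProtectionStatus = $_.ProtectionStatus    # On / Off
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
            EncryptionMethod = $_.EncryptionMethod    # e.g. XtsAes128
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    }
}

function Backup-RecoveryPasswordToEntra {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not BitLocker-protected; nothing to escrow."
        return
    }

    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # A data drive without a recovery password protector has nothing to escrow; add one.
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        # Same escrow the Intune policy performs for the device; if policy forbids
        # backup for this drive type, this call is where the error surfaces.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

function Get-BitLockerRecentErrors {
    param([int]$Hours = 24)
    # Log name as shown in Event Viewer under BitLocker-API > Management (assumption: verify on your build).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker-API/Management'
        Level     = 2                                 # Error
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-BitLockerAudit | Format-Table -AutoSize
Get-BitLockerRecentErrors | Format-List
# Backup-RecoveryPasswordToEntra -MountPoint 'D:'
```

Read the audit table first: a D volume that shows `VolumeStatus = FullyDecrypted` with no protectors means the policy never started encryption on it, while a volume that is encrypted but lacks a `RecoveryPassword` protector is the case where the escrow requirement ("Do not enable BitLocker until recovery information is stored to AD DS") can stall enablement.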
 
  • Ahmad29660
    Copper Contributor

     

    To resolve the issues with BitLocker encryption and recovery prompts, ensure the policy settings are correctly configured. Specifically, review settings related to drive encryption method, recovery options, and storage of recovery information to AD DS. Adjust settings as needed to enable encryption for both C and D drives and streamline the recovery process to minimize disruptions for users during restarts. Testing the policy on a few devices can help validate its effectiveness.

     
     

    AhmedSHMK 

    • AhmedSHMK
      Brass Contributor
      Can't figure out if something in the settings was incorrect, as I have compared the settings for the system drive and fixed data drive as mentioned in the post above. The C drive is encrypted just fine.
      What I mostly notice is this error in Event Viewer:

      Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.

      • AhmedSHMK
        Brass Contributor

        Regarding D drive encryption, it did not work until I created a GPO for Fixed Data Drives as mentioned in the article below.

        https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

        - Had to later add another one to avoid the error above:

        Do not forcefully unload the user registry at user logoff

        1. Log on to the application server as an administrator

        2. Run "gpedit.msc"

        3. Navigate to Computer Configuration | Administrative Templates | System | User Profiles

        4. Double-click on "Do not forcefully unload the user registry at user logoff" and change the setting from "Not Configured" to "Enabled"

        5. Reboot the server
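Both the fixed-data-drive GPO and the gpedit steps above end up as registry values under HKLM\SOFTWARE\Policies, so the quickest way to confirm what a device actually received (from Intune, from a GPO, or from both) is to read those values back. This added example is mine, not the poster's or Microsoft's: it prints the operating-system-drive and fixed-data-drive recovery settings side by side from the FVE policy key, and checks the User Profiles setting from step 4. The value names are the ones the in-box VolumeEncryption and UserProfiles ADMX templates write as I know them; treat them as assumptions and verify against your build.

```powershell
# Added example: compare OS-drive (OS*) vs fixed-data-drive (FDV*) recovery policy
# as applied on the device, and check "Do not forcefully unload the user registry
# at user logoff". Value names follow the in-box ADMX templates (assumption).

$Fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Prof = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Missing key or missing value both read as "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    return $item.$Name
}

function Compare-RecoveryPolicy {
    # Each recovery setting exists twice, once per drive type, with a different prefix.
    $settings = @(
        @{ Label = 'Recovery options policy enabled';  Suffix = 'Recovery' }
        @{ Label = 'Allow 48-digit recovery password'; Suffix = 'RecoveryPassword' }
        @{ Label = 'Allow 256-bit recovery key';       Suffix = 'RecoveryKey' }
        @{ Label = 'Allow data recovery agent';        Suffix = 'ManageDRA' }
        @{ Label = 'Save recovery info to AD DS';      Suffix = 'ActiveDirectoryBackup' }
        @{ Label = 'Info to store in AD DS';           Suffix = 'ActiveDirectoryInfoToStore' }
        @{ Label = 'Require backup before enabling';   Suffix = 'RequireActiveDirectoryBackup' }
        @{ Label = 'Omit recovery options in wizard';  Suffix = 'HideRecoveryPage' }
    )
    foreach ($s in $settings) {
        [pscustomobject]@{
            Setting        = $s.Label
            OSDrive        = Get-PolicyValue $Fve ('OS'  + $s.Suffix)
            FixedDataDrive = Get-PolicyValue $Fve ('FDV' + $s.Suffix)
        }
    }
}

function Test-ForceUnloadDisabled {
    # Step 4 above, when Enabled, writes DisableForceUnload = 1 under the System policy key.
    (Get-PolicyValue $Prof 'DisableForceUnload') -eq 1
}

Compare-RecoveryPolicy | Format-Table -AutoSize
"Do not forcefully unload user registry at logoff enabled: $(Test-ForceUnloadDisabled)"
```

A row where the OSDrive column is configured but the FixedDataDrive column reads "not configured" is the mismatch to look for when the C drive encrypts and escrows while the D drive reports that policy prevents backing up its recovery password.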

         
