Enabling BitLocker with Microsoft Endpoint Manager - Microsoft Intune
Published Feb 19 2021 01:50 PM 63.7K Views

By Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune

 

This is the first in a five-part series about using BitLocker with Intune. The series will review basic concepts and recommended approaches to deploying BitLocker using Intune. Upcoming posts will describe simple and advanced troubleshooting techniques.

 

This post covers the concepts, requirements, and configurations needed for a successful deployment.

 

Intune basics

Intune is a cloud-based service that focuses on mobile device management (MDM) and app protection policies (APP, also known as MAM). It helps administrators manage enrolled devices through policies. You use a policy to enable and configure BitLocker on Windows 10 devices.

 

Intune uses Windows configuration service providers (CSPs) to read, set, modify, or delete configuration settings on Windows devices enrolled into Intune, communicating with the device over the Synchronization Markup Language (SyncML) or Wireless Application Protocol (WAP) protocols. For BitLocker, Intune uses the BitLocker CSP.

 

BitLocker basics

BitLocker is a built-in Windows data protection feature. It encrypts drives and prevents the theft of data from lost, stolen, or decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM), version 1.2 or later.

 

Hardware requirements for BitLocker

It is important to understand that BitLocker has specific hardware requirements and that some methods of enabling BitLocker are dependent on those conditions. Silent encryption, for example, requires TPM on a device.

 

Hardware requirements include:

  • For TPM 2.0 devices, you must have native Unified Extensible Firmware Interface (UEFI) configured. (Secure boot is not required but adds another layer of security.)
  • BIOS or UEFI firmware must support USB mass storage.
  • You must partition the hard disk into an operating system drive formatted with NTFS and a system drive with at least 350 MB formatted as FAT32 for UEFI and NTFS for BIOS.

 

Note

We highly recommend that the device you are encrypting has a supported TPM chip (version 1.2 or higher).
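As an added example (not code from the original post), the following PowerShell script checks the hardware prerequisites listed above on the local machine and reports what is missing. It assumes an elevated PowerShell 5.1 session on Windows 10, where the Win32_Tpm CIM class, $env:firmware_type, Confirm-SecureBootUEFI and the Storage module cmdlets are available.

```powershell
# Added example (not from the original post): checks the BitLocker hardware
# prerequisites listed above on the local machine. Run from an elevated
# PowerShell 5.1 session on Windows 10. Assumes the Win32_Tpm CIM class,
# $env:firmware_type and the Storage module cmdlets are present.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # --- TPM: present, and spec version 1.2 or later (2.0 preferred) ---
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = 0.0
    if (-not $tpm) {
        $findings.Add('TPM: not present or disabled in firmware; silent encryption is not possible')
    } else {
        # SpecVersion looks like "2.0, 0, 1.38" (spec, errata, revision); keep the spec field
        $tpmSpec = [double](($tpm.SpecVersion -split ',')[0].Trim())
        if ($tpmSpec -lt 1.2) { $findings.Add("TPM: spec version $tpmSpec is below 1.2") }
    }

    # --- Firmware: TPM 2.0 systems must boot in native UEFI mode ---
    $firmware = $env:firmware_type                    # 'UEFI' or 'Legacy'
    if ($tpmSpec -ge 2.0 -and $firmware -ne 'UEFI') {
        $findings.Add("Firmware: TPM 2.0 requires native UEFI, but the machine booted as $firmware")
    }
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    # --- Disk layout: NTFS OS volume plus a system partition of at least 350 MB ---
    $osLetter = $env:SystemDrive.Substring(0, 1)
    $osVolume = Get-Volume -DriveLetter $osLetter
    if ($osVolume.FileSystem -ne 'NTFS') {
        $findings.Add("OS volume: expected NTFS, found $($osVolume.FileSystem)")
    }
    $sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    if (-not $sysPart) {
        $findings.Add('System partition: no partition is flagged as the system partition')
    } else {
        $sysFs  = ($sysPart | Get-Volume).FileSystem
        $wantFs = if ($firmware -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
        if ($sysPart.Size -lt 350MB) {
            $findings.Add("System partition: $([int]($sysPart.Size / 1MB)) MB is below the 350 MB minimum")
        }
        if ($sysFs -ne $wantFs) {
            $findings.Add("System partition: expected $wantFs for $firmware firmware, found $sysFs")
        }
    }

    [pscustomobject]@{
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $tpmSpec
        Firmware       = $firmware
        SecureBoot     = $secureBoot
        Ready          = ($findings.Count -eq 0)
        Findings       = $findings.ToArray()
    }
}

Test-BitLockerReadiness | Format-List
```

A device that reports Ready = False with a TPM finding is one that cannot be encrypted silently and needs its own policy, which is the split the post describes.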

 

BitLocker recovery

If BitLocker enters recovery mode when starting the operating system, there are ways to restore access. Choose one of the following options to restore access to the protected drive:

  • Manual option: Retrieve the 48-digit recovery password from a stored location (printed or USB).
  • Automated option: An administrator can obtain the recovery password from Microsoft Azure Active Directory (Azure AD) or Active Directory Domain Services (AD DS).

 

Note

A data recovery agent (DRA) is someone authorized to decrypt data on a Windows operating system. The agent can use their credentials to unlock the drive. However, Intune doesn’t support DRA certificates so the process would have to occur outside the Intune environment.

 

Intune BitLocker configuration processes

Before you configure a BitLocker encryption policy, consider the following options:

  • How much do you want users involved in the BitLocker configuration process? Do you want them to interact with the process, be silent, or both?

    If you have multiple requirements, you might need to configure multiple policies.

  • Do all your devices meet the hardware prerequisites? Do you have a subset of devices that do not have a TPM?

    If you have older devices without TPM, you will not be able to encrypt them silently. This might mean configuring multiple policies.

    The Microsoft Intune encryption report, located in the Microsoft Endpoint Manager admin center, can help you understand the TPM status and encryption readiness of your enrolled devices. To view the report, select Devices > Monitor > Encryption report.

    BitLocker Encryption Report in the Microsoft Endpoint Manager admin center
  • Where do you want to store the recovery key?

    You can store the recovery key in on-premises Active Directory (if hybrid joined), in Azure AD, or manually. Most administrators store the key in Azure AD, which works for both Azure hybrid services and Azure AD joined devices.

  • Do you want to enable recovery password rotation?

    This option refreshes the recovery password after it is used and prevents further use of the same password, enhancing security. Prerequisites include Windows 10 1909 and a device that is Intune enrolled and either Azure AD joined or Azure hybrid joined. Additional licenses may be required for certain Microsoft BitLocker settings.

  • What algorithm strength do you want to use?

    For OS volumes and fixed drives: XTS-AES 128-bit is the Windows default encryption method and the recommended value.

    For removable drives: Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1510 or earlier.


    Note: For Autopilot devices, please read Setting the BitLocker encryption algorithm for Autopilot devices | Microsoft Docs to avoid devices from automatically encrypting when Azure AD joining with a different encryption algorithm to the one configured in the policy.
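As an added example (not code from the original post), this PowerShell script audits one enrolled device against the decisions above: whether each volume uses the expected algorithm (defaulting to XTS-AES 128 for OS and fixed drives, the Windows default the post recommends, and AES-CBC 256 for removable drives), whether a TPM and a recovery password protector exist, and whether the BitLocker-API log has recent errors. The PolicyManager registry path and the event log name are assumptions about where the MDM client and BitLocker record their state on Windows 10.

```powershell
# Added example (not part of the original post): audit one enrolled device
# against the policy decisions discussed above. Run elevated on Windows 10.
# Assumptions: the PolicyManager registry path and the event log name below
# are where the MDM client and BitLocker record their state.
function Get-BitLockerPolicyAudit {
    param(
        [string]$ExpectedOsMethod        = 'XtsAes128',
        [string]$ExpectedFixedMethod     = 'XtsAes128',
        [string]$ExpectedRemovableMethod = 'Aes256',
        [int]$LogLookbackHours           = 24
    )

    # Value written by the Intune policy (./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption)
    $pmKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    $require = (Get-ItemProperty -Path $pmKey -ErrorAction SilentlyContinue).RequireDeviceEncryption

    $volumes = foreach ($v in Get-BitLockerVolume) {
        # Get-BitLockerVolume reports both fixed and removable drives as 'Data';
        # ask the volume for its drive type to tell them apart
        $letter    = $v.MountPoint.TrimEnd(':')
        $driveType = if ($letter.Length -eq 1) {
            (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
        }
        $expected = if ("$($v.VolumeType)" -eq 'OperatingSystem') { $ExpectedOsMethod }
                    elseif ("$driveType" -eq 'Removable') { $ExpectedRemovableMethod }
                    else { $ExpectedFixedMethod }
        $protectors = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            VolumeType          = $v.VolumeType
            VolumeStatus        = $v.VolumeStatus
            ProtectionStatus    = $v.ProtectionStatus
            EncryptionMethod    = $v.EncryptionMethod
            ExpectedMethod      = $expected
            MethodMatchesPolicy = ("$($v.EncryptionMethod)" -eq $expected)
            HasTpmProtector     = ($protectors -contains 'Tpm')
            HasRecoveryPassword = ($protectors -contains 'RecoveryPassword')
        }
    }

    # Recent errors from the BitLocker-API log, the first place to look when a
    # policy reports success but the drive is not encrypted or no key reached AAD
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Level     = 2                                   # 2 = Error
        StartTime = (Get-Date).AddHours(-$LogLookbackHours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        RequireDeviceEncryption = $require   # 1 = the policy asks for encryption
        Volumes                 = $volumes
        RecentErrors            = $errors
    }
}

$audit = Get-BitLockerPolicyAudit
$audit.Volumes | Format-Table MountPoint, VolumeStatus, EncryptionMethod, ExpectedMethod, MethodMatchesPolicy, HasRecoveryPassword -AutoSize
$audit.RecentErrors | Format-List
```

A volume with MethodMatchesPolicy = False on a device that encrypted before the policy arrived is the mismatch case the Autopilot note above warns about; a volume without a RecoveryPassword protector has nothing to back up to Azure AD.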

Best practices for configuring BitLocker for Intune

Here are best practices and recommended processes for using BitLocker with Intune.

  • Use a device with TPM for maximum security.
  • Create the BitLocker policy using an Endpoint security policy. This workflow is the most recent method of deploying BitLocker settings. If you are currently using a device configuration profile, consider migrating to an Endpoint security policy.
    • Sign into the Microsoft Endpoint Manager admin center.
    • Select Endpoint security > Disk encryption > Create Policy.
    • In the Platform list, choose Windows 10 and later.
    • Under Profile, select BitLocker.
    • Select Create.

Note

To avoid conflicts, do not assign more than one BitLocker profile to a device; consolidate settings into this new profile.

 

  • Use the encryption report to inventory your enrolled devices (Devices > Monitor > Encryption report). It reveals the encryption status and helps you understand the TPM presence and version distribution among your enrolled devices.
  • If BitLocker is not enabled on a device after deploying a policy, check the encryption report to see if the device meets the prerequisites.

 

More info and feedback

For further resources on this subject, please see the links below.

BitLocker Overview and Requirements FAQ

BitLocker recovery guide (Windows 10)

Manage BitLocker policy for Windows 10 in Intune

Encryption report for encrypted devices in Microsoft Intune

Configure endpoint protection settings in Microsoft Intune

 

This is the first post in this series. Catch up on the other blogs:

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

 

Blog post updates:

2/22: Updated post that additional licenses may be required for certain Microsoft BitLocker settings.

45 Comments
Iron Contributor

Right in time for my Windows 10 Intune POC. :)

Brass Contributor

Amazing post, thanks

Copper Contributor

Nicely explained. Will be waiting for the follow-up posts of this series.

Copper Contributor

Explained very well

Steel Contributor

Hey Luke,

 

Great article. You say "You can store the recovery key in on-premises Active Directory (if hybrid joined), in Azure AD, or manually" - where can you find this option please to choose the location?

 

We have configured in our Endpoint policies to save the recovery information to AAD (as shown below), but can't see a specific option to store in on-prem AD?

 

Capture.PNG

Our recovery keys however do not appear in AAD, they are instead storing to on-prem AD (we are hybrid joined). 

 

Thank you, Michelle

Copper Contributor

@HeyHey16K 

 

Hi Michelle,

 

From memory I think it stores it in both locations from Win 10 1903 onwards. There is no option to configure one or the other that I'm aware of.

 

Cheers,

 

Ben 

Microsoft

@HeyHey16K We are planning to cover this in the 4th blog in the series in detail. Are the affected Hybrid devices enrolled via Autopilot, and do you enable BitLocker during Autopilot? There is a scenario where the device is not present in AAD (i.e. has not synced via AD Connect yet) but is in AD, so the key will only be backed up there when encryption is enabled during Autopilot. If this is the case you should see an error in the BitLocker-API event logs during that timeframe. You can try rotating the keys from the console to recreate the key and add it into AAD.

 

If this is happening for existing HAADJ machines that had a BitLocker policy deployed after they were deployed, then investigating the BitLocker-API event log would be required to understand why the key has not been stored in AAD.

Steel Contributor

@Luker1 

Thank you for the reply, sounds logical. We configure BitLocker encryption in our device policies, which apply during AP. I looked in the local BitLocker-API Management log and there is error "Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services", then, three minutes later, another "BitLocker Drive Encryption recovery information was backed up to successfully to Active Directory Domain Services" (with a similar timestamp on the device object BitLocker Recovery tab in AD). Both seem to confirm AD instead of AAD? No other errors in the log (which only has 14 entries as it's a new build). Thank you, Michelle

Steel Contributor

And yes, the affected Hybrid devices are enrolled via Autopilot :smile:

Steel Contributor

The key rotation trigger did the trick... key is now showing in AD and AAD - thank you for that. 

Microsoft

@HeyHey16K Good to hear. To understand if it is simply a timing issue during Autopilot, try comparing the error timestamp in the BitLocker-API logs to the device registration timestamp in AAD and see if the error occurred prior to the device being added to AAD. If this is the issue then you can either use PowerShell (I think the cmdlet Backup-BitLockerKeyProtector should work) to store the key in AAD after the device has enrolled, or simply rotate the keys manually via the console.

Steel Contributor

@Luker1 Thank you so much for your help Luke. Look forward to the future instalments on your articles.

Copper Contributor

@Luker1 Hey Luke,

 

For my customer we have applied this best practice:

 

Create the BitLocker policy using an Endpoint security policy. This workflow is the most recent method of deploying BitLocker settings

 

But now we have an issue on 25% of devices that don't apply the BitLocker strategy because they enforce the Windows 10 default encryption strategy (configuration profile with Require Device Encryption and Allow Standard User Encryption) before having the Intune BitLocker strategy... These devices are encrypted in Sha-128 instead of 256 and the recovery key is backed up to AD instead of AAD...

 

rollback = decryption > recryption

 

So how can we remediate this orchestration problem, and be sure devices will not start encryption before receiving our BitLocker strategy?

 

Thank you in advance !

 

 

Microsoft

HSTI or modern standby devices will automatically encrypt during OOBE if they conform to certain pre-reqs (see BitLocker drive encryption in Windows 10 for OEMs | Microsoft Docs). If you are using Autopilot then it is possible to use this method: Setting the BitLocker encryption algorithm for Autopilot devices | Microsoft Docs. More details here: BitLocker, ESP, and Windows Autopilot: Working in harmony – Out of Office Hours (oofhours.com)

Microsoft

@mjlab reply above - forgot to @ you.

Copper Contributor

@Luker1 Thank you for your reply !

 

It's about a migration project (from Symantec to BitLocker) for existing co-managed devices. If we use only a Configuration Profile (for the BitLocker strategy + Allow Standard User Encryption) there is no issue, but if we use one Configuration Profile (Enforce Device Encryption + Allow Standard User Encryption) + an Endpoint Security BitLocker strategy we have several issues...

And if we use only the Endpoint Security BitLocker strategy we can't encrypt devices in silent mode...

 

No automatic encryption initially

No autopilot devices for moment.

 

 

 

 

Microsoft

@mjlab It might be worth raising a case with support, I don't think I am going to be able to investigate in this forum effectively. We would initially need to get the MDM diagnostics mentioned in Troubleshooting BitLocker policies from the client side - Microsoft Tech Community from a couple of example devices.

Copper Contributor

Thanks for this great overview post - 

 

How do the proposed settings relate to the Security Baselines for both Windows 10 and Windows Defender for Endpoint as available in Microsoft Endpoint Manager?

 

Are the security baselines the best practices from the product team, or are they defined by other means? Like, for example, being compatible with a certain security standard?

 

/Kenneth

Microsoft

@Kenneth van Surksum The security baselines are recommendations for best practice from the various security teams from within the product group, so in the case of BitLocker those will be the recommendations from that particular team. Whilst those are the recommended settings you can deviate from them but it is important to consistently set the same settings in the baseline and endpoint security policy to avoid conflicts. 

 

There is a bit more of a discussion on this subject here Learn about security baselines in Microsoft Intune - Azure | Microsoft Docs

Copper Contributor

We are enabling Silent Encryption via Intune. However, for about 10% of devices it is not starting.
When I check the encryption status from Intune, it says Unknown.

Settings:
  • silent
  • OS & Fixed
  • Save key to AD and AAD
  • XTS 256
  • TPM only

@Luker1 @Intune_Support_Team anyone please

Microsoft

@justineg24 The best place to start is to look at the BitLocker-API event log on one of the affected machines. It looks like the policy has applied and encryption was attempted but it has failed. It's also worth checking manage-bde -status to check the current encryption status.

Copper Contributor

Hi @Luker1 ,

justineg24_0-1625106099968.png

justineg24_1-1625106118439.png

Here are the initial logs I've seen. For successful devices, RequireDeviceEncryption should be 1. Checked SecureBoot = ON on msinfo32

 

Copper Contributor

I know this mistake. I have it especially on older devices.

 

My solution. Create a configuration profile.

Require Device Encryption = Enable

Microsoft

@justineg24 That secure boot message is just noise/erroneous, if there is nothing else in the BitLocker-api log then you need to check the last run status of the BitLocker MDM policy refresh scheduled task in the task scheduler library > Windows > BitLocker > BitLocker MDM policy refresh.

 


 

If that returns 0x41303 (not run previously) then paste the device id of this failing machine and I can check further otherwise paste the error code for the task.

 

Copper Contributor

@oli83 
I am trying it now. It is failing. Am I missing something?

 

 

Copper Contributor

Hi @Luker1 ,
You are right.

winver: 1903
Please advise what I still need to check. Thanks,


 

Microsoft

@justineg24 The policy is getting to the device but the scheduled task is failing with the device is not ready error. Does the device satisfy all the pre-reqs (i.e. TPM, drive formatted according to docs) and are you able to initiate encryption manually?

Copper Contributor

@Luker1 Drives are uniform since OOBE. tpm 2.0, and I believe they met the pre-reqs just like other devices. I will try to initiate encryption manually and see if it will proceed.

Copper Contributor

@Luker1 , 

Hello Sir, Very well explained, Thanks a lot!!

Can you please tell the best practices for BitLocker in Intune. I would like to enable it for 2000+ laptops via Intune in a corporate network.

Device configuration options and sub-options:
  • Enable full disk encryption for OS and fixed data drives
  • Require storage cards to be encrypted (mobile only)
  • Hide prompt about third-party encryption
  • Configure client-driven recovery password rotation
  • BitLocker - Fixed Drive Settings (Policy)
  • BitLocker - OS Drive Settings (BitLocker system drive policy)
  • BitLocker - Removable Drive Settings (BitLocker removable drive policy Configure)

Copper Contributor

@oli83 do you mind sharing your configuration? I followed your path but they are on ERROR

Microsoft

@sagarssky15  There are some recommendations above in the "Best practices for configuring BitLocker for Intune", there is also a separate blog which discusses the config in more detail Configuring BitLocker encryption with Endpoint security - Microsoft Tech Community

Copper Contributor

I implemented it as follows. I do not have a Bitlocker pin in use. As a template I also used the Configuring BitLocker encryption with Endpoint security

 

Configuration Profile | Settings Catalog

Endpoint Security | Bitlocker

 

Copper Contributor

@oli83 I can confirm that's what I did on the config profile.
But it is failing with no logs.

Copper Contributor

You can try it by OMA-URI.

  • OMA-URI: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
  • Data type: Integer
  • Value: 1

 

 

Copper Contributor

@oli83 failing also.

What if I remotely ctrl the device and regedit as admin, change the integer by force from 0 to 1?

 

Copper Contributor

1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently)

Copper Contributor

@justineg24

Do you have any new insights?

Copper Contributor

I had another customer last week who had exactly the same problem as you are having now. Error message exactly the same. The problem with this customer was with the Bitlocker settings, which were not correct.

After I corrected it, everything worked.

Microsoft

@justineg24 @oli83 Do the policy settings in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager (Intune policy) match what is in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE (OS settings)? If not check the settings in the UI, sometimes updating the policy version by editing the policy and saving it helps.

Copper Contributor

@oli83 how did you correct it?

Copper Contributor

@Luker1 I compared the registry of a working vs. a not-working device:
(1) Registry of Intune policy: working vs. not working = NOT SAME; RequireDeviceEncryption=0 on the "not working" device
(2) Registry FVE: working vs. not working = SAME

Not-working devices are not even attempting to save keys to AAD, so there is no record at all; it means they are not attempting to start.

Copper Contributor

@justineg24 

Did you set the Bitlocker settings as I described above?

All customers who had a problem with Bitlocker activation were gone after that.

Copper Contributor

@oli83 the only thing we differ I saw is the
"Disable BitLocker on devices where TPM is incompatible"
You set this to - Not Configured

I've set this to - Yes

But still, it should have no effect as they have TPM2.0

Copper Contributor

Hi tech community,

 

We have a Hybrid Azure AD environment and implementing Bitlocker from endpoint security is not storing the recovery keys on Azure and endpoint.

All successful from Intune policy and shows succeeded on reports, registry has correct info, get-tpm leads to true.

When I talked with Microsoft support, they said I need to run a script manually because we are on Hybrid. Clearly this is false because I cannot see this as a prerequisite in official documentation.

The only gpo enabled we have is hide bitlocker gui. Does that block storing keys on Azure for a device?


Can someone please help?

 

Thanks,

Steel Contributor

We're Hybrid too, with our BitLocker policies configured in Intune, and noticed the BitLocker recovery key wasn't populating during Autopilot (see my messages above ^^^ from February), so implemented this PS script to force it:

 

BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId ((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | where { $_.KeyProtectorType -eq "RecoveryPassword" }).KeyProtectorId

 

 

Version history
Last update: Dec 19 2023 01:29 PM