Hello, Paul Bergson here, back again with another story about my dog Raven. From time to time we get a visit from a family member who brings their dog along; the problem is that we have never socialized Raven with other dogs. She has no interest in sharing any of her toys, but like a four-year-old human she takes them out of her toy box (yes, she has one) and leaves them lying all over the house. When our visiting canine begins to play with one of Raven’s toys, she gets jealous and just waits to get it away from her visitor. If she had a choice, she would stop any dog from ever touching her toys. Unfortunately for Raven, she has no protective measures to guard against strangers accessing her stuff that is lying around the house “at rest”.
Lucky for Microsoft customers, we provide a technology that can prevent unwelcome visitors from playing with your data when you aren’t using it (at rest). Enabling and using BitLocker to encrypt data at rest on a single device is easy and straightforward. Managing BitLocker on 1,000, 10,000, 100,000 or more devices is a challenge. Yes, there is Microsoft BitLocker Administration and Monitoring (MBAM), but it is in extended support. So, what is an enterprise administrator to do?
Microsoft doesn’t want to see our customers’ administrators frantic with fear of not being able to protect their data at rest. We say, “Look to the Cloud” for support.
Microsoft provides Windows 10 BitLocker management from both Azure (via Intune) and SCCM, with enhanced features expected to be released in the second half of 2019. Enterprise BitLocker management includes assessing readiness, key management and recovery, and compliance reporting.
To manage BitLocker from Azure you will need to log into the Azure portal.
https://portal.azure.com and select the Intune Blade -or-
https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview
Once you have gained access to the Intune blade you can begin the configuration setup for your enterprise. Two separate items will need to be modified: Device Configuration and Device Compliance.
Device Compliance (Policies)
Used to assess a device’s compliance with the values your enterprise requires, i.e. whether it conforms to this enterprise “Policy.” These compliance results can be used with Conditional Access so that only devices that comply with the corporate Policy gain access to the network.
Policy
To configure an Intune Policy for BitLocker, within the Azure Portal browse to the Intune blade and select “Device Compliance” --> “Policies” --> “+ Create Policy.”
Once a policy has been defined, it will need to be assigned against either “All Users” or one or more Azure AD groups.
Device Configuration (Profiles)
A device’s “Profile” is used to define the configuration to be deployed to the asset.
Profile
To configure an Intune Profile for BitLocker, within the Azure Portal browse to the Intune blade and select “Device Configuration” --> “Profiles” --> “+ Create Profile.”
Once a profile has been defined, it will need to be assigned against either “All Users & All Devices,” “All Devices,” “All Users” or one or more Azure AD groups.
Once the process of rolling out BitLocker to the enterprise has begun, a review of the current status of devices will be required. Unfortunately, the compliance review covers ALL Intune-managed devices, not just BitLocker’d devices. Reviewing the screenshots below, it can be seen that the “Compliant” and “Non-Compliant” machines can be selected to bring up the complete list for that category.
Note that it only brings back the first 100.
To better understand which devices have been properly secured with BitLocker, it is recommended to review the “Encryption report”.
To review the report, browse to “Device Configuration” --> “Encryption report” (under the “Monitor” header). To find which devices are currently encrypted, look at the “Encryption status” column.
BitLocker keys can be managed by the user and available through a self-service portal:
https://go.microsoft.com/fwlink/?linkid=857635
If a user logs in there, they should be able to see their corporate device(s) and can then select the device for which they need to recover the key(s), as seen in the two screenshots below.
Administrators can view the keys within the “Devices” blade of Azure AD from the Azure AD portal.
“Azure Active Directory” --> “Devices”
From the “Devices” blade, select the device to recover the BitLocker key from and then select which key is needed. In the example below both the OS drive and the data drive have been encrypted.
Selecting Copy on the selected key places the Key ID and Recovery Key on the clipboard.
To confirm that the client has pulled down the Profile and Policy, a user can review what has been applied to it.
For complete details see “Troubleshoot BitLocker policies in Microsoft Intune”.
Review the device’s BitLocker status from within Control Panel. It may still be working on encrypting the device and not have completed the task yet.
From an administrative command prompt --> manage-bde -status
The diagnostics report can be reviewed:
Event Viewer --> Applications and Services Logs --> Microsoft --> Windows --> BitLocker API --> Management
Device Registry Configuration Settings
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bitlocker
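The three client-side checks above (manage-bde status, the BitLocker API Management log and the PolicyManager registry key) can be gathered in one read-only pass. The script below is an added example and is not part of the original post; it assumes an elevated PowerShell session on the Windows 10 client, the built-in BitLocker module (Get-BitLockerVolume) and the event log channel name “Microsoft-Windows-BitLocker/BitLocker Management” for the Management log shown in Event Viewer.

```powershell
# Added example (not from the original post): read-only check that a client has
# received the Intune BitLocker profile and has finished encrypting its volumes.
# Run from an elevated PowerShell prompt on the Windows 10 device.

function Test-IntuneBitLockerState {
    [CmdletBinding()]
    param()

    # 1. Per-volume status. "EncryptionInProgress" means the policy was applied
    #    but the device is not yet protected, so the Intune Encryption report
    #    will still show it as not encrypted.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive            = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            Protection       = $_.ProtectionStatus
            PercentEncrypted = $_.EncryptionPercentage
            RecoveryKeyIds   = ($_.KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
        }
    }

    # 2. Policy CSP values written by Intune (registry path from the post).
    #    If the key is absent, the Device Configuration profile has not arrived.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Bitlocker'
    $policy  = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $policyValues = @()
    if ($policy) {
        $policyValues = $policy.PSObject.Properties |
            Where-Object Name -notmatch '^PS' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    }

    # 3. Most recent entries from the BitLocker API Management channel
    #    (assumed channel name; see Event Viewer path in the post).
    $events = Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    # A volume counts as protected only when fully encrypted AND protection is On.
    $unprotected = $volumes | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }

    [pscustomobject]@{
        ProfileReceived     = [bool]$policy
        PolicyValues        = $policyValues
        AllVolumesProtected = -not $unprotected
        Volumes             = $volumes
        RecentEvents        = $events
    }
}

Test-IntuneBitLockerState | Format-List
```

AllVolumesProtected is $false while encryption is still in progress, which matches the Control Panel and manage-bde output described above.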
Hopefully, you can leverage BitLocker with Intune management to protect your data at rest and not be like Raven, who has to sit and wait to try to get back her toys (data) that were left lying around unprotected.
Helpful URLs