Share via


Windows 10: Intune + Windows BitLocker management? = Yes

 

This week’s post is all about Windows BitLocker management with Microsoft Intune. When it comes to data protection, internal and external drive protection is important in the event a device is lost or stolen.

In the past to manage Windows BitLocker we typically needed to create Group Policies or use System Center Configuration Manager (which is still the case with Windows 7, 8.x). However, with Windows 10, Intune now manages BitLocker settings natively right from the admin portal.

 

To create a new BitLocker policy, navigate to portal.azure.com and locate the Intune admin portal.

  1. Select Device Configuration –> Profiles –> Create profile
  2. Name the policy, select Windows 10 and later under Platform, and for Profile type select Endpoint protection:

clip_image002[1]

 

Next select “Windows Encryption” to configure BitLocker

As we can see, there are many settings for BitLocker that can be configured to meet the security needs of most environments requiring drive encryption.

clip_image004[4]

Syncing the new BitLocker policy from Intune

On the Windows 10 client that’s enrolled with Intune via MDM select Settings from the start menu -> Accounts -> Access work or school and find the setting connected to Intune and select it, then select Info:

clip_image006

 

Finally select “Sync” to sync policies from Intune.  You’ll see a notification stating encryption is needed as shown below:

clip_image008

 

Select the Encryption needed notification and begin encrypting the device:

clip_image010

Managing BitLocker using the Configuration Service Provider

Beginning with Windows 10 Creators Update (1703) BitLocker can also be managed and enabled with Microsoft Intune by using Configuration Service Provider (CSP) settings.  Note: Windows Business/Enterprise/Education is required.

What is a Configuration Service Provider (CSP)?

A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.

Source: /en-us/windows/client-management/mdm/configuration-service-provider-reference

Why use a CSP?

CSPs may be used with 3rd party MDM solutions when supported or if settings are not natively available via the MDM admin interface.

Let’s configure BitLocker to require encryption after device enrollment with Intune

I’ll keep it simple for this post, however the full BitLocker CSP reference is located here including managing TPM and PIN settings: /en-us/windows/client-management/mdm/bitlocker-csp

1. Navigate to Microsoft Intune, select Device configuration -> Profiles -> Create profile

2. Name the profile, select Windows 10 and later as the Platform, then select custom as the Profile type.

3. Select Add and fill in the spaces as shown below:

clip_image012

(the OMA-URI above is: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption)

4. Save the policy

5. Deploy the policy to an Azure AD group

A question you may have is, “how do the BitLocker CSP policies map to Group Policies?” The following is an example of an Active Directory Group Policy vs. a CSP setting in Intune:

Group Policy in Active Directory
image

CSP in Microsoft Intune image

 

Verifying BitLocker is enabled

Microsoft Intune will also verify if BitLocker is enabled by using Windows Health Attestation.

Configure Windows Health Attestation by selecting “Device compliance: from the Intune admin portal, then Policies –> Create Policy

Configure the settings as shown below.

 

image

 

Under the compliance blade select “Policy compliance” to check which devices are compliant or not with BitLocker.  As shown below, I have two devices that are not compliant with BitLocker.

image

 

 

That’s it, BitLocker can now be managed by Microsoft Intune for Windows 10.

As we map more Group Policies to CSPs it’s important to know if they’re available or not. Use the following tool to see a report of which existing Group Policies on your devices map to CSPs: https://github.com/WindowsDeviceManagement/MMAT

Troubleshooting

BitLocker settings land under the following registry keys:

  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Bitlocker
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Bitlocker

clip_image018

Additional References

To see what Windows CSPs were added by version please visit: /en-us/windows/client-management/mdm/configuration-service-provider-reference#a-href-idnewcspsanew-csps-added-in-windows-10-version-1703

To learn more about the which settings via the Configuration Service Provider (CSP) is supported for Windows 10 please visit the CSP reference: /en-us/windows/client-management/mdm/configuration-service-provider-reference

For a full Policy CSP reference please visit: /en-us/windows/client-management/mdm/policy-configuration-service-provider

Understanding ADMX-backed policies (i.e. Group Policy to CSP mapping): https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies

Comments

  • Anonymous
    December 28, 2017
    Nice post. I like it when simply not explainiing how to deploy but also how to troubleshoot, references and hints. Worked like a charm for me.
  • Anonymous
    July 09, 2018
    Just do not forget about license for MDM (Intune) and also for Windows 10 client. BitLocker is supported on "Pro" and higher edition (Compliance Policy), but for MDM management for BitLocker configuration (Configuration Policy) is "Business" edition or higher required.