Intune - BitLocker silent and automatic Encryption Settings for Lenovo ThinkPads

A while ago, I was working on an endpoint management project and one of the key requirements was to roll out BitLocker policies to the Windows 10 MDM enrolled devices. As much as this may seem routine, what made things interesting was that the customer only had Lenovo devices and apparently it required some additional bits and pieces to be put in place alongside the Intune BitLocker encryption settings. I will cover the details and my experience through this blog.

Before going into the details, please make a note of the requirements for automatic BitLocker device encryption:

1. Device should be running 1903 with latest CU or newer build.
2. TPM 1.2 or 2.0.
3. UEFI Secure Boot should be enabled.
4. DMA protection should be enabled.

As far as my project requirements for enabling BitLocker encryption are concerned, they are as follows:

1. Enable BitLocker on the OS drive.
2. Configure BitLocker automatically and silently without any kind of user interaction.
3. Disable Startup Pin.
4. Escrow the BitLocker recovery key to AAD.

Now let’s begin.

This is not a demo so I will only cover the specifics of the policy profile. I created an Endpoint Protection profile policy for BitLocker Encryption settings as shown below.

  
        
         

Here is the summary of the profile settings

 

       

Now here comes the interesting part. Automatic device encryption will probably fail on Whiskey Lake generation ('90 series) ThinkPads because of un-allowed DMA capable bus/device(s). This can be verified by opening System Information (as admin) on an affected system and looking for the entry "Un-allowed DMA capable bus/device(s) detected" under the Device Encryption Support item.

       

According to Microsoft, the error indicates that Windows detected at least one potential external DMA capable bus or device that may expose a DMA threat. To fix this, either the OEM adds the bus or device to the allowed list in the registry, or one can achieve the same by pushing a PowerShell script using Intune.

I had to add 2 components in the whitelist script and execute it in system context.

$AllowedBus = "PCI\VEN_8086&DEV_15C0"

If ($(Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity") -eq $False) { New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity" }

If ($(Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses") -eq $False) { New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" }

New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" -Name "PCI Express Upstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force

New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" -Name "PCI Express Downstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force



Once the system restarted, the change came into effect and after the Intune policy was re-evaluated, silent automatic encryption went through straight away.
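A read-only check that can be run as admin after the restart, as an added example that is not part of the original post: it reports the prerequisites listed at the top, whether the allow-list value from the script above is in place and matches hardware actually present, and the resulting OS volume state. The variable names and the 18362 build number for 1903 are additions here; the registry key, bus ID and Event ID 853 (covered in the bonus tip) come from the post.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only verification, nothing on the device is modified.
$busKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'  # key from the post
$busId  = 'PCI\VEN_8086&DEV_15C0'                                            # bus ID from the post
$bdeLog = 'Microsoft-Windows-BitLocker/BitLocker Management'                 # BitLocker event log

# Prerequisites from the list at the top of the post.
# DMA protection itself is read from System Information, as described in the post.
$build = [System.Environment]::OSVersion.Version.Build    # Windows 10 1903 is build 18362
$tpm   = Get-Tpm
try   { $secureBoot = Confirm-SecureBootUEFI }            # throws on non-UEFI systems
catch { $secureBoot = $false }

# Values currently present under AllowedBuses (empty if the key does not exist)
$allowed = @()
if (Test-Path -Path $busKey) {
    $key     = Get-Item -Path $busKey
    $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

# An allow-list entry only helps if a present device actually carries that hardware ID
$present = @(Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like "$busId*" })

# OS volume state and key protectors (no startup PIN expected for silent encryption)
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# Event ID 853 entries, if any were logged
$ev853 = @(Get-WinEvent -FilterHashtable @{ LogName = $bdeLog; Id = 853 } `
               -MaxEvents 5 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    BuildAtLeast1903      = $build -ge 18362
    TpmPresentAndReady    = $tpm.TpmPresent -and $tpm.TpmReady
    SecureBootEnabled     = $secureBoot
    AllowListHasBusId     = $allowed -contains $busId
    BusIdPresentOnDevice  = $present.Count -gt 0
    VolumeStatus          = $vol.VolumeStatus
    ProtectionStatus      = $vol.ProtectionStatus
    TpmProtector          = $types -contains 'Tpm'
    StartupPinProtector   = $types -contains 'TpmPin'
    RecoveryPasswordExists = $types -contains 'RecoveryPassword'   # does not prove AAD escrow
    Event853Count         = $ev853.Count
}
```

If `BusIdPresentOnDevice` is false, the allow-listed ID does not match this model's hardware, so the value should be compared against what System Information reports before the script is deployed more widely.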

Bonus Tip –


In case the BitLocker policy reports non-compliant, there can be a number of issues causing this. It is well documented by Microsoft and you can find the link here.


In my case, the issue turned out to be Event ID 853: "Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer." If you see this in eventvwr, then run diskpart and check for the presence of an additional disk. For me, there was an additional volume D: reporting as Disk1.



This turned out to be a Generic- SD/MMC USB Device which the customer wasn’t using on the laptops and wanted disabled. This was easily achieved by pushing a PowerShell script executed in system context.

Get-PnpDevice -FriendlyName "*Generic- SD/MMC USB Device*" | Disable-PnpDevice -Confirm:$false

The policy applied successfully and reported compliant.

 


And so the device BitLocker encryption policies worked happily ever after. The end...
