Intune - BitLocker silent and automatic Encryption Settings for Lenovo Thinkpads
A while ago, I was working on an endpoint management project where one of the key requirements was to roll out BitLocker policies to the Windows 10 MDM-enrolled devices. As routine as this may seem, what made things interesting was that the customer only had Lenovo devices, and these required some additional bits and pieces to be put in place alongside the Intune BitLocker encryption settings. I will cover the details and my experience in this post.
Before going into the details, please make a note of the requirements for automatic BitLocker device encryption:
1. Device should be running Windows 10 1903 with the latest CU, or a newer build.
2. TPM 1.2 or 2.0.
3. UEFI Secure Boot should be enabled.
4. DMA protection should be enabled.
As far as my project requirements for enabling BitLocker encryption are concerned, they were as follows:
1. Enable BitLocker on the OS drive.
2. Configure BitLocker automatically and silently, without any user interaction.
3. Disable the startup PIN.
4. Escrow the BitLocker recovery key to Azure AD (AAD).
Now let’s begin.
This is not a demo, so I will only cover the specifics of the policy profile. I created an Endpoint Protection profile for the BitLocker encryption settings, as shown below.
Here is the summary of the profile settings
Now here comes the interesting part. Automatic device encryption will probably fail on Whiskey Lake generation ('90 series) ThinkPads because of un-allowed DMA-capable buses or devices. This can be verified by opening System Information as an administrator on an affected system and looking for the entry "Un-allowed DMA capable bus/device(s) detected" under the Device Encryption Support item.
According to Microsoft, the error indicates that Windows detected at least one potential external DMA-capable bus or device that may expose a DMA threat. To fix this, either the OEM adds the bus or device to the allowed list in the registry, or you can achieve the same by pushing a PowerShell script through Intune. I had to add two components in the whitelist script and execute it in the system context.
# Hardware ID of the DMA-capable PCI Express switch ports on the affected ThinkPads
$AllowedBus = "PCI\VEN_8086&DEV_15C0"
$DmaSecurityKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity"
$AllowedBusesKey = "$DmaSecurityKey\AllowedBuses"
# Create the DmaSecurity and AllowedBuses keys if they do not exist yet
If (-not (Test-Path -Path $DmaSecurityKey)) { New-Item $DmaSecurityKey }
If (-not (Test-Path -Path $AllowedBusesKey)) { New-Item $AllowedBusesKey }
# Allow-list both switch ports; the value name is the friendly name, the value is the hardware ID.
# -Force overwrites an existing value of the same name.
New-ItemProperty $AllowedBusesKey -Name "PCI Express Upstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force
New-ItemProperty $AllowedBusesKey -Name "PCI Express Downstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force
Once the system restarted, the change came into effect, and after the Intune policy was re-evaluated, silent automatic encryption went through straight away.
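As an added example (not the script from the post above), here is a more defensive version of the same allow-list change: it only writes the DmaSecurity entries when the hardware ID is actually present on the machine, it can be re-run safely, and it reports the OS volume's BitLocker state afterwards so the Intune script output shows whether encryption started. The registry path and the ID PCI\VEN_8086&DEV_15C0 come from the post; the function names are my own assumptions. Run it in the system context like the original.

```powershell
# Added example (not the post's script): defensive, re-runnable DmaSecurity allow-list change.
# Registry path and ID PCI\VEN_8086&DEV_15C0 are from the post; function names are assumed.
$AllowedBusesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
$RequiredEntries = @{
    'PCI Express Upstream Switch Port'   = 'PCI\VEN_8086&DEV_15C0'
    'PCI Express Downstream Switch Port' = 'PCI\VEN_8086&DEV_15C0'
}
function Test-BusPresent {
    # An AllowedBuses entry tells Windows to treat that bus as internal (no external DMA
    # exposure), so only write it when the hardware ID really exists on this machine.
    param([string]$HardwareIdPrefix)
    $match = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like "$HardwareIdPrefix*" }
    return (@($match).Count -gt 0)
}
function Get-MissingEntries {
    # Names whose registry value is absent or differs from the required hardware ID.
    $missing = @()
    foreach ($name in $RequiredEntries.Keys) {
        $current = (Get-ItemProperty -Path $AllowedBusesKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $RequiredEntries[$name]) { $missing += $name }
    }
    return ,$missing
}
function Get-OsDriveBitLockerState {
    # Summary of the OS volume so the script output shows whether encryption actually started.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{ ProtectionStatus = $vol.ProtectionStatus; EncryptionMethod = $vol.EncryptionMethod
        PercentEncrypted = $vol.EncryptionPercentage; KeyProtectors = ($vol.KeyProtector.KeyProtectorType -join ',') }
}
$missing = Get-MissingEntries
if ($missing.Count -eq 0) {
    Write-Output 'AllowedBuses entries already present; nothing to do'
} elseif (-not (Test-BusPresent -HardwareIdPrefix 'PCI\VEN_8086&DEV_15C0')) {
    Write-Output 'Hardware ID not present on this device; leaving DmaSecurity untouched'
    exit 1
} else {
    # -Force creates the missing DmaSecurity\AllowedBuses keys in one step.
    New-Item -Path $AllowedBusesKey -Force | Out-Null
    foreach ($name in $missing) {
        New-ItemProperty -Path $AllowedBusesKey -Name $name -Value $RequiredEntries[$name] -PropertyType String -Force | Out-Null
    }
    Write-Output "Added: $($missing -join ', '). A restart is required before the policy is re-evaluated."
}
Get-OsDriveBitLockerState | Format-List
```

Only buses the OEM has confirmed to have no externally reachable DMA ports belong in this list; the presence check keeps the script from widening the DMA trust boundary on hardware it was not written for.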
Bonus Tip –
In case the BitLocker policy reports non-compliant, there can be a number of issues causing this. It is well documented by Microsoft, and you can find the link here.
In my case, the issue turned out to be Event ID 853: "Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer." If you see this in Event Viewer, then run diskpart and check for the presence of an additional disk. For me, there was an additional volume D: reporting as Disk 1.
This turned out to be a "Generic- SD/MMC USB Device" which the customer wasn't using on the laptops and wanted disabled. This was easily achieved by pushing a PowerShell script executed in the system context.
# Disable the unused SD/MMC reader so BitLocker no longer sees it as bootable media
Get-PnpDevice -FriendlyName "*Generic- SD/MMC USB Device*" | Disable-PnpDevice -Confirm:$false
The policy applied successfully and reported compliant.