Intune - BitLocker silent and automatic Encryption Settings for Lenovo Thinkpads

-
A while ago, I was working on an endpoint management project and one of the key requirements was to roll out BitLocker policies to the Windows 10 MDM enrolled devices. As much as this may seem routine, what made things interesting was that the customer only had Lenovo devices and apparently it required some additional bits and pieces to be put in place along side the Intune BitLocker encryption settings. I will cover the details and my experience through this blog.

Before going into the details, please make a note of the requirements for automatic BitLocker device encryption:

1. Device should be running 1903 with latest CU or newer build.
2. TPM 1.2 or 2.0.
3. UEFI Secure Boot should be enabled.
4. DMA protection should be enabled.

As for my project requirements for enabling BitLocker encryption are concerned, they are as follows -

1. Enable BitLocker of OS drive.
2. Configure BitLocker automatically and silently without any kind of user interaction.
3. Disable Startup Pin.
4. Escrow the BitLocker recovery key to AAD.

Now let’s begin.

This is not a demo so I will only cover the specifics of the policy profile. I created an Endpoint Protection profile policy for BitLocker Encryption settings as shown below.

  
        
         

Here is the summary of the profile settings

 

       

Now here comes the interesting part. Automatic device encryption will probably fail on Whiskey Lake generation ('90 series) ThinkPads, caused by un-allowed DMA capable bus/device(s). This can be verified by checking in the System Information (open it as admin) on an affected system and then looking for the entry Un-allowed DMA capable bus/device(s) detected under Device Encryption Support item.

       

According to Microsoft, the error indicates that Windows detected at least one potential external DMA capable bus or device that may expose a DMA threat. In order to fix this, either OEM adds the bus or device to the allowed list in the registry or one can achieve the same by the means of pushing a PowerShell script using Intune.

I had to add 2 components in the whitelist script and execute it in system context.

$AllowedBus = "PCI\VEN_8086&DEV_15C0"

If ($(Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity") -eq $False) { New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity" }

If ($(Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses") -eq $False) { New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" }

New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" -Name "PCI Express Upstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force

New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses" -Name "PCI Express Downstream Switch Port" -Value $AllowedBus -PropertyType "String" -Force



Once the system restarted, the change came into effect and after the Intune policy was re-evaluated, silent automatic encryption went through straight away.

Bonus Tip –


In case the BitLocker policy reports non-compliant, there can be a number of issues causing this. It is well documented by Microsoft and you can find the link here.


In my case, the issue turned out to be Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer. If you see this in the eventvwr, then run diskpart and check for the presence of an additional Disk. For me, there was an additional volume D: reporting as Disk1. 



This turned out to be a Generic- SD/MMC USB Device which the customer wasn’t using on the laptops and wanted to be disabled. This was easily achieved by pushing a PowerShell script executed in system context.

Get-PnpDevice -Friendlyname *"Generic- SD/MMC USB Device"* | Disable-PnPDevice -Confirm:$false

The policy applied successfully and reported compliant.

 


And so the device BitLocker encryption policies worked happily ever after. The end...

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more