Sorry it's been a while, but following on from my last post, Modern Management - Part Six - Resetting Autopilot Devices, here is my latest post around Modern Management: deploying BitLocker device configuration profiles as part of an Autopilot deployment.
As a prerequisite you have to have the following within your tenant:
- An assigned Autopilot profile
- AzureAD P1 & Intune license
- Intune status enrollment page
Setting | Value
--- | ---
Name | BitLocker
Description | BitLocker Configuration Profile
Platform | Windows 10 and later
Profile type | Endpoint protection
Assignments | Assign to your Autopilot group here
**Windows Encryption Settings** |
Encrypt devices | Required
Encrypt storage card | Not configured
**BitLocker base settings** |
Warning for other device encryption | Block
Allow standard users to enable encryption during Azure AD Join | Allow
Configure encryption methods | Enable
Encryption for operating system drives | XTS-AES 256-bit
Encryption for fixed data-drives | XTS-AES 256-bit
Encryption for removable data-drives | XTS-AES 256-bit
**BitLocker OS drive settings** |
Additional authentication at startup | Require
BitLocker with non-compatible TPM chip | Not configured
Compatible TPM startup | Allow TPM
Compatible TPM startup PIN | Allow startup PIN with TPM
Compatible TPM startup key | Allow startup key with TPM
Compatible TPM startup key and PIN | Allow startup key and PIN with TPM
Minimum PIN length | Not configured
OS drive recovery | Enable
Certificate based data recovery agent | Not configured
User creation of recovery password | Allow 48 digit recovery password
User creation of recovery key | Allow 256-bit recovery key
Recovery options in the BitLocker setup wizard | Block
Save BitLocker recovery information to Azure Active Directory | Enable
BitLocker recovery information stored to Azure Active Directory | Recovery passwords and key package
Store recovery information to Azure Active Directory before enabling BitLocker | Require
Pre-boot recovery message and URL | Not configured
**BitLocker fixed data-drive settings** |
Write access to fixed data-drive not protected by BitLocker | Not configured
Fixed drive recovery | Enable
Data recovery agent | Not configured
User creation of recovery password | Allow 48 digit recovery password
User creation of recovery key | Allow 256-bit recovery key
Recovery options in the BitLocker setup wizard | Not configured
Save BitLocker recovery information to Azure Active Directory | Enable
BitLocker recovery information stored to Azure Active Directory | Recovery passwords and key package
**BitLocker removable data-drive settings** |
Write access to fixed data-drive not protected by BitLocker | Not configured
Write access to devices configured in another organisation | Not configured
During my initial testing I found that devices were not getting BitLocker enabled: Intune reported the error '0x87d1fde8 remediation failed intune bitlocker' (-2016281112, Remediation failed), and although the profile reported BitLocker as applied, the device was not encrypted:
After looking into this I suspected the culprit was the Windows Settings / Encrypt Devices setting, as it has been documented that when deploying with Autopilot you MUST have this configured as 'Not Required'; however, after testing that I still found the device was not encrypting.
Looking further I found the known issue "BitLocker encryption is not correctly configured. Ex: BitLocker didn't get an expected notification after policies were applied to begin encryption" and the update associated with it (https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/known-issues - https://support.microsoft.com/en-gb/help/4505903/windows-10-update-kb4505903)
I used DISM to apply the update to my WIM:
DISM /Mount-Wim /WimFile:G:\sources\install.wim /index:1 /Mountdir:C:\TempMount
DISM /image:C:\TempMount /Add-Package /Packagepath:C:\Users\Public\Downloads\Updates
DISM /Unmount-Wim /Mountdir:C:\TempMount /commit
DISM /Cleanup-Wim
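The same offline servicing, written as an added example with the DISM PowerShell module (this is not code from the original post). The difference from the four dism.exe lines above is that it records the package list before and after Add-WindowsPackage and refuses to commit the image if nothing new was added, which is the check I would want before rebuilding a device from the WIM. The WIM, mount and update-folder paths are assumptions that match the post's layout.

```powershell
# Added example: service install.wim with the DISM module and verify the update
# actually landed before committing. Paths are assumptions taken from the post.
$Wim     = 'G:\sources\install.wim'
$Mount   = 'C:\TempMount'
$Updates = 'C:\Users\Public\Downloads\Updates'   # folder holding the .msu/.cab files

New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# Mount index 1 read/write (equivalent of DISM /Mount-Wim ... /index:1)
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null

try {
    # Snapshot the package set so we can prove something changed
    $before = (Get-WindowsPackage -Path $Mount).PackageName

    # Apply every package in the folder (equivalent of DISM /Add-Package /Packagepath:<folder>)
    Add-WindowsPackage -Path $Mount -PackagePath $Updates | Out-Null

    $after = Get-WindowsPackage -Path $Mount
    $added = $after | Where-Object { $_.PackageName -notin $before }

    if (-not $added) {
        throw 'No new packages were added to the image; discarding changes instead of committing.'
    }

    # Cumulative updates show up as Package_for_RollupFix... rather than by KB number,
    # so report what was added and its state rather than matching on the KB id.
    $added | Select-Object PackageName, PackageState | Format-Table -AutoSize

    # Commit (equivalent of DISM /Unmount-Wim ... /commit)
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
}
catch {
    Write-Error $_
    # Roll back so a half-serviced image is never written to the WIM
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
}
finally {
    # Equivalent of DISM /Cleanup-Wim
    Clear-WindowsCorruptMountPoint | Out-Null
}
```

Run this from an elevated PowerShell session with the ADK's DISM module available; the `Dismount-WindowsImage -Discard` in the catch block is what keeps a failed servicing run from leaving you with a WIM that looks patched but is not.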
But as we can see with Manage-bde -Status the device was still not encrypted:
I then created the following custom OMA-URI profile:
Setting | Value
--- | ---
Name | Bitlocker - Allow Standard User Encryption
Description | Bitlocker - Allow Standard User Encryption
Platform | Windows 10 and later
Profile type | Custom
Assignments | Assign to your Autopilot group here
**Custom OMA-URI settings** |
Name | Bitlocker - Allow Standard User Encryption
Description | Bitlocker - Allow Standard User Encryption
OMA-URI | ./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption
Data type | Integer
Value | 1
Following a rebuild of the device, if we look at it with Manage-bde -Status you can now see the device is enrolled into Azure AD with Autopilot and the BitLocker encryption method is XTS-AES 256:
And we can see that the Recovery Keys are backed up to Azure AD:
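As an added example (not from the original post), here is the check I would run on a freshly built device instead of reading Manage-bde -Status by eye. It compares the OS volume against what the profile above asks for (XTS-AES 256, protection on, a TPM protector plus a recovery password protector), looks for the event that BitLocker writes when a recovery password has been backed up to Azure AD, and can optionally trigger that backup itself with BackupToAAD-BitLockerKeyProtector. The function name and its parameters are my own.

```powershell
# Added example: verify an Autopilot-built device against the BitLocker profile
# and confirm the recovery password has been escrowed to Azure AD.
function Test-AutopilotBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$BackupIfMissing   # escrow to Azure AD if no successful backup event is found
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Protectors the profile expects on the OS drive
    $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Event 845 in the BitLocker Management log records a successful backup of
    # recovery information to Azure AD; no events at all is not an error here.
    $backupEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    }

    $result = [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        EncryptionMethod   = $vol.EncryptionMethod     # profile asks for XtsAes256
        VolumeStatus       = $vol.VolumeStatus         # FullyEncrypted or EncryptionInProgress
        ProtectionStatus   = $vol.ProtectionStatus     # must be On for the drive to be protected
        HasTpmProtector    = [bool]$tpm
        HasRecoveryPwd     = [bool]$rp
        AadBackupLogged    = [bool]$backupEvents
        AadBackupAttempted = $false
        Compliant          = $false
    }

    $result.Compliant = ($vol.EncryptionMethod -eq 'XtsAes256') -and
                        ($vol.ProtectionStatus -eq 'On') -and
                        $result.HasTpmProtector -and
                        $result.HasRecoveryPwd

    if ($BackupIfMissing -and $rp -and -not $result.AadBackupLogged) {
        foreach ($p in $rp) {
            # Escrow each recovery password to the Azure AD device object.
            # The device is already Azure AD joined by this point in Autopilot.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        $result.AadBackupAttempted = $true
    }

    return $result
}

# Usage on the built device (elevated):
Test-AutopilotBitLocker | Format-List
```

A device that reports `Compliant = True` but `AadBackupLogged = False` is the case worth chasing: the drive is protected, but nobody will be able to retrieve the recovery password from Azure AD when it is needed, so re-run with `-BackupIfMissing` and check the log again.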
PLEASE REMEMBER TO REMOVE ANY USB DRIVES DURING THE DEPLOYMENT (if using a USB drive to build the device with Autopilot, remove it at the restart stage after the initial OS deployment).
I hope this helps someone else :)