Saturday 24 October 2020

Windows 10 modern management with Intune - BitLocker issues

Implementing a Windows 10 modern management solution with Intune is not as challenging as it has been in the past. Microsoft have improved the admin experience and the feature set, but more importantly, the platform is now very reliable and stable. Howeever we can still encounter issues from time and time. More than likely they are caused by mis-understanding or mis-configuration. I encountered some of these issues relating to BitLocker this week and I wanted to share.

1. Creating the policy

There are a number of ways to configure and enforce BitLocker in the Microsoft Endpoint Manager (MEM) admin center. The most recent way to manage device security is to use endpoint security policies in the Endpoint security node. This allows you to configure your policies simply without having to navigate the huge number of settings in device configuration profiles or security baselines.


Configuring the policy is very straightforward. There are four categories to configure. I only wanted to encrypt the OS drive so I figured that that I'd just have to configure the Base Setttings and OS Drive Settings categories.


Base Settings


OS Drive Settings

However I couldn't save the policy. 


I got the error "Encryption method setting for all drive types must have an encryption type, or all drive types must not be configured". This didn't make sense to me but I now understand that it is in fact documented. You'll find this information in the BitLocker CSP documentation.

"When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status".

Configuring encryption (with the same settings) on the fixed and removable drives solved the problem and I could save the policy. If you don't want to do this then you need to configure BitLocker in another location in the admin center, for now. This feature is still a work in progress.

2. Remove the ISO/DVD

This is a well known issue but it's very annoying so I want to highlight it here. It happens mostly when using VMs for testing. The Windows 10 ISO can still be mounted on the VM and this causes BitLocker to fail. 


"Failed to enable Silent Encryption. TPM is not available.

 

Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer. Remove the media and restart the computer before configuring BitLocker".


This issue is well documented. During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. To avoid this situation, the provisioning process stops if it detects removable bootable media.

Remove the bootable media, and restart the device.


3. Security baseline conflict

I hadn't really wanted to configure an encryption method for removable drives but I was forced to do do because of issue #1 above. 


I configured the settings like this (not blocking write access to an unprotected removable drive).


That led to this error describing a conflict.

"Failed to enable Silent Encryption

 

Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker".

 


I eventually found that this was due to a setting in the Windows 10 security baseline. The default setting was to block write access to an unprotected removable drive. Changing that setting did the trick and the OS drive was encrypted successfully.

I hope these tips help. Until next time....

5 comments:

  1. Thanks for the tips. I have followed the instructions/configuration settings above completely including the Windows 10 security baseline. I am still getting the "BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required"

    any other suggestions on where to look?

    ReplyDelete
  2. Thanks for the configuration tips. I have configured exactly to the above settings + made the Windows 10 baseline ones. Still having the exact same "...When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required.." errors though. Any tips?

    ReplyDelete
  3. I still get the same error where I have enabled Base settings, fixed drive settings, OS drive settings and Removal drive settings.

    ReplyDelete
  4. I have silent Intune encryption working but when I want to denied write access to not protected USB I got this Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker". Do not know what intune setting I need to change so silent install and USB encryption is working. Thx

    ReplyDelete