Saturday, 24 October 2020

Windows 10 modern management with Intune - BitLocker issues

Implementing a Windows 10 modern management solution with Intune is not as challenging as it has been in the past. Microsoft have improved the admin experience and the feature set, but more importantly, the platform is now very reliable and stable. Howeever we can still encounter issues from time and time. More than likely they are caused by mis-understanding or mis-configuration. I encountered some of these issues relating to BitLocker this week and I wanted to share.

1. Creating the policy

There are a number of ways to configure and enforce BitLocker in the Microsoft Endpoint Manager (MEM) admin center. The most recent way to manage device security is to use endpoint security policies in the Endpoint security node. This allows you to configure your policies simply without having to navigate the huge number of settings in device configuration profiles or security baselines.


Configuring the policy is very straightforward. There are four categories to configure. I only wanted to encrypt the OS drive so I figured that that I'd just have to configure the Base Setttings and OS Drive Settings categories.


Base Settings


OS Drive Settings

However I couldn't save the policy. 


I got the error "Encryption method setting for all drive types must have an encryption type, or all drive types must not be configured". This didn't make sense to me but I now understand that it is in fact documented. You'll find this information in the BitLocker CSP documentation.

"When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status".

Configuring encryption (with the same settings) on the fixed and removable drives solved the problem and I could save the policy. If you don't want to do this then you need to configure BitLocker in another location in the admin center, for now. This feature is still a work in progress.

2. Remove the ISO/DVD

This is a well known issue but it's very annoying so I want to highlight it here. It happens mostly when using VMs for testing. The Windows 10 ISO can still be mounted on the VM and this causes BitLocker to fail. 


"Failed to enable Silent Encryption. TPM is not available.

 

Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer. Remove the media and restart the computer before configuring BitLocker".


This issue is well documented. During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. To avoid this situation, the provisioning process stops if it detects removable bootable media.

Remove the bootable media, and restart the device.


3. Security baseline conflict

I hadn't really wanted to configure an encryption method for removable drives but I was forced to do do because of issue #1 above. 


I configured the settings like this (not blocking write access to an unprotected removable drive).


That led to this error describing a conflict.

"Failed to enable Silent Encryption

 

Error: BitLocker Encryption cannot be applied to this drive because of conflicting Group Policy settings. When write access to drives not protected by BitLocker is denied, the use of a USB startup key cannot be required. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker".

 


I eventually found that this was due to a setting in the Windows 10 security baseline. The default setting was to block write access to an unprotected removable drive. Changing that setting did the trick and the OS drive was encrypted successfully.

I hope these tips help. Until next time....

Tuesday, 20 October 2020

Managing Windows Virtual Desktops with Microsoft Endpoint Manager

Unsurprisingly, I have spent a lot of time recently deploying WVD solutions. In this blog post I want to highlight the MEM features that you can use to manage these desktops, especially in regard to Windows 10 multi-session. At the time of writing Configuration Manager 2006 in the latest production version.

For performance reasons ConfigMgr disables user policies on Windows 10 multi-session devices. This only happens with new client installations (1906 and later). If you upgraded the client from a previous version (pre 1906) then user policies will still be enabled. There may, of course, be a situation where you want to enable user policies and will accept any performance hit.


Open the Client Policy tab of Client Settings and choose "Enable user policy for multiple user sessions"


In versions 2006 and later, Windows 10 multi-session is now available in the list of supported versions for requirement rules. This is very useful when targeting FSLogix installations and registry settings.

If you previously selected the top-level Windows 10 platform, this action automatically selected all child platforms. The new platform isn't automatically selected. If you want to add Windows 10 multi-session, manually select it in the list.

Notes:
  • Currently Intune does not support Windows 10 multi-session but development work is actively being carried out.
  • Co-management is not supported on a client running Windows 10 multi-session.

These are exciting new MEM features with more to come. I hope this helps.

Until next time.......