
Hardware independent automatic Bitlocker encryption using AAD/MDM


Windows 10 delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility Suite (EMS). This enables mobile users to be more productive regardless of location. At the same time, organizations require their data to be kept safe, especially with 2018’s GDPR in mind, and most of them mandate some form of disk encryption such as Bitlocker.

In one of my previous blog posts you might have read about the requirement for InstantGo-capable devices to automate Bitlocker configuration on the device and back up the recovery key to the user’s Azure AD account. Windows 10 version 1703, also known as the Creators Update, offers a wizard that prompts users to start encryption regardless of the hardware used. I’ve received a lot of feedback regarding the need to automate encryption rather than relying on end-users to do so.

Recently I received a few scripts that allow the triggering of a fully automated Bitlocker encryption process regardless of hardware capabilities. This is provided by DXC and based on previous work from Jan Van Meirvenne and Sooraj Rajagopalan – thanks for your work and willingness to share.

I’ve tuned the scripts a bit, wrapped them into an MSI – ready to be uploaded in Intune and deployed to a group of users.

How does this solution work?

The MSI attached to this blog does the following:

  • Deploys three files into C:\Program Files (x86)\BitLockerTrigger
  • Imports a new scheduled task based on the included Enable_Bitlocker.xml

The scheduled task will run every day at 2PM and will do the following:

  • Runs Enable_Bitlocker.vbs, whose main purpose is to call Enable_BitLocker.ps1 and make sure it runs minimized.
  • In turn, Enable_BitLocker.ps1 encrypts the local drive and stores the recovery key in Azure AD and OneDrive for Business (if configured)
    • The recovery key is only stored when it has changed or is not yet present
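The following is an added example of the encrypt-then-back-up flow described above; it is not the Enable_BitLocker.ps1 shipped in the MSI. It assumes the task runs in the signed-in user’s context with elevated rights (so that $env:OneDriveCommercial is populated), and the state file path, the XtsAes256 method and the file naming are my own choices.

```powershell
# Added example, not the MSI's own script: enable BitLocker on the OS drive, then back the
# recovery password up to Azure AD and OneDrive for Business only when it is new or changed.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$Drive     = $env:SystemDrive                                   # usually "C:"
$StateFile = Join-Path ${env:ProgramFiles(x86)} 'BitLockerTrigger\LastBackedUpProtector.txt'  # assumed

# A TPM is required for unattended enablement (a Virtual TPM is fine on a VM).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'No ready TPM on this device; cannot enable BitLocker unattended.' }

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    # Without -SkipHardwareTest Windows schedules a hardware test, so encryption
    # only starts after the next reboot, which is why users are prompted to restart.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
}

# Make sure a recovery password protector exists (it may be missing on an already encrypted drive).
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# Only back up when the protector differs from the one recorded on the last run.
# The state file holds the protector ID, never the recovery password itself.
$last = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
if ($last -eq $rp.KeyProtectorId) { Write-Output 'Recovery key unchanged; nothing to do.'; return }

# 1) Azure AD: the device must be Azure AD joined or registered for this to succeed.
BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

# 2) OneDrive for Business, only if the client is configured for this user.
if ($env:OneDriveCommercial) {
    $folder = Join-Path $env:OneDriveCommercial 'Recovery'
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $file = Join-Path $folder ('BitLocker Recovery Key {0}.txt' -f $rp.KeyProtectorId.Trim('{}'))
    @(
        "Identifier:   $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
        "Computer:     $env:COMPUTERNAME"
        "Saved:        $(Get-Date -Format o)"
    ) | Set-Content -Path $file
}

New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value $rp.KeyProtectorId
```

If the Azure AD backup fails the script stops before writing the state file, so the next scheduled run retries both destinations.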


How can users get access to their recovery key?

The recovery key is written to two locations: the user’s Azure AD account and a Recovery folder in their OneDrive for Business (if configured). Users can retrieve the recovery key via http://myapps.microsoft.com by navigating to their profile, or from the OneDrive for Business\Recovery folder.

Azure AD:

OneDrive for Business:

Important to know:

  • After the script has run (most likely after 2PM) a reboot will be required before the initial Bitlocker encryption starts – users will be prompted.
  • Upload the MSI to Intune as a “Line-of-business” app. I’ve tested it by deploying to a User Group as “required” using the new portal at http://portal.azure.com.
  • The script doesn’t take any potential 3rd party encryption software into account. Only deploy this MSI to devices where Bitlocker will be the only disk encryption solution in place.
  • Please test this MSI on your own devices and in your own environment before broadly deploying.
  • As mentioned earlier: the recovery key can be found in Azure AD, either by the tenant administrator or by the end-user at http://myapps.microsoft.com. The recovery key will also be stored in the OneDrive for Business\Recovery folder.
  • This solution has only been tested on Windows 10 x64. You can even test on a Virtual Machine, as long as you assign a Virtual TPM.

A lot of time and testing has gone into this project, if it’s useful to you – please consider leaving a reply.

Downloads:

