Centralized Drive Encryption From the Cloud

**DISCLOSURE:** While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

It has been nearly fifteen years since I first encrypted a hard drive with BitLocker. I was invited to Calgary to deliver a presentation on the launch of Windows Vista in January 2007. I was supposed to go skiing the following day with the president of the local user group, but it was too cold to leave the city. Instead of driving to one of the magnificent ski resorts in the Canadian Rockies, I spent the day at the Calgary Public Library. I encrypted the drive on my Acer Ferrari 4000 laptop, in awe that this functionality was built into the operating system. Of course, that laptop did not have a TPM chip, so I had to dedicate a USB key to unlock my computer when I wanted to turn it on.

BitLocker Drive Encryption is a data protection feature that is included with Windows 10 and encrypts your hard drive so that if your computer is lost or stolen, your data will remain uncompromised.

We have come a long way since that long, cold day. BitLocker is no longer a standalone feature of the operating system. With Microsoft BitLocker Administration and Monitoring (MBAM), which was a component of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance, you could centrally manage your BitLocker encryption and use that tool in conjunction with Group Policy to enforce encryption. You could store your BitLocker recovery keys in Active Directory rather than keeping them in flat files.

The Modern Desktop methodology of enforcing BitLocker is a lot more subtle and does not require an Active Directory Domain Services (AD DS) infrastructure with Group Policy. All you need is Microsoft Intune, and the world is your oyster… or rather, your hard drive is encrypted, and your data is in the vault. In this article, I will show you how to enable and enforce BitLocker for operating system (OS) drives, data drives, and external hard drives that connect to your corporate PCs.

First, let’s navigate to the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com). In the navigation pane, click Endpoint security. In the menu on the Endpoint security | Overview page, click Disk Encryption.

In the Endpoint security | Disk encryption screen, click + Create Policy. In the sidebar that appears, select Windows 10 and later from the Platform dropdown list. In the Profile dropdown list that appears, click BitLocker. Click Create.

In the Basics tab enter a name (and possibly a description) for your profile, and then click Next.

In the Configuration settings page, there are several options that you can set. These are the settings I chose for my demo environment:

  • Enable full disk encryption for OS and fixed data drives: Yes
  • Require storage cards to be encrypted: Yes
  • Hide prompt about third-party encryption: Not configured
  • Configure client-driven recovery password rotation: Enable rotation on Azure AD-joined devices
  • BitLocker fixed drive policy: Configure
  • Fixed drive recovery: Configure
    • Recovery key file creation: Allowed
    • Configure BitLocker recovery package: Password and key (this will include both the BitLocker recovery password used by admins and users to unlock protected drives, and recovery packages which are used by admins to recover drives in Active Directory.)
    • Require device to back up recovery information to Azure AD: Yes
    • Recovery password creation: Required (this generates a 48-digit recovery password when initializing BitLocker that is sent to Azure AD, as long as the policy Require device to back up recovery information to Azure AD is set to Yes)
    • Hide recovery options during BitLocker setup: Yes
    • Enable BitLocker after recovery information to store: Yes
    • Block the use of certificate-based data recovery agent (DRA): Not configured
    • Block write access to fixed data-drives not protected by BitLocker: Yes
    • Configure encryption method for fixed data drives: AES 256bit XTS
  • BitLocker system drive policy: Configure
    • Startup authentication required: Not configured
    • Configure encryption method for Operating System drives: AES 128bit XTS
  • BitLocker removable drive policy: Configure
    • Configure encryption method for removable data-drives: AES 256bit XTS
    • Block write access to removable data-drives not protected by BitLocker: Yes
    • Block write access to devices configured in another organization: Not configured

When you have set the options you like, click Next.

On the Scope tags tab, configure any tags you like, and then click Next.

On the Assignments tab, select the groups to include (or exclude) from the profile. You can be selective, or you can include either all devices or all users. Click Next.

On the Review + create tab, review the options you selected and then click Create. You will notice on this page that, unlike the Review + create tab of a lot of other profiles, the settings are not as cleanly shown; you will have to read through the code for a few of the options.


When you start encrypting hard drives, there is a lot of room to get it wrong. Like every other profile that you have created in Intune, test and test and test again (but more so!)
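One way to do that testing on a single device, as an added example that is not part of the original article: this PowerShell script, run in an elevated session after the profile has applied, compares each volume's BitLocker state with the values chosen above. The expected-method table, the drive classification and the final escrow loop are my assumptions about the reader's policy, not something the profile itself exposes.

```powershell
# Added example (not from the original article): audit a device's BitLocker state
# against the Intune profile values chosen above. Run elevated on Windows 10.
# Assumed expected encryption methods, taken from the article's settings:
$ExpectedMethod = @{
    OperatingSystem = 'XtsAes128'   # Configure encryption method for Operating System drives
    Fixed           = 'XtsAes256'   # Configure encryption method for fixed data drives
    Removable       = 'XtsAes256'   # Configure encryption method for removable data-drives
}

function Test-BitLockerCompliance {
    foreach ($vol in Get-BitLockerVolume) {
        # Get-BitLockerVolume reports fixed and removable drives both as 'Data';
        # Win32_LogicalDisk.DriveType (2 = removable, 3 = fixed) tells them apart.
        $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($vol.MountPoint)'"
        $kind = if ($vol.VolumeType -eq 'OperatingSystem') { 'OperatingSystem' }
                elseif ($disk.DriveType -eq 2)              { 'Removable' }
                else                                        { 'Fixed' }

        $issues = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "status is $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')         { $issues += 'protection is off' }
        if ($vol.EncryptionMethod -ne $ExpectedMethod[$kind]) {
            $issues += "method is $($vol.EncryptionMethod), expected $($ExpectedMethod[$kind])"
        }
        # "Recovery password creation: Required" means a 48-digit recovery password
        # protector must exist; that is the key Azure AD escrows.
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        if ($types -notcontains 'RecoveryPassword') { $issues += 'no recovery password protector' }
        if ($kind -eq 'OperatingSystem' -and $types -notcontains 'Tpm') {
            $issues += 'OS drive has no TPM protector'
        }

        [pscustomobject]@{
            Drive     = $vol.MountPoint
            Kind      = $kind
            Method    = $vol.EncryptionMethod
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

Test-BitLockerCompliance | Format-Table -AutoSize

# A volume encrypted before the profile arrived may never have sent its recovery
# password to Azure AD; escrow every recovery password protector explicitly.
foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}
```

A drive that shows Compliant = False with "method is XtsAes128, expected XtsAes256" was usually encrypted before the profile applied; the profile does not re-encrypt an already-encrypted volume.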

Monitoring Device Encryption

It is pointless to implement a policy that you cannot monitor. And so, there is a simple report in the MEM console that will tell you the status of all hard drives, whether they are encrypted or not, and which policy is responsible for them.

From the Devices | Overview page, click Monitor. In the Monitor | Assignment status page, click Encryption report (under Configuration). This report will enumerate your device name, OS and version, TPM (Trusted Platform Module) version, encryption readiness and status, and who the primary user of the device is.



BitLocker is a great way to protect your data, but it is important for the organization to be able to recover a device encrypted by an end user, in case that user leaves the company on bad terms (or falls ill). Creating and implementing a device encryption policy allows you to take charge of that – ensuring your devices are protected, while at the same time resting easy with the knowledge that you can recover any encrypted device.


One response to “Centralized Drive Encryption From the Cloud”

1. What’s the best method to configure this policy to encrypt OS and fixed drives but NOT removable devices? I currently have a similar policy to the one described above in place. The encryption of removable devices is proving to be an issue.
