Endpoint Services, MECM, BitLocker Full Disk Encryption, Setting up on Windows
Overview
This guide describes how to use MECM to set up full disk encryption with BitLocker on managed Windows endpoints.
Systems
Microsoft Endpoint Configuration Manager (MECM)
Intended Audience
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
BitLocker Full Disk Encryption
This process will show how to set up BitLocker full disk encryption on endpoint managed Windows systems using MECM. In order for BitLocker to be enabled on workstations a few steps must be taken to ensure proper deployment. The exact process for each step will vary depending on the hardware used and software configuration. In order to properly encrypt and protect a hard drive, the workstation should have a v2.0 or newer TPM device for Windows 11 (or, v1.2 for Windows 10).
You will need
- administrative access to the respective Windows systems
- access to control these endpoints via MECM.
- each managed Windows 11 endpoint that will become encrypted must have a v2.0 TPM device (or, v1.2 for Windows 10)
- a new GPO (Group Policy Object) you can edit for each OU in which you intend to use MECM to encrypt endpoints. Submit a request with consult@illinois.edu if you need blank GPOs.
- GPO editing privileges and the access to the Group Policy Management console for editing the GPOs.
Create and apply a GPO
Because the secure recovery key escrow currently identified for BitLocker is Active Directory, a GPO is required to force the escrow process. The GPO (shown below) should then be applied to all workstations in which BitLocker may be enabled.
Prepping the TPM
The TPM must be enabled and activated for BitLocker to store encryption secrets. This can be done manually from the BIOS or from within Windows using manufacturer supplied tools. Contained within the examples below are methods to accomplish this within MECM. Because of the number of variables involved, testing is strongly recommended.
During OS deployment, MECM can automate the encryption process using BitLocker. This can be done as the OS data is written to disk, known as pre-provisioning, or towards the end of the imaging process, similar to the experience of enabling BitLocker on a deployed device (where resident data is encrypted). The difference between the two is that data is encrypted as it is written to storage when using pre-provisioning, saving significant time over the more traditional process of encrypting after the fact.
All example task sequences can be found in Software Library→Operating Systems→Task Sequences→.DEMO DAYS. You are free to make a copy of the task sequence and customize it to suit your needs.
DO NOT DEPLOY THE EXAMPLE TASK SEQUENCES!
The "UIUC-DEMO DAYS In-Place BitLocker" task sequence is a good starting point for encrypting workstations that are already out in the field. It demonstrates the general process to prepare the TPM, create the required 300MB partition for BitLocker, and encrypt the device. Remember, in all examples, there is an assumption that you have created the GPO to force recovery key escrow in AD.
To begin testing the task sequence (TS), make a copy by right-clicking the TS and selecting copy. Then right-click the copy and move it to your unit's task sequence folder (right-click, move). Edit the name with your unit's prefix and any other steps as needed. Right-click the TS and deploy it to a test collection containing some test endpoints. This TS is designed to be deployed to managed endpoints, so be sure to make the deployment available to the client, and you probably want to make it an available deployment so it can be manually executed from software center.
An example of using pre-provisioning can be found in the "UIUC-DEMO DAYS Deploy Windows 10 x64" task sequence, specifically the Pre-provision BitLocker step. The Pre-provision step must execute between when the drive is partitioned and when the OS image is applied. Other than that, preparation of the TPM and the enabling of BitLocker are in their usual places before and after the OS installation, respectively. Modify your existing TS and copy/paste the pre-provisioning and enabling of BitLocker steps in the correct order. If you want to automate TPM activation, you could copy the appropriate TS step groups and paste them into your TS as necessary.
For Windows 11: For the 'Pre-provision BitLocker' step, follow these steps to resolve a known issue:
- Replace the step with a new 'Run Task Sequence' step that runs the 'DEMO DAYS-Pre-Provision Bitlocker Workaround' task sequence, located at '\Software Library\Overview\Operating Systems\Task Sequences\.DEMO DAYS' in the console
- Or, you can create the following four Run Command Line steps in your task sequence using the commands below:
  - reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f
  - reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\MiniNT /f
  - manage-bde.exe -on C: -em xts_aes128
  - reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\MiniNT /f
Compliance and reporting
The encryption state of each drive on an individual workstation is visible in the MECM console via the Resource Explorer (right-click→Start→Resource Explorer) by navigating to the BitLocker node within the hardware inventory.
Collections can be created whose membership is based on this attribute. Below is a query that tests whether the C: drive is encrypted. As written, it would be used to create a collection of devices where the C: drive is not encrypted. You can copy the following text and paste it into the collection query editor:
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ENCRYPTABLE_VOLUME on SMS_G_System_ENCRYPTABLE_VOLUME.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ENCRYPTABLE_VOLUME.DriveLetter = "C:" and SMS_G_System_ENCRYPTABLE_VOLUME.ProtectionStatus = 0
Configuration Items\Baselines can also be used to determine compliance. In the MECM console, in Assets and Compliance→Compliance Settings→Configuration Items, there is a configuration item called "BitLocker C: Status (PS)" and another called "BitLocker C: Status (WMI)" that can each check BitLocker status. The one ending in (PS) uses a PowerShell script to check the status of BitLocker on the C: drive; the (WMI) variant uses a simple WMI query to determine the encryption status. There is a tradeoff between the two configurations:
"BitLocker C: Status (PS)" | "BitLocker C: Status (WMI)"
---|---
• allows for a remediation script to force encryption of the C: drive | • doesn't require any special MECM client setting
• but also currently requires the MECM client PS execution policy setting to be set to Bypass (the default is All Signed) | • but doesn't offer the ability to auto-remediate
You will need to copy the PS variant and modify it if you wish to add a remediation script.
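As an added example (not the Endpoint Services team's configuration item), the script below shows what a discovery/remediation pair for the (PS) pattern above can look like: the first function is a discovery script body that returns Compliant/NonCompliant for the C: drive, and the second is a remediation script body. It assumes the BitLocker and TrustedPlatformModule PowerShell modules are present, that the recovery key escrow GPO is applied, and that the client's PS execution policy allows the script to run.

```powershell
# Added example, not from the KB. Assumes BitLocker and TrustedPlatformModule modules.
function Test-BitLockerCompliance {
    param([string]$MountPoint = 'C:')
    # Same WMI class the (WMI) configuration item queries.
    $vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter = '$MountPoint'"
    if (-not $vol) { return 'NonCompliant' }
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown; only 1 passes.
    if ($vol.ProtectionStatus -ne 1) { return 'NonCompliant' }
    # Also require a TPM protector and a recovery password, because
    # without the latter the escrow GPO has nothing to write to AD.
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    if ($types -notcontains 'Tpm' -or $types -notcontains 'RecoveryPassword') {
        return 'NonCompliant'
    }
    return 'Compliant'
}

function Invoke-BitLockerRemediation {
    param([string]$MountPoint = 'C:')
    # Leave TPM preparation to the task sequence; bail out if it is not ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning 'TPM not present or not ready; skipping remediation.'
        return
    }
    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bl.VolumeStatus -eq 'FullyDecrypted') {
        # Same cipher the Windows 11 workaround passes to manage-bde.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }
    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bl.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Escrow every recovery password to AD DS explicitly rather than relying
    # only on the GPO firing at protector-creation time.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# Discovery output: MECM compares this single string against the CI's
# expected value ('Compliant'). The remediation script body is the second function.
Test-BitLockerCompliance
```

When pasting into the CI, put only the first function and its trailing call in the discovery script and only the second function plus a call to it in the remediation script.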
In either case, you would select which works best for you and use it to create a Configuration Baseline which can then be deployed to your endpoint collections. Example configuration baselines that can be copied are found in Assets and Compliance→Compliance Settings→Configuration Baselines as "BitLocker C: Status Baseline (PS)" or "BitLocker C: Status Baseline (WMI)". Each demonstrates how to use the respective configuration item to check the endpoint for compliance on a set schedule (established during the configuration baseline deployment wizard).
In the example below, you see the "BitLocker C: Status (PS)" compliance baseline deployed to the UIUC-Illini Union Laptops collection. The upper pane shows the status of the configuration baseline, indicating the number of endpoints that are compliant, non-compliant, and unable to compute compliance due to a failure. The lower pane (the Deployments tab) shows the deployment status of the configuration baseline, indicating the number of targeted endpoints, the number of successful evaluations, and the number of failed evaluations. It is important to note that this shows the endpoints where the configuration baseline successfully evaluated compliance, not the result of that evaluation. By right-clicking on the deployment and selecting "View Status", the MECM console shows a breakdown of the deployment.