Enabling BitLocker In Silent Mode Using the Settings Catalog (2023)


There are many blog posts and articles online about the old way to configure silent BitLocker. These used a template that Microsoft added to Intune. Since March 2023 BitLocker has moved (along with lots of other configurations) to using the Settings Catalog. Often the settings are similar and you can take a old blog post and work out what to do – not so with BitLocker. There is considerable change in the settings catalog version and therefore worthy of what seems a rewrite of old content.

Note that if you have existing BitLocker policies created with templates you can still use them and duplicate them to create other policies. This blog post is really where you have no existing policy in place and you would like to create a new one.

Additional note, silent BitLocker is used when you don’t want popups and alerts during, or to get the user to complete the BitLocker process. This limits some of the options you have, such as requiring a TPM chip on the device and not requiring a start-up PIN, but it does mean that you can easily roll out device encryption to all of your existing devices or enable BitLocker during AutoPilot.

You start by creating a new BitLocker policy in the Intune Portal (https://intune.microsoft.com/) > Endpoint Security > Disk encryption, or a Configuration Profile from the portal > Devices > Windows > Configuration profiles (Settings Catalog option). I prefer the second, as it is possible to export these settings as JSON for both documentation reasons and to easily import them into another tenant.

Creating an Endpoint Security > Disk Encryption policy
Creating an Configuration Profile based on the Settings Catalog

Create and name your policy, provide a description as shown:

Step 1: Creating the configuration profile

From the “Step 2” page, click + Add settings

Step 2: Add settings

Search the settings catalog for “BitLocker”. You will see five seperate categories:

Step 2: Seaching the settings catalog for BitLocker related settings

You need to select the following, one at a time, and add the relevant settings. They will appear on the left of the screen as you select them:

  • BitLocker (the last one on the above list)
    • Allow Warning For Other Disk Encryption
    • Configure Recovery Password Rotation
    • Require Device Encryption
  • Administrative Templates\Windows Components\BitLocker Drive Encryption
    • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • Administrative Templates\Windows Components\Operating System Drives
    • Choose how BitLocker-protected operating system drives can be recovered
    • Enforce drive encryption type on operating system drives
    • Require additional authentication at startup
  • Others (Fixed Data Drives and Removable Data Drives) are optional for silent BitLocker policies

Adding the above, which is not all of the available settings, results in them being shown on the left and not configured (or in the default state). This screenshot is a view of the top of this list of settings.

Step 2: Settings Catalog for BitLocker added and ready to configure

For each of these settings, there are various options. I will list here those that need to be selected (enabled or disabled) and why that setting needs to be such. Where a setting is not mentioned below it is disabled. It is still listed on the BitLocker policy becuase this turns off a setting rather than ignores it (i.e. not configured):

  • Windows Components > BitLocker Drive Encryption
    • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) | Enabled
      • Select the encryption strength you need for all three components. For silent BitLocker you need to say all disk types even if you are not planning to encrypt all disk types in the policy.
    • Choose how BitLocker-protected operating system drives can be recovered | Enabled | Allow 265-bit Recovery Key
      • Configure user storage of BitLocker recovery information | Allow 48-digit recovery password
      • Allow data recovery agent | True
      • Configure storage of BitLocker recovery information to AD DS | Store recovery packages and key packages. And yes, I realise this says Active Directory and not Azure Active Directory or Entra ID. Settings Catalog is based on GPO settings (ADMX files).
      • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | True. As above, this says Active Directory and not Azure Active Directory or Entra ID – but it does work and Entra Joined devices will save their recovery keys to Entra ID and then start encrypting the drive(s).
      • Save BitLocker recovery information to AD DS for operating system drives | True
    • Enforce drive encryption type on operating system drives
      • Select the encryption type (Device) | Used Space Only encryption (you can pick “Full Encryption” as well, it takes longer), but on new devices Used Space Only is sufficient.
  • Windows Components > BitLocker Drive Encryption > Operating System Drives
    • Disallow standard users from changing the PIN or password | Enabled
    • Require additional authentication at startup | Enabled
      • Configure TPM startup key and PIN | Do not allow startup key and PIN with TPM
      • Configure TPM startup key | Do not allow startup key with TPM
      • Configure TPM startup PIN | Do not allow startup PIN with TPM
      • Configure TPM startup | Require TPM (this is needed for silent BitLocker, and the device needs a TPM chip enabled in the BIOS/UEFI). All the other settings above must be disabled for silent BitLocker, otherwise they will prompt the user to perform key management jobs such as set a boot PIN.
  • BitLocker
    • Require Device Encryption | Enabled
    • Configure Recovery Password Rotation | Refresh on for both Azure AD-joined and hybrid-joined devices
    • Allow Warning For Other Disk Encryption | Disabled (this defaults to Enabled in the policy – be sure to disable it as this is required for silent BitLocker)
    • Allow Standard User Encryption | Enabled (this is required so BitLocker during AutoPilot, when the first user is not an admin, will work).

The last of the above section (BitLocker) looks like this. Notice how settings that are both enabled or disabled in the policy. They are not absent/removed from the policy as that means “Not Configured” rather than “Disabled” or “False”.

Step 2: Configuring the individual settings for each policy category

Click Next to move onto Step 3. Set any Scope Tags you require.

Click Next to move onto Step 4. Assign the policy to All Devices to cover your entire Windows client estate. Start with an assignment to a group that contains a few unencrypted devices, and for completion, a few encrypted devices. The unencrypted devices should encrypt over the next few days and the already encrypted ones should do nothing. These should not change settings in any way (for example startup keys, recovery passwords, or encryption levels). The already encrypted devices will only move to your required settings if they have their existing encryption removed first.

Therefore collecting recovery keys from existing encrypted devices to Entra ID will be required as a seperate task.

Step 4: Assignment

Click Next to review and then Create to complete the process. Devices will check into Intune within 8 hours and download the new policy if they are assigned it. They will then start the encryption process. Forcing the sync of a device from the Intune portal or the device itself will speed up this, and BitLocker should start encrypting within minutes on a device that you force sync to. It will finish encrypting based on amount of the data and the “Used Space Only” (quicker) or “Full Encryption” (slower) setting.

Export the configuration profile from the … menu to the right of the profile name and Export JSON to save (and possibly import the profile to another tenant).

Export Configuration Profile

You can track the success of your silent BitLocker process initially on the devices you are using to pilot this policy (via the Event Viewer, DeviceManagement-Enterprise-Diagnostic-Provider log). The status of the policy can be seen from “Device Status” under the policy. This will show the number of devices that have picked up the policy. The Encryption Report under Devices > Monitor > Encryption Report can also be used.

Reporting on the effect of the policy – first device succeeded!

Photo by Azamat Esenaliev: https://www.pexels.com/photo/black-internal-hdd-on-black-surface-117729/


Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.