Bitlocker: a mess

security Dec 16, 2020

Microsoft's disk encryption solution is called Bitlocker. It uses the Advanced Encryption Standard (AES) with 128-bit or 256-bit keys and is available in the Pro and Enterprise editions of Windows. It is part of every endpoint security recommendation and definitely something you want to integrate if you are using Intune. But how do you configure Bitlocker, and what can possibly go wrong?

Configuring Bitlocker in Intune

First of all, there are different ways to get Bitlocker working. Originally it was meant to be configured through a device configuration profile (DCP), but meanwhile it is also reachable through endpoint security profiles under disk encryption. Personally I am using the DCP, because the endpoint security profile could not cover all the settings that I was using.

Using device configuration profile

Go to Device configuration > Create new profile and choose Windows 10 and later > Endpoint security. The Bitlocker options are found under Windows encryption. First we have the base settings, which are pretty straightforward:

[Screenshot: Bitlocker base settings]

Next come the OS drive settings, where you can set additional authentication methods such as TPM, PIN or a startup key. Something else that is really important is the recovery password, which will be stored in (Azure) Active Directory.

[Screenshot: Bitlocker OS drive settings]

Startup authentication requirements are another source of mistakes. For example, if you require a startup PIN, Bitlocker will have issues with the encryption, because the PIN would have to be set interactively before encryption can start. This can be very tricky, and I would always recommend setting it to allow rather than require.

Using endpoint security profile

Move to Endpoint security > Disk encryption. Here you can define the same Bitlocker options as in the device configuration profile.

[Screenshot: Bitlocker settings in the endpoint security profile]

Troubleshooting

After applying the configured disk encryption profile, Bitlocker should start to encrypt automatically (provided you have enabled that option). But this is often not the case, for a number of different reasons.

Command manage-bde

Use the command "manage-bde -status" to get a quick overview of the encryption status. cmd or PowerShell must be opened as an administrator. The output looks something like the following:

[Screenshot: manage-bde -status output]

Event viewer Bitlocker-API

To get more information, especially in the case of an error, it is always very helpful to open the event viewer and look for noticeable events that occurred recently. Bitlocker events are found under: Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management. This log is usually rather empty if Bitlocker failed, so any event could help you. If there are many events, search for warnings or errors and focus on repeating event IDs. Here is an example:

[Screenshot: Bitlocker-API events in the event viewer]
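
The two checks above (the manage-bde status overview and the Bitlocker-API event log) can be collected in one elevated PowerShell session. The following is an added example written for this post, not code from the original article; it assumes the BitLocker PowerShell module is present (Windows 10 Pro/Enterprise) and that the event log name "Microsoft-Windows-BitLocker/BitLocker Management" is the one shown in the event viewer under BitLocker-API > Management. The seven-day window and the warning text are choices made here.

```powershell
#Requires -RunAsAdministrator
# Added example: collect the status overview and recent Bitlocker-API
# warnings/errors in one place. Assumes the BitLocker module is installed.

function Get-BitLockerOverview {
    # Same information as "manage-bde -status", but as objects you can filter or export
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        EncryptionPercentage, EncryptionMethod,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

function Get-BitLockerRecentErrors {
    param([int]$Days = 7)   # look-back window, chosen for this example

    $filter = @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'   # BitLocker-API > Management
        Level     = 2, 3                                                  # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when the filter matches nothing, which is common on a failed
    # enrollment, so swallow that and report it explicitly instead.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Bitlocker warnings or errors in the last $Days days (the log may simply be empty)."
        return
    }

    # Group by event ID so repeating IDs stand out, as the post suggests
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = $_.Name
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Message  = ($latest.Message -split "`r?`n")[0]   # first line of the message only
        }
    }
}

Get-BitLockerOverview      | Format-Table -AutoSize
Get-BitLockerRecentErrors  | Format-Table -AutoSize -Wrap
manage-bde -status                                   # the raw view for comparison
```

If Get-BitLockerVolume shows the OS drive as FullyDecrypted with no protectors while the profile has been assigned for a while, the grouped event list is the first place to look; a single event ID repeating at every policy refresh usually points at the same root cause each time.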

HSTI - DMA capable devices that conflict with the encryption

The Hardware Security Testability Specification (HSTI) is a security feature that IHVs (independent hardware vendors) use to guarantee a secure device by default.

DMA (direct memory access) capable devices are input/output devices that can read and write main memory directly, without the CPU being involved. This obviously represents a security risk when unknown peripherals are attached, and it is therefore disabled most of the time. It is the responsibility of the IHVs to declare DMA capable devices as protected from external access, but sometimes they do not get this done, and Bitlocker then treats those devices as a conflict with the encryption.

The solution

So from this point I have tried multiple approaches; meanwhile I was even working on my own script. Fortunately I have found something that gets everything done the way I need. The solution, found on GitHub by Aaron Parker, is a PowerShell script that checks the current state, enables Bitlocker (if necessary), saves the recovery key to Azure AD and of course also writes some logs. To use the script, go to Windows devices > Scripts. Upload the script and make sure to force it to run in a 64-bit PowerShell host, because "manage-bde" is not recognized in an x86 PowerShell session. Assign it to a device or user group and give it some time.
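The steps described above (run in a 64-bit host, check state, enable Bitlocker if needed, escrow the recovery password to Azure AD, write a log) can be sketched in PowerShell. The following is an added example written for this post; it is not Aaron Parker's script and does not reproduce it. It assumes an Azure AD joined Windows 10 device with the BitLocker module and a ready TPM, uses a TPM-only protector (no startup PIN, matching the "allow, not require" advice in the configuration section), and the log file path and the choice of XtsAes256 are assumptions made here.

```powershell
# Added example (not the GitHub script the post refers to).
# Assumptions: Azure AD joined device, BitLocker module present, TPM ready.

$LogFile = "$env:ProgramData\BitLockerEnable.log"   # assumed log location
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogFile -Append
}

# 1. Intune may start scripts in a 32-bit host, where manage-bde and the BitLocker
#    module are not available. Relaunch this script through the 64-bit engine.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = "$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe"
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

$OsDrive = $env:SystemDrive

# 2. A TPM protector needs a present and ready TPM; abort early with a clear log line.
$Tpm = Get-Tpm
if (-not ($Tpm.TpmPresent -and $Tpm.TpmReady)) {
    Write-Log "TPM not usable (Present=$($Tpm.TpmPresent) Ready=$($Tpm.TpmReady)); aborting."
    exit 1
}

# 3. Check the current state and enable only if the drive is still fully decrypted.
$Volume = Get-BitLockerVolume -MountPoint $OsDrive
if ($Volume.VolumeStatus -eq 'FullyDecrypted') {
    Write-Log "Enabling Bitlocker on $OsDrive (TPM protector, XtsAes256, used space only)."
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
} else {
    Write-Log "$OsDrive is already $($Volume.VolumeStatus); skipping Enable-BitLocker."
}

# 4. Make sure a recovery password protector exists; that is what Azure AD stores.
$Recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $Recovery) {
    Write-Log "Adding a recovery password protector."
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $Recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 5. Escrow every recovery password to Azure AD and log the result.
foreach ($kp in $Recovery) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
        Write-Log "Recovery password $($kp.KeyProtectorId) backed up to Azure AD."
    } catch {
        Write-Log "Backup of $($kp.KeyProtectorId) failed: $($_.Exception.Message)"
        exit 1
    }
}
Write-Log "Done. Volume status: $((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus)"
```

Use the same encryption method in the script as in the Intune profile; a drive that was encrypted with a different method than the profile enforces will show up as an error against that profile. The log file doubles as the evidence you want when a device never reports a recovery key: it tells you whether the TPM check, the enable step or the Azure AD backup was the part that did not run.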

This works on all of our Lenovo devices, which include the T14, T495, X1 Carbon, Yoga, L580, M720q, M920q and similar devices.

The Bitlocker recovery key can then be found in the Endpoint Manager admin center shortly after the enrollment:

[Screenshot: recovery keys in the Endpoint Manager admin center]

And the status of the device configuration profile:

[Screenshot: device configuration profile status]

Niklas Tinner

Young IT Nerd.
