anyweb

Configuring BitLocker in Intune - Part 2. Automating Encryption


Introduction

In Part 1 I showed you how you can configure BitLocker on Windows 10 devices using Microsoft Intune, but that method relies on the end user actually clicking on the notification in Windows and then continuing through the wizard until completion.

In this post I'll show you how to automate that part of the process using an MSI based on one originally created by Pieter WigLeven. The MSI creates a scheduled task that runs daily until the drive is encrypted.

Pieter's solution was great but lacked some key features that I wanted, such as logging (so that you can see any errors that occur during the encryption phase), success/failure logic and a user-facing reboot prompt. I therefore rewrote the PowerShell script included in the MSI and re-packaged it for your benefit.

Note: I'd recommend you test this solution in a lab environment. I used Windows 10 version 1703 Hyper-V based virtual machines (Generation 2) with a virtual TPM enabled. Also note that this MSI (and Pieter's) does not check for the existence of a third-party encryption tool; if you want that functionality you'll need to modify the PowerShell script accordingly and then repackage it as described in Step 5.

Enabling a Virtual TPM

If you use Hyper-V VMs without a virtual TPM enabled, the PowerShell script will log errors and exit without starting encryption. You can enable the virtual TPM in the Security settings of your virtual machine (shown in the screenshot below) by placing a check mark in Enable Trusted Platform Module.

Enable Trusted Platform Module.png

 

Step 1. Download the MSI

Note: In this guide I've used the windows-noob.com version of the MSI. I modified the MSI as described in Step 5 and made it available in the Downloads section of this guide. It includes new features such as:

  • Detailed logging
  • Logic to check if encryption was enabled
  • Reboot notification for end users
  • Automatically remove the scheduled task once encryption is enabled

You can get the windows-noob.com version of the MSI in the Downloads section of this guide (scroll down) or you can get the original MSI from Pieter.

Keep in mind that if you are doing Azure AD join the user is automatically an Administrator, whereas with Windows Autopilot the user will not be an Administrator. The windows-noob.com version of the tool (TriggerBitlocker.msi) is based on the user being an Administrator; for non-admin users there is a separate TriggerBitLockerUser.msi in the Downloads section, which was reworked during the discussion below after its scheduled task failed with Access Denied when run in a non-admin user's context.

Step 2. Add the MSI as a LOB app in Intune

Now that you have the MSI available, it's time to upload it into Intune. In the Intune service in Azure, select Mobile Apps, then Apps, then click on + Add to add an App.

add app.png

Select Line of Business app in the drop down, then select Select file and point it to the downloaded MSI file before clicking on OK.

add msi.png

Next click on App Configuration and fill in some details about the application before clicking on OK.

app configuration.png

Finally, click on Add.

add.png

Step 3. Assign the app as Required to a User Group

Next you will deploy the application (Assign) to a group of Users. In this guide I've created an Assigned User Group called Automate BitLocker Encryption (Users) which contains users that I want to target with this policy.

Click on Assignment, then click on Select Groups, select the User Group you created previously and then click on Select.

select groups.png

For Type, click on the dropdown and select Required and then click on Save. This will mean that any users in this User Group will be targeted by this required application and it will automatically download and run.

type required.png

Step 4. Verify the experience

On a Windows 10 computer that is not yet BitLockered (and not encrypted by any third-party encryption tool), log on as a user that is a member of the above User Group. Keep in mind that they also need to have received the BitLocker configuration created in Part 1 of this guide. That policy sets the BitLocker configuration options (such as the encryption algorithm), but it does not start encryption automatically.

Trigger a sync from the device (Settings > Accounts > Access work or school > Info > Sync). This pulls down the new policy and starts the download and installation of the MSI, which in turn copies some files and creates a scheduled task.

Sync.png

Once policy is received, you can see that the application is installed in Control Panel.

application installed.png

And three files are present in the File System at C:\Program Files (x86)\BitLockerTrigger.

Note: The VBS script launches the PowerShell script, and the XML file is used to create the Task Scheduler task.

files in programfiles.png

You can also check Task Scheduler to see the task is added, and that it is scheduled to run at 2pm.

task in task scheduler.png

Tip: By default Windows Task Scheduler has the History tab disabled. To enable it, start Task Scheduler as Administrator (Run as Administrator) and then click on Enable All Tasks History in the right pane. This gives you some details about the running task and whether it ran or not, but for more detail review the TriggerBitLocker.log file as described below.
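The scheduled task the MSI creates can also be registered directly with the ScheduledTasks cmdlets. The following is an added example, not the XML or VBS shipped in the MSI (the page does not reproduce them). It registers a daily 2pm task that runs the trigger script hidden and lets you pick the principal, because the task needs administrative rights: running it as the logged-on user only works when that user is a local Administrator, otherwise run it as SYSTEM. The task name TriggerBitLocker, the script file name and the -RunAsSystem switch are assumptions; only the install folder comes from the page.

```powershell
# Added example (not the MSI's own task definition). Registers the daily 2pm task
# that launches the BitLocker trigger script. Task name, script file name and the
# RunAsSystem switch are assumptions; the folder is the one the MSI installs into.
param(
    [string]$TaskName   = 'TriggerBitLocker',
    [string]$ScriptPath = 'C:\Program Files (x86)\BitLockerTrigger\TriggerBitLocker.ps1',
    [switch]$RunAsSystem   # leave off only when the logged-on user is a local Administrator
)

# Run the script hidden; -ExecutionPolicy Bypass affects this process only, so the
# machine-wide execution policy is untouched.
$arguments = "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

# Daily at 14:00, matching the 2pm schedule seen in Task Scheduler above.
$trigger = New-ScheduledTaskTrigger -Daily -At '14:00'

if ($RunAsSystem) {
    # SYSTEM can always enable BitLocker, but cannot show a dialog to the user.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
} else {
    # The interactive user: can show the reboot prompt, but Enable-BitLocker will
    # fail with Access Denied unless this user is a local Administrator.
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                 -LogonType Interactive -RunLevel Highest
}

# Catch up if 2pm was missed (laptop asleep) and do not skip or kill it on battery.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Equivalent when you already have an exported task XML, which is how the MSI does it:
#   Register-ScheduledTask -TaskName $TaskName -Xml (Get-Content 'C:\path\to\task.xml' -Raw) -Force

# Show what was registered so the principal can be verified at a glance.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
```

Run it from an elevated PowerShell prompt; the final Get-ScheduledTask output is the quickest way to confirm which account the task will run as before waiting for 2pm.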

Running the Task

You can wait until 2pm for the scheduled task to run, or right click on the task and choose Run to run it now. After it has run, if everything was OK it will pop up a reboot prompt to the user. If things don't go according to plan, use CMTrace.exe to open the generated log file C:\Windows\Temp\TriggerBitLocker.log.

The log file should reveal any problems that occur. In the example below you can see what happens when you try to run the task on a computer without a TPM.

log file problem.png

The key takeaway here is that logging is now included with the MSI, and the PowerShell logic will not pop up a reboot message to the end user if it did not succeed in enabling encryption.

On a computer that meets the specifications (a TPM), the PowerShell script enables encryption and the user sees the popup; they can delay for a few hours or accept the reality that they are getting encrypted with BitLocker.

popup.png

If they choose Reboot Now they'll see something like this:

reboot now.png

After the reboot we can verify the BitLocker encryption status:

bitlockered.png

And the recovery key is in Intune in Azure:

recovery key.png

Job done!

Note: After successfully enabling BitLocker the script deletes the Scheduled Task so that it no longer re-runs.
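For readers who want to see the logic described above in one place, here is an added example of a trigger script with the same behaviour: TPM check, CMTrace-format log at C:\Windows\Temp\TriggerBitLocker.log, a check that the drive is not already encrypting, a reboot prompt only on success and only in an interactive session, and removal of the scheduled task once encryption is enabled. It is not the script shipped in the MSI (the page does not reproduce it). The task name TriggerBitLocker is an assumption; the explicit BackupToAAD-BitLockerKeyProtector call is an addition the page does not attribute to the original script (the Part 1 policy is what escrows the key there); and no encryption algorithm is passed, so the Part 1 policy decides it.

```powershell
# Added example: a BitLocker trigger script with the behaviour the post describes.
# Not the script shipped in the MSI. Assumptions: the task name, and the explicit
# recovery-key escrow to Azure AD (the post relies on the Part 1 policy for that).
$TaskName = 'TriggerBitLocker'                       # assumed scheduled task name
$LogFile  = "$env:windir\Temp\TriggerBitLocker.log"  # log path named in the post
$Drive    = $env:SystemDrive

function Write-Log {
    param([string]$Message, [ValidateSet(1, 2, 3)][int]$Type = 1)   # 1=info 2=warning 3=error
    # CMTrace line format, so CMTrace.exe colours warnings and errors as the post suggests.
    $now  = Get-Date
    $fmt  = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="TriggerBitLocker" context="" type="{3}" thread="{4}" file="">'
    $line = $fmt -f $Message, $now.ToString('HH:mm:ss.fff+000'), $now.ToString('MM-dd-yyyy'), $Type, $PID
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}

function Remove-TriggerTask {
    # Stop the daily re-run once there is nothing left to do.
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Write-Log "Removed scheduled task $TaskName"
    }
}

try {
    Write-Log "Starting BitLocker trigger on $Drive as $env:USERNAME"

    # 1. Prerequisite: a present and ready TPM. Without one (e.g. a Hyper-V VM with no
    #    virtual TPM) log the reason and exit; the task stays so it retries tomorrow.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Log "TPM not usable (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); exiting" 3
        exit 1
    }

    # 2. Idempotency: never call Enable-BitLocker on a drive that is already encrypting
    #    or encrypted; clean up the task once the drive is fully encrypted.
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Log "Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%), protection $($vol.ProtectionStatus)"
        if ($vol.VolumeStatus -eq 'FullyEncrypted') { Remove-TriggerTask }
        exit 0
    }

    # 3. Turn BitLocker on with a TPM protector. No -EncryptionMethod is passed, so the
    #    algorithm configured by the Part 1 policy applies. Without -SkipHardwareTest the
    #    TPM hardware test runs on the next reboot and encryption starts after it, which
    #    is why the user is asked to restart.
    Enable-BitLocker -MountPoint $Drive -TpmProtector -ErrorAction Stop | Out-Null
    Write-Log 'Enable-BitLocker succeeded; encryption starts after the next reboot'

    # 4. Add a recovery password and escrow it to Azure AD (assumption: the post relies on
    #    the Intune policy for escrow; doing it here makes the escrow explicit and logged).
    $rp   = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector -ErrorAction Stop
    $rpId = @($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1].KeyProtectorId
    BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rpId -ErrorAction Stop | Out-Null
    Write-Log "Recovery password $rpId backed up to Azure AD"

    # 5. Encryption is enabled, so the task has done its job.
    Remove-TriggerTask

    # 6. Reboot prompt only on success, and only where a dialog can be seen. A task
    #    running as SYSTEM is not interactive, so it just logs instead of blocking.
    if ([Environment]::UserInteractive) {
        Add-Type -AssemblyName System.Windows.Forms
        $answer = [System.Windows.Forms.MessageBox]::Show(
            'BitLocker has been enabled and encryption will start after a restart. Restart now?',
            'BitLocker', [System.Windows.Forms.MessageBoxButtons]::YesNo,
            [System.Windows.Forms.MessageBoxIcon]::Information)
        if ($answer -eq [System.Windows.Forms.DialogResult]::Yes) {
            Write-Log 'User accepted the reboot'
            Restart-Computer -Force
        } else {
            Write-Log 'User deferred the reboot' 2
        }
    } else {
        Write-Log 'Non-interactive session; no reboot prompt shown' 2
    }
} catch {
    # Any failure is logged and no reboot prompt is shown, matching the post's behaviour.
    Write-Log "Exception: $($_.Exception.Message)" 3
    exit 1
}
```

The order matters: the task is removed only after Enable-BitLocker has succeeded, so a TPM or Access Denied failure leaves the task in place to retry the next day, and every exit path writes a line you can read in CMTrace.exe.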

Step 5. (Optional) Edit the MSI with Advanced Installer

If you'd like to update the MSI yourself, install the MSI on a VM, pull the scripts from the folder shown above, then open the MSI in Advanced Installer.

Edit what you want in the package

product details.png

Edit the PowerShell script to suit your needs. Once done, copy the replacement scripts back into the MSI in the Files and Folders section shown below:

add new files.png

Once done, to build the package click on the Save icon in the ribbon.

build project.png

And use that compiled MSI in the guide above.

Downloads

Below is the windows-noob.com version of Pieter's MSI. This version was compiled using Advanced Installer 14.2.1 (great product!) and contains improvements to the PowerShell script such as logic handling, logging to help with troubleshooting and a reboot computer popup at the end of the script that only appears if encryption is enabled.

windows-noob.com TriggerBitlocker.msi (version 1.0.0.2) - TriggerBitlocker.msi

windows-noob.com TriggerBitLockerUser.msi (version 1.0.0.2) - TriggerBitlockerUser.msi




Really? It worked for me when I tested it. What does the log tell you?


Well, in my version it logs that it's deleting the scheduled task. When did you download the MSI? Perhaps you should retry the download.


You would have to configure that requirement in Intune first, and then see how it's applied on a client computer. Then and only then should you modify the MSI to match your requirements. I have not tested that scenario though, but I'd be happy to help you with it.


Hi Bob,

I based my version of the script on the end user being a local admin. If you need the non-admin version, I can supply that also.

23 minutes ago, anyweb said:

Hi Bob,

I based my version of the script on the end user being a local admin. If you need the non-admin version, I can supply that also.

Yes that would be fantastic, much appreciated.


OK, here's the USER version of the MSI with my 3 edited scripts added. I've not tested it, that's up to you, so go ahead and test it and if I need to fix something let me know.

Download the User version of the MSI here: TriggerBitlockerUser.msi

cheers

niall


Hi Niall

Just a quick update: I received an Event ID 11311 error - Could not find source file - Cab1.cab.

I will troubleshoot further but thought I'd mention in case there's something obvious.

Thanks

Bob


I'll look into it...


OK, I've modified the MSI again. Please re-download it and let me know.


Hello Niall,

Thanks for the script. Installation with Intune works great.

I'm using the script in the USER context, deployed a machine with AutoPilot with a non-admin user.

The task in Task Scheduler however runs in the user's context, which fails. When I adjust it to run in the SYSTEM context the task runs successfully and BitLocker is enabled. Can you make an adjustment to run the script in the right context? Or am I missing something?
 


hi Nielsvd

I created two MSIs. Did you use the user-based MSI?


Hi Niall,

yes I did! Here are the steps I took.

- MSI gets deployed and installed without an issue
- Scheduled tasks are created
- I adjusted the install time manually using an Admin account
- At the time of installation the log file shows an Exception Message: Access Denied message.

I see that the scheduled task is executed in the USER's context, is that correct?
When I change it to SYSTEM, the task is successfully executed.


hi Nielsvd

I'll have to test it in my lab and come back to you, so that's what I'll do now...


It's working now, and I've added the updated USER MSI to the original blog post. Please download and test; it works fine for me.

You can see a video of how to test it yourself outside of Intune here.

cheers

niall

