Managing your Disk Encryption in Endpoint Manager is now in preview.

Hello there,

When looking at my Microsoft Endpoint Manager dashboard today, I noticed a number of new preview features have arrived. Next up, I am going to be looking at Disk Encryption capabilities via Endpoint Security.

Microsoft Endpoint Manager has a new home

The Microsoft Endpoint Manager admin center now lives at a new URL, http://endpoint.microsoft.com, which replaces http://devicemanagement.microsoft.com.

Windows 10 and later (BitLocker)

While BitLocker isn’t something new to Microsoft Endpoint Manager, all the configuration that you would normally perform in configuration profiles has been separated out into Endpoint Security within the new Microsoft Endpoint Manager dashboard.

Now let’s run through all the configuration settings and what they actually do.

BitLocker – Base Settings

Setting: Enable full disk encryption for OS and fixed data drives
Action: Yes / Not Configured
Definition: If set to Not Configured, no BitLocker enforcement will take place. If the drive was encrypted before the policy, no additional action is taken. If the encryption method and options match those of this policy, the configuration should return success.

Setting: Require storage cards to be encrypted (mobile only)
Action: Yes / Not Configured
Definition: When this setting is set to Yes, encryption on storage cards will be required for mobile devices. When set to Not Configured, the setting will return to the OS default, which is to not require storage card encryption. This setting is only applicable to Windows Mobile and Mobile Enterprise SKU devices.

Setting: Hide prompt about third-party encryption
Action: Yes / Not Configured
Definition: If BitLocker is enabled on a system that has already been encrypted by a third-party encryption product, it may render the device unusable. Data loss may occur and you may need to reinstall Windows. It is highly suggested to never enable BitLocker on a device that has third-party encryption installed or enabled. As part of the BitLocker setup wizard, users are informed and asked to confirm that no third-party encryption is in place. When this setting is set to Yes, this warning prompt will be suppressed. When set to Not Configured, the setting will return to the default, which is to warn users about third-party encryption. If BitLocker silent enable features are required, the third-party encryption warning must be hidden, as any required prompt breaks silent enablement workflows.

Setting: Allow standard users to enable encryption during Autopilot
Action: Yes / Not Configured
Definition: When set to Yes, during Azure Active Directory Join (AADJ) silent enable scenarios, users do not need to be local administrators to enable BitLocker. When set to Not Configured, the setting will be left at the client default, which is to require local admin access to enable BitLocker. For non-silent enablement/Autopilot scenarios, the user must be a local admin to complete the BitLocker setup wizard.

Setting: Enable client-driven recovery password rotation
Action: Not Configured / Disabled / Azure AD-joined devices / Azure AD and Hybrid-joined devices
Definition: Setting this to Not Configured means the client will not rotate BitLocker recovery keys when they are disclosed on the client. Setting it to Key rotation enabled for Azure AD-joined devices will allow key rotation for AADJ devices. Setting it to Key rotation enabled for Azure AD-joined devices and Hybrid-joined devices will allow key rotation for AADJ or Hybrid-joined devices. Add Work Account (AWA, formerly Workplace Joined) devices are not supported for key rotation.

BitLocker – Fixed Drive

Setting: BitLocker fixed drive policy
Action: Yes / Not Configured
Definition: This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.

Setting: Fixed drive recovery
Action: Yes / Not Configured
Definition: Controls how BitLocker-protected fixed data drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported, including DRA; the end user can specify recovery options, and recovery information is not backed up to Azure Active Directory.

Setting: Block write access to fixed data-drives not protected by BitLocker
Action: Yes / Not Configured
Definition: When set to Yes, Windows will not allow any data to be written to fixed drives that are not BitLocker protected. If a fixed drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not Configured will allow data to be written to non-encrypted fixed drives.

Setting: Configure encryption method for fixed data-drives
Action: Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS
Definition: Select the desired encryption method for fixed data drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.

BitLocker – OS Drive Settings

Setting: BitLocker system drive policy
Action: Configured / Not Configured
Definition: This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.

Setting: Startup authentication required
Action: Yes / Not Configured
Definition: Selecting “Require” allows you to configure the additional authentication requirements at system start-up, including the use of a Trusted Platform Module (TPM) or a startup PIN.

Setting: Compatible TPM startup
Action: Blocked / Required / Allowed
Definition: Setting this to Allow TPM will enable BitLocker using the TPM if it’s present. Setting this to Do not allow TPM will enable BitLocker without utilizing the TPM. Setting this to Require TPM will only enable BitLocker if a TPM is present and usable. It is recommended to require a TPM for BitLocker. This setting only applies when first enabling BitLocker. If BitLocker is already enabled prior to applying this setting, it will have no effect.

Setting: Compatible TPM startup PIN
Action: Blocked / Required / Allowed
Definition: Setting this to Allow startup PIN with TPM will enable BitLocker using the TPM if present, and allow a startup PIN to be configured by the user. Setting this to Do not allow startup PIN with TPM will block the use of a PIN. Setting this to Require startup PIN with TPM will require BitLocker to have a PIN and a TPM present to return success. For silent enable scenarios (including Autopilot) this setting cannot be successful, as user interaction is required. It is recommended that the PIN is disabled where silent enablement of BitLocker is required.

Setting: Compatible TPM startup key
Action: Blocked / Required / Allowed
Definition: Setting this to Allow startup key with TPM will enable BitLocker using the TPM if present, and will allow a startup key (such as a USB drive) to be present to unlock the drives. Setting this to Do not allow a startup key will block the use of startup keys. Setting this to Require a startup key with TPM will require BitLocker to have a startup key and a TPM present to enable BitLocker. For silent enable scenarios (including Autopilot) this setting cannot be successful, as user interaction is required. It is recommended that startup keys be disabled where silent enablement of BitLocker is required.

Setting: Disable BitLocker on devices where TPM is incompatible
Action: Yes / Not Configured
Definition: Setting this to Yes will prevent BitLocker from being configured without a compatible TPM chip. Enabling BitLocker without a TPM may be helpful for testing, but it is not suggested. If no TPM is present, BitLocker will require a password or USB drive for startup. This setting only applies when first enabling BitLocker. If BitLocker is already enabled prior to applying this setting, it will have no effect.

Setting: Enable preboot recovery message and url
Action: Yes / Not Configured
Definition: Setting this to Yes will allow you to customize the pre-boot recovery message and URL. The pre-boot message and URL are seen by users when they’re locked out of their PC in recovery mode. The message and URL can be customized to help your users understand how to find their recovery password. Setting this to Not Configured will leave the default BitLocker recovery information.

Setting: Preboot recovery message
Definition: Use this option to declare a custom recovery message, if one is desired.

Setting: Preboot recovery url
Definition: Use this option to declare a custom recovery URL, if one is desired.

Setting: System drive recovery
Action: Yes / Not Configured
Definition: Controls how BitLocker-protected OS drives are recovered in the absence of the required startup key information. Selecting “Enable” allows you to configure various drive recovery techniques. By selecting “Not configured”, the default recovery options are supported, including DRA; the end user can specify recovery options, and recovery information is not backed up to Azure Active Directory.

Setting: Configure encryption method for Operating System drives
Action: Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS
Definition: Select the desired encryption method for OS drives. XTS-AES 128-bit is the Windows default encryption method and the recommended value. Note that 256-bit encryption may have performance impacts on low-spec hardware. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.

Setting: Minimum PIN length
Definition: Sets the minimum length required for the TPM startup PIN.

BitLocker – Removable Drive Settings

Setting: BitLocker removable drive policy
Action: Configured / Not Configured
Definition: This policy setting is used to control the encryption method and cipher strength. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.

Setting: Configure encryption method for removable data-drives
Action: Not Configured / AES 128bit CBC / AES 256bit CBC / AES 128bit XTS / AES 256bit XTS
Definition: Select the desired encryption method for removable data drives. You should use AES-CBC 128-bit or 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. To change the encryption method, the drive must be decrypted first.

Setting: Block write access to removable data-drives not protected by BitLocker
Action: Yes / Not Configured
Definition: When set to Yes, Windows will not allow any data to be written to removable drives that are not BitLocker protected. If an inserted removable drive is not encrypted, the user will need to complete the BitLocker setup wizard for the drive before write access is granted. Setting this to Not Configured will allow data to be written to non-encrypted removable drives.

Setting: Block write access to devices configured in another organization
Action: Yes / Not Configured
Definition: Setting this to Block will prevent removable drives from being written to unless they were encrypted on a computer owned by your organization. Setting this to Not Configured will allow any BitLocker-encrypted drive to be used.

Once you have selected your required configuration:

1. Define the Scope Tags (if in use within your environment)
2. Define the Assignment to your selected groups
3. Review and Create
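To confirm that a device actually ended up in the state the BitLocker settings above describe (encryption method, TPM-based startup protector, recovery password present and backed up to Azure AD), here is an added PowerShell audit script. It is not from the original post or from Microsoft; it assumes a policy of XTS-AES 128 on OS and fixed drives with a TPM required, and it only uses the built-in BitLocker module cmdlets Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector, run from an elevated prompt on the client.

```powershell
# Added example (not part of the original post): audit local BitLocker state against
# the assumed policy: XTS-AES 128, TPM protector on the OS drive, recovery password escrowed.
$ExpectedMethod = 'XtsAes128'   # corresponds to "AES 128bit XTS", the Windows default
$EscrowToAAD    = $false        # set to $true to (re-)back up recovery passwords to Azure AD
$Findings       = @()

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)

    # 1. The drive must be fully encrypted with protection switched on; "EncryptionInProgress"
    #    or a suspended (ProtectionStatus Off) drive is not yet compliant.
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $Findings += "$mp : status $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    }

    # 2. The policy cannot change the method of an already encrypted drive, so a mismatch
    #    here means the drive has to be decrypted and re-encrypted (as the table notes).
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -ne $ExpectedMethod) {
        $Findings += "$mp : encryption method $($vol.EncryptionMethod), policy expects $ExpectedMethod"
    }

    # 3. "Compatible TPM startup = Required" on the OS drive shows up as a Tpm, TpmPin,
    #    TpmStartupKey or TpmPinStartupKey key protector.
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types | Where-Object { $_ -like 'Tpm*' })) {
        $Findings += "$mp : no TPM-based key protector on the OS drive"
    }

    # 4. Recovery: without a numeric RecoveryPassword protector there is nothing to escrow.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        $Findings += "$mp : no RecoveryPassword protector"
    }
    elseif ($EscrowToAAD) {
        # Same destination the Intune policy uses for recovery information (Azure AD).
        BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
    }
}

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All BitLocker volumes match the assumed policy.'
}
```

Run it on a device after the policy has applied; each warning line corresponds to one of the table rows above, which makes it easy to see which setting did not take effect.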

macOS (FileVault)

Encryption

Setting: Enable FileVault
Action: Yes / Not Configured
Definition: If not already enabled, FileVault will be enabled at the next logout.

Setting: Recovery key type
Definition: Determine which type(s) of recovery key should be generated for this device.

Setting: Personal recovery key rotation
Action: Not Configured or number of months
Definition: Specify how frequently, in months (1-12), the device’s personal recovery key will rotate.

Setting: Escrow location description of personal recovery key
Definition: Display a short message to the user that explains how they can retrieve their personal recovery key. This text will be inserted into the message the user sees when enabling FileVault.

Setting: Number of times allowed to bypass
Action: Not Configured / 1-10 / No limit, always prompt
Definition: Set the value to -1 to disable the setting. Set the value to 0 to always prompt the user to enable FileVault, although they can ignore the prompt. Set the value from 1 to 10 to allow the user to bypass the prompt that many times until they are required to encrypt the device.

Setting: Allow deferral until sign out
Action: Yes / Not Configured
Definition: Defer the prompt until the user signs out. Only ‘Yes’ is supported.

Setting: Disable prompt at sign out
Action: Yes / Not Configured
Definition: Disable the prompt for the user to enable FileVault when they sign out.

Once you have selected your required configuration:

1. Define the Scope Tags (if in use within your environment)
2. Define the Assignment to your selected groups
3. Review and Create

This completes the list of configurations available in Microsoft Endpoint Manager for Disk Encryption.

Regards
The Author – Blogabout.Cloud
