Category Archives: BitLocker

Managing your BitLocker Encryption using Microsoft Endpoint Manager

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.

The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter the Platform and Profile indicated in the screen capture below, and then select Create.

Next, enter the basics, such as the name of the policy and an optional description.

Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.

Also notice the options offered for key rotation.

This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.

Important notice!!

As you enable settings, additional settings may appear. For example, enabling Fixed drive encryption reveals more options: Recovery key file creation and Configure BitLocker recovery key package.

Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings
    • Enable full disk encryption for OS and fixed data drives
    • Require storage cards to be encrypted (mobile only)
    • Hide Prompt about third-party encryption
    • Configure client-driven recovery password rotation
  • BitLocker – Fixed Drive Settings
    • BitLocker fixed drive policy
  • BitLocker – OS Drive Settings
    • BitLocker system drive policy
  • BitLocker – Removable Drive Settings
    • BitLocker removable drive settings

For more details, see the RequireDeviceEncryption section of the BitLocker CSP.

Regards
The Author – Blogabout.Cloud

Require BitLocker -2016345708 (Syncml(404): The requested target was not found)

Hello Reader,
During a Windows 10 pilot roll-out, I ran into the following issue, where the Device Compliance Policy showed an error for Require BitLocker; however, Encryption of the data storage on the device was compliant.

Weird!!

This issue was being caused by the PCR7 Configuration stating “Binding Not Possible”. The resolution of this message is to UPDATE YOUR BIOS!! The devices were newly purchased but required an urgent patch to their BIOS.

Required Steps

  • Decrypt/suspend BitLocker in order to install the latest firmware.
  • Install the BIOS update
  • Reboot device
  • Turn on BitLocker

Once the device has again checked in for its Device Compliance Policy, both Encryption of data storage on the device and Require BitLocker should be compliant.
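The following PowerShell is an added example, not code from this post or from Microsoft, that covers the two things a practitioner needs here: a readiness check that reports the same PCR7 Configuration value msinfo32 shows (together with TPM, Secure Boot and the volume state that the first post's Intune policy drives), and the suspend / update firmware / reboot / resume sequence from the Required Steps above. It assumes an elevated PowerShell session on Windows 10 with the built-in BitLocker, TrustedPlatformModule and SecureBoot modules; `$FirmwareInstaller` is a placeholder for the vendor's BIOS update package, and the function names are my own.

```powershell
# Added example (not from the original post). Run elevated: the PCR7 line in the
# msinfo32 report reads "Elevation Required to View" from a non-admin session.

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # PCR7 Configuration is only surfaced by System Information (msinfo32), so
    # export its report to a temp file and parse that single line.
    $report = Join-Path $env:TEMP 'bitlocker-readiness-msinfo32.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    $pcr7 = 'Unknown'
    $hit = Select-String -Path $report -Pattern 'PCR7 Configuration\s+(.+)$' | Select-Object -First 1
    if ($hit) { $pcr7 = $hit.Matches[0].Groups[1].Value.Trim() }
    Remove-Item $report -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus  = $vol.ProtectionStatus    # On = protectors active; Off = suspended or never enabled
        KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
        TpmPresentReady   = ($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootEnabled = $secureBoot
        Pcr7Configuration = $pcr7
        # "Bound" or "Binding Possible" is what a healthy UEFI/Secure Boot device reports;
        # the post's devices showed "Binding Not Possible" until their BIOS was updated.
        Pcr7Healthy       = ($pcr7 -match '^(Bound|Binding Possible)')
    }
}

function Start-FirmwareUpdateWithBitLockerSuspended {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FirmwareInstaller,   # placeholder: vendor BIOS update package
        [string]$MountPoint = $env:SystemDrive
    )
    # Suspend rather than decrypt: data stays encrypted, only the TPM protector is
    # disabled so the firmware change does not trip the recovery screen.
    # RebootCount 0 keeps BitLocker suspended until Resume-BitLocker is called,
    # which survives the one or more reboots a BIOS update may need.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    $state = Get-BitLockerVolume -MountPoint $MountPoint
    if ($state.ProtectionStatus -ne 'Off') {
        throw "BitLocker protection is still On for $MountPoint; not starting the firmware update."
    }
    Start-Process -FilePath $FirmwareInstaller -Wait
    Restart-Computer -Force
}

function Complete-FirmwareUpdateWithBitLocker {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)
    # Run after the device is back up: re-enable protectors, then re-check the
    # state the compliance policy will see at the next Intune check-in.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $readiness = Get-BitLockerReadiness -MountPoint $MountPoint
    if ($readiness.ProtectionStatus -ne 'On' -or -not $readiness.Pcr7Healthy) {
        Write-Warning "Device is not yet in the state needed for Require BitLocker to report compliant."
    }
    $readiness
}

# Usage (two phases, separated by the reboot the firmware update performs):
#   Start-FirmwareUpdateWithBitLockerSuspended -FirmwareInstaller 'C:\Temp\vendor-bios-update.exe'
#   ...after the device has rebooted...
#   Complete-FirmwareUpdateWithBitLocker | Format-List
```

Run `Get-BitLockerReadiness` on its own before touching anything: if it already shows `ProtectionStatus = On` and `Pcr7Configuration = Binding Possible` (or `Bound`), the firmware path in this post is not the problem and the compliance error should be chased elsewhere.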

Regards,
The Author – Blogabout.Cloud