This blog post is about using the BitLocker configuration service provider (CSP) to manage drive encryption on Windows 10 devices. The BitLocker CSP was added in Windows 10, version 1703, which at the time of writing is only available as an Insider Preview build.
This blog post is about requiring BitLocker drive encryption on Windows 10 devices. Until Windows 10, version 1703, this was not possible via MDM. The only option was a compliance policy that blocked access to corporate resources for Windows 10 devices without BitLocker enabled; it could not turn BitLocker on. Windows 10, version 1703, introduces the BitLocker CSP, which enables the administrator to manage BitLocker settings via Windows 10 MDM. In this post I’ll briefly go through the available settings in the BitLocker CSP and I’ll show how to require BitLocker drive encryption via Microsoft Intune hybrid and Microsoft Intune standalone. I’ll end this post by showing the end-user experience.
I’ll split the configuration into two sections: the first about the available settings in the BitLocker CSP and the second about how to configure the BitLocker drive encryption requirement. As the BitLocker CSP is new in Windows 10, version 1703, I thought it would be good to briefly go through the available settings.
Let’s start by going through the available settings in the BitLocker CSP. The root node for the BitLocker CSP is ./Device/Vendor/MSFT/BitLocker and it contains the following settings.
| Setting | Description |
|---|---|
| RequireStorageCardEncryption | Allows the administrator to require storage card encryption on the device. |
| RequireDeviceEncryption | Allows the administrator to require encryption to be turned on by using BitLocker. |
| EncryptionMethodByDriveType | Allows the administrator to configure the algorithm and cipher strength used by BitLocker, per drive type. |
| SystemDrivesRequireStartupAuthentication | Allows the administrator to configure whether additional authentication is required each time the computer starts. |
| SystemDrivesMinimumPINLength | Allows the administrator to configure a minimum length for a TPM startup PIN. |
| SystemDrivesRecoveryMessage | Allows the administrator to configure the pre-boot recovery message or replace the existing URL. |
| SystemDrivesRecoveryOptions | Allows the administrator to control how operating system drives are recovered. |
| FixedDrivesRecoveryOptions | Allows the administrator to control how fixed data drives are recovered. |
| FixedDrivesRequireEncryption | Allows the administrator to require BitLocker protection for fixed data drives before they are writable on a computer. |
| RemovableDrivesRequireEncryption | Allows the administrator to require BitLocker protection for removable drives before data can be written to them. |
Now that I’ve been through all the available settings in the BitLocker CSP, let’s have a closer look at the setting that enables the administrator to require BitLocker drive encryption: RequireDeviceEncryption. Keep in mind that this setting still requires interaction from the end-user. The end-user has to confirm the information about any drive encryption currently in use and the end-user has to start the BitLocker drive encryption process; the setting raises the prompt, it does not silently encrypt the drive. More about that in the end-user experience section. The setting is an integer under the device scope (./Device), so it applies to the device regardless of who is signed in; 1 requires encryption and 0 (the default) does not. To require BitLocker drive encryption the following OMA-URI configuration can be used:
- OMA-URI: ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption
- Data type: Integer
- Value: 1
This configuration information can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.
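Because RequireDeviceEncryption only prompts the user, an administrator usually wants a way to verify, on the device, that the policy actually arrived and that the OS drive ended up protected. The following PowerShell script is an added example and is not code from the original post or from Microsoft. It assumes (labelled in the comments) that the MDM client mirrors applied CSP values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker, and that the built-in BitLocker module (Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector) is available; the function names are my own.

```powershell
# Added example (not from the original post): audit a Windows 10 device for the
# RequireDeviceEncryption policy and the actual BitLocker state of the OS drive.
# Assumption: the MDM client mirrors applied CSP policy values under
#   HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>
# Assumption: the BitLocker PowerShell module is installed (Windows 10 client).
# Run in an elevated PowerShell session.

#Requires -RunAsAdministrator

function Get-BitLockerCspPolicy {
    # Returns the RequireDeviceEncryption value delivered over MDM, or $null when
    # the policy has not arrived yet. The registry mirror path is an assumption.
    $path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).RequireDeviceEncryption
}

function Test-OsDriveEncryption {
    # Evaluates the OS volume the way a compliance check would: protection on,
    # fully encrypted, and both a TPM protector and a recovery-password protector present.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { throw 'Get-BitLockerVolume reported no operating system volume.' }

    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $os.MountPoint
        ProtectionOn        = ($os.ProtectionStatus -eq 'On')
        FullyEncrypted      = ($os.VolumeStatus -eq 'FullyEncrypted')
        EncryptionMethod    = $os.EncryptionMethod
        EncryptionPercent   = $os.EncryptionPercentage
        HasTpmProtector     = (($types -contains 'Tpm') -or ($types -contains 'TpmPin'))
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Backup-RecoveryPasswordToAad {
    # Escrows every recovery-password protector of the OS volume to Azure AD, so the
    # key is retrievable by the administrator even if the user chose another backup
    # location in the wizard. Only meaningful on an Azure AD joined device.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $os.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# 1. Has the CSP setting reached the device?
$policy = Get-BitLockerCspPolicy
if ($null -eq $policy) {
    Write-Warning 'RequireDeviceEncryption has not been delivered yet (or the registry mirror path differs).'
} elseif ([int]$policy -ne 1) {
    Write-Warning "RequireDeviceEncryption is set to $policy, not 1."
} else {
    Write-Host 'RequireDeviceEncryption = 1 is applied.'
}

# 2. Did the user actually complete the wizard? The CSP setting alone only raises
#    the "Encryption is needed" prompt; the drive is compliant only afterwards.
$state = Test-OsDriveEncryption
$state | Format-List

if (-not ($state.ProtectionOn -and $state.FullyEncrypted)) {
    Write-Warning 'OS drive is not protected yet: the end-user still has to complete the BitLocker wizard.'
} elseif (-not $state.HasRecoveryPassword) {
    Write-Warning 'No recovery-password protector found: add one before relying on recovery.'
} else {
    Write-Host "OS drive $($state.MountPoint) is protected with $($state.EncryptionMethod)."
}
```

Test-OsDriveEncryption returns an object rather than printing, so the same check can be dropped into a Configuration Manager compliance script or an Intune PowerShell script and evaluated remotely. Call Backup-RecoveryPasswordToAad only on Azure AD joined devices; on other devices escrow the recovery password to Active Directory or another key store instead.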
Let’s end this post with the end-user experience. As I mentioned earlier, the end-user must still interact with the messages generated by the configuration to require BitLocker drive encryption. Once the configuration arrives at the Windows 10 device, the end-user will receive a toast message stating that “Encryption is needed”, as shown below on the left. After selecting that notification, the end-user will receive a dialog box with the question “Are you ready to start encryption”, as shown below on the right.
After checking the applicable boxes and clicking Yes, the end-user will get the standard BitLocker Drive Encryption wizard. During that wizard the end-user must specify the location to back up the recovery key and choose the encryption mode, after which the end-user can start the encryption. On an Azure AD joined device, backing up the recovery key to the Azure AD account is the option that makes the key retrievable by the administrator later on.
For more information about the BitLocker CSP, please refer to this article about the BitLocker CSP.