Microsoft Intune: Custom BitLocker Assessment
- Mr B SOE way
- Apr 18, 2023
- 1 min read
Intune allows you to create Custom Compliance policies to configure additional assessments, or to have more control over existing settings.
BitLocker is one of the settings where I have experienced inconsistencies in production environments: where it was enabled using different methods, for example MBAM or enabling it manually, Intune was unable to return the status. It would return an error code with little to no information. This could be a blocker for deploying device-based Conditional Access policies.
As part of a current project, there is a fair number of devices that don't have encryption turned on. There are two parts to getting this assessment working: a discovery script that reports the BitLocker state, and a compliance policy that evaluates that output against a JSON rules file.
1. Navigate to https://endpoint.microsoft.com then under Policy, select Compliance Policies

2. Under Compliance Policies, select Scripts

3. Select Add then select Windows 10 and later, then enter a name like: Windows - Check BitLocker Encryption.
4. Copy and paste the text below into Detection Script. It uses the BitLocker PowerShell module and returns one line of compact JSON with one property per compliance setting.
    # Enumerate every BitLocker-capable volume and split OS volumes from data volumes
    $btVolumes = Get-BitLockerVolume
    $btOSVolumes = $btVolumes | Where-Object -FilterScript { $_.VolumeType -eq 'OperatingSystem' }
    $btDataVolumes = $btVolumes | Where-Object -FilterScript { $_.VolumeType -eq 'Data' }

    # OS volumes: compliant only if every one reports FullyEncrypted.
    # Any other status (FullyDecrypted, EncryptionInProgress, ...) is recorded by drive letter.
    $isOSDrivesFullyEncrypted = $true
    $nonEncryptedOsVolumesString = ""
    foreach ($volume in $btOSVolumes) {
        if ($volume.VolumeStatus -ne "FullyEncrypted") {
            $isOSDrivesFullyEncrypted = $false
            if (-not [String]::IsNullOrEmpty($nonEncryptedOsVolumesString)) {
                $nonEncryptedOsVolumesString += ","
            }
            # Drive letter without the colon, e.g. "C"
            $nonEncryptedOsVolumesString += $volume.MountPoint.Replace(":", "")
        }
    }

    # Data volumes: same rule, reported separately
    $isDataDrivesFullyEncrypted = $true
    $nonEncryptedDataVolumesString = ""
    foreach ($volume in $btDataVolumes) {
        if ($volume.VolumeStatus -ne "FullyEncrypted") {
            $isDataDrivesFullyEncrypted = $false
            if (-not [String]::IsNullOrEmpty($nonEncryptedDataVolumesString)) {
                $nonEncryptedDataVolumesString += ","
            }
            $nonEncryptedDataVolumesString += $volume.MountPoint.Replace(":", "")
        }
    }

    # Intune custom compliance expects a single line of JSON; the property names
    # must match the SettingName values in the compliance JSON file
    $hash = @{
        OsVolumeEncryptionStatus   = $isOSDrivesFullyEncrypted
        NonEncryptedOsVolumes      = $nonEncryptedOsVolumesString
        DataVolumeEncryptionStatus = $isDataDrivesFullyEncrypted
        NonEncryptedDataVolumes    = $nonEncryptedDataVolumesString
    }
    return $hash | ConvertTo-Json -Compress
5. Then click Review + save.

6. Next go to Windows | Compliance Policies, create a new policy and enter a name. Expand Custom compliance and set the following:
Custom compliance: Require
Select your discovery script: Windows - Check BitLocker Encryption (the script created above).
Upload and validate the JSON file with your custom compliance settings: upload the BitLocker-Discovery.json file from https://github.com/mrbernardmah/intune-custom-bitlocker-assessment
The JSON file checks the four values the discovery script returns. To be compliant, the script must return:
OsVolumeEncryptionStatus = true
NonEncryptedOsVolumes = ""
DataVolumeEncryptionStatus = true
NonEncryptedDataVolumes = ""
Two things to keep in mind when reading the results. A volume that is still encrypting reports EncryptionInProgress, so a device stays non-compliant until encryption finishes. And VolumeStatus only describes the data on disk: a volume whose protectors have been suspended (ProtectionStatus Off, for example around a firmware update) still reports FullyEncrypted and therefore still passes this check.
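To try the two halves of this setup together without an enrolled device, here is an added example (my own code, not from the post or from the linked repository). It wraps the detection logic from step 4 in a function that accepts the volume list as a parameter, so it can be fed constructed volume objects that mimic Get-BitLockerVolume output, and evaluates the resulting JSON against a rules file. The rules JSON is my reconstruction of the four settings listed above in the Intune custom compliance schema (Rules / SettingName / Operator / DataType / Operand / MoreInfoUrl / RemediationStrings); the actual BitLocker-Discovery.json in the repository may differ in wording, and the MoreInfoUrl and remediation strings are placeholders.

```powershell
# Added example, not part of the original post. Runs without BitLocker present:
# the volume objects below are constructed test data shaped like Get-BitLockerVolume output.

# Reconstructed rules file (assumption: mirrors the four values the post requires).
$rulesJson = @'
{
  "Rules": [
    { "SettingName": "OsVolumeEncryptionStatus", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://learn.microsoft.com/mem/intune/protect/compliance-custom-json",
      "RemediationStrings": [ { "Language": "en_US", "Title": "OS drive not encrypted", "Description": "Turn on BitLocker for the operating system drive." } ] },
    { "SettingName": "NonEncryptedOsVolumes", "Operator": "IsEquals", "DataType": "String", "Operand": "",
      "MoreInfoUrl": "https://learn.microsoft.com/mem/intune/protect/compliance-custom-json",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Unencrypted OS volumes", "Description": "The listed OS volumes are not fully encrypted." } ] },
    { "SettingName": "DataVolumeEncryptionStatus", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://learn.microsoft.com/mem/intune/protect/compliance-custom-json",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Data drive not encrypted", "Description": "Turn on BitLocker for all fixed data drives." } ] },
    { "SettingName": "NonEncryptedDataVolumes", "Operator": "IsEquals", "DataType": "String", "Operand": "",
      "MoreInfoUrl": "https://learn.microsoft.com/mem/intune/protect/compliance-custom-json",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Unencrypted data volumes", "Description": "The listed data volumes are not fully encrypted." } ] }
  ]
}
'@

function Get-BitLockerComplianceReport {
    # Same logic as the post's detection script, parameterised so it can be tested offline.
    # On a real device: Get-BitLockerComplianceReport -Volumes (Get-BitLockerVolume) | ConvertTo-Json -Compress
    param([Parameter(Mandatory)][object[]]$Volumes)

    $report = [ordered]@{}
    foreach ($kind in 'OperatingSystem', 'Data') {
        # Every volume of this type that is not FullyEncrypted, as a drive letter without the colon
        $notEncrypted = @($Volumes |
            Where-Object { $_.VolumeType -eq $kind -and $_.VolumeStatus -ne 'FullyEncrypted' } |
            ForEach-Object { $_.MountPoint.TrimEnd(':') })
        $prefix = if ($kind -eq 'OperatingSystem') { 'Os' } else { 'Data' }
        $report["${prefix}VolumeEncryptionStatus"] = ($notEncrypted.Count -eq 0)
        $report["NonEncrypted${prefix}Volumes"]    = ($notEncrypted -join ',')
    }
    return $report
}

function Test-CustomComplianceRules {
    # Dry-run evaluator: compares each rule's Operand with the matching property in the
    # detection JSON. Only the operators used in the rules file above are implemented.
    param([Parameter(Mandatory)][string]$DetectionJson,
          [Parameter(Mandatory)][string]$RulesJson)

    $actual = $DetectionJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $value = $actual.($rule.SettingName)
        $pass = switch ($rule.Operator) {
            'IsEquals'  { $value -eq $rule.Operand }
            'NotEquals' { $value -ne $rule.Operand }
            default     { throw "Operator '$($rule.Operator)' is not handled by this dry run" }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Expected = $rule.Operand; Actual = $value; Pass = $pass }
    }
}

# Constructed sample data: one fully encrypted machine, one with a decrypted OS drive
# and a data drive that is still encrypting.
$compliantVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data';            VolumeStatus = 'FullyEncrypted' }
)
$nonCompliantVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; VolumeStatus = 'FullyDecrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data';            VolumeStatus = 'EncryptionInProgress' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data';            VolumeStatus = 'FullyEncrypted' }
)

$scenarios = [ordered]@{ Compliant = $compliantVolumes; NonCompliant = $nonCompliantVolumes }
foreach ($set in $scenarios.GetEnumerator()) {
    # Same shape as what the uploaded detection script hands to Intune: one line of compact JSON
    $json = Get-BitLockerComplianceReport -Volumes $set.Value | ConvertTo-Json -Compress
    "`n$($set.Key): $json"
    Test-CustomComplianceRules -DetectionJson $json -RulesJson $rulesJson | Format-Table -AutoSize
}
```

For the non-compliant scenario the report comes out as OsVolumeEncryptionStatus=false, NonEncryptedOsVolumes="C", DataVolumeEncryptionStatus=false, NonEncryptedDataVolumes="D", and the first four rules fail on those properties, which is exactly what the Intune compliance report will show per setting. The Boolean rules make a device non-compliant on their own; the two String rules mainly exist so the offending drive letters surface in the remediation text.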