Category Archives: Security

Automatically bitlocker Windows 10 MDM Intune Azure AD Joined devices

I recently ran into an article by Pieter Wigleven, based on an original idea of Jan Van Meirvenne that I simply have to share, and expand upon.

When you go cloud first, and do light MDM management of your Azure AD Joined Windows 10 devices, you will likely enable a Bitlocker policy in Intune. What you’ll quickly discover, is that your policy will not automatically enforce/enable Bitlocker on non-InstantGo capable devices.

So, I expanded upon Jan and Pieter’s script to automatically enable Bitlocker on Windows 10; it has additional error handling, local logging and it will eject removable drives prior to immediately (vs reboot) encrypting your system drive. After this is started, it will register your recovery key in AzureAD. Of course all credit for the original idea goes to Jan van Meirvenne.

Powershell source file

enableBitlockerAndRegisterInAAD.ps1 (right click, save as)

MSI file

enableBitlockerAndRegisterInAAD_v0.2.msi(right click, save as)

As Intune won’t let you deploy a Powershell script, I’ve also wrapped the script in an MSI file with Advanced Installer for you. What this will do;

  1. Deploy the PS1 file to the machine
  2. Register a scheduled task to run this PS1 file at logon each time
  3. Kick off the scheduled task once so a first reboot isn’t required

Advanced installer package (.aip)

enableBitlockerAndRegisterInAAD.zip (right click, save as)

Requirements

  1. Windows 10, AzureAD Joined
  2. TPM chip
  3. User should be local admin

Do not forget to enable the Unified Audit Log

Office 365 and all related services have various forms of auditing options, it’s a pain to monitor and configure them all.

A while back, Microsoft unified these auditing logs into the Unified Audit Log. The Unified Audit Log for Office 365 is super easy to configure.

For all my customers I always enable this free feature, it is pretty much the only way you can have a RPO of 0 when you need to undo changes / deletes or restore data, and gives you a very nice and compliant audit log of everything your users and admins do in your environment.

In addition, it allows me to help you automatically reverse nasty CryptoLocker actions like mass file and folder renames and restore previous versions in bulk.

edit: you can also enable the audit log programatically