There was recently a discussion on twitter on how the bitlocker encryption is being enforced using intune and what the possible ways to bring the device into compliant state post the bitlocker task is done. Read the conversation here
Based on the discussion, I thought I would probably write a blog post on how to handle the situation of device reboot for bitlocker compliance check. This is something that I am using it for quite sometime and thought to share it with public.
Microsoft Intune allows the creation of compliance policies for Windows, Android and iOS, and Mac OS with certain rules and settings to make sure the device is compliant.
In this blog post, I will talk about the custom solution (toast notification) that I have used to reboot the device after the BitLocker encryption is completed as part of the device compliance check. why do you need a device reboot post bitlocker encryption?
Let’s understand the scenario that most organizations commonly use.
1. You have created a windows compliance policy and enabled the BitLocker setting.
2. You have created a device configuration or endpoint security profile for disk encryption. Understand that this profile with disk encryption runs only after the user logged into the PC. This is how it works and if you want the BitLocker to run without user login, create a win32 app or something.
3. You have created a conditional access policy with grant control ‘Require device to be marked as compliant’.
so considering the above, if you are using autopilot service and when the user logged into the device for the first time, the BitLocker encryption will start and complete silently. The user has no idea about what is going on behind the scenes about the device compliance check, conditional access, etc.
User will start connecting to o365 services such as teams, outlook, etc and the user will be blocked from accessing the resources because the device is still non-compliant due to BitLocker.
The measurement of the BitLocker settings that are configured in the device compliance policy and device health attestation is only checked at the device boot. Read the article to understand more about the device health attestation service in intune.
So in our case, the user is blocked until the device is rebooted. How do we force a device to reboot as soon as the bitlocker drive encryption is completed?
There are several ways we can reboot the device after the bitlocker is completed, but I wanted to use a toast notification with some nice text that helps the user to understand the reason for the reboot.
For toast notification scripts, I have used Ben’s toast notification solution.
The entire solution is based on the event viewer ID for bitlocker. when the bitlocker is completed, the Bitlocker driver will generate event viewer ID: 24667.
we will monitor this event viewer and start the toast notification.
The following is what the end-user will see upon the drive encryption is completed.
In the toast notification, the user will see the deadline reboot time, time remaining, and also custom text. All these fields are fully customizable.
Before you grab the script, files, and deploy them to your tenant, let’s understand what the solution consists of.
The solution has a couple of scripts named below. Yes, there are multiple scripts, but you merge them if you are not happy with it.
The flow of the script is listed below.
1. Run.bat will launch “BitlockerTask.ps1” and BitlockerTask.ps1 will create a scheduled task in the autopilot folder inside the task scheduler and wait for the bitlocker event notification ID (24667). Note: Decryption of bitlocker also generates the same event ID 24667, so it is always good (script covers that for you) to remove the scheduled task post-reboot. It is not usual practice to decrypt the disk, so we are good to use event-based device notification.
BitlockerTask.ps1 copies the source files into "C:\programdata\Autopilot\BLRNotification" . All our scripts will execute from this folder.
2. When the drive encryption is completed, the scheduled task will trigger “Restart.bat”. This script leaves a txt file (BitlockerToast.txt, the reboot countdown is measured based on file creation date) and creates another scheduled task (Create_Toast_Notify_Schd.ps1) that will run every 10 min for 30 min. so basically there will be 3 toast notifications for the user in the 30 min reboot window. This task will expire in 30 min after it ran.
The reason for having 3 notifications or 30 min duration is to allow any other user-based deployments or configuration profiles to be applied to the device. you can change the schedule to immediate or increase the time to 1hr as well.
3.CustomMessage.xml is XML file to customize the text message for end-users.
4. Finally Toast_Notify.ps1 is the script that will trigger the toast notifications.
If you want to read further on the toast notification customization, there are a few blogs such as ByteBen ,Martin’s and few others.
Once the toast notification is completed, all the scheduled tasks will auto-delete from the task scheduler.
How to deploy this solution?
1. Download the files from Github. If you want to make any customizations, do it so according to your needs.
2. Create a win32 application and use run.bat as a setup file. This is the main file to be used for execution on the device.
3.Upload win32 application with the following detection method.
Rule Type:File, path: C:\ProgramData\Autopilot\BLRNotification
Detection method: file or folder exist
Assignment, ,make sure you are targeted to device group and also make this win32 application part of your ESP. This is must.
During the ESP, the script will be installed on the device and wait for bitlocker completion.
The following are some of the common troubleshooting steps that I normally check if the toast notification script is not working.
First, test this solution in your tenant before you deploy this to all.
During the testing phase, in case you don’t see the toast notifications, check if there is any scheduled task created under the autopilot folder in the task scheduler.
There must be 1 task schedule that will be waiting for the event viewer ID: 24667
Check if there is any event viewer ID generated post the BitLocker task.
If there is no event viewer ID, you know the issue. If there is any event viewer ID, there should be another scheduled task that takes care of the toast notifications.
Also, check if the edge notifications are allowed in the system settings.
check if you have any security agents that are blocking to execute the scheduled task Powershell scripts.
And finally, edit the Toast_Notify.ps1 using Powershell ISE and run the script ,if this will generate the toast notification or not.
Rudy has a great blogpost on the device health attestation and its flow in deep-dive and how it works. you can refer the blog post https://call4cloud.nl/2021/10/device-health-attestation-age-of-compliance/
An alternate solution from Rudy on the compliance rules check https://call4cloud.nl/2021/11/the-last-days-of-custom-compliance/
Hope you find this blog post useful!
Great Article, definitely going to be using the concept. Been using your site as a reference for many obstacles I faced.
Thanks for your write u, Im exactly facing this challenge!
However Im already stuck at Point 2 - How do you add an W32 App when you dont have an intunewim file?
You can use the intunewrapper tool to create win32 application (intunewim) using the setup files. https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool