Deploy MEM Disk encryption policy to devices without third party encryption installed

jaybird283 626 Reputation points
2022-09-13T23:38:40.517+00:00

What would be the best way to target a disk encryption policy (in MEM) to workstations that don't already have a third-party disk encryption software already installed?

Ideally we would create a dynamic group that looks for a reg key/service/installed application/file etc. But dynamic groups seem VERY limited in what you can look for, and none of the things are an option for dynamic group queries as far as I can tell.

I feel like MEM is very painful to work with because of this limitation, or maybe I am just missing something obvious.

Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Application management
Microsoft Security | Intune | Other

2 answers

  1. Akshay-MSFT 18,011 Reputation points Microsoft Employee Moderator
    2022-09-29T06:15:28.207+00:00

    Hello @jaybird283 ,

    Thanks for your response. In order to scope the devices which are encrypted with 3rd party encryption via registry path you could use the following PowerShell script.

    # Ensure a registry value exists; create the key and/or the value when missing.
    $KeyPath = "HKCU:\Registry\Key\Path"
    $ValueName = "name"
    $ValueData = "data"
    try {
        # Throws ItemNotFoundException when the key is missing, and a different
        # error when the key exists but the named value does not
        Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # Key is missing: create the key, then the value
        New-Item -Path $KeyPath -Force
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Force
    }
    catch {
        # Key exists but the value does not: create the value
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Type String -Force
    }

    OR


    • Devices on which the detection logic is true will show successful status as the IME agent (Win32 agent) would check the registry path and give successful deployment status of the devices which have registry path for encryption software.
    • Same could be exported and used to create a device group, which later could be excluded from encryption policy.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
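An added example of the detection logic the answer describes, not the moderator's script: it reports "detected" when evidence of third-party disk encryption is present (a registry key, a service, or an installed-application entry), using the Win32 app custom-detection convention (exit 0 plus STDOUT output = detected). The registry path, service name and display name are placeholders, not identifiers of any real product.

```powershell
# Added example (not from the original answer). Win32 app custom detection script:
# exit 0 AND write to STDOUT  -> application "detected"
# exit 1 (or exit 0, no output) -> not detected
# Every product-specific value below is a placeholder; substitute your vendor's.

$RegistryPaths = @(
    'HKLM:\SOFTWARE\ExampleVendor\DiskEncryption'      # placeholder key
)
$ServiceNames  = @('ExampleEncryptionSvc')               # placeholder service
$DisplayNames  = @('Example Disk Encryption*')           # placeholder, wildcard match
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ThirdPartyEncryption {
    # Returns a short description of the first piece of evidence found, or $null.
    foreach ($p in $RegistryPaths) {
        if (Test-Path -LiteralPath $p) { return "Registry: $p" }
    }
    foreach ($s in $ServiceNames) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) { return "Service: $s" }
    }
    # Installed-application check via the Uninstall keys (both 64-bit and 32-bit views)
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($n in $DisplayNames) {
        $hit = $installed | Where-Object { $_.DisplayName -like $n } | Select-Object -First 1
        if ($hit) { return "Installed app: $($hit.DisplayName)" }
    }
    return $null
}

$evidence = Test-ThirdPartyEncryption
if ($evidence) {
    Write-Output "Third-party encryption detected ($evidence)"
    exit 0    # detected: device shows as successful and can be exported into the exclusion group
}
exit 1        # not detected
```

Detection scripts run under the SYSTEM account, so HKLM is the hive to check; an HKCU path would refer to SYSTEM's own profile rather than the logged-on user's.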

  2. Akshay-MSFT 18,011 Reputation points Microsoft Employee Moderator
    2022-09-20T06:18:17.55+00:00

    Hello @jaybird283 ,

    Thanks for posting your query on Microsoft Q&A. I was able to review this and could understand that you are looking for a way to target BitLocker encryption to those devices which are not encrypted by any other encryption and exclude those which are encrypted by third-party software. Please do correct me if this is not the ask.

    As of now we don't have a direct way to define a dynamic group membership based upon the device encryption. However, if the users are aware of the encryption status of their devices, then as a workaround we could set the option "Hide prompt about third-party encryption" to "Not configured". This will give a warning prompt to the users and would stop them from letting the BitLocker encryption happen on the drives.


    I am still investigating a way to add an "extension attribute" for third-party encrypted devices. However, this might take a little time to conclude on the possibility of achieving the same. ref: https://learn.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

    Also, you could post this as a feature request on community forum as this is actively monitored by our product development team and based upon the possibility to add the feature the request is accepted or rejected: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

