Deploy MEM Disk encryption policy to devices without third party encryption installed

jaybird283 586 Reputation points
2022-09-13T23:38:40.517+00:00

What would be the best way to target a disk encryption policy (in MEM) to workstations that don't already have third-party disk encryption software installed?

Ideally we would create a dynamic group that looks for a reg key/service/installed application/file etc. But dynamic groups seem VERY limited in what you can look for, and none of those things are an option for dynamic group queries as far as I can tell.

I feel like MEM is very painful to work with because of this limitation, or maybe I am just missing something obvious.


2 answers

  1. Akshay-MSFT 17,866 Reputation points Microsoft Employee
    2022-09-29T06:15:28.207+00:00

    Hello @jaybird283 ,

    Thanks for your response. In order to scope the devices which are encrypted with 3rd-party encryption via a registry path, you could use the following PowerShell script.

    # Registry location that identifies the third-party encryption product (adjust to the product in use)
    $KeyPath   = "HKCU:\Registry\Key\Path"
    $ValueName = "name"
    $ValueData = "data"
    try {
        # Succeeds only if both the key and the named value already exist
        Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # Key does not exist: create the key, then the value
        New-Item -Path $KeyPath -Force
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Force
    }
    catch {
        # Key exists but the value is missing: create the value only
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Type String -Force
    }

    OR

    [screenshot: 245911-image.png]

    • Devices on which the detection logic is true will show a successful status, as the IME agent (Win32 agent) would check the registry path and report a successful deployment status for the devices which have the registry path for the encryption software.
    • The same could be exported and used to create a device group, which later could be excluded from the encryption policy.

    [screenshot: 245897-image.png]

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
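As an added illustration of the Win32 app detection approach described in this answer (example code, not the answer's own script): a read-only custom detection script that reports "detected" only when a third-party encryption marker is present, and records the BitLocker state of the OS drive for the exported report. Intune treats a custom detection script as "detected" when it exits 0 and writes to STDOUT; the registry key, value name and service name are placeholders to be replaced with values verified on a known device.

```powershell
# Added example: Intune Win32 app custom detection script (not from the original answer).
# Detected  = exit code 0 AND something written to STDOUT.
# Not found = non-zero exit code (or no output).
# All three identifiers below are PLACEHOLDERS for the real third-party product's artifacts.
$ThirdPartyRegKey   = 'HKLM:\SOFTWARE\ExampleVendor\DiskEncryption'   # placeholder
$ThirdPartyRegValue = 'InstallPath'                                    # placeholder
$ThirdPartyService  = 'ExampleVendorEncryptionSvc'                     # placeholder

function Test-ThirdPartyEncryption {
    # Registry check: Get-ItemProperty throws when the key or value is missing,
    # so any error is treated as "absent" and nothing is written to the registry.
    $regHit = $false
    try {
        $null = Get-ItemProperty -Path $ThirdPartyRegKey -Name $ThirdPartyRegValue -ErrorAction Stop
        $regHit = $true
    } catch { $regHit = $false }

    # Service check: a second, independent indicator of the product being installed.
    $svcHit = [bool](Get-Service -Name $ThirdPartyService -ErrorAction SilentlyContinue)

    # BitLocker state of the OS drive, for the report only (BitLocker module is
    # present on Windows 10/11 Pro/Enterprise; 'Unknown' if the cmdlet is unavailable).
    $bitlocker = 'Unknown'
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitlocker = [string]$vol.ProtectionStatus
    } catch { }

    [pscustomobject]@{
        RegistryHit     = $regHit
        ServiceHit      = $svcHit
        BitLockerStatus = $bitlocker
    }
}

$result = Test-ThirdPartyEncryption
if ($result.RegistryHit -or $result.ServiceHit) {
    # Third-party encryption present: report "detected". These devices show as
    # successful in the Win32 app report and can be exported into the exclusion group.
    Write-Output "Third-party encryption present (registry=$($result.RegistryHit), service=$($result.ServiceHit), BitLocker=$($result.BitLockerStatus))"
    exit 0
}
# No third-party encryption found: these devices remain candidates for the BitLocker policy.
exit 1
```

Because the script only reads the registry and service table, it can be re-run safely at every IME evaluation cycle; the answer's own script instead stamps a marker value, which is a different design choice.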

  2. Akshay-MSFT 17,866 Reputation points Microsoft Employee
    2022-09-20T06:18:17.55+00:00

    Hello @jaybird283 ,

    Thanks for posting your query on Microsoft Q&A. I was able to review this and could understand that you are looking for a way to target BitLocker encryption to those devices which are not encrypted by any other encryption and exclude those which are encrypted by third-party software. Please do correct me if this is not the ask.

    As of now we don't have a direct way to define a dynamic group membership based upon the device encryption. However, if the users are aware of the encryption status of their devices, then as a workaround we could set the option "Hide prompt about third-party encryption" to "Not configured". This will give a warning prompt to the users and would stop them from letting the BitLocker encryption happen on the drives.

    [screenshot: 242739-image.png]

    I am still investigating a way to add an "extension attribute" for third-party encrypted devices. However, this might take a little time to conclude on the possibility of achieving the same. ref: https://learn.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

    Also, you could post this as a feature request on the community forum, as this is actively monitored by our product development team and, based upon the possibility to add the feature, the request is accepted or rejected: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
