Encrypting Ubuntu for Intune compliancy


When it comes to using Linux with Microsoft Intune, devices can be checked for compliance.

At the time of release of Linux management, the following compliance settings are available:

  • Allowed Distros
    • Maximum Version
    • Minimum Version
    • Type
  • Custom Compliance
    • Discovery Script
    • Rules file
  • Device Encryption
  • Password Policy
    • Minimum Digits
    • Minimum Length
    • Minimum Lowercase
    • Minimum Symbols
    • Minimum Uppercase

In my introductory blog post on Linux management in Intune, I showed how a device, which is not encrypted, can be blocked from accessing company resources.

But how do you encrypt an Ubuntu device? If the device is already up and running, this is not an easy task: encrypting individual folders is possible, but that is not enough to become compliant when Device Encryption is your compliance rule.

Full disk encryption is set up when the Ubuntu device is built, so here is how.

First up, if you are testing this out in a Hyper-V virtual machine, you will need to build a generation 2 machine and switch off Secure Boot; otherwise you won’t be able to start the Ubuntu O/S install.

Remember, you need to use Ubuntu Desktop 22.04 LTS or 20.04 LTS as a prerequisite.

When installing the O/S follow the standard installation wizard until you get to the Installation type screen. Click the Advanced features… button.

Now select the Use LVM with the new Ubuntu installation checkbox and then tick Encrypt the new Ubuntu installation for security. Click OK, then click Install Now to continue the O/S install.

You will be prompted to create a startup key, which must be entered each time the computer boots. Enter a strong password in the Choose a security key field.

A recovery key will also be generated. Make sure this file is saved to another location and kept safe, as it will be required for recovery purposes.

You can also tick Overwrite empty disk space if you want full disk encryption, or leave it unchecked to encrypt only the used space.

When all the options have been completed, click Install Now.

You’ll be prompted to Write the changes to disk. Click Continue.

When the O/S install is complete, you will need to enter the startup key you defined earlier each time the device restarts.
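Before enrolling, it is worth confirming locally that the installer actually produced the layout the Device Encryption rule expects: the root filesystem on an LVM volume that sits on top of a LUKS crypt device. The script below is an added example written for this post, not Intune's own check and not from the original article. It reads `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` (the key/value output of util-linux lsblk, which Ubuntu Desktop ships) and walks up the parent chain from the device mounted at `/`, succeeding only if a `crypt` layer is found. The two embedded listings are constructed samples of an encrypted and an unencrypted LVM install; a home directory encrypted at folder level would not appear in this chain, which is why that approach does not satisfy the rule.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a mountpoint sits on a
# LUKS "crypt" layer, the layout produced by "Use LVM" + "Encrypt the new Ubuntu
# installation" (disk -> part -> crypt -> lvm -> /).

# Constructed sample of `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` for an
# encrypted LVM install (device names are made up for this example).
SAMPLE_ENCRYPTED='KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"'

# Constructed sample for a plain (unencrypted) LVM install: no crypt layer.
SAMPLE_PLAIN='KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda3"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda3"'

# mount_is_encrypted LISTING [MOUNTPOINT]
#   LISTING    text in the lsblk -P format above
#   MOUNTPOINT mountpoint to check (default /)
# Exit status: 0 = an ancestor of TYPE crypt was found
#              1 = chain reached the disk without a crypt layer
#              2 = mountpoint not present in the listing
mount_is_encrypted() {
    printf '%s\n' "$1" | awk -v target="${2:-/}" '
    {
        # Columns were requested in a fixed order, so KNAME is always first.
        k = $0; sub(/^KNAME="/, "", k);        sub(/".*/, "", k)
        t = $0; sub(/^.* TYPE="/, "", t);      sub(/".*/, "", t)
        m = $0; sub(/^.* MOUNTPOINT="/, "", m); sub(/".*/, "", m)
        p = $0; sub(/^.* PKNAME="/, "", p);    sub(/".*/, "", p)
        type[k] = t; parent[k] = p
        if (m == target) start = k
    }
    END {
        if (start == "") exit 2
        # Walk towards the physical disk; PKNAME is empty at the top.
        for (d = start; d != ""; d = parent[d]) {
            if (type[d] == "crypt") exit 0
            if (++hops > 32) break    # guard against a malformed listing
        }
        exit 1
    }'
}

# Query the machine this script runs on (needs util-linux lsblk).
check_live() {
    mount_is_encrypted "$(lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME)" /
}

if [ "${1:-}" = "--live" ]; then
    if check_live; then
        echo "root filesystem is on a LUKS crypt layer"
    else
        echo "root filesystem is NOT on a crypt layer (or / was not found)"
    fi
else
    # Self-check against the constructed samples.
    if mount_is_encrypted "$SAMPLE_ENCRYPTED" /; then
        echo "encrypted sample: root is on a crypt layer"
    fi
    if ! mount_is_encrypted "$SAMPLE_PLAIN" /; then
        echo "plain sample: root is not on a crypt layer"
    fi
fi
```

Run it with `--live` on the freshly built machine to inspect the real block layout; with no arguments it only exercises the two constructed samples. Note that `/boot` and `/boot/efi` sit outside the crypt layer even on an encrypted install, so the check is deliberately made against `/`.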

Now, follow the First steps into Linux management blog post to enroll the device into Microsoft Intune and also enable the Linux compliance policy for Device Encryption, as shown in that post.

When the device arrives in the Intune console, it will report as Compliant (note also the non-compliant, unencrypted device from the first blog post).

You can also check the compliance status on the device by signing into the Intune app.

Hope this helps.
