Let’s learn recommended steps to enable BitLocker using Intune. This post explains the configuration settings for BitLocker Encryption that can help protect data on devices running Windows 10 or 11 and the deployment of BitLocker using Intune.
BitLocker is a built-in Windows data protection feature, capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled.
BitLocker is available on devices that run Windows 10/11. Some settings for BitLocker require the device have a supported TPM. It is important to understand that BitLocker has specific hardware requirements and that some methods of enabling BitLocker are dependent on those conditions.
- For TPM 2.0 devices, you must have native Unified Extensible Firmware Interface (UEFI) configured. (Secure boot is not required but adds another layer of security.)
- BIOS or UEFI firmware must support USB mass storage.
- You must partition the hard disk into an operating system drive formatted with NTFS and a system drive with at least 350 MB formatted as FAT32 for UEFI and NTFS for BIOS.
Joy has well explained the working mechanism of Bitlocker encryption, the internal OS components involved, and most importantly, Take a look at the blog post here if you have not seen it yet – why it is necessary and how it helps secure the OS platform from cold boot attacks.
There are already Bitlocker series providing you in depth details on Bitlocker policies and working mechanisms. Links to the posts are mentioned below. Give them a read if you have not yet.
- Part 1 – Bitlocker Unlocked with Joy – Behind the Scenes Windows 10
- Part 2 – Device Encryption – Bitlocker made Effortlessly
- Part 3 – Deciphering Intune’s Scope w.r.t Bitlocker Drive Encryption
- Part 4 – Intune and Silent Encryption – A Deeper Dive to Explore the Internal
Enable BitLocker using Intune
Let’s follow the steps to use Intune to configure BitLocker Drive Encryption on devices that run Windows 10/11. Here are recommended processes for deploying BitLocker using Intune.
- Sign in to Microsoft Intune Admin Center https://endpoint.microsoft.com
- Navigate to the Endpoint Security node. Select Endpoint security > Disk encryption.
Note – This is the most recent method of deploying BitLocker settings. If you are currently using a device configuration profile, consider migrating to an Endpoint security policy.
Click on + Creare Policy. In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Bitlocker. Click on Create button.
On the Basics tab, enter a descriptive name, such as Bitlocker Policy. Optionally, enter a Description for the policy, then select Next.
In Configuration settings, Scroll down and configure the policy you want to configure for your environment. Depending on the type of policy that you use to silently enable BitLocker, configure the following settings. There is no user interaction when enabling BitLocker on a device in this scenario.
If BitLocker silent enable features are required, the third-party encryption warning must be hidden as any required prompt breaks silent enablement workflows.
First, ensure that the Hide prompt about third-party encryption setting is set to Yes. This is important because there should be no user interaction to complete the encryption silently.
Endpoint security disk encryption Base Settings – Configure the following settings in the BitLocker profile:
- Enable full disk encryption for OS and fixed data drives Yes
- Require storage cards to be encrypted (mobile only) Not configured
- Hide prompt about third-party encryption Yes
- Allow standard users to enable encryption during Autopilot Yes
- Client-driven recovery password rotation to Enable rotation on Azure AD-joined devices or Enable rotation on Azure AD and Hybrid-joined devices
Manage your requirement for encryption of fixed data drives. If you enable this setting, BitLocker requires users to put all fixed data drives under protection. It then encrypts the data drives.
- BitLocker fixed drive policy Configure
- Fixed drive recovery Configure
- Recovery key file creation Allowed
- Configure BitLocker recovery package Password and key
- Require device to back up recovery information to Azure AD Yes
- Recovery password creation Allowed
- Hide recovery options during BitLocker setup Yes
- Enable BitLocker after recovery information to store Yes
- Block the use of certificate-based data recovery agent (DRA) Yes
- Block write access to fixed data-drives not protected by BitLocker Yes
- Configure encryption method for fixed data-drives AES 256bit XTS
Endpoint security disk encryption policy – In the BitLocker profile you’ll find the following settings in the BitLocker – OS Drive Settings category when BitLocker system drive policy is set to Configure, and then Startup authentication required is set to Yes.
The Compatible TPM startup PIN, Compatible TPM startup key and Compatible TPM startup key and PIN options are set to Blocked. BitLocker cannot silently encrypt the device if these settings are configured to required because these settings require user interaction.
- Compatible TPM startup – Configure this as Allowed or Required
- Compatible TPM startup PIN – Configure this as Blocked
- Compatible TPM startup key – Configure this as Blocked
- Compatible TPM startup key and PIN – Configure this as Blocked
- Disable BitLocker on devices where TPM is incompatible Yes
- Enable preboot recovery message and url Not configured
Here you can control how BitLocker-protected OS drives are recovered in the absence of the required startup key information.
For OS volumes and fixed drives: XTS-AES 128-bit is the Windows default encryption method and the recommended value. An IT Administrator can set this algorithm to AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption.
- System drive recovery Configure
- Recovery key file creation Allowed
- Configure BitLocker recovery package Password and Key
- Require device to back up recovery information to Azure AD Yes
- Recovery password creation Allowed
- Hide recovery options during BitLocker setup Yes
- Enable BitLocker after recovery information to store Yes
- Block the use of certificate-based data recovery agent (DRA) Not configured
- Minimum PIN length – The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
- Configure encryption method for Operating System drives AES 256bit XTS
Here you can configure the Control use of BitLocker on removable drives group policy setting that controls the use of BitLocker on removable data drives. Removable drive settings apply to storage devices such as USB flash storage devices and external hard drives.
Note – If you do not configure Removable Drive settings, the policy will always result in a failure state.
- BitLocker removable drive policy Configure
- Configure encryption method for removable data-drives AES 256bit XTS
- Block write access to removable data-drives not protected by BitLocker Yes
- Block write access to devices configured in another organization Not configured
Scope tags are filtering options provided in Intune to ease the admin jobs. In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.
Under Assignments, In Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned for deploying BitLocker using Intune.
A notification will appear automatically in the top right-hand corner with a message. You can see the message “Profile created successfully”. Once you create the profile, it’s pushed to the assigned group and you are ready to silently enable BitLocker using intune.
Monitor Bitlocker Encryption Status with Intune
Intune provides a built-in encryption report that presents details about the encryption status of devices, across all your managed devices. The encryption report shows common details across the supported devices you manage, Intune Device Encryption Status Report for deploying BitLocker using Intune.
If BitLocker is not enabled on a device after deploying a policy, check the encryption report to see if the device meets the prerequisites.
If you want more details on how to manage Windows Bitlocker compliance policy using Intune and MS Graph by Mark Thomas, Managing Windows Bitlocker Compliance Policy Using Intune | MS Graph | Grace Period.
Hi, we have deployed bitlocker from intune in our office systems. now we need to enforce users to set pre boot pin authentication. we need to deploy it from Intune, how to configure the same.
The preboot authentication option Require startup PIN with TPM of the Require additional authentication at startup policy, You can specify it under BitLocker – OS Drive Settings!!
We also want to enable bitlocker silently using Autopilot but at the same time want our users to set TPM startup PIN also. If we enable this setting in policy then silent encryption is not supported. How can we achieve this requirement ?
Hi,
I wanted to see if you had an updated version of these instructions with the most recent Intune options?
Thanks
Nat