In this post I will show you how to configure BitLocker on Windows devices (Windows 10 or Windows 11) using Intune. If the devices are enrolled in Intune, we can target BitLocker policies to them in several ways. The recovery key of each device is saved and can be retrieved when the user needs it.

What is BitLocker

BitLocker is a feature which encrypts the drive to prevent data loss in case the device is stolen or lost. BitLocker with a TPM (Trusted Platform Module) version 1.2 or later enhances the capabilities and provides better protection. If complemented with Secure Boot (where enabled), it further increases the level of security.

If the device is stolen or lost, the data is secured. Another person can still format the drive and use the device; however, they won't be able to access the data, as the disk is encrypted. Repeated failed attempts to access the disk will take the device into recovery mode. In BitLocker recovery mode, you can access the disk by providing the 48-digit recovery password.

Using Intune, we can configure saving the recovery password to Microsoft Entra ID. The feature can be used for both Microsoft Entra joined and Microsoft Entra hybrid joined devices.

Recovery Password Rotation is a setting in the BitLocker policy. It refreshes (regenerates) the recovery password once a recovery password has been used.

Pre-requisites of BitLocker

  • The hard disk should have an operating system partition formatted with NTFS and a system partition of at least 350 MB, formatted as FAT32 (for UEFI) or NTFS (for BIOS).
  • A TPM (Trusted Platform Module) chip, version 1.2 or 2.0, is required and should be unlocked. Although the TPM is mandatory only for silent encryption, it is highly recommended for all types of encryption for increased security.
  • For Intune-enrolled devices: the device should be Microsoft Entra joined, Microsoft Entra registered, or Microsoft Entra hybrid joined.
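The following PowerShell script is an added example (not part of the original post) that checks the prerequisites above locally on a device: TPM presence, readiness and version, the OS and system partition layout, Secure Boot, and the Entra join state reported by dsregcmd. It uses only built-in cmdlets and must be run in an elevated session.

```powershell
# Added example: local BitLocker readiness check mirroring the prerequisites listed above.
# Run in an elevated PowerShell session on a Windows 10/11 device.

function Test-BitLockerReadiness {
    $r = [ordered]@{}

    # TPM 1.2 or 2.0, present and ready (enabled, activated, owned)
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    $r['TpmPresent'] = [bool]$tpm.TpmPresent
    $r['TpmReady']   = [bool]$tpm.TpmReady
    $r['TpmVersion'] = if ($spec) { ($spec -split ',')[0].Trim() } else { 'none' }   # "1.2" or "2.0"

    # Firmware type decides which file system the system partition must use
    $uefi = ($env:firmware_type -eq 'UEFI')
    $r['Firmware']   = if ($uefi) { 'UEFI' } else { 'BIOS' }
    $r['SecureBoot'] = if ($uefi) { try { Confirm-SecureBootUEFI } catch { $false } } else { $false }

    # Operating system drive must be NTFS
    $os = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $r['OsDriveNtfs'] = ($os.FileSystem -eq 'NTFS')

    # System partition: at least 350 MB, FAT32 on UEFI or NTFS on BIOS
    $sysPart = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    $sysVol  = $sysPart | Get-Volume
    $wantFs  = if ($uefi) { 'FAT32' } else { 'NTFS' }
    $r['SystemPartitionMB'] = [math]::Round($sysPart.Size / 1MB)
    $r['SystemPartitionOk'] = ($sysPart.Size -ge 350MB) -and ($sysVol.FileSystem -eq $wantFs)

    # Entra join state from dsregcmd: joined, hybrid joined or registered
    $ds  = dsregcmd /status
    $aad = ($ds -match 'AzureAdJoined\s*:\s*YES').Count -gt 0
    $dom = ($ds -match 'DomainJoined\s*:\s*YES').Count -gt 0
    $wpj = ($ds -match 'WorkplaceJoined\s*:\s*YES').Count -gt 0
    $r['JoinType'] = if ($aad -and $dom) { 'Entra hybrid joined' }
                     elseif ($aad)       { 'Entra joined' }
                     elseif ($wpj)       { 'Entra registered' }
                     else                { 'Not Entra joined' }

    # Silent encryption needs a ready TPM plus the disk layout and an Entra relationship
    $r['ReadyForSilentEncryption'] = $r.TpmPresent -and $r.TpmReady -and $r.OsDriveNtfs -and
                                     $r.SystemPartitionOk -and ($r.JoinType -ne 'Not Entra joined')
    [pscustomobject]$r
}

Test-BitLockerReadiness | Format-List
```

Compare the output with the Intune encryption report described in the next section; a device showing TpmReady False or SystemPartitionOk False will not encrypt silently regardless of the policy.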

Preparing for BitLocker encryption with the Intune report

Intune has a built-in report for BitLocker encryption. It can be accessed by logging on to the Microsoft Intune admin center and navigating to Devices > Monitor > Device encryption status.

BitLocker Encryption report

The Encryption report shows you the TPM version, encryption readiness and encryption status. This is the first place to look to check a device's BitLocker readiness. Based on the hardware status of the device, you will see results that help you take further action for the devices.

BitLocker Encryption methods using Intune

There are multiple methods available in Intune to implement BitLocker encryption policies:

  • Device Configuration – Settings catalog: a Device Configuration profile using the Settings catalog can be used to create the policy.
  • Device Configuration – Templates (Endpoint protection): a Device Configuration profile using the Endpoint protection template can be used to create BitLocker encryption policies.
  • Endpoint security: creating the policy via the Disk encryption node of Endpoint security. This is the recommended method to create the policy and the one we will use in this demo.

Create BitLocker policy using Endpoint Security

  • In the Microsoft Intune admin center, navigate to Endpoint security > Disk encryption and create a policy.
Endpoint security disk encryption
  • In the Create a profile blade, select Windows 10 and later as the platform and BitLocker as the profile, then click Create.
Bitlocker profile
  • Provide the name of the profile as Demo BitLocker Encryption and click Next.
  • You will now be on the Configuration settings page, which contains BitLocker and Administrative Templates settings. Under BitLocker, specify the following:
    • Require Device Encryption: Enabled. Turns on encryption of the drive.
    • Allow Warning for Other Disk Encryption: Disabled. Disables the UI notification, warning and prompt for other disk encryption.
    • Allow Standard User Encryption: Enabled. Configures silent encryption for standard users (without admin rights).
    • Configure Recovery Password Rotation: Refresh on for Azure AD-joined devices. The recovery password will be refreshed when it is used. The information is saved in both Microsoft Entra ID and the Intune portal.
BitLocker Configuration settings
  • Expand the Administrative Templates section, which consists of four further sections.

Windows Components > BitLocker Drive Encryption

  • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Enabled. Enabling it lets us configure the encryption method for each drive. If we do not enable this option, the default method applies automatically.
  • Select the encryption method for removable data drives: Select AES-CBC 128-bit (default)
  • Select the encryption method for operating system drives: Select XTS-AES 128-bit (default)
  • Select the encryption method for fixed data drives: Select XTS-AES 128-bit (default)
  • Provide the unique identifiers for your organization: Select Not configured

Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Enforce drive encryption type on operating system drives: Enabled. Enforces the encryption type for operating system drives.
  • Select the encryption type: (Device): Used Space Only encryption. Only the used space is encrypted; the other option is Full encryption.
  • Require additional authentication at startup: Enabled. On devices with a TPM chip, this provides additional protection for the encrypted data. There are four options we can set, including requiring a PIN when the device is switched on.
    • Configure TPM startup key and PIN: Allow startup key and PIN with TPM
    • Configure TPM startup: Allow TPM
    • Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive): True
    • Configure TPM startup PIN: Allow startup PIN with TPM
    • Configure TPM startup key: Allow startup key with TPM
  • Configure minimum PIN length for startup: Not configured
  • Allow enhanced PINs for startup: Not configured
  • Disallow standard users from changing the PIN or password: Not configured
  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not configured
  • Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not configured
  • Choose how BitLocker-protected operating system drives can be recovered: Not configured
  • Configure pre-boot recovery message and URL: Not configured
BitLocker drive encryption Operating system drives

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Any additional drive attached to the device is treated as a fixed data drive, whose encryption can also be controlled.

  • Enforce drive encryption type on fixed data drives: Enabled
    • Select the encryption type: (Device): Used Space Only encryption
  • Choose how BitLocker-protected fixed drives can be recovered: Not configured
  • Deny write access to fixed drives not protected by BitLocker: Not configured
Bitlocker drive encryption Fixed data drives

Windows Components > BitLocker Drive Encryption > Removable Data Drives

We can configure encryption of removable drives as well; however, we are not configuring it in this demo.

  • Control use of BitLocker on removable drives: Not configured
  • Deny write access to removable drives not protected by BitLocker: Not configured
Bitlocker drive encryption removable data drives
  • Complete the rest of the wizard by targeting the policy at the devices.

Verify BitLocker Encryption status

Log in to the device. Once the sync happens, the policy is downloaded and we will see the disk encryption start. This can be verified by running the command:

Manage-bde -status c:
BitLocker status command line

Once the disk is encrypted, you can check the status by navigating to Control Panel > System and Security > BitLocker Drive Encryption. You will see C: BitLocker on.

BitLocker Drive Encryption on

You may further change the startup option, as we allowed a TPM startup key and PIN. Click Change how drive is unlocked at startup.

Under Choose how to unlock your drive at startup, select either Enter a PIN or Insert a USB flash drive. We are going with the former, which lets you set the PIN that must be entered when you switch on the device.

BitLocker Drive Encryption Enter PIN

You can verify the status of encryption in Event Viewer by navigating to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management. The following information will be displayed here:

BitLocker successfully sealed a key to the TPM.
PCRs measured include [7,11].
The source for these PCRs was: Secure Boot.
Event Viewer BitLocker-API logs
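As an added example (not from the original post), the PowerShell function below checks the same things the manage-bde output, Control Panel and Event Viewer steps above show, and compares them against the settings chosen in the Demo BitLocker Encryption policy: protection on, XTS-AES 128 cipher, a TPM-based protector plus a numerical recovery password, and a successful backup of that password to Entra ID recorded in the BitLocker-API Management log (event ID 845). The expected cipher is a parameter so the check can be reused for a policy that selects a different method.

```powershell
# Added example: verify that a device's BitLocker state matches the policy described in this post.
# Run in an elevated PowerShell session on the target device.

function Test-BitLockerCompliance {
    param(
        [string]$MountPoint     = $env:SystemDrive,
        # Expected cipher follows the policy above (XTS-AES 128 for OS and fixed drives)
        [string]$ExpectedMethod = 'XtsAes128'
    )

    $vol            = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    $checks = [ordered]@{
        # Protection must be On; a drive can be encrypted yet have protectors suspended
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        # Used Space Only encryption still reports FullyEncrypted once it completes
        FullyEncrypted   = ($vol.VolumeStatus -eq 'FullyEncrypted')
        # Cipher delivered by the Administrative Templates setting in the policy
        ExpectedCipher   = ($vol.EncryptionMethod -eq $ExpectedMethod)
        # One of Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey must be present
        TpmProtector     = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })
        # The 48-digit numerical password is the protector escrowed to Entra ID
        RecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
    }

    # Event 845 in the BitLocker-API Management log records a successful backup of the
    # recovery password to Entra ID; event 846 is the corresponding failure.
    $backup = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $checks['RecoveryKeyEscrowed'] = ($null -ne $backup)

    $checks['Compliant'] = -not ($checks.Values -contains $false)
    [pscustomobject]$checks
}

Test-BitLockerCompliance | Format-List
```

A device reporting RecoveryPassword True but RecoveryKeyEscrowed False has encrypted locally without its key reaching Entra ID, so the key will not appear under Recovery keys in the Intune admin center described next.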

Recovery keys

To find the recovery key of a device, navigate to Microsoft Intune admin center > Devices. Search for the specific device you targeted with the encryption policy and click Recovery keys. You can see the BitLocker Key ID; to reveal the BitLocker recovery key, click Show Recovery Key. The 48-digit recovery key will be visible.

Show BitLocker Recovery key

One of the device actions allows you to manually rotate the key. Click the ellipsis and select BitLocker key rotation.

Device action BitLocker key rotation

Important Links

https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices

https://learn.microsoft.com/en-us/mem/intune/protect/encryption-monitor
