How to configure BitLocker with Microsoft Intune

In today’s world, data security is of utmost importance, and protecting your devices from potential threats is crucial. One of the most effective ways to safeguard your data is by using encryption, and BitLocker is a powerful encryption tool that can help you achieve just that. In this blog post, we’ll show you how to configure BitLocker using Microsoft Intune, a cloud-based service that makes device management a breeze. By following our step-by-step guide, you’ll be able to secure your devices and protect your sensitive data from cyber threats. So, let’s dive in and get started!

What are we going to set up?

In the first step, we will create a new Disk encryption policy in the Endpoint security settings. There we will configure the BitLocker settings. In the second step we will show you, where you can Monitor the BitLocker Encryption.

Enable Bitlocker in Intune

To set up Bitlocker via Intune, follow these steps.

• Go to endpoint.microsoft.com
• Click on Endpoint security
• Click on Disk encryption
• Create a new Policy
• Select Windows 10 and later Platform
• Select Bitlocker Profile
• Click on Create

Give it a meaningful name and click on Next

Configure the BitLocker settings according to your preferences now.

We recomend the following Settings:

BitLocker – Base Settings

• Enable full disk encryption for OS and fixed data drives: Yes
• Require Storage cards to be encrypted: Not configured
• Hide prompt about third-party encryption: Yes
• Allow standard users to enable encryption during Autopilot: Yes
• Configure client-driven recovery password rotation: Enable rotation on Azure AD and Hybrid-joined devices

BitLocker – Fixed Drive Settings

• BitLocker fixed drive policy: Configure
• Fixed drive recovery: Configure
• Recovery key file creation: Allowed
• Configure BitLocker recovery package: Password and key
• Require device to back up recovery information to Azure AD: Yes
• Recovery password creation: Allowed
• Hide recovery options during BitLocker setup: Yes
• Enable BitLocker after recovery information to store: Yes
• Block the use of certificate-based data recovery agent (DRA): Not configured
• Block write access to fixed data-drives not protected by BitLocker: Yes
• Configure encryption method for fixed data-drives: AES 256bit XTS

BitLocker – OS Drive Settings

• BitLocker system drive policy: Configure
• Startup authentication required: Yes
• Compatible TPM startup: Required
• Compatible TPM startup PIN: Blocked
• Compatible TPM startup key: Blocked
• Compatible TPM startup key and PIN: Blocked
• Disable BitLocker on devices where TPM is incompatible: Yes
• Enable preboot recovery message and url: Not configured

• Recovery key file creation: Allowed
• Configure BitLocker recovery package: Password and key
• Require device to back up recovery information to Azure AD: Yes
• Recovery password creation: Allowed
• Hide recovery options during BitLocker setup: Yes
• Enable BitLocker after recovery information to store: Yes
• Block the use of certificate-based data recovery agent (DRA): Not configured
• Minimum PIN length: 8
• Configure encryption method for: AES 256bit XTS

BitLocker – Removable Drive Settings

• BitLocker removable drive policy: Configure
• Configure encryption method for removable data-drives: AES 256bit XTS
• Block write access to removable data-drives not protected by BitLocker: Not configured
• Block write access to devices configured in another organization: Not configured

When you have finished configurating

• Click on Next
• You can skip the Scope tags and click on Next
• Assign it to a Group or to All Users
• Click on Next

• On the Review + create page, click on Create

Congratulations! You have successfully deployed the policy.

Monitor BitLocker Encryption Status

When you have successfully deployed the BitLocker policy, you can view the Status:

• Go to endpoint.microsoft.com
• Click on Devices
• Click on Monitor

• Go to Encryption report

The Encryption report pane displays a list of the devices you manage with high-level details about those devices. You can select a device from the list to drill-in and view additional details from the Device encryption status pane.