Configuring BitLocker in Intune - Part 1. Configuring BitLocker

Security is a big focus for many companies, especially when it comes to leakage of company data. Encrypting the disks of Windows 10 devices with BitLocker protects that data at rest: it covers the lost or stolen laptop, not a device that is powered on and unlocked. Microsoft Intune received yet more updates on June 30th, 2017, one of which was the ability to configure BitLocker settings, detailed here. This ability was initially raised as a UserVoice item.


You can now configure BitLocker settings for Windows 10 devices using a new Intune device profile. For example, you can require that devices are encrypted, and also configure further settings that are applied when BitLocker is turned on. For more information, see Endpoint protection settings for Windows 10 and later.

So let's take a look at how it works.

Step 1. Create a Device Configuration Profile

In the Azure Portal, navigate to Intune, select Device Configuration, click on Profiles, then click on Create Profile and fill in the following details, as shown below:

  • Name: Configure BitLocker Settings
  • Platform: Windows 10 and later
  • Profile type: Endpoint Protection

Note: Endpoint Protection is the profile type for BitLocker configuration, not to be confused with System Center Endpoint Protection.



Step 2. Configure Settings in the profile

Next, in the Windows Encryption pane that appears, make your choices under Windows Settings.

Set the Require devices to be encrypted (Desktop only) option to Enable.

Enable BitLocker.png

Make note of the information tooltip (the 'i' icon; hover over it to see the text it contains). The important part is the last sentence of that statement, quoted below:


Selecting "Yes" will prompt end users to enable device encryption. End users will be asked to confirm there is no third party device encryption in use on their device. Turning on Windows encryption while third party encryption is in use will render the device unstable.

So by requiring BitLocker encryption, your users will need to confirm the above before encryption takes place. Hopefully in the future we'll be able to automate it 100% so that no user interaction is required.

For BitLocker base settings, set Configure encryption methods to Enable and then pick the desired encryption method (for example XTS-AES 256) from the drop-down menus for each drive type: the OS drive, fixed data drives and removable data drives.

bitlocker base settings.png

For BitLocker OS drive settings, set Require additional authentication at startup to Enable and then make your choices.

Note: Under Enable OS drive recovery, the option is labelled Save BitLocker recovery information to AD DS, but on an Azure AD joined, MDM enrolled device it actually saves the recovery information to Azure AD, and you should enable it. In other words, if you want to be able to retrieve a BitLocker recovery key for such a device from Azure AD later, enable OS drive recovery and Save BitLocker recovery information to AD DS. Without an escrowed recovery key, a device that drops into BitLocker recovery (after a firmware or boot configuration change, for instance) cannot be unlocked and its data is lost.

bitlocker os drive settings.png

For BitLocker fixed data-drive settings, you can deny write access to fixed drives that are not BitLocker-protected by enabling that option.

bitlocker fixed drive settings.png


And for BitLocker removable data-drive settings, make your choices.

bitlocker removable data drive settings.png

Once you've finished configuring the settings, click on OK and then on Create to create the device configuration profile.

create profile.png

Step 3. Assign the profile to a group

Now that you've created the profile, you need to deploy it (assign it) to a group containing Windows 10 devices. Select the profile created above, click on Assignments, then click on Select groups to include.

assign and select.png

Select a previously created group (or several groups if you wish). I selected one I had created earlier called BitLocker Configuration, but you can select whichever group you want. Then click on the Select button at the bottom of that pane; if it's not visible, zoom out (browser zoom).

selected group.png

Finally, click on Save to save the changes.


If you haven't done so already, add some Windows 10 device members to the group.
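Steps 1 to 3 above are done in the portal. As an added example (not code from the original post), the same profile and assignment can be created through Microsoft Graph, which is how you would reproduce it across tenants or keep it in source control. It assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementConfiguration.ReadWrite.All, and the property names of the beta windows10EndpointProtectionConfiguration resource as I know them; the group id is a placeholder, and you should check the property names against the current Graph reference before relying on them.

```powershell
# Added example, not from the original post: build the Endpoint Protection profile
# from Step 2 as a Graph request body, create it, and assign it to a group (Step 3).
# Assumptions: Microsoft.Graph.Authentication module, DeviceManagementConfiguration.ReadWrite.All,
# beta windows10EndpointProtectionConfiguration property names as I know them.

function New-BitLockerProfileBody {
    param(
        [string]$Name = 'Configure BitLocker Settings',
        [ValidateSet('aesCbc128', 'aesCbc256', 'xtsAes128', 'xtsAes256')]
        [string]$EncryptionMethod = 'xtsAes256'
    )
    # Each key mirrors a portal setting from Step 2 (see the comments).
    @{
        '@odata.type'          = '#microsoft.graph.windows10EndpointProtectionConfiguration'
        displayName            = $Name
        description            = 'Require BitLocker, XTS-AES 256, escrow recovery info to Azure AD'
        bitLockerEncryptDevice = $true                  # "Require devices to be encrypted"
        bitLockerSystemDrivePolicy = @{
            encryptionMethod              = $EncryptionMethod
            startupAuthenticationRequired = $true       # "Require additional authentication at startup"
            startupAuthenticationTpmUsage = 'required'  # TPM-only; no PIN or startup key
            recoveryOptions = @{
                recoveryPasswordUsage                          = 'required'
                recoveryKeyUsage                               = 'allowed'
                enableRecoveryInformationSaveToStore           = $true   # "Save BitLocker recovery information to AD DS" (Azure AD on AAD-joined devices)
                recoveryInformationToStore                     = 'passwordAndKey'
                enableBitLockerAfterRecoveryInformationToStore = $true   # do not encrypt until the key is escrowed
            }
        }
        bitLockerFixedDrivePolicy = @{
            encryptionMethod                = $EncryptionMethod
            requireEncryptionForWriteAccess = $true     # deny write access to unencrypted fixed drives
        }
        bitLockerRemovableDrivePolicy = @{
            encryptionMethod                  = $EncryptionMethod
            requireEncryptionForWriteAccess   = $true
            blockCrossOrganizationWriteAccess = $false
        }
    }
}

function Publish-BitLockerProfile {
    param(
        [Parameter(Mandatory)][string]$GroupId,         # object id of the Azure AD device group (placeholder)
        [string]$EncryptionMethod = 'xtsAes256'
    )
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
    $body = New-BitLockerProfileBody -EncryptionMethod $EncryptionMethod | ConvertTo-Json -Depth 6

    # Steps 1 and 2: create the profile.
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -Body $body -ContentType 'application/json'

    # Step 3: assign the profile to the group.
    $assign = @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } })
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body $assign -ContentType 'application/json' | Out-Null

    $created.id
}

# Dry run (no tenant needed): inspect the JSON that would be sent.
New-BitLockerProfileBody | ConvertTo-Json -Depth 6
# Live: Publish-BitLockerProfile -GroupId '<group object id>'
```

The dry run prints the body so you can diff it against the portal before anything is created; keeping `enableBitLockerAfterRecoveryInformationToStore` set means a device never starts encrypting before Azure AD holds its recovery password, which is the failure mode the note in Step 2 warns about.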


Step 4. Monitor the device configuration on a Windows 10 device

Log in to an MDM-enrolled (and in this case Azure AD joined) device that is not yet encrypted and trigger a sync. To trigger a policy sync, open Settings, select Accounts, then Access work or school, select your MDM account and click on Info.


Next, click on Sync.


Once the sync is done you should see an Encryption Needed notification in the system tray.

encryption needed.png

Click on the notification and you'll see the following screen.

are you ready to start encryption.png

Select I don't have any other disk encryption, then click on Yes.

i dont have.png

and off it goes...

encrypting drive in progress.png

You can open an administrative command prompt to verify the encryption algorithm with the following command:

manage-bde -status

manage bde.png

As you can see from the above, encryption is in progress and the encryption method matches the XTS-AES 256 setting selected in the device configuration profile.

After it's done encrypting, you'll be notified.

encryption complete.png

In Windows File Explorer you can now see the BitLocker icon on the operating system drive.
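Reading `manage-bde -status` by eye works for one machine; for more than a few it is easier to have the same checks come back as objects. The following is an added example, not code from the post, that runs on the client with the BitLocker PowerShell module (Windows 10 Pro/Enterprise, elevated prompt) and reports every volume against the policy configured in Step 2. The expected method name (XtsAes256) is an assumption matching what was selected in this walkthrough; change it to whatever you picked.

```powershell
# Added example, not from the original post: check BitLocker volumes against the
# Step 2 policy (XTS-AES 256 on the OS drive, TPM protector, recovery password present).
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated session.

function Test-BitLockerState {
    param(
        [string]$ExpectedOsMethod = 'XtsAes256'   # assumption: what was chosen in the profile
    )
    Get-BitLockerVolume | ForEach-Object {
        $v = $_
        $isOs = $v.VolumeType -eq 'OperatingSystem'
        $hasTpm = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        $hasRecoveryPassword = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus          # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            PercentComplete  = $v.EncryptionPercentage
            EncryptionMethod = $v.EncryptionMethod
            ProtectionStatus = $v.ProtectionStatus      # Off = encrypted but protectors suspended (clear-text key on disk)
            TpmProtector     = $hasTpm
            RecoveryPassword = $hasRecoveryPassword
            # The OS volume counts as compliant only when it is fully encrypted, protection is on,
            # the method matches policy, and both a TPM protector and a recovery password exist.
            # Data volumes are reported but not judged here.
            Compliant        = (-not $isOs) -or (
                $v.VolumeStatus -eq 'FullyEncrypted' -and
                $v.ProtectionStatus -eq 'On' -and
                $v.EncryptionMethod -eq $ExpectedOsMethod -and
                $hasTpm -and $hasRecoveryPassword)
        }
    }
}

Test-BitLockerState | Format-Table -AutoSize
```

While the screenshot above is taken, `VolumeStatus` reads EncryptionInProgress and `Compliant` is false; it only flips to true once the drive is fully encrypted. The ProtectionStatus column is worth watching separately: a drive that someone has suspended (for example around a firmware update) still shows as encrypted but is not protected.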


Step 5. Verify device is configured with BitLocker in Azure

At this point trigger another sync on the device. After the sync is complete, click on the device configuration profile and select Device status as shown below. Devices targeted by the profile are listed with the deployment status of the configuration profile. If the user has allowed BitLocker to complete, the deployment status is listed as "Succeeded", as shown below.


If the user did not start encryption (or if there was some other problem), it will be listed with a Deployment Status of "Error".

Deployment status error.png

If the Deployment Status is listed as Error, you can click on the device listed, and it will take you to the device's properties.

device properties.PNG

From there click on Device configuration and then click on the Device Configuration error on the right side of this screenshot.

device configuration.PNG

Here you can see that it mentions the user needs to click on Yes to start the encryption, so in this case the user most likely ignored the notification, which is why an error is reported.

require devices to be encrypted.PNG

To enforce this (that is, to make the user actually start the BitLocker encryption from the notification), see the summary at the bottom of this guide.

Step 6. Retrieving the BitLocker key as the admin in Azure AD

To locate the BitLocker recovery key, in Azure AD select the user that enrolled the device into MDM and click on Devices.

niall devices.png

Then select the device in question. The BitLocker key ID and BitLocker recovery key are listed.

recovery key.png

These can be cross-checked against the actual computer with this command (in an administrative command prompt on the BitLocker-encrypted client):

manage-bde -protectors -get c:

recovery key verification.png

Note: If the user un-enrolls the device, the BitLocker recovery keys are removed from Azure AD, so retrieve and store the key elsewhere before un-enrolling a device you may later need to recover.

unenroll bitlocker message.png
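The key ID shown in Azure AD is the ID of the numerical password protector on the device, which is what `manage-bde -protectors -get c:` prints. The following added example (not code from the post) lists that protector in PowerShell so you can compare it with the portal, and re-escrows it to Azure AD on demand, which is what you want after re-enrolling a device whose keys were dropped at un-enrollment. It assumes the BitLocker module, an elevated session and an Azure AD joined device; the event IDs it checks (845 for a successful backup to Azure AD, 846 for a failed one, in the Microsoft-Windows-BitLocker/BitLocker Management log) are my understanding and should be verified on your build.

```powershell
# Added example, not from the original post: show the recovery-password protector
# and re-escrow it to Azure AD, then confirm via the BitLocker management event log.
# Assumptions: BitLocker module, elevated session, Azure AD joined device,
# event ids 845/846 as I know them.

function Get-BitLockerRecoveryProtector {
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $MountPoint
                KeyProtectorId   = $_.KeyProtectorId     # compare with the "BitLocker key id" in Azure AD
                RecoveryPassword = $_.RecoveryPassword   # the 48-digit key: treat as a secret, do not log it
            }
        }
}

function Backup-BitLockerRecoveryToAzureAD {
    param([string]$MountPoint = $env:SystemDrive)
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $protectors) {
        # Nothing to escrow yet: add a numerical password protector first.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $protectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    # Confirm from the event log rather than trusting the cmdlet alone.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 845, 846
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 845) { 'Escrowed to Azure AD' } else { 'FAILED' } } }
}

Get-BitLockerRecoveryProtector
# Backup-BitLockerRecoveryToAzureAD
```

If the event query comes back empty after a backup attempt, the device is usually not Azure AD joined (registered only), or the escrow happened more than five minutes earlier; widen the StartTime window before assuming the backup failed.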

Step 7. Retrieving the BitLocker key as the user

The user can also check the BitLocker keys of any of their enrolled devices. On the device, click on Settings, Accounts, Access work or school, highlight the connection and select Manage your account. Alternatively, go to https://myapps.microsoft.com in a web browser, click on the username and then click on Profile.

manage your account.png

From there they can select the device in question and click on Get BitLocker Keys.

Get BitLocker Keys.png

and the BitLocker keys will be listed.

bitlocker keys.png

Note: If you want to automate this and remove the user choice, use the windows-noob.com custom MSI in Part 2.

Recommended reading


It's great that we've finally got the ability to enable BitLocker in Intune, but forcing encryption is not that straightforward. To force your users to be compliant you can use Conditional Access (1) to deny unencrypted machines access to email and the associated Office applications. To do that you need to configure a Device Compliance policy (2) that verifies the device is encrypted; Conditional Access then grants the user access to the specified applications only while the device is compliant.

Or you can automate the encryption, as I do in Part 2 of this series of blog posts about BitLocker in Intune.

(1) Thanks Jan Ketil Skanke

(2) Thanks Nick
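As an added example (not code from the post), the compliance policy referred to in (2) can be created through Graph as well, in the same style as the profile earlier: it requires BitLocker on Windows 10 and marks a device non-compliant immediately, which is what Conditional Access (1) keys on. Assumptions are the same as before (Microsoft.Graph.Authentication, DeviceManagementConfiguration.ReadWrite.All, beta windows10CompliancePolicy property names as I know them, a placeholder group id); the Conditional Access policy itself, which requires a compliant device for the chosen apps, is configured separately and is not shown.

```powershell
# Added example, not from the original post: create the Device Compliance policy that
# requires BitLocker and assign it to the BitLocker group, so Conditional Access can
# block unencrypted devices. Assumptions: Microsoft.Graph.Authentication module,
# DeviceManagementConfiguration.ReadWrite.All, beta windows10CompliancePolicy property names.

function New-BitLockerCompliancePolicyBody {
    param([string]$Name = 'Require BitLocker')
    @{
        '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
        displayName              = $Name
        description              = 'Device must report BitLocker enabled and storage encrypted'
        bitLockerEnabled         = $true   # "Require BitLocker" (reported via Device Health Attestation)
        storageRequireEncryption = $true   # "Require encryption of data storage on device"
        # Action for non-compliance: block immediately (0 hours grace). Intune expects the
        # rule name "PasswordRequired" here regardless of which settings the policy contains.
        scheduledActionsForRule  = @(@{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(@{
                actionType                = 'block'
                gracePeriodHours          = 0
                notificationTemplateId    = ''
                notificationMessageCCList = @()
            })
        })
    }
}

function Publish-BitLockerCompliancePolicy {
    param([Parameter(Mandatory)][string]$GroupId)   # Azure AD group object id (placeholder)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
        -Body (New-BitLockerCompliancePolicyBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    $assign = @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } })
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
        -Body $assign -ContentType 'application/json' | Out-Null

    $created.id
}

# Dry run: show the policy body that would be created.
New-BitLockerCompliancePolicyBody | ConvertTo-Json -Depth 6
# Live: Publish-BitLockerCompliancePolicy -GroupId '<group object id>'
```

A grace period of zero is deliberate: with a non-zero value the device stays compliant (and keeps its mail access) until the period expires, which is exactly the window in which a user keeps ignoring the Encryption Needed notification.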
