
Enhancing Security: A Step-by-Step Guide to enabling BitLocker in Microsoft 365 via Intune

  • Writer: Jack Davies
  • Jan 15
  • 4 min read

Updated: Jul 12

Blue BitLocker screen prompting to enter PIN to unlock drive. Includes instructions to use F1-F10 keys and options for Enter or Esc.

BitLocker is the full-volume encryption feature built into Windows. It protects data at rest by encrypting entire drives, so a lost or stolen device does not give up its contents to someone who pulls the disk or boots from other media. The volume key is sealed to the device's TPM and is only released when the measured boot chain is intact; a pre-boot PIN or startup key can be required on top of that for stronger protection, but the configuration in this guide uses TPM-only unlock so that encryption can be enabled silently, without any user interaction. Here is how to enable this via the Intune portal.



Enabling BitLocker silently via Intune:


  1. Sign in to the Intune admin center at https://intune.microsoft.com


  2. Go to Endpoint security > Disk encryption > Create Policy

    Intune admin center page showing "Endpoint security | Disk encryption." Sidebar highlights "Endpoint security" and "Disk encryption." "Create Policy" button visible.

  3. Choose the below:

Platform - Windows

Profile - BitLocker


Profile creation window showing options for Platform: Windows and Profile: BitLocker, with a simple white background.
  4. Click 'Create' and give the policy a relevant name and description

Policy creation screen for disk encryption. Text fields show "JDJD-CORP-BitLocker" and "Enables BitLocker for all corporate devices." Minimalist design.

Configuration Settings:


  • BitLocker - This section contains global settings to silently enable and enforce BitLocker Drive Encryption on target devices.

  • BitLocker Drive Encryption - This section contains settings to set the encryption method and cipher strength used with BitLocker.

  • Operating System Drives - This section contains settings to configure the encryption rules specific to the OS drive, including options for full or used-space encryption and pre-boot authentication methods.

  • Fixed Data Drives - This section contains settings to establish the BitLocker configuration and compliance settings for internal data drives.

  • Removable Data Drives - This section contains settings to control BitLocker on removable drives, including whether users may apply BitLocker protection to them and whether unprotected removable drives may be written to.


Create Policy page for disk encryption. Options include BitLocker settings like Drive Encryption and Data Drives, with tabs at the top.


BitLocker:


  • Require Device Encryption - Select Enabled to mandate that all targeted devices are encrypted with BitLocker.

  • Allow Warning For Other Disk Encryption: This setting controls what the user sees during deployment. For a silent, non-interactive enablement it must be set to Disabled, which suppresses the encryption prompt and the warning about pre-existing third-party encryption. Note that disabling the warning does not detect or remove another encryption product; make sure target devices are not already encrypted by something else, because enabling BitLocker on top of third-party encryption can leave the device unbootable.

  • Allow Standard User Encryption: When Enabled, this policy permits BitLocker encryption to be initiated on a device by a standard user who lacks administrative privileges. For this setting to function correctly, Allow Warning for Other Disk Encryption must be Disabled.

  • Configure Recovery Password Rotation: This policy governs the automatic rotation of BitLocker recovery passwords. By default, it is Not Configured. Important: This feature will only function if the policy to back up recovery passwords to Microsoft Entra ID is also enabled.


Policy creation interface for disk encryption settings, showing BitLocker options: device encryption enabled, warning disabled, user encryption enabled.

BitLocker Drive Encryption:


  • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) - Enabled

  • Select the encryption method for fixed data drives - XTS-AES 256-bit (Recommended). AES-CBC 128-bit or 256-bit is a compatibility option for drives that must be opened on Windows versions older than Windows 10 version 1511, which cannot read XTS-AES volumes; it is not otherwise preferable.

  • Select the encryption method for operating system drives - XTS-AES 256-bit (Recommended)

  • Select the encryption method for removable data drives - XTS-AES 256-bit if removable drives will only be used on current Windows devices; choose AES-CBC 256-bit if they must also be readable on older Windows versions.


BitLocker Drive Encryption settings screen shows encryption methods: AES-CBC 256-bit for fixed, XTS-AES 256-bit for OS and removable drives.

Operating System Drives:


  • Enforce drive encryption type on operating system drives - Enabled

    Select the encryption type: (Device) - Select 'Full encryption' or 'Used Space Only encryption' based on your requirements.

  • Require additional authentication at startup - Enabled

    Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) - False

    Configure TPM startup key - Do not allow startup key with TPM (a startup key needs a user present with the USB key at boot, which breaks silent enablement)

    Configure TPM startup PIN - Do not allow startup PIN with TPM (a PIN has to be set interactively by a user, which breaks silent enablement)

    Configure TPM startup - Allow TPM

    BitLocker settings interface showing drive encryption enabled, full encryption, and additional authentication at startup. Options for TPM config.

  • Configure minimum PIN length for startup - Disabled (We are using TPM startup, so keep this disabled)

  • Allow enhanced PINs for startup - Disabled

  • Disallow standard users from changing the PIN or password - Not Configured

  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN - Not Configured

  • Enable use of BitLocker authentication requiring preboot keyboard input on slates - Not Configured


Windows settings interface with options for PIN configuration. Dropdowns show "Disabled" or "Not configured" statuses. White background.

  • Choose how BitLocker-protected operating system drives can be recovered - Enabled

    Configure user storage of BitLocker recovery information - Allow 48-digit recovery password

    Allow data recovery agent - False

    Configure storage of BitLocker recovery information to AD DS - Store recovery passwords and key packages

    Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - True

    Omit recovery options from the BitLocker setup wizard - True

    Save BitLocker recovery information to AD DS for operating system drives - True

    Although these settings are labelled AD DS, on Microsoft Entra joined devices managed by Intune the recovery password is escrowed to Microsoft Entra ID, where it appears under the device's Recovery keys in the Intune admin center. Requiring the backup before enabling BitLocker is the safeguard that stops a device from being encrypted with no retrievable recovery key.

BitLocker recovery options screenshot with settings to allow 256-bit key, 48-digit password. Options toggled for data recovery, storage, and enabling.
  • Configure pre-boot recovery message and URL - Not configured

Dropdown menu labeled "Configure pre-boot recovery message and URL" shows selected option "Not configured." Simple interface design.

Fixed Data Drives:


  • Enforce drive encryption type on fixed data drives - Enabled

    Select the encryption type: (Device) - Full Encryption

  • Choose how BitLocker-protected fixed drives can be recovered - Enabled

    Configure user storage of BitLocker recovery information - Allow 48-digit recovery password

    Allow data recovery agent - False

    Configure storage of BitLocker recovery information to AD DS - Store recovery passwords and key packages

    Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives - True

    Omit recovery options from the BitLocker setup wizard - True

    Save BitLocker recovery information to AD DS for fixed data drives - True

BitLocker settings menu showing drive encryption options: Full encryption, 256-bit recovery key, and 48-digit recovery password enabled.
  • Deny write access to fixed drives not protected by BitLocker - Not Configured

Text box showing "Deny write access to fixed drives not protected by BitLocker: Not configured." White background.

Removable Data Drives:


  • Control use of BitLocker on removable drives - Enabled

  • Allow users to apply BitLocker protection on removable data drives (Device) - True

    Enforce drive encryption type on removable data drives - Not Configured

  • Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - False

  • Deny write access to removable drives not protected by BitLocker - Not Configured

Settings interface for BitLocker on removable drives, showing options for enabling protection, encryption type, suspension, and access denial.

You now need to assign this policy to a group that matches your requirements. For example, I have enabled this for all corporate devices, so I have assigned the policy to the corporate devices group, as seen below:

Dashboard showing group assignment details: JDJ-CORP-WIN with 0 devices, 5 users. Target type is set to "Include". Option to add filter.

The policy will not necessarily reach devices right away, so you will need to sync. You can trigger a sync for the device from its page in Intune, from Settings > Accounts > Access work or school > Sync on the device itself, or from PowerShell on the device.



You can then check the encryption status of your devices within Intune under Devices > Monitor > Encryption report.
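The Encryption report can lag behind the device by some time, and it only summarises what BitLocker reports locally. As an added example that is not part of the original post, the PowerShell script below, run from an elevated prompt on a pilot device, triggers the Intune sync mentioned above and then checks that the result matches the policy configured in this guide: a present and ready TPM, a TPM-only key protector (the silent path), XTS-AES 256-bit on the OS drive, a recovery password protector, and evidence that the recovery information was escrowed (BitLocker Management event 845). The cmdlets, scheduled task and event IDs are standard Windows ones; which volume statuses count as a pass is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run on a pilot device after the
# Intune BitLocker policy has been assigned to its group.

# 0. TPM readiness. The policy above forbids BitLocker without a compatible TPM,
#    so silent enablement cannot start unless the TPM is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); silent enablement will not start."
}

# 1. Trigger an Intune (MDM) sync. PushLaunch is the scheduled task the MDM
#    enrollment client registers under \Microsoft\Windows\EnterpriseMgmt\<GUID>\;
#    the GUID is per enrollment, so match on the task name rather than a path.
$sync = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
if ($sync) { $sync | Start-ScheduledTask } else { Write-Warning 'PushLaunch task not found; is the device MDM enrolled?' }

# 2. Compare the OS volume against what the policy should have produced.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector.KeyProtectorType)

$checks = [ordered]@{
    'OS drive encrypted or encrypting'   = $os.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress'
    'Protection is on'                   = $os.ProtectionStatus -eq 'On'
    'XTS-AES 256 (per policy)'           = $os.EncryptionMethod -eq 'XtsAes256'
    'TPM-only protector (silent path)'   = ($types -contains 'Tpm') -and
                                           -not ($types -contains 'TpmPin' -or $types -contains 'TpmStartupKey')
    'Recovery password protector exists' = $types -contains 'RecoveryPassword'
}
foreach ($name in $checks.Keys) {
    '{0,-38} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' })
}

# 3. Escrow evidence. Event 845 in the BitLocker Management log is written when
#    recovery information is backed up successfully (846 is the failure event).
$log    = 'Microsoft-Windows-BitLocker/BitLocker Management'
$escrow = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 845 } -MaxEvents 3 -ErrorAction SilentlyContinue
if ($escrow) { $escrow | Select-Object TimeCreated, Message | Format-List }
else { Write-Warning "No escrow event 845 in '$log' yet; look for 846 (backup failed)." }

# 4. Remediation for an Entra joined device whose key never reached Entra ID:
#    push every recovery password protector again. Safe to repeat.
$os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
    BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $_.KeyProtectorId
}
```

If the TPM-only check fails because a TpmPin or TpmStartupKey protector is present, the device was not enabled silently and the Operating System Drives settings above were not applied as intended; if the escrow check fails, fix that before widening the assignment, since a device encrypted without an escrowed recovery password cannot be recovered from the portal.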


Encryption report screen showing device JDJD-LAP-032 with Windows OS. Status: "Not ready," but "Encrypted." User: jacob.peralta@jackdjd.com.

BitLocker is now set up!


I would now recommend testing this with one computer before sending this to every device.



