Disk Encryption

You are correct, the BitLocker and Other administrative templates sections have been added to Intune device configuration profiles in recent updates. This allows you to configure BitLocker settings more granularly than before.

To silently enable BitLocker on new devices using administrative templates in Intune, create a device configuration profile with the following settings:

BitLocker

• Require BitLocker: Enabled
• Encryption method: XTS-AES 128 encryption
• Encryption options:
  • Hide prompt about third-party encryption: Yes
  • Allow standard users to enable encryption during Autopilot: Yes
  • Require Key File Creation: Allowed or Blocked
  • Recovery Password Creation: Allowed or Required

Other administrative templates

• Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered > Configure recovery options:
  • Recovery key: Save to your Azure AD account
  • Recovery password: Save to your Azure AD account

Once you have created the device configuration profile, you can assign it to the groups of devices that you want to apply it to.

Note that the device prerequisites for silently enabling BitLocker are still the same as before:

• The device must be running Windows 10 or later.
• The device must be joined to Azure Active Directory.
• The device must be enrolled in Microsoft Endpoint Manager.
• The device must have the Intune Management Extension installed.

Once the policy is applied to a device, BitLocker will be silently enabled on the next reboot.