By Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune
This is the first in a five-part series about using BitLocker with Intune. The series will review basic concepts and recommended approaches to deploying BitLocker using Intune. Upcoming posts will describe simple and advanced troubleshooting techniques.
This post covers the concepts, requirements, and configurations needed for a successful deployment.
Intune is a cloud-based service for mobile device management (MDM) and app protection policies (APP, also known as mobile application management, MAM). Administrators manage enrolled devices through policies, and a policy is what enables and configures BitLocker on Windows 10 devices.
Intune uses Windows configuration service providers (CSPs) to read, set, modify, or delete configuration settings on Windows devices enrolled into Intune; the settings are delivered over the Synchronization Markup Language (SyncML) or Wireless Application Protocol (WAP) protocols. For BitLocker, Intune uses the BitLocker CSP.
BitLocker is a built-in Windows data protection feature. It encrypts drives, and prevents the theft of data from lost, stolen, or decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM), version 1.2 or later.
Hardware requirements for BitLocker
It is important to understand that BitLocker has specific hardware requirements and that some methods of enabling BitLocker depend on them. Silent encryption, for example, requires a TPM on the device.
Hardware requirements include:
For TPM 2.0 devices, you must have native Unified Extensible Firmware Interface (UEFI) configured. (Secure boot is not required but adds another layer of security.)
BIOS or UEFI firmware must support USB mass storage.
You must partition the hard disk into an operating system drive formatted with NTFS and a system drive with at least 350 MB formatted as FAT32 for UEFI and NTFS for BIOS.
We highly recommend that the device you are encrypting has a supported TPM chip (version 1.2 or higher).
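As an added example (this script is not part of the original post and is not Intune's own code), the prerequisites above can be checked locally before a policy is assigned. It assumes an elevated PowerShell session on the Windows 10 device, that the BitLocker and TrustedPlatformModule modules that ship with Windows are available, and that the operating system volume is C:. The same check is useful when a policy has been assigned but the device has not encrypted.

```powershell
# Added example, not from the original post: local BitLocker readiness check.
# Assumptions: elevated session, Windows 10, OS volume on C:, built-in
# BitLocker and TrustedPlatformModule modules present.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM: Get-Tpm reports presence and readiness; Win32_Tpm carries the spec
    # version string (for example "2.0, 0, 1.38" or "1.2, 2, 3").
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)
    $result.TpmVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware: $env:firmware_type is "UEFI" or "Legacy". TPM 2.0 needs native UEFI.
    # Secure Boot is optional for BitLocker but worth recording.
    $result.FirmwareType = $env:firmware_type
    try   { $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $result.SecureBoot = $false }   # throws on legacy BIOS systems

    # System partition: UEFI needs a FAT32 EFI System Partition of at least 350 MB;
    # legacy BIOS needs an NTFS system (active) partition of the same size.
    $osDisk  = (Get-Partition -DriveLetter C -ErrorAction SilentlyContinue).DiskNumber
    $sysPart = Get-Partition -DiskNumber $osDisk -ErrorAction SilentlyContinue |
        Where-Object { $_.IsSystem -or $_.GptType -eq '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' } |
        Select-Object -First 1
    $result.SystemPartitionMB = if ($sysPart) { [math]::Round($sysPart.Size / 1MB) } else { 0 }
    $result.SystemPartitionFS = if ($sysPart) { ($sysPart | Get-Volume -ErrorAction SilentlyContinue).FileSystem } else { 'none' }
    $expectedFs = if ($result.FirmwareType -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
    $result.SystemPartitionOk = ($result.SystemPartitionMB -ge 350) -and ($result.SystemPartitionFS -eq $expectedFs)

    # The operating system volume itself must be NTFS.
    $result.OsVolumeNtfs = (Get-Volume -DriveLetter C).FileSystem -eq 'NTFS'

    # Current BitLocker state, for the case where a policy was assigned but nothing happened.
    $blv = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
    $result.BitLockerStatus = if ($blv) { "$($blv.VolumeStatus) (protection $($blv.ProtectionStatus))" } else { 'unavailable' }

    # Silent encryption needs a present, ready TPM; a TPM 2.0 additionally needs UEFI boot.
    $result.SilentEncryptionPossible = $result.TpmPresent -and $result.TpmReady -and
        ($result.TpmVersion -notlike '2.0*' -or $result.FirmwareType -eq 'UEFI') -and
        $result.SystemPartitionOk -and $result.OsVolumeNtfs

    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```

A device that reports SilentEncryptionPossible as False will need either a policy that allows user interaction (for example a startup PIN or password on a non-TPM device) or a hardware fix before the Intune policy can succeed.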
If BitLocker enters recovery mode when starting the operating system, there are ways to restore access. Choose one of the following options to restore access to the protected drive:
Manual option: Retrieve the 48-digit recovery password from a stored location (printed or USB).
Automated option: An administrator can obtain the recovery password from Microsoft Azure Active Directory (Azure AD) or from on-premises Active Directory Domain Services (AD DS).
A data recovery agent (DRA) is an account authorized to decrypt data on a Windows operating system. The agent unlocks the drive with the DRA certificate's private key. However, Intune doesn't support DRA certificates, so that process would have to occur outside the Intune environment.
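The automated option only works if the recovery password is actually escrowed. Devices that were encrypted before the Intune policy arrived often have no copy of the password in Azure AD, so the following added example (not from the original post, and not Intune's own code) walks every encrypted volume, adds a 48-digit recovery password protector where none exists, and backs each one up to Azure AD. It assumes an elevated session on a device that is Azure AD joined or hybrid Azure AD joined; the `-BackupToAdds` switch is this function's own addition and calls the real `Backup-BitLockerKeyProtector` cmdlet, which needs the AD DS side of key backup to be configured.

```powershell
# Added example, not from the original post: escrow recovery passwords to Azure AD
# (and optionally AD DS) for volumes that are already encrypted.
# Assumptions: elevated session, device Azure AD joined or hybrid joined,
# built-in BitLocker module. -BackupToAdds is a switch defined here, not a Windows setting.

function Sync-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        [switch]$BackupToAdds
    )

    foreach ($vol in Get-BitLockerVolume) {
        # Nothing to escrow on a volume that is not encrypted.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # No numerical recovery password at all: add one, then re-read the volume.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
            $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }

        foreach ($p in $rp) {
            # Backup is requested by protector ID; the cmdlets send the password to the
            # directory themselves, so it is never written to the console or a log here.
            $aadOk = $true
            try   { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null }
            catch { $aadOk = $false; Write-Warning "Azure AD backup failed for $($vol.MountPoint): $($_.Exception.Message)" }

            $addsOk = $false
            if ($BackupToAdds) {
                try   { Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null; $addsOk = $true }
                catch { Write-Warning "AD DS backup failed for $($vol.MountPoint): $($_.Exception.Message)" }
            }

            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                BackedUpToAAD  = $aadOk
                BackedUpToADDS = $addsOk
            }
        }
    }
}

Sync-BitLockerRecoveryPassword
```

Run it once per device (for example as an Intune PowerShell script) and keep the output; a volume whose BackedUpToAAD is False is one the help desk will not be able to recover through the portal.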
Intune BitLocker configuration processes
Before you configure a BitLocker encryption policy, consider the following options:
How much do you want users involved in the BitLocker configuration process? Do you want encryption to be interactive, silent, or both (for different groups of devices)?
If you have multiple requirements, you might need to configure multiple policies.
Do all your devices meet the hardware prerequisites? Do you have a subset of devices that do not have a TPM?
If you have older devices without TPM, you will not be able to encrypt them silently. This might mean configuring multiple policies.
The Microsoft Intune encryption report, located in the Microsoft Endpoint Manager admin center, can help you understand the TPM status and encryption readiness of your enrolled devices. To view the report, select Devices > Monitor > Encryption report.
BitLocker Encryption Report in the Microsoft Endpoint Manager admin center
Where do you want to store the recovery key?
You can store the recovery key in on-premises Active Directory (if the device is hybrid Azure AD joined), in Azure AD, or manually. Most administrators store the key in Azure AD, which works for both hybrid Azure AD joined and Azure AD joined devices.
Azure AD storage also allows the recovery password to be rotated after it is used, so a password that has been disclosed (for example, read out to a user by the help desk) cannot be used again. This requires Windows 10, version 1909 or later, and a device that is enrolled in Intune and either Azure AD joined or hybrid Azure AD joined. Additional licenses may be required for certain BitLocker settings.
What algorithm strength do you want to use?
For OS volumes and fixed drives: XTS-AES 128-bit is the Windows default encryption method and the recommended value.
For removable drives: Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will also be used on devices running versions earlier than Windows 10, version 1511, which cannot read XTS-AES volumes.
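One caveat worth checking: BitLocker does not re-encrypt a volume when the policy's encryption method changes, so a drive encrypted under an older default keeps that method until it is decrypted and encrypted again. The following added example (not from the original post, and not Intune's own code) compares the method each volume actually uses with the method the applied policy asks for. It assumes an elevated session and that the BitLocker policy lands in `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (the location Group Policy uses, assumed here to be populated by the Intune policy as well); the numeric codes 3, 4, 6 and 7 are the BitLocker policy values for AES-CBC 128, AES-CBC 256, XTS-AES 128 and XTS-AES 256, and the recommendation column restates the guidance above.

```powershell
# Added example, not from the original post: audit actual vs. policy encryption method.
# Assumptions: elevated session; policy values under HKLM:\SOFTWARE\Policies\Microsoft\FVE
# (EncryptionMethodWithXtsOs / Fdv / Rdv) with codes 3=AES-CBC 128, 4=AES-CBC 256,
# 6=XTS-AES 128, 7=XTS-AES 256.

$MethodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-BitLockerMethodAudit {
    [CmdletBinding()]
    param()

    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        # Classify the volume: OS, fixed data, or removable data.
        $drive = $vol.MountPoint.TrimEnd(':', '\')
        $isRemovable = $false
        if ($drive.Length -eq 1) {
            $isRemovable = (Get-Volume -DriveLetter $drive -ErrorAction SilentlyContinue).DriveType -eq 'Removable'
        }
        $kind = if ($vol.VolumeType -eq 'OperatingSystem') { 'OS' }
                elseif ($isRemovable) { 'Removable' }
                else { 'Fixed' }

        # Policy value for this drive class; $null when no policy has been applied.
        $policyCode = switch ($kind) {
            'OS'        { $fve.EncryptionMethodWithXtsOs }
            'Fixed'     { $fve.EncryptionMethodWithXtsFdv }
            'Removable' { $fve.EncryptionMethodWithXtsRdv }
        }
        $policyMethod = if ($policyCode) { $MethodNames[[int]$policyCode] } else { 'not set' }
        $actual       = $vol.EncryptionMethod.ToString()

        # Guidance from the post: XTS-AES 128 for OS and fixed drives;
        # AES-CBC for removable drives that must be read by pre-1511 Windows.
        $recommended = if ($kind -eq 'Removable') { 'Aes128 or Aes256' } else { 'XtsAes128' }

        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            DriveClass    = $kind
            ActualMethod  = $actual
            PolicyMethod  = $policyMethod
            MatchesPolicy = ($policyMethod -eq 'not set') -or ($policyMethod -eq $actual)
            Recommended   = $recommended
        }
    }
}

Get-BitLockerMethodAudit | Format-Table -AutoSize
```

A row with MatchesPolicy False is not a policy failure; it is a volume that needs `Disable-BitLocker` followed by a fresh `Enable-BitLocker` (or the Intune policy re-applied after decryption) if the stronger method is required.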
Best practices for configuring BitLocker for Intune
Here are best practices and recommended processes for using BitLocker with Intune.
Use a device with TPM for maximum security.
Create the BitLocker policy using an Endpoint security policy. This workflow is the most recent method of deploying BitLocker settings. If you are currently using a device configuration profile, consider migrating to an Endpoint security policy.
Select Endpoint security > Disk encryption > Create Policy.
In the Platform list, choose Windows 10 and later.
Under Profile, select BitLocker.
Note: To avoid conflicts, do not assign more than one BitLocker profile to a device; consolidate the settings into this new profile.
Use the encryption report to inventory your enrolled devices (Devices > Monitor > Encryption report). It reveals the encryption status and helps you understand the TPM presence and version distribution among your enrolled devices.
If BitLocker is not enabled on a device after deploying a policy, check the encryption report to see if the device meets the prerequisites.
More info and feedback
For further resources on this subject, please see the links below.