
Enabling BitLocker with Microsoft Endpoint Manager - Microsoft Intune

Published Feb 19 2021 01:50 PM

By Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune

 

This is the first in a five-part series about using BitLocker with Intune. The series will review basic concepts and recommended approaches to deploying BitLocker using Intune. Upcoming posts will describe simple and advanced troubleshooting techniques.

 

This post covers the concepts, requirements, and configurations needed for a successful deployment.

 

Intune basics

Intune is a cloud-based service that focuses on mobile device management (MDM) and app protection policies (APP also known as MAM). It helps administrators manage enrolled devices through policies. You use a policy to enable and configure BitLocker on Windows 10 devices.

 

Intune uses Windows configuration service providers (CSPs) to read, set, modify, or delete configuration settings on Windows devices enrolled into Intune, communicating over the Synchronization Markup Language (SyncML) or Wireless Application Protocol (WAP) protocols. For BitLocker, Intune uses the BitLocker CSP.

 

BitLocker basics

BitLocker is a built-in Windows data protection feature. It encrypts drives, and prevents the theft of data from lost, stolen, or decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM), version 1.2 or later.

 

Hardware requirements for BitLocker

It is important to understand that BitLocker has specific hardware requirements and that some methods of enabling BitLocker are dependent on those conditions. Silent encryption, for example, requires TPM on a device.

 

Hardware requirements include:

  • For TPM 2.0 devices, you must have native Unified Extensible Firmware Interface (UEFI) configured. (Secure boot is not required but adds another layer of security.)
  • BIOS or UEFI firmware must support USB mass storage.
  • You must partition the hard disk into an operating system drive formatted with NTFS and a system drive with at least 350 MB formatted as FAT32 for UEFI and NTFS for BIOS.

 

Note

We highly recommend that the device you are encrypting has a supported TPM chip (version 1.2 or later).
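The following script is an added example, not code from the original post. It checks a local device against the prerequisites listed above (TPM 1.2 or later, native UEFI for TPM 2.0, an NTFS operating system volume and a FAT32 or NTFS system partition depending on firmware type) and reports whether silent encryption is possible. It assumes an elevated Windows PowerShell 5.1 session; the 350 MB minimum is the figure the post gives and is exposed as a parameter so you can compare against your own baseline.

```powershell
# Added example, not part of the original post. Run elevated: the TPM WMI namespace
# and Confirm-SecureBootUEFI require administrator rights.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        # Minimum system partition size; 350 MB is the figure stated in the post.
        [int]$MinSystemPartitionMB = 350
    )

    $r = [ordered]@{}

    # --- TPM ---------------------------------------------------------------
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first
    # field is the TPM specification version BitLocker cares about.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent    = [bool]$tpm
    $r.TpmSpecVersion = if ($tpm) { [version](($tpm.SpecVersion -split ',')[0].Trim()) } else { $null }
    $r.TpmEnabledAndActivated = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # --- Firmware ----------------------------------------------------------
    # $env:firmware_type is "UEFI" or "Legacy" on Windows 8 and later.
    $r.FirmwareType = $env:firmware_type
    $r.SecureBootOn = $false
    try { $r.SecureBootOn = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    # --- Partitions --------------------------------------------------------
    $osVol  = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $sysVol = Get-Partition | Where-Object IsSystem | Select-Object -First 1 | Get-Volume
    $r.OsVolumeFileSystem = $osVol.FileSystem
    $r.SystemPartitionFS  = $sysVol.FileSystem
    $r.SystemPartitionMB  = [math]::Round($sysVol.Size / 1MB)
    # UEFI expects a FAT32 system partition, legacy BIOS expects NTFS.
    $expectedSysFS = if ($r.FirmwareType -eq 'UEFI') { 'FAT32' } else { 'NTFS' }

    # --- Verdicts ----------------------------------------------------------
    $tpmOk = $r.TpmPresent -and ($r.TpmSpecVersion -ge [version]'1.2')
    # TPM 2.0 requires native UEFI; a TPM 1.2 device may still boot from legacy BIOS.
    $fwOk  = -not (($r.TpmSpecVersion -ge [version]'2.0') -and ($r.FirmwareType -ne 'UEFI'))
    $r.HardwareMeetsRequirements = [bool]($tpmOk -and $fwOk -and
        ($r.OsVolumeFileSystem -eq 'NTFS') -and
        ($r.SystemPartitionFS -eq $expectedSysFS) -and
        ($r.SystemPartitionMB -ge $MinSystemPartitionMB))
    # Silent (no user interaction) encryption needs a usable TPM.
    $r.SilentEncryptionPossible = [bool]($tpmOk -and $r.TpmEnabledAndActivated)

    # Current BitLocker state of the OS volume, to compare with the Intune encryption report.
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r.OsVolumeStatus = if ($blv) { "$($blv.VolumeStatus) / $($blv.ProtectionStatus)" } else { 'n/a' }

    [pscustomobject]$r
}

Test-BitLockerReadiness | Format-List
```

Devices where SilentEncryptionPossible is false are the ones that will need a separate, user-interactive policy.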

 

BitLocker recovery

If BitLocker enters recovery mode when starting the operating system, there are ways to restore access. Choose one of the following options to restore access to the protected drive:

  • Manual option: Retrieve the 48-digit recovery password from a stored location (printed or USB).
  • Automated option: An administrator can obtain the recovery password from Microsoft Azure Active Directory (Azure AD) or from on-premises Active Directory Domain Services (AD DS).

 

Note

A data recovery agent (DRA) is someone authorized to decrypt data on a Windows operating system. The agent can use their credentials to unlock the drive. However, Intune doesn’t support DRA certificates so the process would have to occur outside the Intune environment.

 

Intune BitLocker configuration processes

Before you configure a BitLocker encryption policy, consider the following options:

  • How much do you want users involved in the BitLocker configuration process? Do you want users to interact with the process, do you want encryption to run silently, or do you need both?

    If you have multiple requirements, you might need to configure multiple policies.

  • Do all your devices meet the hardware prerequisites? Do you have a subset of devices that do not have a TPM?

    If you have older devices without TPM, you will not be able to encrypt them silently. This might mean configuring multiple policies.

    The Microsoft Intune encryption report, located in the Microsoft Endpoint Manager admin center, can help you understand the TPM status and encryption readiness of your enrolled devices. To view the report, select Devices > Monitor > Encryption report.

    (Figure: BitLocker Encryption Report in the Microsoft Endpoint Manager admin center)
  • Where do you want to store the recovery key?

    You can store the recovery key in on-premises Active Directory (if the device is hybrid Azure AD joined), in Azure AD, or manually. Most administrators store the key in Azure AD, which works for both hybrid Azure AD joined and Azure AD joined devices.

  • Do you want to enable recovery password rotation?

    This option refreshes the recovery password after it has been used, so the same password cannot be used again. Prerequisites include Windows 10 1909 and a device that is enrolled in Intune and either Azure AD joined or hybrid Azure AD joined. Additional licenses may be required for certain Microsoft BitLocker settings.

  • What algorithm strength do you want to use?

    For OS volumes and fixed drives: XTS-AES 128-bit is the Windows default encryption method and the recommended value.

    For removable drives: Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1510 or earlier.


    Note: For Autopilot devices, please read Setting the BitLocker encryption algorithm for Autopilot devices | Microsoft Docs to prevent devices from automatically encrypting during Azure AD join with an encryption algorithm different from the one configured in the policy.
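The following script is an added example, not code from the original post. It audits a device against two of the decisions above: whether each volume is encrypted with the method the policy configured (the Autopilot pitfall in the note is exactly a volume encrypted before the policy arrived), and whether the recovery password has been escrowed to Azure AD. The registry value names under the FVE policy key, the value-to-algorithm mapping, and the BitLocker-API event IDs 845 (backup to Azure AD succeeded) and 846 (backup failed) are as I know them from the BitLocker CSP and the BitLocker Management log, not from the post; run it elevated.

```powershell
# Added example, not part of the original post. Run elevated in Windows PowerShell 5.1.

# Values the EncryptionMethodByDriveType policy writes under
# HKLM\SOFTWARE\Policies\Microsoft\FVE, mapped to Get-BitLockerVolume's EncryptionMethod names.
$PolicyMethodNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-BitLockerPolicyMethods {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    # $null means the policy did not set a method for that drive type.
    [pscustomobject]@{
        OperatingSystem = $PolicyMethodNames[[int]$p.EncryptionMethodWithXtsOs]
        Fixed           = $PolicyMethodNames[[int]$p.EncryptionMethodWithXtsFdv]
        Removable       = $PolicyMethodNames[[int]$p.EncryptionMethodWithXtsRdv]
    }
}

function Test-BitLockerAlgorithmCompliance {
    $policy = Get-BitLockerPolicyMethods
    foreach ($v in Get-BitLockerVolume) {
        # Removable drives also report VolumeType 'Data'; tell them apart via DriveType.
        $vol = Get-Volume -DriveLetter $v.MountPoint.TrimEnd(':') -ErrorAction SilentlyContinue
        $expected = if ($v.VolumeType -eq 'OperatingSystem') { $policy.OperatingSystem }
                    elseif ($vol.DriveType -eq 'Removable')   { $policy.Removable }
                    else                                       { $policy.Fixed }
        # OS and fixed drives fall back to the Windows default XTS-AES 128 when the policy is silent.
        if (-not $expected -and $vol.DriveType -ne 'Removable') { $expected = 'XtsAes128' }
        $actual = [string]$v.EncryptionMethod     # 'None' when the volume is not encrypted
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeStatus = [string]$v.VolumeStatus
            Expected     = if ($expected) { $expected } else { '(not set by policy)' }
            Actual       = $actual
            # A volume encrypted before the policy arrived keeps its original method;
            # only decrypting and re-encrypting changes it.
            Compliant    = if ($expected) { $actual -eq $expected } else { $null }
        }
    }
}

function Get-BitLockerRecoveryEscrowStatus {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecoveryPassword = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    # BitLocker-API Management log: 845 = recovery info backed up to Azure AD, 846 = backup failed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    $last = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        HasRecoveryPasswordProtector = $hasRecoveryPassword
        LastAzureAdBackupEventId     = if ($last) { $last.Id } else { $null }
        LastAzureAdBackupTime        = if ($last) { $last.TimeCreated } else { $null }
        EscrowedToAzureAd            = [bool]($last -and $last.Id -eq 845)
    }
}

Test-BitLockerAlgorithmCompliance | Format-Table -AutoSize
Get-BitLockerRecoveryEscrowStatus | Format-List
```

If EscrowedToAzureAd is false on an Azure AD joined device, `BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId <recovery password protector id>` re-sends the recovery password, and rotating the key from the admin center has the same effect.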

Best practices for configuring BitLocker for Intune

Here are best practices and recommended processes for using BitLocker with Intune.

  • Use a device with TPM for maximum security.
  • Create the BitLocker policy using an Endpoint security policy. This workflow is the most recent method of deploying BitLocker settings. If you are currently using a device configuration profile, consider migrating to an Endpoint security policy.
    • Sign in to the Microsoft Endpoint Manager admin center.

    • Select Endpoint security > Disk encryption > Create Policy.

    • In the Platform list, choose Windows 10 and later.

    • Under Profile, select BitLocker.

    • Select Create.

Note
To avoid conflicts, avoid assigning more than one BitLocker profile to a device and consolidate settings into this new profile.

 

  • Use the encryption report to inventory your enrolled devices (Devices > Monitor > Encryption report). It reveals the encryption status and helps you understand the TPM presence and version distribution among your enrolled devices.
  • If BitLocker is not enabled on a device after deploying a policy, check the encryption report to see if the device meets the prerequisites.

 

More info and feedback

For further resources on this subject, please see the links below.

BitLocker Overview and Requirements FAQ

BitLocker recovery guide (Windows 10)

Manage BitLocker policy for Windows 10 in Intune

Encryption report for encrypted devices in Microsoft Intune

Configure endpoint protection settings in Microsoft Intune

 

This is the first post in this series. Catch up on the other blogs:

 

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

 

Blog post updates:

2/22: Updated the post to note that additional licenses may be required for certain Microsoft BitLocker settings.

%20all%20the%20pre-reqs%20(i.e.%20TPM%2C%20drive%20formatted%20according%20to%20docs)%20and%20are%20you%20able%20to%20initiate%20encryption%20manually%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2510769%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2510769%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F742359%22%20target%3D%22_blank%22%3E%40Luker1%3C%2FA%3E%26nbsp%3BDrives%20are%20uniform%20since%20OOBE.%20tpm%202.0%2C%20and%20I%20believe%20they%20met%20the%20pre-reqs%20just%20like%20other%20devices.%20I%20will%20try%20to%20initiate%20encryption%20manually%20and%20see%20if%20it%20will%20proceed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2511524%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2511524%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F742359%22%20target%3D%22_blank%22%3E%40Luker1%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3C%2FP%3E%3CP%3EHello%20Sir%2C%20Very%20well%20explained%2C%20Thanks%20a%20lot!!%3C%2FP%3E%3CP%3ECan%20you%20please%20tell%20the%20best%20practices%20for%20Bitlocker%20in%20intunes.%20I%20would%20like%20to%20enable%20it%20for%202000%2B%26nbsp%3B%20laptops%20via%20Intunes%20in%20a%20corporate%20network.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22sagarssky15_0-1625247376485.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293150iE96AC92C7839AFFF%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D
%22sagarssky15_0-1625247376485.png%22%20alt%3D%22sagarssky15_0-1625247376485.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CTABLE%20width%3D%22604%22%3E%3CTBODY%3E%3CTR%3E%3CTD%20width%3D%22382%22%3EDevice%20configuration%20Options%3C%2FTD%3E%3CTD%20width%3D%22222%22%3EDevice%20configuration%26nbsp%3B%20Sub%20options%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EEnable%20full%20disk%20encryption%20for%20OS%20and%20fixed%20data%20drives%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3ERequire%20storage%20cards%20to%20be%20encrypted%20(mobile%20only)%26nbsp%3B%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EHide%20prompt%20about%20third-party%20encryption%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EConfigure%20client-driven%20recovery%20password%20rotation%26nbsp%3B%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EBitLocker%20-%20Fixed%20Drive%20Settings(Policy)%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3EBitLocker%20-%20OS%20Drive%20Settings%20(Bitlocker%20system%20drive%20policy)%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22382%22%3EBitLocker%20-%20Removable%20Drive%20Settings(BitLocker%20removable%20drive%20policy%3CBR%20%2F%3EConfigure)%3C%2FTD%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2513523%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2513523%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3Bdo%20you%20mind%20sharing%20your%20configuration%3F%20I%20followed%20your%20path%20but%20they%20are%20on%20ERROR%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2515413%22%20slang%3D%22en-U
S%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2515413%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1094277%22%20target%3D%22_blank%22%3E%40sagarssky15%3C%2FA%3E%26nbsp%3B%26nbsp%3BThere%20are%20some%20recommendations%20above%20in%20the%20%22Best%20practices%20for%20configuring%20BitLocker%20for%20Intune%22%2C%20there%20is%20also%20a%20separate%20blog%20which%20discusses%20the%20config%20in%20more%20detail%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fintune-customer-success%2Fconfiguring-bitlocker-encryption-with-endpoint-security%2Fba-p%2F2283101%22%20target%3D%22_blank%22%3EConfiguring%20BitLocker%20encryption%20with%20Endpoint%20security%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2517070%22%20slang%3D%22de-DE%22%3ESubject%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2517070%22%20slang%3D%22de-DE%22%3E%3CP%3EI%20implemented%20it%20as%20follows.%20I%20do%20not%20have%20a%20Bitlocker%20pin%20in%20use.As%20a%20template%20I%20also%20used%20the%20Configuring%20BitLocker%20encryption%20with%20Endpoint%20security%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EConfiguration%20Profile%20%7C%20Settings%20Catalog%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_0-1625510827006.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293544i20D5F18755767A9D%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_0-1625510827006.png%22%20alt%3D%22oli83_0-1625510827006.png%22%20%2F%3E
%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EEndpoint%20Security%20%7C%20Bitlocker%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_1-1625510864677.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293545i26AEBADFBBB4BB01%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_1-1625510864677.png%22%20alt%3D%22oli83_1-1625510864677.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_2-1625510898852.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293546i338E02B4E202BA61%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_2-1625510898852.png%22%20alt%3D%22oli83_2-1625510898852.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_3-1625510974973.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293547i410856F37CC26F3E%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_3-1625510974973.png%22%20alt%3D%22oli83_3-1625510974973.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_4-1625511000288.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293548i495E24736651E7F5%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_4-1625511000288.png%22%20alt%3D%22oli83_4-1625511000288.png%22
%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22oli83_5-1625511048436.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F293549i18898D991B816943%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22oli83_5-1625511048436.png%22%20alt%3D%22oli83_5-1625511048436.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2517130%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2517130%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3BI%20can%20confirm%20that's%20what%20I%20did%20on%20the%20config%20profile.%3CBR%20%2F%3EBut%20it%20is%20failing%20with%20no%20logs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2517149%22%20slang%3D%22de-DE%22%3ESubject%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2517149%22%20slang%3D%22de-DE%22%3E%3CP%3EYou%20can%20try%20it%20by%20oma-uri.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSTRONG%3EOMA-URI%3C%2FSTRONG%3E%3A%20.%2FDevice%2FVendor%2FMSFT%2FBitLocker%2FRequireDeviceEncryption%3C%2FLI%3E%3CLI%3E%3CSTRONG%3EDate%20type%3C%2FSTRONG%3E%3A%20Integer%3C%2FLI%3E%3CLI%3E%3CSTRONG%3EValue%3C%2FSTRONG%3E%3A%201%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2517152%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20
Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2517152%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3Bfailing%20also.%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20if%20I%20remotely%20ctrl%20the%20device%20and%20regedit%20as%20admin%2C%20change%20the%20integer%20by%20force%20from%200%20to%201%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2517174%22%20slang%3D%22en-US%22%3EBetreff%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2517174%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E1%20%E2%80%93%20Enable.%20The%20device's%20enforcement%20status%20is%20checked.%20Setting%20this%20policy%20to%201%20triggers%20encryption%20of%20all%20drives%20(silently)%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2537075%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2537075%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1039786%22%20target%3D%22_self%22%3E%3CSPAN%20class%3D%22%22%3E%40justineg24%3C%2FSPAN%3E%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EDo%20you%20have%20any%20new%20insights%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2537245%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2537245%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20another%20customer%20last%20week%20who%20had%20exactly%20the%20same%20problem%20as%20you%20are%20having%20now.%20Error%20message%20exactly%20the%20same.%20Th
e%20problem%20with%20this%20customer%20was%20with%20the%20Bitlocker%20settings%2C%20which%20were%20not%20correct.%3C%2FP%3E%3CP%3EAfter%20I%20corrected%20it%2C%20everything%20worked.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2537453%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2537453%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1039786%22%20target%3D%22_blank%22%3E%40justineg24%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3BDo%20the%20policy%20settings%20in%26nbsp%3BHKEY_LOCAL_MACHINE%5CSOFTWARE%5CMicrosoft%5CPolicyManager%20(Intune%20policy)%20match%20what%20is%20in%26nbsp%3BHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CFVE%20(OS%20settings)%3F%20If%20not%20check%20the%20settings%20in%20the%20UI%2C%20sometimes%20updating%20the%20policy%20version%20by%20editing%20the%20policy%20and%20saving%20it%20helps.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2538116%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2538116%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3Bhow%20did%20you%20corrected%20it%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2538368%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2538368%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2F
techcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F742359%22%20target%3D%22_blank%22%3E%40Luker1%3C%2FA%3E%26nbsp%3BI%20compared%20registry%20of%20working%20vs%20not%20working%20device%2C%3CBR%20%2F%3E(1)Registry%20of%20Intune%20Policy%3CBR%20%2F%3E%3CU%3EWorking%20vs%20Not%20working%20%3D%20NOT%20SAME%3C%2FU%3E%3CBR%20%2F%3E%3CU%3ERequireDeviceEncryption%3D0%20on%20%22Not%20Working%22%20Device%26nbsp%3B%3C%2FU%3E%3CBR%20%2F%3E(2)Registry%20FVE%3CBR%20%2F%3EWorking%20vs%20Not%20working%20%3D%20SAME%3CBR%20%2F%3E%3CBR%20%2F%3ENot%20working%20devices%20are%20not%20even%20attempting%20to%20save%20keys%20on%20AAD%20so%20no%20record%20at%20all%2C%20it%20means%20not%20attempting%20to%20start%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2541597%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2541597%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1039786%22%20target%3D%22_blank%22%3E%40justineg24%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDid%20you%20set%20the%20Bitlocker%20settings%20as%20I%20described%20above%3F%3C%2FP%3E%3CP%3EAll%20customers%20who%20had%20a%20problem%20with%20Bitlocker%20activation%20were%20gone%20after%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2542823%22%20slang%3D%22en-US%22%3ERe%3A%20Enabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2542823%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F692528%22%20target%3D%22_blank%22%3E%40oli83%3C%2FA%3E%26nbsp%3Bthe%20only%20thing%20we%20differ%20I%20saw%20is%20the%3CBR%20%2F%3E%22%3CSPAN%3EDisable%20BitLocker%20on%20devices%20where%20TPM%20is%20incompatible%22%3CBR%20%2F%3EYou
%20set%20this%20to%20-%20Not%20Configured%3CBR%20%2F%3E%3CBR%20%2F%3EI've%20set%20this%20to%20-%20Yes%3CBR%20%2F%3E%3CBR%20%2F%3EBut%20still%2C%20it%20should%20have%20no%20effect%20as%20they%20have%20TPM2.0%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2149784%22%20slang%3D%22en-US%22%3EEnabling%20BitLocker%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2149784%22%20slang%3D%22en-US%22%3E%3CP%3EBy%26nbsp%3BLuke%20Ramsdale%26nbsp%3B%E2%80%93%26nbsp%3BService%20Engineer%26nbsp%3B%7C%20Microsoft%20Endpoint%20Manager%20%E2%80%93%20Intune%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20the%20first%20in%20a%20five-part%20series%20about%20using%20BitLocker%20with%20Intune.%20The%20series%20will%20review%20basic%20concepts%20and%20recommended%20approaches%20to%20deploying%20BitLocker%20using%20Intune.%20Upcoming%20posts%20will%20describe%20simple%20and%20advanced%20troubleshooting%20techniques.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20post%20covers%20the%20concepts%2C%20requirements%2C%20and%20configurations%20needed%20for%20a%20successful%20deployment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EIntune%20basics%3CP%3EIntune%20is%20a%20cloud-based%20service%20that%20focuses%20on%20mobile%20device%20management%20(MDM)%20and%20app%20protection%20policies%20(APP%20also%20known%20as%20MAM).%20It%20helps%20administrators%20manage%20enrolled%20devices%20through%20policies.%20You%20use%20a%20policy%20to%20enable%20and%20configure%20BitLocker%20on%20Windows%2010%20devices.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIntune%20uses%20the%20Windows%20configuration%20service%20provider%20(CSP)%20to%20read%2C%20set%2C%20modify%2C%20or%20delete%20configuration%20settings%20on%20Windows%20devices%20enrolled%20into%20Intune%20using%20Synchronization%20Markup%20Language%20(SyncML)%20or%20Wireless%20Application%20Protocol%20(WAP)%20protocols.%20BitLocker%20Intune%20uses%20the%20%3CA%20hre
f%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fbitlocker-csp%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EBitLocker%20CSP%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EBitLocker%20basics%3CP%3EBitLocker%20is%20a%20built-in%20Windows%20data%20protection%20feature.%20It%20encrypts%20drives%2C%20and%20prevents%20the%20theft%20of%20data%20from%20lost%2C%20stolen%2C%20or%20decommissioned%20computers.%20BitLocker%20provides%20the%20most%20protection%20when%20used%20with%20a%20Trusted%20Platform%20Module%20(TPM)%2C%20version%201.2%20or%20later.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EHardware%20requirements%20for%20BitLocker%3CP%3EIt%20is%20important%20to%20understand%20that%20BitLocker%20has%20specific%20hardware%20requirements%20and%20that%20some%20methods%20of%20enabling%20BitLocker%20are%20dependent%20on%20those%20conditions.%20Silent%20encryption%2C%20for%20example%2C%20requires%20TPM%20on%20a%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHardware%20requirements%20include%3A%3C%2FP%3EFor%20TPM%202.0%20devices%2C%20you%20must%20have%20native%20Unified%20Extensible%20Firmware%20Interface%20(UEFI)%20configured.%20(Secure%20boot%20is%20not%20required%20but%20adds%20another%20layer%20of%20security.)%20BIOS%20or%20UEFI%20firmware%20must%20support%20USB%20mass%20storage.%20You%20must%20partition%20the%20hard%20disk%20into%20an%20operating%20system%20drive%20formatted%20with%20NTFS%20and%20a%20system%20drive%20with%20at%20least%20350%20MB%20formatted%20as%20FAT32%20for%20UEFI%20and%20NTFS%20for%20BIOS.%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3C%2FP%3E%3CP%3EWe%20highly%20recommended%20that%20the%20device%20you%20are%20encrypting%20has%20a%20supported%20TPM%20chip%20(version%201.2%20and%20higher).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EBitLocker%20recovery%3CP%3EIf%20BitLocker%20enters%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fsecurity%2Finformation-protection%2Fbitlocker%2Fbitlocker-recovery-guide-plan%22
%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erecovery%20mode%3C%2FA%3E%20when%20starting%20the%20operating%20system%2C%20there%20are%20ways%20to%20restore%20access.%20Choose%20one%20of%20the%20following%20options%20to%20restore%20access%20to%20the%20protected%20drive%3A%3C%2FP%3EManual%20option%3A%20Retrieve%20the%2048-digit%20recovery%20password%20from%20a%20stored%20location%20(printed%20or%20USB).%20Automated%20option%3A%20An%20administrator%20can%20obtain%20the%20recovery%20password%20from%20Microsoft%20Azure%20Active%20Directory%20(Azure%20AD)%20or%20Active%20Directory%20Domain%20Services%20(Azure%20AD%20DS).%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3C%2FP%3E%3CP%3EA%20data%20recovery%20agent%20(DRA)%20is%20someone%20authorized%20to%20decrypt%20data%20on%20a%20Windows%20operating%20system.%20The%20agent%20can%20use%20their%20credentials%20to%20unlock%20the%20drive.%20However%2C%20Intune%20doesn%E2%80%99t%20support%20DRA%20certificates%20so%20the%20process%20would%20have%20to%20occur%20outside%20the%20Intune%20environment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EIntune%20BitLocker%20configuration%20processes%3CP%3EBefore%20you%20configure%20a%20BitLocker%20encryption%20policy%2C%20consider%20the%20following%20options%3A%3C%2FP%3EHow%20much%20do%20you%20want%20users%20involved%20in%20the%20BitLocker%20configuration%20process%3F%20Do%20you%20want%20them%20to%20interact%20with%20the%20process%2C%20be%20silent%2C%20or%20both%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20have%20multiple%20requirements%2C%20you%20might%20need%20to%20configure%20multiple%20policies.%3CBR%20%2F%3E%3CBR%20%2F%3E%20Do%20all%20your%20devices%20meet%20the%20hardware%20prerequisites%3F%20Do%20you%20have%20a%20subset%20of%20devices%20that%20do%20not%20have%20a%20TPM%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20have%20older%20devices%20without%20TPM%2C%20you%20will%20not%20be%20able%20to%20encrypt%20them%20silently.%20This%20might%20mean%20configuring%20multiple%20policies.%3CBR%20%2F%3E%3CB
R%20%2F%3EThe%20Microsoft%20Intune%20encryption%20report%2C%20located%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FEMAC%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Endpoint%20Manager%20admin%20center%3C%2FA%3E%2C%20can%20help%20you%20understand%20the%20TPM%20status%20and%20encryption%20readiness%20of%20your%20enrolled%20devices.%20To%20view%20the%20report%2C%20select%20Devices%20%26gt%3B%20Monitor%20%26gt%3B%20Encryption%20report.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%20Where%20do%20you%20want%20to%20store%20the%20recovery%20key%3F%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20store%20the%20recovery%20key%20in%20on-premises%20Active%20Directory%20(if%20hybrid%20joined)%2C%20in%20Azure%20AD%2C%20or%20manually.%20Most%20administrators%20store%20the%20key%20in%20Azure%20AD%2C%20which%20works%20for%20both%20Azure%20hybrid%20services%20and%20Azure%20AD%20joined%20devices.%3CBR%20%2F%3E%3CBR%20%2F%3E%20Do%20you%20want%20to%20enable%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fbitlocker-csp%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erecovery%20password%20rotation%3C%2FA%3E%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20option%20will%20refresh%20the%20recovery%20password%20after%20it%20is%20used%20and%20prevent%20further%20use%20of%20the%20same%20password%2C%20enhancing%20security.%20Prerequisites%20include%20Windows%2010%201909%2C%20having%20Intune%20enrolled%2C%20Azure%20AD%2C%20or%20Azure%20hybrid%20services%20joined.%26nbsp%3BAdditional%20licenses%20may%20be%20required%20for%20certain%20Microsoft%20BitLocker%20settings.%3CBR%20%2F%3E%3CBR%20%2F%3E%20What%20algorithm%20strength%20do%20you%20want%20to%20use%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3CP%3EFor%20OS%20volumes%20and%20fixed%20drives%3A%20XTS-AES%20128-bit%20is%20the%20Windows%20default%20encryption%20method%20and%20the%20recommended%20value.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EFor%20removable%20drives%3A%20Use%20AES-CB
C%20128-bit%20or%20AES-CBC%20256-bit%20if%20the%20drive%20will%20be%20used%20in%20other%20devices%20that%20are%20not%20running%20Windows%2010%2C%20version%201510%20or%20earlier.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ENote%3A%20For%20Autopilot%20devices%2C%20please%20read%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fautopilot%2Fbitlocker%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ESetting%20the%20BitLocker%20encryption%20algorithm%20for%20Autopilot%20devices%20%7C%20Microsoft%20Docs%3C%2FA%3E%20to%20avoid%20devices%20from%20automatically%20encrypting%20when%20Azure%20AD%20joining%20with%20a%20different%20encryption%20algorithm%20to%20the%20one%20configured%20in%20the%20policy.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3EBest%20practices%20for%20configuring%20BitLocker%20for%20Intune%3CP%3EHere%20are%20best%20practices%20and%20recommended%20processes%20for%20using%20BitLocker%20with%20Intune.%3C%2FP%3EUse%20a%20device%20with%20TPM%20for%20maximum%20security.%20Create%20the%20BitLocker%20policy%20using%20an%20Endpoint%20security%20policy.%20This%20workflow%20is%20the%20most%20recent%20method%20of%20deploying%20BitLocker%20settings.%20If%20you%20are%20currently%20using%20a%20device%20configuration%20profile%2C%20consider%20migrating%20to%20an%20Endpoint%20security%20policy.%3CP%3ESign%20into%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FEMAC%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Endpoint%20Manager%20admin%20center.%3C%2FA%3E%3C%2FP%3E%20%3CP%3ESelect%20Endpoint%20security%20%26gt%3B%20Disk%20encryption%20%26gt%3B%20Create%20Policy.%3C%2FP%3E%20%3CP%3EIn%20the%20Platform%20list%2C%20choose%20Windows%2010%20and%20later.%3C%2FP%3E%20%3CP%3EUnder%20Profile%2C%20select%20BitLocker.%3C%2FP%3E%20%3CP%3ESelect%20Create.%3C%2FP%3E%3CP%3ENote%3CBR%20%2F%3ETo%20avoid%20conflicts%2C%20avoid%20assigning%20more%20than%20one%20BitLocker%20profile%20to%20a%20device%20and%20consolidate%20settings%20into%20this%20new%20profile.
%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3EUse%20the%20encryption%20report%20to%20inventory%20your%20enrolled%20devices%20(Devices%20%26gt%3B%20Monitor%20%26gt%3B%20Encryption%20report).%20It%20reveals%20the%20encryption%20status%20and%20helps%20you%20understand%20the%20TPM%20presence%20and%20version%20distribution%20among%20your%20enrolled%20devices.%20If%20BitLocker%20is%20not%20enabled%20on%20a%20device%20after%20deploying%20a%20policy%2C%20check%20the%20encryption%20report%20to%20see%20if%20the%20device%20meets%20the%20prerequisites.%20%26nbsp%3B%20More%20info%20and%20feedback%3CP%3EFor%20further%20resources%20on%20this%20subject%2C%20please%20see%20the%20links%20below.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fsecurity%2Finformation-protection%2Fbitlocker%2Fbitlocker-overview-and-requirements-faq%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EBitLocker%20Overview%20and%20Requirements%20FAQ%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fsecurity%2Finformation-protection%2Fbitlocker%2Fbitlocker-recovery-guide-plan%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EBitLocker%20recovery%20guide%20(Windows%2010)%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fencrypt-devices%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EManage%20BitLocker%20policy%20for%20Windows%2010%20in%20Intune%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fencryption-monitor%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EEncryption%20report%20for%20encrypted%20devices%20in%20Microsoft%20Intune%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fendpoint-protection-configure%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EConfigure%20endpoint%20protection%20settings%20in%20Microsoft
%20Intune%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20the%20first%20post%20in%20this%20series.%20Catch%20up%20on%20the%20other%20blogs%3A%3C%2FP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMSupportTip-BitLockerSeries2%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ETroubleshooting%20BitLocker%20from%20the%20Microsoft%20Endpoint%20Manager%20admin%20center%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMSupportTip-BitLockerSeries3%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ETroubleshooting%20BitLocker%20policies%20from%20the%20client%20side%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMSupportTip-BitLockerSeries4%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EUsing%20BitLocker%20recovery%20keys%20with%20Microsoft%20Endpoint%20Manager%20-%20Microsoft%20Intune%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMSupportTip-BitLockerSeries5%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EConfiguring%20BitLocker%20encryption%20with%20Endpoint%20security%3C%2FA%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20us%20know%20if%20you%20have%20any%20additional%20questions%20by%20replying%20to%20this%20post%20or%20reaching%20out%20to%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3E%40IntuneSuppTeam%3C%2FA%3E%20on%20Twitter.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBlog%20post%20updates%3A%3C%2FP%3E%3CP%3E2%2F22%3A%20Updated%20post%20that%20additional%20licenses%20may%20be%20required%20for%20certain%20Microsoft%20BitLocker%20settings.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2149784%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20Part%201%20of%20a%20series%20of%20posts%20on%20BitLocker%2C%20we%20will%20review%20basic%20concepts%20and%20recommended%20approaches%20to%20deploying%20BitLocker%20using%20Intune.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2149784%
22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EBitLocker%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EBitLocker%20Series%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMEM%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESupport%20Tip%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Last update: May 18 2021 10:10 AM